Information & Ethics Committee on May 1st, 2008

Thank you very much, Mr. Chair, and good afternoon.

My name is Ken Cochrane, and I am the chief information officer of the Government of Canada.

Today, as the chair indicated, I am accompanied by Mr. Donald Lemieux, who is the executive director of the information and privacy policy division of the Treasury Board Secretariat, so the subject expert in this particular area within the secretariat.

I'd like to begin by thanking the committee for this opportunity to discuss the policy role that the Treasury Board Secretariat plays with respect to privacy across the Government of Canada. We have been invited by your committee to offer our knowledge of the policy on privacy protection and the privacy impact assessment policy, for which the Treasury Board Secretariat is the lead department. Therefore, I'd like to take a few minutes to provide an overview of the Treasury Board Secretariat's role in supporting the policy instruments we are responsible for.

First, it's important to note the shared responsibility of the Treasury Board Secretariat, the Department of Industry, and the Department of Justice in the area of privacy protection. In this respect, the policy on privacy protection and the privacy impact assessment policy are under the responsibility of the Treasury Board Secretariat. These two management policies support the Privacy Act. The Privacy Act itself falls under the responsibility of the Minister of Justice, and the Personal Information Protection and Electronic Documents Act, PIPEDA, which the Privacy Commissioner has previously discussed with the committee, is administered by the Minister of Industry.

Heads of institutions are responsible for ensuring that their organizations comply with management policy and legislative requirements.

So the President of the Treasury Board is the Minister designated under the Privacy Act with the responsibility for developing and issuing management policies and guidelines to ensure the effective administration of the act itself. The Treasury Board Secretariat supports the president in this role by developing policies and guidelines and by providing ongoing training and support to the access to information and privacy community in government.

It's important to note that the head of each institution is responsible for protecting personal information under their control and adhering to management policies and this legislation. Detailed information on privacy management policy instruments can be found in the manual that we have provided to the committee members.

I'd like to provide you with a little more information on the privacy policies that fall under the Treasury Board Secretariat's responsibility. As members of the committee may know, the government is going through an extensive renewal of its management policy suite, and this renewal includes our privacy policy instruments. There are two privacy policies issued by the President of the Treasury Board to support the Privacy Act itself: the policy on privacy protection, and the privacy impact assessment policy.

The policy on privacy protection replaces the former policy on privacy and data protection. It was recently revamped to reflect changes made through the Federal Accountability Act. This policy aims to ensure a number of things: first, that sound management practices are in place for the handling and protection of personal information; that clear decision-making and operational responsibilities are assigned within government institutions; that there is consistent public reporting through annual reports to Parliament, statistical reports, and the annual publication of Infosource, produced by the Treasury Board Secretariat; and that there is identification, assessment, and mitigation of privacy impacts and risks for all new or modified government programs and activities that use personal information.

The privacy impact assessment policy itself is the second management policy we are responsible for, and it was implemented in 2002. Privacy impact assessments assure Canadians that privacy principles are being taken into account when planning, designing, implementing, developing, and changing programs and services that raise privacy issues. The results of government privacy impact assessments are communicated to the Privacy Commissioner and to the public. We are currently reviewing this policy and we are working in close collaboration with the Office of the Privacy Commissioner on this matter. We expect our review will be completed within this fiscal year.

To go on with the role of other institutions, while the secretariat plays an important role in establishing policies and guidelines and providing guidance to the ATIP community, heads of government institutions are ultimately responsible for personal information under the control of their respective institutions. They are responsible for ensuring that their organizations comply with all the Treasury Board Secretariat's management policy requirements. And institutions are assessed annually on their compliance through MAF, the management accountability framework, which I am sure you are familiar with.

Specifically, for privacy-related management policy instruments, the responsibility of implementing requirements within institutions is generally delegated to ATIP coordinators within departments. Treasury Board Secretariat is the leader of the privacy community across government.

Given the importance of the mandate of the ATIP community, the Treasury Board Secretariat has adopted different measures to help federal institutions adhere to the policies regarding privacy. For example, Treasury Board Secretariat provides ongoing training to the ATIP community. We do this through a variety of means, such as developing training material and hosting training sessions to ensure members of the community are informed of the latest policy developments; by distributing guidance documents to ATIP practitioners; by holding regular community meetings to share issues of interest and best practices and advise the community of any changes to the policy; and by responding to questions from ATIP practitioners who require assistance and advice on the interpretation of our policies.

Finally, the Treasury Board Secretariat publishes the annual InfoSource bulletin that contains statistics of requests made under the Access to Information Act and the Privacy Act, and summaries of Federal Court cases of relevance to the interpretation of the acts.

Mr. Chairman and members of the committee, as you know, the government is strongly committed to the protection of individual privacy rights. Our policy instruments aim to support legislation that is passed through the House of Commons by parliamentarians on behalf of Canadians. These policy instruments are robust and are taken very seriously by government institutions. I'm confident that the privacy policies strengthen the rights of Canadians in regard to the sound protection of their personal information.

As this committee continues to study the Privacy Act, the Treasury Board Secretariat will await direction set in law by Parliament.

Mr. Chairman, this concludes my remarks. Mr. Lemieux and I would be very pleased to answer any questions from the committee.

With regard to section 71 of the Privacy Act, it basically divides the responsibilities when it comes to regulations. For example, you're looking at certain regulations the Treasury Board Secretariat would be responsible for.

With regard to, as you put it, the general state of the union when it comes to the Privacy Act, although it's one of the first pieces of legislation that's been around, it seems to have weathered the time to the extent that it is still vibrant. Certainly it's been supplemented by the Treasury Board Secretariat in the policy suite renewal exercise Mr. Cochrane referred to. The policy suite renewal in general is part of the action plan under the Federal Accountability Act in terms of strengthening some of the measures. For example, we added a number of institutions under the Privacy Act. Seventy institutions were covered under the Access to Information Act as a result of the FAA, but to do so we also had to cover those institutions under the Privacy Act.

It's maybe not as obvious, but if you look at the way the two acts hang together, the Access to Information Act and the Privacy Act, the definition of what is personal information is in the Privacy Act, so we had to include those institutions in the Privacy Act. So the span now covers approximately 250 institutions.

Mr. Lemieux may go into more detail, but his team is about 35 people overall. They support both the privacy elements and the access to information elements on both sides, so it's a mixed team supporting both of these areas. A lot of that, of course, is supporting, as I was indicating, training and answering a lot of questions from the community, in addition to developing many of the instruments and the policy instruments.

Maybe I'll start that, and once again I may turn to Mr. Lemieux.

We've broken the role out of the policy work, and it's all part of policy suite renewal, as I'm sure you're well aware. A big part of policy suite renewal was to simplify policy so departments could execute it much more effectively.

In phase one--which really just ended in April 2008, so we had a very tight timeframe--we renewed the access to information and protection of privacy policies, so those policies are now in place and renewed. And there is a directive now on social insurance numbers that is currently in place.

What we're calling phase two takes us from current until April 2009, and it will look at establishing a number of directives that are mandatory instruments under the policy. There will be a directive on the administration of the Privacy Act that will help departments understand how to actually manage the work they must do under this, and there will be a directive on privacy impact assessments. It's currently a policy, but we're changing it to simplify it and put it right under this area. It will also be done in this timeframe.

There is a privacy management directive, and a directive looking at the administration of the Access to Information Act. And there is work that we're doing—and now I'm into a bit of a broader sphere—on duty to assist, which is probably more on the Information Commissioner's side. That is an important piece of the dialogue that needs to take place between us and the Information Commissioner and the rest of the town. I describe that because it's part of an integrated plan, and there are a number of things under way right now with the team.

Mr. Chair, just to make sure I understand the question, in terms of our work we provide policy advice and support the administration of the program throughout the 250 institutions. A large component of that is the training and development of the ATIP personnel, the people who are on the ground answering those requests.

Our responsibility is to make sure that the community understands what their roles and responsibilities are.

As I'm sure you will appreciate, we have added 70 new institutions as well, which is quite important. We were 180 institutions, and we're now 250, so we've added a considerable number. We're putting a lot of effort into doing that, under both the Access to Information Act and the Privacy Act. We do our best to support the institutions in streamlining processes.

If I can just add to something that Mr. Cochrane mentioned earlier, about making it easier for institutions in some of the work we do, one of the big efforts that we have in our division is to put together InfoSource. That's a huge publication, and it's much larger now because we have all these new institutions. One of the things we're looking at is to make it much easier for institutions to do those updates. We're trying to facilitate their jobs by doing that.

As well, because we've grown to support the ATIP community, we have established call centres, and we have a website that we're using to facilitate the work that's done. We're doing everything in our power, within our responsibilities and within our roles, to support the community so that they can deliver the service, duty to assist being a big one that Mr. Cochrane mentioned.

Impeding? Not at all. In fact, when we're doing the policy suite renewal work that we're doing we are in lockstep with both commissioners moving forward.

For example, we have a working group where there are two representatives from the Information Commissioner's office; we have an ADM committee, and there are representatives from the commissioner's office. We have bilateral meetings with them throughout that process, and that's access and privacy.

We're quite conscious when we do something that it supports the program, and we work with both commissioners.

In most cases, yes, although that depends on the institution. For example, a large institution may have one office for access to information and another for privacy. That way of doing things may be practical for a department with 20,000 employees, but, on the whole, the office of each institution combines access to information and privacy. There are benefits to that. The two acts are similar and must often be weighed, for example, when an exemption is sought for personal information.

On the whole, yes.

In different jurisdictions, that can operate differently. There are always advantages and disadvantages. I'm a former coordinator. So I've had—

Yes, exactly. Some issues are quite difficult. As director general responsible for access to information and privacy, I can weigh the pros and cons. When I make a decision concerning access to information. I'm very much aware that it can have repercussions. It's really balanced. Without knowing the exact reason why the coordinator made that comment, I can say that certain decisions are difficult. We encourage those people to come and see us. There are also teams that can talk with their legal department. It's working quite well on the whole.

That's very hard to say without talking about a very specific case. Coordinators will understand their role and the exceptions they have to apply or what we call exclusions, like Cabinet confidences. The complaints mechanism of the Commissioner's office can be used. So if a coordinator's freedom of action is too restricted, in that case, the Commissioner will intervene in accordance with the act.

It's the same in the case of privacy. Where it really becomes confusing... In an ideal world, a file contains the personal information of a single person, but if it contains personal information on more than one person, that complicates matters.