Evidence of meeting #31 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was institutions.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Ken Cochrane  Chief Information Officer, Treasury Board Secretariat
Donald Lemieux  Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat
Nancy Holmes  Committee Researcher
Clerk of the Committee  Mr. Richard Rumas

The Chair Liberal Paul Szabo

Good afternoon, colleagues.

Our order of the day is Privacy Act reform.

Today we have as our witnesses, from the Treasury Board Secretariat, Mr. Ken Cochrane, who is the chief information officer, and Mr. Donald Lemieux, who is executive director for information, privacy, and security policy.

I understand Mr. Cochrane has an opening statement, of which you have a copy.

The members have asked me about whether or not the Treasury Board representatives had received a copy of the document with regard to the recommendations for consideration with regard to Privacy Act amendments. They are aware of them, but we have to be a little bit careful in our expectations because of the role and responsibilities of Treasury Board in this regard. I think Mr. Cochrane is going to address that.

Mr. Cochrane and Mr. Lemieux, welcome, and please begin.

Ken Cochrane Chief Information Officer, Treasury Board Secretariat

Thank you very much, Mr. Chair, and good afternoon.

My name is Ken Cochrane, and I am the chief information officer of the Government of Canada.

Today, as the chair indicated, I am accompanied by Mr. Donald Lemieux, who is the executive director of the information and privacy policy division of the Treasury Board Secretariat, so the subject expert in this particular area within the secretariat.

I'd like to begin by thanking the committee for this opportunity to discuss the policy role that the Treasury Board Secretariat plays with respect to privacy across the Government of Canada. We have been invited by your committee to offer our knowledge of the policy on privacy protection and the privacy impact assessment policy, for which the Treasury Board Secretariat is the lead department. Therefore, I'd like to take a few minutes to provide an overview of the Treasury Board Secretariat's role in supporting the policy instruments we are responsible for.

First, it's important to note the shared responsibility of the Treasury Board Secretariat, the Department of Industry, and the Department of Justice in the area of privacy protection. In this respect, the policy on privacy protection and the privacy impact assessment policy are under the responsibility of the Treasury Board Secretariat. These two management policies support the Privacy Act. The Privacy Act itself falls under the responsibility of the Minister of Justice, and the Personal Information Protection and Electronic Documents Act, PIPEDA, which the Privacy Commissioner has previously discussed with the committee, is administered by the Minister of Industry.

Heads of institutions are responsible for ensuring that their organizations comply with management policy and legislative requirements.

So the President of the Treasury Board is the Minister designated under the Privacy Act with the responsibility for developing and issuing management policies and guidelines to ensure the effective administration of the act itself. The Treasury Board Secretariat supports the president in this role by developing policies and guidelines and by providing ongoing training and support to the access to information and privacy community in government.

It's important to note that the head of each institution is responsible for protecting personal information under their control and adhering to management policies and this legislation. Detailed information on privacy management policy instruments can be found in the manual that we have provided to the committee members.

I'd like to provide you with a little more information on the privacy policies that fall under the Treasury Board Secretariat's responsibility. As members of the committee may know, the government is going through an extensive renewal of its management policy suite, and this renewal includes our privacy policy instruments. There are two privacy policies issued by the President of the Treasury Board to support the Privacy Act itself: the policy on privacy protection, and the privacy impact assessment policy.

The policy on privacy protection replaces the former policy on privacy and data protection. It was recently revamped to reflect changes made through the Federal Accountability Act. This policy aims to ensure a number of things: first, that sound management practices are in place for the handling and protection of personal information; that clear decision-making and operational responsibilities are assigned within government institutions; that there is consistent public reporting through annual reports to Parliament, statistical reports, and the annual publication of Infosource, produced by the Treasury Board Secretariat; and that there is identification, assessment, and mitigation of privacy impacts and risks for all new or modified government programs and activities that use personal information.

The privacy impact assessment policy itself is the second management policy we are responsible for, and it was implemented in 2002. Privacy impact assessments assure Canadians that privacy principles are being taken into account when planning, designing, implementing, developing, and changing programs and services that raise privacy issues. The results of government privacy impact assessments are communicated to the Privacy Commissioner and to the public. We are currently reviewing this policy and we are working in close collaboration with the Office of the Privacy Commissioner on this matter. We expect our review will be completed within this fiscal year.

To go on with the role of other institutions, while the secretariat plays an important role in establishing policies and guidelines and providing guidance to the ATIP community, heads of government institutions are ultimately responsible for personal information under the control of their respective institutions. They are responsible for ensuring that their organizations comply with all the Treasury Board Secretariat's management policy requirements. And institutions are assessed annually on their compliance through MAF, the management accountability framework, which I am sure you are familiar with.

Specifically, for privacy-related management policy instruments, the responsibility of implementing requirements within institutions is generally delegated to ATIP coordinators within departments. Treasury Board Secretariat is the leader of the privacy community across government.

Given the importance of the mandate of the ATIP community, the Treasury Board Secretariat has adopted different measures to help federal institutions adhere to the policies regarding privacy. For example, Treasury Board Secretariat provides ongoing training to the ATIP community. We do this through a variety of means, such as developing training material and hosting training sessions to ensure members of the community are informed of the latest policy developments; by distributing guidance documents to ATIP practitioners; by holding regular community meetings to share issues of interest and best practices and advise the community of any changes to the policy; and by responding to questions from ATIP practitioners who require assistance and advice on the interpretation of our policies.

Finally, the Treasury Board Secretariat publishes the annual InfoSource bulletin that contains statistics of requests made under the Access to Information Act and the Privacy Act, and summaries of Federal Court cases of relevance to the interpretation of the acts.

Mr. Chairman and members of the committee, as you know, the government is strongly committed to the protection of individual privacy rights. Our policy instruments aim to support legislation that is passed through the House of Commons by parliamentarians on behalf of Canadians. These policy instruments are robust and are taken very seriously by government institutions. I'm confident that the privacy policies strengthen the rights of Canadians in regard to the sound protection of their personal information.

As this committee continues to study the Privacy Act, the Treasury Board Secretariat will await direction set in law by Parliament.

Mr. Chairman, this concludes my remarks. Mr. Lemieux and I would be very pleased to answer any questions from the committee.

The Chair Liberal Paul Szabo

Thank you very much, Mr. Cochrane.

Very briefly, section 71 of the Privacy Act sets out the duties and responsibilities of Treasury Board. Can you give us a very brief assessment of the state of the union, as it were? I think the committee would probably be very interested in the areas in which there should be some attention or concern.

Donald Lemieux Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

With regard to section 71 of the Privacy Act, it basically divides the responsibilities when it comes to regulations. For example, you're looking at certain regulations the Treasury Board Secretariat would be responsible for.

With regard to, as you put it, the general state of the union when it comes to the Privacy Act, although it's one of the first pieces of legislation that's been around, it seems to have weathered the time to the extent that it is still vibrant. Certainly it's been supplemented by the Treasury Board Secretariat in the policy suite renewal exercise Mr. Cochrane referred to. The policy suite renewal in general is part of the action plan under the Federal Accountability Act in terms of strengthening some of the measures. For example, we added a number of institutions under the Privacy Act. Seventy institutions were covered under the Access to Information Act as a result of the FAA, but to do so we also had to cover those institutions under the Privacy Act.

It's maybe not as obvious, but if you look at the way the two acts hang together, the Access to Information Act and the Privacy Act, the definition of what is personal information is in the Privacy Act, so we had to include those institutions in the Privacy Act. So the span now covers approximately 250 institutions.

The Chair Liberal Paul Szabo

Okay, maybe we'll get a little bit more on these kinds of matters.

I have Mr. Hubbard, Madame Lavallée, and then Mr. Wallace.

Charles Hubbard Liberal Miramichi, NB

Thank you, Mr. Chair, and good afternoon.

In terms of the work you do in this area, how big is your staff? How many people work directly with you in providing this service to other departments?

3:40 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

Mr. Lemieux may go into more detail, but his team is about 35 people overall. They support both the privacy elements and the access to information elements on both sides, so it's a mixed team supporting both of these areas. A lot of that, of course, is supporting, as I was indicating, training and answering a lot of questions from the community, in addition to developing many of the instruments and the policy instruments.

Charles Hubbard Liberal Miramichi, NB

In your brief you indicated that a number of programs were ongoing. You indicated, for example, one by the end of the year. How many initiatives do you have? The Federal Accountability Act has really been a big factor in what you're trying to do. Do you have a timeline for the objectives you have, where point A is going to be done by July of 2008, and the other by the end of 2008, and so forth? How would you define the major ones, and when would the completion dates be for each of them?

3:40 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

Maybe I'll start that, and once again I may turn to Mr. Lemieux.

We've broken the role out of the policy work, and it's all part of policy suite renewal, as I'm sure you're well aware. A big part of policy suite renewal was to simplify policy so departments could execute it much more effectively.

In phase one--which really just ended in April 2008, so we had a very tight timeframe--we renewed the access to information and protection of privacy policies, so those policies are now in place and renewed. And there is a directive now on social insurance numbers that is currently in place.

What we're calling phase two takes us from current until April 2009, and it will look at establishing a number of directives that are mandatory instruments under the policy. There will be a directive on the administration of the Privacy Act that will help departments understand how to actually manage the work they must do under this, and there will be a directive on privacy impact assessments. It's currently a policy, but we're changing it to simplify it and put it right under this area. It will also be done in this timeframe.

There is a privacy management directive, and a directive looking at the administration of the Access to Information Act. And there is work that we're doing—and now I'm into a bit of a broader sphere—on duty to assist, which is probably more on the Information Commissioner's side. That is an important piece of the dialogue that needs to take place between us and the Information Commissioner and the rest of the town. I describe that because it's part of an integrated plan, and there are a number of things under way right now with the team.

Charles Hubbard Liberal Miramichi, NB

Under the Access to Information Act, it seems that the press in fact were quite concerned recently when we decided to take this area of study instead of access to information. It appears, anyhow, that under the Access to Information Act the press and a great number of members of Parliament and the public are complaining that access to information has become a very complicated issue, and often the deadlines under the access to information program are not met.

In terms of your work, are you in any way impeding the work that is being done by that office, the Access to Information Office?

3:45 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

Mr. Chair, just to make sure I understand the question, in terms of our work we provide policy advice and support the administration of the program throughout the 250 institutions. A large component of that is the training and development of the ATIP personnel, the people who are on the ground answering those requests.

Our responsibility is to make sure that the community understands what their roles and responsibilities are.

As I'm sure you will appreciate, we have added 70 new institutions as well, which is quite important. We were 180 institutions, and we're now 250, so we've added a considerable number. We're putting a lot of effort into doing that, under both the Access to Information Act and the Privacy Act. We do our best to support the institutions in streamlining processes.

If I can just add to something that Mr. Cochrane mentioned earlier, about making it easier for institutions in some of the work we do, one of the big efforts that we have in our division is to put together InfoSource. That's a huge publication, and it's much larger now because we have all these new institutions. One of the things we're looking at is to make it much easier for institutions to do those updates. We're trying to facilitate their jobs by doing that.

As well, because we've grown to support the ATIP community, we have established call centres, and we have a website that we're using to facilitate the work that's done. We're doing everything in our power, within our responsibilities and within our roles, to support the community so that they can deliver the service, duty to assist being a big one that Mr. Cochrane mentioned.

Charles Hubbard Liberal Miramichi, NB

When you indicate this to this committee, in no way are the new guidelines or anything tied to the Federal Accountability Act impeding the problems that the Information Commissioner is having in getting his work done?

3:45 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

Impeding? Not at all. In fact, when we're doing the policy suite renewal work that we're doing we are in lockstep with both commissioners moving forward.

For example, we have a working group where there are two representatives from the Information Commissioner's office; we have an ADM committee, and there are representatives from the commissioner's office. We have bilateral meetings with them throughout that process, and that's access and privacy.

We're quite conscious when we do something that it supports the program, and we work with both commissioners.

The Chair Liberal Paul Szabo

Now we'll go to Madame Lavallée, s'il vous plaît.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Thank you, Mr. Chairman.

Thank you for enlightening us on how the Personal Information Protection Act is implemented. It's more that component that interests us, at least today. We would have preferred to study the Access to Information Act first.

Mr. Lemieux, you referred to the ATIP community, that is to say the access to information and privacy community. In concrete terms, are access to information officers the same as privacy officers?

3:45 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

In most cases, yes, although that depends on the institution. For example, a large institution may have one office for access to information and another for privacy. That way of doing things may be practical for a department with 20,000 employees, but, on the whole, the office of each institution combines access to information and privacy. There are benefits to that. The two acts are similar and must often be weighed, for example, when an exemption is sought for personal information.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

They are the same individuals.

May 1st, 2008 / 3:50 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

On the whole, yes.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

You're right: the Access to Information Act and the Privacy Act are like the Chinese yin and yang. For some people, however, they must make it hard to make decisions. For example, one senior official came here and had a lot of trouble providing information in response to an access to information request. She said that she herself is very concerned about the confidential nature of the information. She was the access to information coordinator.

It seems to me that having to handle two acts creates difficulties for officials. Wouldn't it be better to separate those duties? There are two commissioners. Why isn't it the same for the employees?

3:50 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

In different jurisdictions, that can operate differently. There are always advantages and disadvantages. I'm a former coordinator. So I've had—

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

—existential angst.

3:50 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

Yes, exactly. Some issues are quite difficult. As director general responsible for access to information and privacy, I can weigh the pros and cons. When I make a decision concerning access to information. I'm very much aware that it can have repercussions. It's really balanced. Without knowing the exact reason why the coordinator made that comment, I can say that certain decisions are difficult. We encourage those people to come and see us. There are also teams that can talk with their legal department. It's working quite well on the whole.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Are coordinators more inclined to censor information?

3:50 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

That's very hard to say without talking about a very specific case. Coordinators will understand their role and the exceptions they have to apply or what we call exclusions, like Cabinet confidences. The complaints mechanism of the Commissioner's office can be used. So if a coordinator's freedom of action is too restricted, in that case, the Commissioner will intervene in accordance with the act.

It's the same in the case of privacy. Where it really becomes confusing... In an ideal world, a file contains the personal information of a single person, but if it contains personal information on more than one person, that complicates matters.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Perhaps in most cases it's information that an access to information coordinator wants to protect, but that isn't necessarily personal.

You know the nature of the exclusions, including national security. For an official, isn't it more tempting to censor more rather than less? Unless it's a very sensitive file like the report on the human rights of Afghan prisoners, which rarely occurs, it seems to me that officials have to weigh matters quite a bit more in order to be sure of avoiding problems. However, if they side more with the public and are more inclined to provide it with the information, as the public is entitled, they may have problems.