Information & Ethics Committee on May 1st, 2008

We understood that requirement was suggested. It is in fact a requirement of the current policy. Mr. Lemieux is just pulling out that piece; perhaps you want to refer to it. I think it will answer the question. But it is well understood by departments that they must follow through on that step initially.

Just in general terms. It's in chapter 2-2. We provided the committee with a binder that has the guidelines. I appreciate that there's quite a bit.... It says something about the information that we give our ATIP community, I guess. So it's chapter 2-2, page 1. It says:

The legislation states that government institutions shall not collect personal information unless it relates directly to an operating program or activity. The policy requires that institutions have administrative controls....

It goes further. The policy requires that institutions have administrative controls in place to ensure they do not collect any more information than is required. And it goes on.

So there is already something in the policy in addition to the legislation, and again, as Mr. Cochrane mentioned, policy is binding on these government institutions to limit the collection of personal information when they're starting off on a new program.

I haven't had a discussion, nor have any of our officials, on why they feel that it should be there. Perhaps she's looking at other jurisdictions, or she's had discussions. I really can't say.

I should just clarify. They're policy requirements.

It's binding on every institution, all 250 now, to do that.

I think the way the mechanism is done--the watchdog, the mechanism, the framework that was set up in the legislation.... There is what they call the four-to-eight. The Privacy Commissioner has audit powers, and she and her staff can come in and do an audit of whether or not they're managing four-to-eight. That's on the collection--which is what I referred to--and the use and disclosure of personal information. So the way the regime in the act was structured is that the commissioner, who has audit powers, can go in there. It can be done also based on a complaint from an individual that it's not being done properly.

So that is the mechanism. The act did not set up a situation where both Treasury Board and the Privacy Commissioner would have the same role of auditing. They specifically gave the Privacy Commissioner those audit roles, subject to, of course, complaints by individuals, which I mentioned.

Unfortunately, I'm not an expert on PIPEDA because it's Industry Canada legislation. It's not the legislation I work with. I want to be quite frank with you that I'm not the expert to be able to do that. But the regime that they set up in PIPEDA is different from what's in the Privacy Act. I can't really evaluate it. That would require a detailed study. I'd hesitate to do so without having done that.

Again, Mr. Chairman, I haven't had the benefit of the exact context in which she said that. She may have seen that.... I'm not even aware that she's reported on that in an annual report, although she may have.

I have no particular knowledge that there's a shortfall there or that there's something she has observed. Certainly, as I said, we have regular meetings. There's nothing specific that has been brought to my attention to say that is an issue--and I tend to have regular meetings.

Mr. Lemieux will correct me, I'm sure, but I'm thinking that when we look at this, part of it is that the privacy impact assessment to some degree marries in with this process. So although you're collecting information, part of it is impacting it, and that's a very transparent process. A report is produced, a serious assessment is done. It is published on their website. It is made available to the commissioner. That's a very public part of the process, and I believe that's done as they establish any new information holdings.

One thing that I might add that I probably should have mentioned earlier is the tie-in it has with the InfoSource. That's the publication I referred to. I always say it's one of the most important parts of the legislation, because you can have all the rights you want, but if you don't know what type of information the government holds on you, then it's a sort of hollow right. In InfoSource there are what they call “personal information banks”, and there is a lawful responsibility on behalf of the heads of the institutions to describe their personal information banks. So that's the transparency element that the public will be able to see.

That's a very good question.

It's one of the challenges of the role of CIO. There are a number of different groups within the CIO branch of Treasury Board Secretariat. Mr. Lemieux has the privacy and access to information people. We have a group that focuses on what we call enterprise architecture. We have another group that focuses on information management. You can see very quickly that there are overlapping and complementary elements.

The people who look at enterprise architecture draw a map of what the government looks like. They look at whether there is common information and try to create a map so that when we move forward and add new systems, processes, or programs, there's a good understanding of the ability to reuse and affect information that already exists. That's a very important discipline and one that we follow very closely. They work in close cooperation with Mr. Lemieux's area.

The information management people, on the other hand, develop basic models of what information should look like in government. If we hold human resources information in 60 different institutions, we should follow a standard. And if we're looking at geomatics information, it should follow a standard so we can look at it in a coherent fashion and understand it overall. I think that really supports the work Mr. Lemieux does as people change information or modify information. It allows us to look at things holistically.

One of our most important assignments in the chief information officer branch is to establish standards for government operations. When you're in unique business lines, that's fine. But when you're in business lines where information crosses over, we establish common standards so we can understand the information much more effectively.