Information & Ethics Committee on May 1st, 2008

Thank you very much, Mr. Chair, and good afternoon.

My name is Ken Cochrane, and I am the chief information officer of the Government of Canada.

Today, as the chair indicated, I am accompanied by Mr. Donald Lemieux, who is the executive director of the information and privacy policy division of the Treasury Board Secretariat, so the subject expert in this particular area within the secretariat.

I'd like to begin by thanking the committee for this opportunity to discuss the policy role that the Treasury Board Secretariat plays with respect to privacy across the Government of Canada. We have been invited by your committee to offer our knowledge of the policy on privacy protection and the privacy impact assessment policy, for which the Treasury Board Secretariat is the lead department. Therefore, I'd like to take a few minutes to provide an overview of the Treasury Board Secretariat's role in supporting the policy instruments we are responsible for.

First, it's important to note the shared responsibility of the Treasury Board Secretariat, the Department of Industry, and the Department of Justice in the area of privacy protection. In this respect, the policy on privacy protection and the privacy impact assessment policy are under the responsibility of the Treasury Board Secretariat. These two management policies support the Privacy Act. The Privacy Act itself falls under the responsibility of the Minister of Justice, and the Personal Information Protection and Electronic Documents Act, PIPEDA, which the Privacy Commissioner has previously discussed with the committee, is administered by the Minister of Industry.

Heads of institutions are responsible for ensuring that their organizations comply with management policy and legislative requirements.

So the President of the Treasury Board is the Minister designated under the Privacy Act with the responsibility for developing and issuing management policies and guidelines to ensure the effective administration of the act itself. The Treasury Board Secretariat supports the president in this role by developing policies and guidelines and by providing ongoing training and support to the access to information and privacy community in government.

It's important to note that the head of each institution is responsible for protecting personal information under their control and adhering to management policies and this legislation. Detailed information on privacy management policy instruments can be found in the manual that we have provided to the committee members.

I'd like to provide you with a little more information on the privacy policies that fall under the Treasury Board Secretariat's responsibility. As members of the committee may know, the government is going through an extensive renewal of its management policy suite, and this renewal includes our privacy policy instruments. There are two privacy policies issued by the President of the Treasury Board to support the Privacy Act itself: the policy on privacy protection, and the privacy impact assessment policy.

The policy on privacy protection replaces the former policy on privacy and data protection. It was recently revamped to reflect changes made through the Federal Accountability Act. This policy aims to ensure a number of things: first, that sound management practices are in place for the handling and protection of personal information; that clear decision-making and operational responsibilities are assigned within government institutions; that there is consistent public reporting through annual reports to Parliament, statistical reports, and the annual publication of Infosource, produced by the Treasury Board Secretariat; and that there is identification, assessment, and mitigation of privacy impacts and risks for all new or modified government programs and activities that use personal information.

The privacy impact assessment policy itself is the second management policy we are responsible for, and it was implemented in 2002. Privacy impact assessments assure Canadians that privacy principles are being taken into account when planning, designing, implementing, developing, and changing programs and services that raise privacy issues. The results of government privacy impact assessments are communicated to the Privacy Commissioner and to the public. We are currently reviewing this policy and we are working in close collaboration with the Office of the Privacy Commissioner on this matter. We expect our review will be completed within this fiscal year.

To go on with the role of other institutions, while the secretariat plays an important role in establishing policies and guidelines and providing guidance to the ATIP community, heads of government institutions are ultimately responsible for personal information under the control of their respective institutions. They are responsible for ensuring that their organizations comply with all the Treasury Board Secretariat's management policy requirements. And institutions are assessed annually on their compliance through MAF, the management accountability framework, which I am sure you are familiar with.

Specifically, for privacy-related management policy instruments, the responsibility of implementing requirements within institutions is generally delegated to ATIP coordinators within departments. Treasury Board Secretariat is the leader of the privacy community across government.

Given the importance of the mandate of the ATIP community, the Treasury Board Secretariat has adopted different measures to help federal institutions adhere to the policies regarding privacy. For example, Treasury Board Secretariat provides ongoing training to the ATIP community. We do this through a variety of means, such as developing training material and hosting training sessions to ensure members of the community are informed of the latest policy developments; by distributing guidance documents to ATIP practitioners; by holding regular community meetings to share issues of interest and best practices and advise the community of any changes to the policy; and by responding to questions from ATIP practitioners who require assistance and advice on the interpretation of our policies.

Finally, the Treasury Board Secretariat publishes the annual InfoSource bulletin that contains statistics of requests made under the Access to Information Act and the Privacy Act, and summaries of Federal Court cases of relevance to the interpretation of the acts.

Mr. Chairman and members of the committee, as you know, the government is strongly committed to the protection of individual privacy rights. Our policy instruments aim to support legislation that is passed through the House of Commons by parliamentarians on behalf of Canadians. These policy instruments are robust and are taken very seriously by government institutions. I'm confident that the privacy policies strengthen the rights of Canadians in regard to the sound protection of their personal information.

As this committee continues to study the Privacy Act, the Treasury Board Secretariat will await direction set in law by Parliament.

Mr. Chairman, this concludes my remarks. Mr. Lemieux and I would be very pleased to answer any questions from the committee.

With regard to section 71 of the Privacy Act, it basically divides the responsibilities when it comes to regulations. For example, you're looking at certain regulations the Treasury Board Secretariat would be responsible for.

With regard to, as you put it, the general state of the union when it comes to the Privacy Act, although it's one of the first pieces of legislation that's been around, it seems to have weathered the time to the extent that it is still vibrant. Certainly it's been supplemented by the Treasury Board Secretariat in the policy suite renewal exercise Mr. Cochrane referred to. The policy suite renewal in general is part of the action plan under the Federal Accountability Act in terms of strengthening some of the measures. For example, we added a number of institutions under the Privacy Act. Seventy institutions were covered under the Access to Information Act as a result of the FAA, but to do so we also had to cover those institutions under the Privacy Act.

It's maybe not as obvious, but if you look at the way the two acts hang together, the Access to Information Act and the Privacy Act, the definition of what is personal information is in the Privacy Act, so we had to include those institutions in the Privacy Act. So the span now covers approximately 250 institutions.

Mr. Lemieux may go into more detail, but his team is about 35 people overall. They support both the privacy elements and the access to information elements on both sides, so it's a mixed team supporting both of these areas. A lot of that, of course, is supporting, as I was indicating, training and answering a lot of questions from the community, in addition to developing many of the instruments and the policy instruments.

Maybe I'll start that, and once again I may turn to Mr. Lemieux.

We've broken the role out of the policy work, and it's all part of policy suite renewal, as I'm sure you're well aware. A big part of policy suite renewal was to simplify policy so departments could execute it much more effectively.

In phase one--which really just ended in April 2008, so we had a very tight timeframe--we renewed the access to information and protection of privacy policies, so those policies are now in place and renewed. And there is a directive now on social insurance numbers that is currently in place.

What we're calling phase two takes us from current until April 2009, and it will look at establishing a number of directives that are mandatory instruments under the policy. There will be a directive on the administration of the Privacy Act that will help departments understand how to actually manage the work they must do under this, and there will be a directive on privacy impact assessments. It's currently a policy, but we're changing it to simplify it and put it right under this area. It will also be done in this timeframe.

There is a privacy management directive, and a directive looking at the administration of the Access to Information Act. And there is work that we're doing—and now I'm into a bit of a broader sphere—on duty to assist, which is probably more on the Information Commissioner's side. That is an important piece of the dialogue that needs to take place between us and the Information Commissioner and the rest of the town. I describe that because it's part of an integrated plan, and there are a number of things under way right now with the team.

Mr. Chair, just to make sure I understand the question, in terms of our work we provide policy advice and support the administration of the program throughout the 250 institutions. A large component of that is the training and development of the ATIP personnel, the people who are on the ground answering those requests.

Our responsibility is to make sure that the community understands what their roles and responsibilities are.

As I'm sure you will appreciate, we have added 70 new institutions as well, which is quite important. We were 180 institutions, and we're now 250, so we've added a considerable number. We're putting a lot of effort into doing that, under both the Access to Information Act and the Privacy Act. We do our best to support the institutions in streamlining processes.

If I can just add to something that Mr. Cochrane mentioned earlier, about making it easier for institutions in some of the work we do, one of the big efforts that we have in our division is to put together InfoSource. That's a huge publication, and it's much larger now because we have all these new institutions. One of the things we're looking at is to make it much easier for institutions to do those updates. We're trying to facilitate their jobs by doing that.

As well, because we've grown to support the ATIP community, we have established call centres, and we have a website that we're using to facilitate the work that's done. We're doing everything in our power, within our responsibilities and within our roles, to support the community so that they can deliver the service, duty to assist being a big one that Mr. Cochrane mentioned.

Impeding? Not at all. In fact, when we're doing the policy suite renewal work that we're doing we are in lockstep with both commissioners moving forward.

For example, we have a working group where there are two representatives from the Information Commissioner's office; we have an ADM committee, and there are representatives from the commissioner's office. We have bilateral meetings with them throughout that process, and that's access and privacy.

We're quite conscious when we do something that it supports the program, and we work with both commissioners.

In most cases, yes, although that depends on the institution. For example, a large institution may have one office for access to information and another for privacy. That way of doing things may be practical for a department with 20,000 employees, but, on the whole, the office of each institution combines access to information and privacy. There are benefits to that. The two acts are similar and must often be weighed, for example, when an exemption is sought for personal information.

On the whole, yes.

In different jurisdictions, that can operate differently. There are always advantages and disadvantages. I'm a former coordinator. So I've had—

Yes, exactly. Some issues are quite difficult. As director general responsible for access to information and privacy, I can weigh the pros and cons. When I make a decision concerning access to information. I'm very much aware that it can have repercussions. It's really balanced. Without knowing the exact reason why the coordinator made that comment, I can say that certain decisions are difficult. We encourage those people to come and see us. There are also teams that can talk with their legal department. It's working quite well on the whole.

That's very hard to say without talking about a very specific case. Coordinators will understand their role and the exceptions they have to apply or what we call exclusions, like Cabinet confidences. The complaints mechanism of the Commissioner's office can be used. So if a coordinator's freedom of action is too restricted, in that case, the Commissioner will intervene in accordance with the act.

It's the same in the case of privacy. Where it really becomes confusing... In an ideal world, a file contains the personal information of a single person, but if it contains personal information on more than one person, that complicates matters.

Once again, I can only talk about my experience. I can say that it was helpful to play both roles. When I explained to senior management officials their responsibilities under both acts in a specific case, I was well equipped to do so.

There definitely can be more difficult cases, but the act has been around for 25 years, and I think that it's working quite well on the whole.

Meaning that the two acts being under—

I don't think so, because fundamentally we're looking at the Privacy Act, which is with the Department of Justice, and the Access to Information Act, which is with the Department of Justice. PIPEDA, which really focuses outside of government, is with Industry Canada, and I believe that's a rational place for it to be. And we sit in the centre looking inside the government, so I don't think we have any difficulties there.

Really what we're looking at, then, is this. Here is the act; it's been established in legislation. The people in the Treasury Board Secretariat in the different policy areas—so in ours in this particular case—take that legislation or that act and interpret it in terms of what the actual administrative rules will be. So we do some translation of that so departments can act appropriately according to the act.

We provide that to departments along with.... So when we say “support”, it goes all the way from not only providing it, but publishing it, providing tools, easy access tools, training, and a help desk.

I'm just going to just turn that over to Mr. Lemieux.

First of all, I think I mentioned we just got the recommendations....

Not to the extent that I think I understand from your question. When I look at these recommendations, at the outset I need clarity about what exactly they are getting at. I think we're still at the discovery stage in terms of the scope. I know there were a few that were specifically mentioned, such as Madam Stoddart mentioned about the Treasury Board Secretariat and some of the stuff we've done already in policy.

It's an interesting space for us, because some of it is in the act, and that's the prerogative of Parliament to make decisions on what they want to incorporate.

But where we spend our time with the commissioners--and we have a good relationship with the commissioners because of our role--is looking at the practicality of a decision that might go into a piece of legislation. If we do that, it may sound good, but is it practical? Can the community manage it effectively? From that perspective, there's likely a role we could play in providing feedback.

They are a mandatory requirement because we've established that as a directive under management policy for the Government of Canada. The reason I say they are mandatory is that these instruments the secretariat has put in place are mandatory for heads of institutions to follow. In addition, as you well know, we determine whether they're following them through vehicles such as the management accountability framework. So we look very closely at their compliance.

Maybe I could address that, Mr. Chairman.

If a government institution is on a project that has privacy implications, then they would first prepare a privacy impact assessment--a quick review that will service any privacy issues. Obviously there are files that would immediately suggest that, so they ask some basic questions. Then they will consult the Privacy Commissioner so the Privacy Commissioner is immediately engaged in the privacy issues related to that specific program.

We are working with the Privacy Commissioner and departments right now on how to make it better. The policy came into effect in 2002, and we're looking at a more streamlined process. We want to avoid any delays. We want to be much more efficient in doing these privacy impact assessments and developing templates--that useful tool that institutions will need to help identify, for example, horizontal issues.

Because of the nature of the mandate of the policy suite renewal, it's limited to the policy realm. And again, we are working in lockstep with the commissioner on this.

We understood that requirement was suggested. It is in fact a requirement of the current policy. Mr. Lemieux is just pulling out that piece; perhaps you want to refer to it. I think it will answer the question. But it is well understood by departments that they must follow through on that step initially.

Just in general terms. It's in chapter 2-2. We provided the committee with a binder that has the guidelines. I appreciate that there's quite a bit.... It says something about the information that we give our ATIP community, I guess. So it's chapter 2-2, page 1. It says:

The legislation states that government institutions shall not collect personal information unless it relates directly to an operating program or activity. The policy requires that institutions have administrative controls....

It goes further. The policy requires that institutions have administrative controls in place to ensure they do not collect any more information than is required. And it goes on.

So there is already something in the policy in addition to the legislation, and again, as Mr. Cochrane mentioned, policy is binding on these government institutions to limit the collection of personal information when they're starting off on a new program.

I haven't had a discussion, nor have any of our officials, on why they feel that it should be there. Perhaps she's looking at other jurisdictions, or she's had discussions. I really can't say.

I should just clarify. They're policy requirements.

It's binding on every institution, all 250 now, to do that.

I think the way the mechanism is done--the watchdog, the mechanism, the framework that was set up in the legislation.... There is what they call the four-to-eight. The Privacy Commissioner has audit powers, and she and her staff can come in and do an audit of whether or not they're managing four-to-eight. That's on the collection--which is what I referred to--and the use and disclosure of personal information. So the way the regime in the act was structured is that the commissioner, who has audit powers, can go in there. It can be done also based on a complaint from an individual that it's not being done properly.

So that is the mechanism. The act did not set up a situation where both Treasury Board and the Privacy Commissioner would have the same role of auditing. They specifically gave the Privacy Commissioner those audit roles, subject to, of course, complaints by individuals, which I mentioned.

Unfortunately, I'm not an expert on PIPEDA because it's Industry Canada legislation. It's not the legislation I work with. I want to be quite frank with you that I'm not the expert to be able to do that. But the regime that they set up in PIPEDA is different from what's in the Privacy Act. I can't really evaluate it. That would require a detailed study. I'd hesitate to do so without having done that.

Again, Mr. Chairman, I haven't had the benefit of the exact context in which she said that. She may have seen that.... I'm not even aware that she's reported on that in an annual report, although she may have.

I have no particular knowledge that there's a shortfall there or that there's something she has observed. Certainly, as I said, we have regular meetings. There's nothing specific that has been brought to my attention to say that is an issue--and I tend to have regular meetings.

Mr. Lemieux will correct me, I'm sure, but I'm thinking that when we look at this, part of it is that the privacy impact assessment to some degree marries in with this process. So although you're collecting information, part of it is impacting it, and that's a very transparent process. A report is produced, a serious assessment is done. It is published on their website. It is made available to the commissioner. That's a very public part of the process, and I believe that's done as they establish any new information holdings.

One thing that I might add that I probably should have mentioned earlier is the tie-in it has with the InfoSource. That's the publication I referred to. I always say it's one of the most important parts of the legislation, because you can have all the rights you want, but if you don't know what type of information the government holds on you, then it's a sort of hollow right. In InfoSource there are what they call “personal information banks”, and there is a lawful responsibility on behalf of the heads of the institutions to describe their personal information banks. So that's the transparency element that the public will be able to see.

That's a very good question.

It's one of the challenges of the role of CIO. There are a number of different groups within the CIO branch of Treasury Board Secretariat. Mr. Lemieux has the privacy and access to information people. We have a group that focuses on what we call enterprise architecture. We have another group that focuses on information management. You can see very quickly that there are overlapping and complementary elements.

The people who look at enterprise architecture draw a map of what the government looks like. They look at whether there is common information and try to create a map so that when we move forward and add new systems, processes, or programs, there's a good understanding of the ability to reuse and affect information that already exists. That's a very important discipline and one that we follow very closely. They work in close cooperation with Mr. Lemieux's area.

The information management people, on the other hand, develop basic models of what information should look like in government. If we hold human resources information in 60 different institutions, we should follow a standard. And if we're looking at geomatics information, it should follow a standard so we can look at it in a coherent fashion and understand it overall. I think that really supports the work Mr. Lemieux does as people change information or modify information. It allows us to look at things holistically.

One of our most important assignments in the chief information officer branch is to establish standards for government operations. When you're in unique business lines, that's fine. But when you're in business lines where information crosses over, we establish common standards so we can understand the information much more effectively.

This is where privacy starts to drift into security. We also have the security policy for the Government of Canada. When we look at security, I'd say there are three main areas. One is the physical security of our buildings and facilities. The second is personnel security and screening, because those are all factors in the loss of information. The third is IT security. That whole policy area really deals with that.

When you look at IT security, specifically, first of all, you want to make sure your facility is sound. The security policy with respect to facilities very much deals with how you need to secure a facility so that people can't go in and take things.

In the case of laptop computers and mobile computing, the information technology security part deals with the way you need to store information if you are going to be mobile. There are very specific rules in place as to what should be on mobile equipment. If it's there, you need to encrypt it and protect it.

If you're using mobile equipment to gain access to government, there are very specific rules on how you need to access government services through secure channels and secure networks. There's a lot of regulation within government to control all those elements.

This falls within the broader space of policy suite renewal. Before we began the exercise on policy suite renewal, the Government of Canada had a whole series of management policies that departments needed to follow. I believe that the number of management policies when we began the review was about 180. Our sense was that this was a very large number of rules for departments to try to follow. As we've gone in, we've tried to collapse and combine things, as much as possible, into logical chunks. We've reduced the 180 policies to about 44.

In this particular case, we had two separate policies. One was on PIAs, privacy impact assessments, and one was on privacy. We've put them together, because they logically fit together. This is not so much reassessing the privacy impact assessment itself as it is putting it in the family. As we put it under the umbrella so it's easier for departments to use, we'll work with the Privacy Commissioner to make sure the process for privacy impact assessments is most logical.

I wasn't here when Ms. Stoddart made that comment. I don't know under what circumstances she made it.

In fact, under the act itself and the policy, there are restrictions on departments that want to disclose... There are rules, under the policy and the act itself, for departments wishing to disclose personal information.

If I correctly understood the example she gave, this is a photograph that—

I think I understand now.

In fact, she would like there to be greater understanding of the statistics and an annual report to Parliament. One of the things I mentioned about the Accountability Act is that the Treasury Board President was specifically mandated to gather statistics, which we were doing in any case, as part of our role.

Obviously, we haven't restricted ourselves to our discussions with the Office of the Information Commissioner; we also have discussions with the Privacy Commissioner.

For the moment, as part of our role, we're exploring the possibility of adding it to the policy and of working with the Commissioner's office to try to reinforce certain areas.

That field is shared with Service Canada. We are responsible for monitoring government institutions with regard to social insurance numbers.

I would like to emphasize that a social insurance number is also a piece of personal information. However, the Privacy Act makes no mention of social insurance numbers. In 1988, I believe, we issued a policy on that matter. Social insurance numbers are such important pieces of personal information that we established a policy in an attempt to control them.

The directive itself provides that institutions must restrict that use in accordance with their mandate. Our website provides a list of statutory reasons for which social insurance numbers can be used, as well as the programs that are authorized.

If I may supplement that, I think that will answer your question. In some cases, there may be programs or acts as a result of which there may be a sharing with other sectors. That's provided for in the agreements between the departments and—

In the private sector, SIN numbers are considered a piece of personal information. They should therefore be protected. Regardless of whether it's DNA or whatever, it's protected in the same way. Unfortunately, there may be cases in which personal information—SIN numbers or other items—may be disclosed. As Mr. Cochrane said, the aim is to protect them as far as possible.

Yes.

I mentioned that there are agreements between the departments and the private sector. It's the same thing for the banks. At Revenue Canada, for certain provisions, the banks must have access to social insurance numbers. That's protected in the private sector by PIPEDA. Those institutions are governed by that act at the federal level. There are comparable acts in other provinces and territories, where that information is protected as personal information. On the one hand, it all makes sense.

For us, the SIN is a number that was created by the federal government. In the private sector, as a result of agreements with the departments, or programs or acts, businesses have that number. It's protected at the federal level by PIPEDA and by a provincial statute such as the Ontario—

Do you mean with regard to identity theft?

No criminal penalties are provided for in the policies, whether it's ours or that of Service Canada.

That's not my field, the field of the policy—

You're talking about a theft, a crime. That's a justice matter. If someone steals an identity or does something illegal with personal information belonging to someone else, I would say that is more of a Criminal Code matter. The RCMP or the police would conduct an investigation, if there was a theft or some form of abuse. That's straying a little from my area of responsibility.

I believe Mr. Cochrane would like to add something regarding identity theft.

May I answer in English?

In the area you're talking about, if there were to be sanctions or whatever, PIPEDA needs to deal with that with respect to private industry. As Mr. Lemieux says, it's a criminal matter when information is stolen, so we're into the criminal side of this process.

Identity is an area we're also engaged in on behalf of the Government of Canada. It's a new area. Different institutions determine the information required to verify that you are who you say you are and I am who I say I am. We're working collectively on identity standards across the country, with all the jurisdictions. We're also speaking to the banks and others about identity standards. Is my social insurance number, my driver's licence, and my passport sufficient to identify me? It's an area we're very active in right now. I don't have a solid answer. I can't tell you three things we'll accept.

It's all part of registering and establishing the person. We're a little outside of our discussion here. But registering and establishing a person is the most important part of the process. As an institution, you need to determine that you're satisfied that this is Mr. Lemieux. Once you've done that, we have tools we will put in place as part of identity management.

I agree. It's a leading-edge area for all of us: the Americans, the British, the banks, and everyone else. It's an area we're very active in. The possibility exists that we will put some controls in place. From a policy perspective, what that means in terms of legislation--

You'd be happy if she didn't.

Like so many of these things, it cuts across a bunch of areas. If you're talking about federal public servants, you already have some human resources issues if someone is mishandling information. Employees have clearances so that they can handle information at a certain level. It breaks down into Protected A, Protected B, Protected C, Secret, Top Secret, and that kind of thing. As an employee, you're limited in what you have access to. If you don't have access to that information, or you shouldn't have access and you do, then perhaps there's a sanction from a human resources perspective.

There are also various disciplinary measures. If someone has access who has committed an offence, we're looking at the Criminal Code.

Absolutely. It cuts across security, privacy. If there's a breach, it's a Criminal Code offence. It could be a number of things.

There is policy around the use of electronic networks, which really allows people to have access to systems and so on, so there are very strict policies.

Mr. Chair, there are a couple of things I'd mention on that front.

First of all, there's the work we did at the Treasury Board Secretariat going back a couple of years now, maybe three years, on the U.S.A. Patriot Act. There had been a complaint in B.C. regarding some employees, and the federal government became engaged because we were talking about the transfer of personal information. We got involved, our division got involved—because of its policy role in terms of sharing personal information—in developing some tools, some guidelines for government institutions when it comes to contracting and sharing information. We worked very closely with the Privacy Commissioner, and we issued a report, I believe just over a year ago maybe—years seem to come and go pretty quickly here—called Privacy Matters, in which we gave pretty solid policy direction on what should be done.

We're also working on additional guidelines and advice on transborder data flow. We've actually shared a document with the Privacy Commissioner on issuing guidelines on that, and we're still going back and forth. It's obviously an area that's sensitive, and I think everyone's aware of that, so we're just trying to be as careful as we can.

No, Privacy Matters.

Yes, it's up on our website.

It deals with the contract provisions. It's exactly one of those tools departments find useful because it has templates, tools. If you're issuing a contract, and you're dealing with a certain level of—

Yes, it's very much a how-to.

If you're outsourcing something, it suggests how you need to word the contract to protect Canadian information that might be held by the outsourcer.

It was very well received in that regard, I think.

It was just following up on some questions you've already had, I think, from Mr. Hubbard and Mr. Wallace, and just sort of tightening it.

You said you haven't had much opportunity to look over the document that the Privacy Commissioner prepared, and that's sort of setting the framework for what this committee is doing in terms of its study. So it might be really helpful if the committee were able to get something back from you in response to those recommendations, particularly the recommendations dealing with putting into the act existing Treasury Board policies.

That's fair.

I just want to comment on one aspect of it. We do work very closely with both commissioners for the very reason that we want to make sure that the legislation or the policy is well implemented in departments. And on a few things you made note of--I think on the privacy impact assessment--we know there's a horrendous backlog with the Privacy Commissioner. These are areas where, regardless of funding, we're trying to work together to break that backlog by doing things differently.

I think your resources are always a factor for all of us, but we have to look at ways to be more efficient. So there are ideas we've worked on together to try to reduce the load that arrives at their door. We'll play a different role; we'll put more responsibility on departments. I think there's a balance between adding resources and trying to improve the flow of information and to change the process and simplify it for departments and to simplify it for us and the commissioners. This would be true with both commissioners.

Thank you, Mr. Chair.

The next committee meeting will be Tuesday, May 6, when we have the Canadian Internet Policy and Public Interest Clinic. They will be accompanied—we're waiting for final confirmation that this is going to happen—by the Canada Border Services Agency.

Next Thursday, May 8, we have a man who wore many hats, including the first Privacy and Information Commissioner of British Columbia, Mr. David Flaherty.

The following Monday, which is the 13th, we have asked for the RCMP, CSIS, and the CSE.

On the 15th, which is the Thursday, we have Mr. Paul Comeau and Professor Michael Geist, who are, as you may have seen, on the Office of the Privacy Commissioner's advisory panel on reform of the Privacy Act.

Then there is a break in May. After the break, we have scheduled for May 27, which is a Tuesday, the minister with his officials from the Department of Justice. We're still working on the 29th, and tentatively we have scheduled the Canadian Bar Association for June 3. That Thursday may be the last sitting of the committee if the House follows the parliamentary calendar.

So that's where we are right now, Mr. Chair.