Evidence of meeting #31 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was institutions.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Ken Cochrane  Chief Information Officer, Treasury Board Secretariat
Donald Lemieux  Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat
Nancy Holmes  Committee Researcher
Clerk of the Committee  Mr. Richard Rumas

3:50 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

Once again, I can only talk about my experience. I can say that it was helpful to play both roles. When I explained to senior management officials their responsibilities under both acts in a specific case, I was well equipped to do so.

There definitely can be more difficult cases, but the act has been around for 25 years, and I think that it's working quite well on the whole.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

How much time do I have left, Mr. Chairman?

The Chair Liberal Paul Szabo

You have 30 seconds.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Thank you very much.

The Chair Liberal Paul Szabo

Mr. Wallace.

3:55 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

Thank you, Mr. Chair.

And thank you, gentlemen, for joining us today. I'll try to go fairly quickly through my questions.

In your presentation you talked about shared responsibility: the Privacy Act is the Department of Justice, PIPEDA is Industry Canada, the Treasury Board is another. Would it be better to be all under one ministry? Are you able to give us that kind of response? Does it cause any difficulties from an administrative point of view at the bureaucratic level?

3:55 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

Meaning that the two acts being under—

3:55 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

We've really got three departments. You even mention here that you've got three areas that are responsible for different things. Do you have any issue with that?

3:55 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

I don't think so, because fundamentally we're looking at the Privacy Act, which is with the Department of Justice, and the Access to Information Act, which is with the Department of Justice. PIPEDA, which really focuses outside of government, is with Industry Canada, and I believe that's a rational place for it to be. And we sit in the centre looking inside the government, so I don't think we have any difficulties there.

3:55 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

Okay, I appreciate that.

You say the Treasury Board Secretariat provides management policy support to the Privacy Act. When you say “support”, what do you mean by that? Does that mean that if I have a problem and I'm working in another department, I call you and you give me advice? Or do you provide manuals on how to do things? What do you mean by “support”?

3:55 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

Really what we're looking at, then, is this. Here is the act; it's been established in legislation. The people in the Treasury Board Secretariat in the different policy areas—so in ours in this particular case—take that legislation or that act and interpret it in terms of what the actual administrative rules will be. So we do some translation of that so departments can act appropriately according to the act.

3:55 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

And you provide that to the departments.

3:55 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

We provide that to departments along with.... So when we say “support”, it goes all the way from not only providing it, but publishing it, providing tools, easy access tools, training, and a help desk.

3:55 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

So you're used to doing it all the time on the support side.

The Privacy Commissioner has presented us with some suggestions in terms of improvements, and I think there are ten or eleven recommendations. As a group we're working on this. From the Treasury Board point of view, should that come from the President of the Treasury Board in terms of suggestions for changes, or have you as the administrative staff on this looked at things you'd like to recommend to this committee on changes to the Privacy Act to make it easier for you to do your job or to support the system?

3:55 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

I'm just going to just turn that over to Mr. Lemieux.

3:55 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

First of all, I think I mentioned we just got the recommendations....

3:55 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

From her, I know, but have you, as the Treasury Board, been looking at this at all from the point of view that during this review, which may last a few weeks...? Who would we call on from the Treasury Board to say “Okay, you guys support this. You see where the rubber hits the road on these issues, often, in your support groups. Do you have suggestions for us?” Has that process taken place in the Treasury Board?

3:55 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

Not to the extent that I think I understand from your question. When I look at these recommendations, at the outset I need clarity about what exactly they are getting at. I think we're still at the discovery stage in terms of the scope. I know there were a few that were specifically mentioned, such as Madam Stoddart mentioned about the Treasury Board Secretariat and some of the stuff we've done already in policy.

3:55 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

So you'd be comfortable, then, if we gave you some time and called you back? Would you be able to look at that in the next month or so? Is this a political thing, or are we okay in asking you what you think?

3:55 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

It's an interesting space for us, because some of it is in the act, and that's the prerogative of Parliament to make decisions on what they want to incorporate.

But where we spend our time with the commissioners--and we have a good relationship with the commissioners because of our role--is looking at the practicality of a decision that might go into a piece of legislation. If we do that, it may sound good, but is it practical? Can the community manage it effectively? From that perspective, there's likely a role we could play in providing feedback.

3:55 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

That's a perfect segue to the area I wanted to talk about today, which I probably only have a couple of minutes left to do. With respect to the privacy impact assessment reports that now exist but are not part of legislation, would you consider them voluntary, or are they a requirement but not legislatively required?

May 1st, 2008 / 4 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

They are a mandatory requirement because we've established that as a directive under management policy for the Government of Canada. The reason I say they are mandatory is that these instruments the secretariat has put in place are mandatory for heads of institutions to follow. In addition, as you well know, we determine whether they're following them through vehicles such as the management accountability framework. So we look very closely at their compliance.

4 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

So the head of the department does this privacy assessment when there's a change in the program, or a new program. What happens to that information for that report? Does that reside with TB? Does it stay with their department? What actually happens with that information? And if you're not happy with it in terms of following the Privacy Act, based on your interpretation, what's the recourse? What happens to these reports?

4 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

Maybe I could address that, Mr. Chairman.

If a government institution is on a project that has privacy implications, then they would first prepare a privacy impact assessment--a quick review that will service any privacy issues. Obviously there are files that would immediately suggest that, so they ask some basic questions. Then they will consult the Privacy Commissioner so the Privacy Commissioner is immediately engaged in the privacy issues related to that specific program.

We are working with the Privacy Commissioner and departments right now on how to make it better. The policy came into effect in 2002, and we're looking at a more streamlined process. We want to avoid any delays. We want to be much more efficient in doing these privacy impact assessments and developing templates--that useful tool that institutions will need to help identify, for example, horizontal issues.

4 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

Have you been discussing in these meetings the need for it to be legislated or not?