Evidence of meeting #32 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session.

Also speaking

Philippa Lawson  Director, Canadian Internet Policy and Public Interest Clinic
Clerk of the Committee  Mr. Richard Rumas
Paul Colpitts  Director, Access to Information, Privacy and Disclosure Policy Division, Canada Border Services Agency
Caroline Melis  Director General, Intelligence Directorate, Enforcement Branch, Canada Border Services Agency
Janet Rumball  Director of Outreach and Consultation, Western Hemisphere Travel Initiative and Innovation, Science and Technology Branch, Canada Border Services Agency

3:35 p.m.

The Chair Liberal Paul Szabo

Good afternoon, colleagues.

Pursuant to Standing Order 108(2), on our study of the Privacy Act reform, today we have two witnesses. Our first witness, from the Canadian Internet Policy and Public Interest Clinic, is Philippa Lawson, director.

Welcome, Philippa. You have a good reputation before this committee. As you know, the committee is addressing the Privacy Act, not in terms of a comprehensive review but at this point in consideration of certain recommendations posed to us by the commissioner herself and any other observations or recommendations for amendments that are significant and vital to ensure that we have the best possible situation within the existing framework of the act. As I indicated to you, a more comprehensive review would take much more time than we have before we break for the summer, but the committee is quite interested in following up on this. This is maybe our interim attempt to identify some possible amendments on a discrete basis throughout the act, and we do have a number.

I understand you do have an opening statement for us. I can assure you that the members have lots of very good questions. This is a very important aspect of the Privacy Act.

Welcome, and I invite you to make your opening comments now.

3:35 p.m.

Philippa Lawson Director, Canadian Internet Policy and Public Interest Clinic

Thank you, Mr. Chair.

Bonjour, honourable members, and thank you for the invitation to appear.

I'm pleased to hear that it is the intention of this committee to undertake a full and thorough review of the Privacy Act. That was to be my first and main submission today, that you should not leave this matter at just a few quick fixes that you're able to get in before the summer break.

Government has a special trust relationship with the citizenry. The federal government in particular collects, uses, and discloses often highly sensitive personal information about individuals, who for the most part have no choice in the matter. They are required to hand over the information and must trust the government to protect it from abuse.

In the context of the ever-increasing threats to privacy from new technologies, we feel it's critical that the federal government has a strong legislative framework governing its use and disclosure of personal data. In our view, the Privacy Act fails to do this job.

You recently undertook a thorough review of the private sector data protection legislation, in which I participated. I think you are very well placed to now do the same with the public sector legislation, which as you know is much, much older and in more need of review, quite frankly. We would therefore urge you to undertake a full review of the Privacy Act this fall, with a view to recommending amendments by the end of 2008 if possible.

I have reviewed the Privacy Commissioner's submissions, both the June 2006 report and the more recent addendum and submission to this committee. I think you have a very nice road map there to the reforms needed in order to bring the Privacy Act into the 21st century. We agree with most of the Privacy Commissioner's recommendations for reform.

We have not undertaken a thorough review of the Privacy Act, and we're not in a position to provide you with a thorough set of recommendations. In any case, I understand that's not your intention at this point in time. We have instead focused on some of the deficiencies of the act that have come to the attention of the clinic in our work, either on behalf of individual Canadians with particular complaints, or in our research on issues such as identity theft, security breaches, the practices of federal administrative tribunals and agencies in posting personal information online, and many other issues.

I have submitted a written brief, which I just completed this morning. And I apologize; it is in English only. I have provided copies in English only--again my apologies, particularly to the French-speaking members of this committee. I understand it will be translated and circulated to all of you.

We've made a number of specific recommendations for legislative reform in that brief submission, and I'll touch on a few of them now.

We've divided the recommendations into categories. The first area in great need of reform is transparency and accountability. The act is clearly designed to achieve a certain level of transparency and accountability, but we found in our research, for example, that we're simply unable to determine the extent to which the federal government is collecting, using, and disclosing personal information, particularly in the context of national security and transborder data sharing. The Privacy Act allows government bodies to share personal information about Canadians with foreign states for purposes that could be at odds with fundamental purposes of democracy and justice, without even the limited transparency that would be achieved, for example, through requirements that such agreements with foreign states be in writing, be authorized by legislation.

So one of our first points under transparency is that subsection 8(2) of the act be amended to require that information sharing agreements and arrangements with foreign states or entities be in writing, be authorized by an act of Parliament, and be listed in a regulation under the Privacy Act.

We are also suggesting that subsection 8(2) be amended to require the government to notify citizens of new uses and disclosures not originally contemplated when the information was originally collected—except, obviously, in appropriate cases.

We agree entirely with the Privacy Commissioner that the annual reporting requirements of government agencies under section 72 need to be strengthened and expanded so that Canadians and organizations such as mine, which represent Canadians, can find out what is going on behind the scenes and hold the government accountable for its obligations under this act.

Finally, we agree that section 63 of the act should be amended to permit the Privacy Commissioner to disclose information about government information handling practices in the public interest—and not just do so in her annual report.

Another category related to this issue of transparency is protecting Canadians from abusive treatment by foreign entities, and foreign governments in particular. We've had a number of complaints and concerns raised with us at the clinic, particularly about the USA Patriot Act and the right of U.S. government law enforcement agencies under that act to secretly access data about anyone held by private corporations in their customer databases, for example.

So we believe the federal government should be looking at standards, first of all, the kinds of standards Europe and Quebec have adopted, which require adequacy, or at least comparable protection, of foreign laws before the government will allow the transfer of data to those foreign jurisdictions.

Another approach is simply to require that the government institutions disclosing personal data to foreign entities take measures to identify the purpose for which the data are being disclosed, and limiting, by way of contract or otherwise, the subsequent use of the data by the foreign entity to that particular purpose.

We are also recommending that the government consider legislating additional protections, such as those adopted by the British Columbia government, to specifically block direct access by the FBI, for example, in the United States, or by other foreign government agencies, to the personal data about Canadians that this government has outsourced to private corporations.

In this area we're also recommending that paragraph 8(2)(c) be amended to clarify that it applies only to Canadian courts. This paragraph is an exception to the rule of disclosure with consent, and it allows for disclosure

“for the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information”.

It doesn't say, “Canadian court, person or body”, but just “court, person or body with jurisdiction”. So it's unclear whether it means just Canadian courts or foreign courts. We believe it should be limited to Canadian courts.

We are also proposing that paragraph 8(2)(f) be limited to allowing disclosure and subsequent use of information to the precise purpose identified by the disclosing agency.

There is another really important reform that we believe is needed. We find it astonishing, quite frankly, that the Privacy Act does not allow the Privacy Commissioner or Canadians to enforce their rights under it, other than through their right to access to information. It sets out all of these rights and obligations, but it has no mechanism for enforcing them. We believe the act needs an enforcement mechanism for all of the rights contained in it, not just access to information rights. We agree with the Privacy Commissioner that she and individual Canadians should have the right to go to court to enforce these rights.

We also think, however, that the Privacy Commissioner should have order-making powers. We believe not only would that increase her clout when she's dealing with federal government agencies, but it would provide a much more accessible enforcement mechanism to individual Canadians.

We also strongly support her quick-fix recommendations--for example, preventing overcollection of personal information by the government, and that is including a necessity criterion to the current clause, section 4, requiring that information collected by the government be related directly to an operating program or activity. That clause should be amended to say “no personal information should be collected by a government institution unless it relates directly to and is necessary for an operating program or activity”.

We also believe the definition of information is outdated and should be applied to any information, whether it's recorded or unrecorded. In particular, we would point to the expansion of private and public video surveillance in Canada, much of which involves ongoing monitoring. The information is not necessarily recorded for future reference, and that information, the monitoring activity itself, is potentially privacy invasive and should be covered by this legislation.

We also strongly agree that privacy impact assessments, currently a requirement of Treasury Board policy, should be made a legislative requirement. They are, in my view, at the heart of the data protection regime in the public sector. In the private sector we rely more on individual consent; private corporations are required to get individual consent before they can use or disclose personal information.

We don't have the consent rule in the public sector. Instead we rely on the federal government to undertake analysis of privacy impacts in the public interest and to ultimately make decisions in the public interest. Of course, we rely on transparency and accountability mechanisms as well to back that up. But privacy impact assessments are critical; they are, in effect, replacing the consent requirement we have in the private sphere and they should be legislated. They should not be left to a matter of policy.

Finally, one of the areas we've spent a lot of time on at CIPPIC is looking at identity theft and ways in which to prevent and address that problem. We have been advocating for stronger incentives in the private sector for effective security measures and for notification to individuals whose information has been negligently or inadvertently disclosed or made accessible to unauthorized access and potentially criminal use.

We think the same kind of rule should apply to the public sector, that is, there should be a provision in this act--as there is, for example, in some of the provincial acts we've looked at--requiring the federal government to take reasonable security measures to protect personal data from unauthorized access, use, or disclosure. We believe the breach notification requirements that are being considered now--that you recommended for PIPEDA and that Industry Canada is now consulting with the public on--should also be included in this legislation.

Thank you, Mr. Chairman. I would be happy to take questions.

3:45 p.m.

The Chair Liberal Paul Szabo

Thank you very much. It's a very good start.

We're going to start with Mr. Pearson.

3:45 p.m.

Glen Pearson Liberal London North Centre, ON

Thank you, Mr. Chair. I didn't know I was starting.

As far as the crossing the border data flows that happened, I appreciate what you just mentioned about that.

We have formalized arrangements, but a lot of these aren't written. Is that correct?

3:45 p.m.

Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

That's my understanding.

We have had real difficulty trying to find out just how many arrangements there are and what they are.

3:45 p.m.

Glen Pearson Liberal London North Centre, ON

Yes.

It seems to me that's a big part of the problem. Correct? You have these arrangements, and they're not necessarily laws or whatever it is; they are just these quiet arrangements that have happened behind the scenes. I think the Privacy Commissioner was also hinting that there needs to be a way to regulate those a lot more so that we know what is being shared. You would agree with that?

3:45 p.m.

Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

Absolutely.

3:45 p.m.

Glen Pearson Liberal London North Centre, ON

As far as some of the other recommendations the Privacy Commissioner gave about the data flow across borders, did you agree with what she said? She had a number of different issues. Did you have any that you would draw exception to?

3:50 p.m.

Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

On the transborder data flows, I believe we agree with everything she has proposed, and I'll just take a quick look again. We support her recommendations. In particular, I think it was the tenth recommendation of hers that addressed this, strengthening provisions governing disclosure. Yes, absolutely, we agree with all of that.

3:50 p.m.

Glen Pearson Liberal London North Centre, ON

How would we build a base, a framework, for not just having these verbal kinds of recommendations? What kind of framework would we use to formalize these relationships more?

3:50 p.m.

Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

As I've said, I think the first step is transparency, getting them out in the open, and that would start by possibly a recommendation that they at least be authorized by legislation, and then listed, perhaps, in a regulation to the act. We do that for investigative bodies. It allows a certain level of transparency. It allows the public, and organizations representing the public, to at least go somewhere and see what these arrangements and agreements are.

So far we've found it impossible to gather. We've been trying to figure out to what extent Canadians' data, when they're held by, say, a foreign company in the States, are protected against privacy invasions, as compared to when they're held in Canada by a Canadian corporation. It has been extremely difficult to do that analysis.

3:50 p.m.

Glen Pearson Liberal London North Centre, ON

It would seem to me we can't really update this whole arrangement at all if we aren't able to do that and get hold of that information.

Are you aware of how departments energize their compliance with the Treasury Board guidelines on this--exactly how they do that?

3:50 p.m.

Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

No, I am not.

3:50 p.m.

Glen Pearson Liberal London North Centre, ON

Okay.

What internal mechanisms are in place to ensure the protection of personal information that's transferred across national borders?

3:50 p.m.

Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

Again, I can't speak to that. You'd have to ask the Treasury Board officials.

3:50 p.m.

Glen Pearson Liberal London North Centre, ON

Okay.

I'm a bit worried--well, I think we're all somewhat worried. I met somebody this afternoon; for instance, I think many of us did. The real estate agents and others from across the country were in town today, and they were talking about how you buy a house. In order to be able to purchase that house, that information had to be shared with somebody else who lived, let's say, in the United States. You never thought your information was being shared in this way, but this was a particular thing that happened in the legislation, with something that we have right now.

So it's more about partly my right as a purchaser. If I buy a particular property in Canada, the information is being shared by somebody else who happens to be in on that arrangement in the United States. I did not know this was part of it. This is part of what is going on. All this information is going back and forth across the borders. It's not just security things, but it's a whole bunch of purchasing things, merchandise, and so on and so forth.

I'm not trying to kill time here. People have other and probably better questions, but it seems to me, from what the Privacy Commissioner felt, that she cannot really get a handle on this, even if we gave her resources and other things, unless this ability to be able to harness this information comes into place.

Do you think a law is the thing that's required, as opposed to some kind of informal arrangement or some kind of written arrangement? Do you think a law would be better?

3:50 p.m.

Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

I think you need to mandate the reporting of this information. It's not happening, otherwise. Whether it's private sector or public sector, in order to know what's going on, it needs to be mandated. One of the things we've been considering for the private sector is a requirement to notify individuals of the fact that their data are being shared with a foreign entity. In fact, it's certainly arguable that this is already a requirement under the private sector law, but I don't believe it's being fully complied with.

As I say, I think the first step is transparency and just getting all of this out in the open, and that needs to be mandated.

3:50 p.m.

Glen Pearson Liberal London North Centre, ON

Thank you, Mr. Chair.

3:50 p.m.

The Chair Liberal Paul Szabo

Madam Lavallée, go ahead, please.

3:50 p.m.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Thank you.

Good afternoon, Ms. Lawson, and welcome, once again, to our Committee. This is not your first appearance before us and it is always a pleasure to see you.

I wish to apologize for having arrived late. I therefore missed the beginning of your presentation, and I am sorry about that.

You listed several changes that you would like to see us make to the act as it now stands. What would your priority be? If only a few changes could be made, which are the most important elements of this act that should be modernized?

3:55 p.m.

Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

Please forgive me, but I will answer in English.

3:55 p.m.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

That is not a problem: I get along very well with my friends, the interpreters.

3:55 p.m.

Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

I was worried about getting that question, because it's very difficult to prioritize here. Enforcement, I think, is a priority area. As I say, I find it astonishing that we have no mechanism to enforce our rights as citizens under this act, other than the access to information rights. I think that needs to be made a priority.

I also feel, in part in response to the inquiries and complaints and concerns that have been raised with the clinic, that the transborder data flow issues should be made a high priority.

I understand that you are trying to come up with--

3:55 p.m.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Allow me to stop you for a couple of seconds. You stated that the big priority was one of enforcement, but I do not know to what you are referring. I do not understand.

3:55 p.m.

Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

Okay.

Right now the Privacy Act sets out a number of rights and obligations of government and rights of individuals, but it only allows the Privacy Commissioner and the individuals to go to court to enforce their rights in respect of the access to information rights. The requirement is that government only collect information if it relates directly to an operating program and only disclose for consistent purposes; there's no way of enforcing that right, so when the government violates the act, there's no way of holding it accountable, other than reporting publicly on it.

One of the Privacy Commissioner's recommendations, recommendation number 2, is to broaden the grounds for which an application for court review can be made to the full array of privacy rights and protections. That's the same recommendation we are making, except that we are also suggesting that the Privacy Commissioner could be more effective if she had order-making powers herself.