Thank you.
I am going to start in French, but I am going to change to English because for more complicated things like the protection of personal privacy, it is easier for me to speak in English.
I also have jet lag. That's an additional good reason.
I feel I am almost twice as old as the Privacy Act. I started working on privacy issues as a young student from Montreal studying at Columbia University in 1964. I lobbied for the Privacy Act in the 1970s in the House of Commons during the Trudeau years and in Joe Clark's government. I've worked with every Privacy Commissioner of Canada since Inger Hansen, who was the first “sort of” commissioner under part IV of the Canadian Human Rights Act. The only one I didn't really work for was the late lamented Monsieur Radwanski. I've known them all.
I've written academic books about the Privacy Act and its origins and its development and how to implement it and things like that. I wrote case studies of data protection and privacy protection in Europe--in Sweden and Denmark and lots of countries--so I have had some comparative insights.
In 1993, through absolute good fortune, I became the first Information and Privacy Commissioner for British Columbia, which was a new position then, and I had the good fortune to move to Victoria. I was on leave from Western for six years, which was attractive, because I had the independence of returning there if I wanted to, but I fell in love with British Columbia and I've worked there since 1999.
I'm primarily a privacy and freedom of information consultant. Most of my consulting work is in the health field; in this area there are some really serious privacy issues with electronic health records and all this stuff. I have national clients. I've worked a fair bit with the federal government. I could give you as an example of a federal department that's doing pretty well at managing privacy risk Health Canada, and I take some credit for that, because as a reward for something I did for the deputy minister around 2001 I was invited to do what I call a privacy review of privacy management at Health Canada. They set up a structure, a policy department of about 35 people who advise Health Canada on privacy issues.
It's fortuitous, at least for me, that last December.... I have been an advisor to the Privacy Commissioner of Canada, Jennifer Stoddart, since she was appointed three or four years ago. I've actually known her for almost twenty years because we're both historians of Canadian law, and I published her work that far back, in the early 1980s.
Anyway, she and her colleagues invited me to do--and I emphasize this--an independent essay on the need for Privacy Act reform. I've written a 45-page essay that she mentioned to you, and that's how I got to talk with you. The essay is pretty much finished. It's fairly academic; it's tough-talking, and I'll try to reflect some of that in what I have to say to you today, but in a way you've surpassed me because you're already into the nitty-gritty of how you can improve the Privacy Act with the little things you can do and the ten quick fixes that she gave you. Mine is a more high-level overview of why this should be done.
An analogy I would use with you for the Privacy Act, which was progressive in its time, is that if you bought a house 25 years ago and did no maintenance or decoration, you'd be living in something of a slum. The Privacy Act is a somewhat slummy piece of privacy legislation. I used the word somewhere that it's risible in terms of what we need.
It reads very well in French: the word “risible” sounds even better in French.
It's really a pathetic piece of legislation. I looked at it again online this morning. It was just hilarious. No wonder my federal clients aren't too bothered by the Privacy Act and its obligations: there ain't much there. There's not much meat in the sandwich. It doesn't meet the national privacy standard.
In 2000 Parliament voted PIPEDA through. I'm sure you're being driven crazy by all this alphabet soup of privacy legislation. That's the very fine piece of private sector law, the Personal Information Protection and Electronic Documents Act, which I helped lobby for in 1999-2000. It incorporates what we call the national privacy standard, which is built around ten principles.
For most of you, all you need to know is that there are ten privacy commandments, these ten privacy principles. There should be openness about what you do with personal information. There should be accountability; somebody should be in charge of the shop. You should state the purposes for which you're collecting personal information. You should limit the use, collection, and disclosure of personal information. You should get consent; I call that the adultery clause in the privacy standard, because it's the critical one. There's absolutely no consent requirement in the federal Privacy Act; it's disgraceful.
Some people say to me that the public service would never go for a consent standard. Well, why not? Why shouldn't they use either express consent, or implied consent, or notice to ask us for our personal information?
Then you're supposed to have reasonable security. There is absolutely no security requirement in the federal Privacy Act. Can you imagine that, in the years of identity theft and data breaches? That doesn't mean there's no security, but there's no standard of reasonable security against which the Privacy Commissioner can test what's actually done.
There is also the right to access your own personal information, to make privacy complaints, and so forth. That's done reasonably in the federal Privacy Act. That's about the only thing that's done well there.
I thought it was wonderful when it was enacted in 1979, 1980, 1981, and 1982. I helped push for it. But it no longer cuts the mustard, to put it quite simply. In particular, the Privacy Act doesn't begin to meet the kinds of privacy rights, constitutional rights to privacy, and statutory rights to privacy that we have under the Charter of Rights and Freedoms. It fundamentally fails to protect the privacy interests of Canadians in their relationship with the federal government.
I can tell you the story, if you wish, of the Ontario government changing the adoption law to allow individuals to have access to information about adoptees or those who were adopted, against the wishes of these individuals. Ann Cavoukian, the Ontario Information and Privacy Commissioner, fought this thing all through the legislature, etc., and she lost. But then a group of litigants led by Clayton Ruby as their lawyer went to the Supreme Court of Ontario. I was the privacy expert on a pro bono basis, and we overturned those parts of the statute, based on our articulation of privacy rights under the charter.
I would tell Canadians that over time they're going to bring constitutional challenges regarding the inadequacy of privacy protection and data protection at the federal level. And I would think that would be a good thing.
The work I did for the Privacy Commissioner's office is independent work. They're not telling me what to say. You'll be happy to know that almost everything the Privacy Commissioner of Canada and her associates have said to you makes perfect sense to me. A lot of the essay I've written seems to say “yes, sir, yes, sir, three bags full” regarding the need for educational power and various kinds of things in the ten quick fixes that Madame Stoddart has given to you. I'm completely onside with her and her colleagues. I assure you I'm very independent. There are some of them behind me, but I'm not Pinocchio, and they're not telling me what to say. They may take notes if I say something that doesn't meet the party line, but that's fine. I'm here to tell you what I think and what should be done.
The thing I'm promoting, which I think is regarded as somewhat radical but which I like very much, is the idea of giving order-making power, regulatory power to the Privacy Commissioner of Canada. I regret to tell you that it's much too easy to ignore the Privacy Commissioner of Canada. It's a talk-shop at one level. All she can do is tell you to do good or don't good, but you don't have to listen to her. I teased her yesterday. I called her a toothless tiger in some remarks I'd written. But I've changed that to a toothless watchdog, because I regard the Privacy Commissioner as the watchdog for our privacy interests, who articulates the privacy interests that are at stake in issue after issue and then helps the public bodies, helps the government institutions—and there are 250 of them subject to the Privacy Act—learn how to comply with these rules and regulations.
No doubt in the 1980s I agreed with John Grace and then with Bruce Phillips that the ombudsman role was satisfactory in just giving advice and so forth. She's not being listened to. The way you get listened to is to have the power to say “stop doing that”.
There was a case two years ago at the Ottawa Hospital where a poor unfortunate patient went in for open-heart surgery. When she got in there, she told them that her ex-husband and his new partner worked there. She and her ex-husband were involved in a custody dispute, and she wanted her information to be kept highly confidential. That couple, or at least the female part of it, started accessing her records right away. Eventually the ex-husband told his ex-wife that he had seen her records, knew that she was in for heart surgery, and all this stuff.
Ann Cavoukian, the Information and Privacy Commissioner of Ontario, has order-making power under both the Freedom of Information and Protection of Privacy Act in Ontario and the Personal Health Information Protection Act, PHIPA, which regulates all health information in the public and private sectors in Ontario. She issued an actual order--the situation was that bad--at the Ottawa Hospital: do this, do that, don't do something else. While this order-making power might not have to be used very often, it's a weapon or tool that can be used to bring the public service to the table to find pragmatic solutions to the issues taking place.
I will add, just while I'm thinking about it, that the public service, I regret to say, has not learned to live with the Privacy Commissioner of Canada. The last person they want to tell about their schemes and plans is the Privacy Commissioner. They wait until everything is almost finished and ready to go, a bill in Parliament for whatever it is that could be invasive of the privacy of Canadians, then they tell her about it--almost when it's too late, a fait accompli. There needs to be consultation up front with the Privacy Commissioner of Canada. There's a sorry track record of not doing that; they're not frightened of her.
I'm also arguing, in my presentation, for putting into the Privacy Act a framework for what we call “privacy risk management”. As I go from client to client on a daily and weekly basis, the way I get the attention of boards of directors, CEOs, senior executives, or in this case members of Parliament is to talk about privacy risk management. All of you know what risk management is all about, from your business backgrounds, your work in government, or whatever it is. This is privacy risk management.
We have developed some tools in the last 10 or 15 years that should be put into the Privacy Act so that every federal institution that's privacy-intensive--that is, that collects, uses, and discloses a lot of personal information--should have in place what we call “chief privacy officers”. The Bank of Montreal has a chief privacy officer, as does Aeroplan, Bell Canada, Intel, Microsoft, Oracle, Sun Microsystems, and Maximus Inc. All these companies have chief privacy officers. Why? They're a centre of privacy expertise. They're a focal point. If you put them high enough up, at the director level at least, then people will pay attention to them. They'll know to go to the privacy officer and their staff to get advice on this cross-cutting issue across the government.
The second thing they should be doing is privacy impact assessments. I helped invent, with some New Zealanders and fellow Canadians, the whole idea of privacy impact assessments. I do them regularly. They are very arcane, almost academic kinds of activities. I write them according to my own format. I'm going to send Nancy home with some background material--some of it she's seen before--on how I do these sorts of things.
The privacy impact assessments are terrific things to apply to a sensitive new database or sensitive application. They are being done under Treasury Board guidelines, but they're guidelines only. I would like to see a statutory requirement to do privacy impact assessments that are actually good ones, not lousy ones that skim over everything, and show them to and get them vetted by the Privacy Commissioner's Office, and then post them on the website so that you can actually see them. For a couple of the airline passenger information systems, I think there's a PIA on this website.
In terms of privacy training, there are more than 200,000 public servants, most of whom have not had privacy training in a long time. They don't understand the ten privacy principles and wouldn't know a privacy issue if it hit them in the head. Some do, of course, but that kind of knowledge is transitory. The name of the game today is a 20-minute quiz, 30-minute test, taken once a year, with certification to your HR record that you've actually had privacy training. As I said to you before, you'll recognize that one of the basic privacy principles is involved.
There's been a lot of talk in the last few days, after the Auditor General's report, about data-sharing agreements and the lack of data-sharing agreements with the provinces for public health surveillance. That's just ridiculous. Why are they not doing them? They're a pain in the ass: you have to negotiate with the provinces, the provinces want to put the rules into the documents, and then you have to follow the rules. And guess what? The privacy commissioners from the provinces and territories might come and audit what you're doing--which they damn well should be doing.
I forgot to mention earlier that my argument for order-making power is largely derived from the fact that in Quebec, Ontario, British Columbia, and Alberta, which have pretty decent pieces of privacy legislation, the commissioner had order-making power. I used to get the attention of the British Columbia government, the NDP government of Glen Clark and others, in the 1990s. You can imagine what fun it was to be a privacy commissioner then. Life was pretty good because of the privacy impact assessments and the fact that I could get their attention because I could order them to do something.
I also want to leave with you this idea: the Privacy Act and PIPEDA were the products of political leadership and leadership in the public service. It was Perrin Beatty who brought the first Privacy Act, in a private member's bill in 1980, before the House of Commons. Then Francis Fox, from another party, with the Trudeau government coming in, put through the Access to Information Act and the Privacy Act. That was political leadership. In the 1990s we needed to regulate the private sector, and it was Allan Rock, justice minister, and John Manley, industry minister, who stepped up to the plate and said yes, we should be doing this.
If there's anything you can do.... In my opinion, the heavy lifting here has to be done by the Department of Justice.
I forgot to tell you that twenty years ago they had this report--Open and Shut, for 1984 to 1987--on how lousy the Privacy Act was and how it needed to be improved. Guess who was the expert on privacy for three years? Me. What did we get out of it under the Mulroney government? Nothing. Nothing was done. Some policy changes were done.
All the recommendations we made twenty years ago are still relevant, but what has happened in between? The Internet, the World Wide Web, ubiquitous computing--imagine trying to use the old Privacy Act to control that kind of stuff.
The political leadership also came from people I call “policy entrepreneurs”. In the 1970s there were three or four senior public servants--Barry Strayer, now in the Federal Court; Gill Wallace, subsequently Deputy Attorney General of British Columbia; and I've forgotten the other names--who recognized that it was part of an international movement to have sound privacy management in the federal government. That then was replicated in Ontario and Quebec. Quebec was actually the first, even before the federal government, in 1981, as I recall. I gather you're having Paul-André Comeau, one of my former colleagues as Privacy Commissioner, to talk to you before too long. He knows the Quebec scene much better than I do.
I think you also as politicians--this is my final point, at least in this beginning presentation--have to ask why doesn't the federal government, why doesn't the bureaucracy, why don't deputy ministers want a stronger Privacy Act? It would be a pain in the ass. They'd have to do things much more carefully than they're doing them now. Their power would be constrained. They wouldn't be able to have kind of a free-for-all with the personal information of Canadians.
They have a lot on their plate, I will admit. There are a lot of other issues they have to deal with. But the Privacy Act, like the Access to Information Act, is cross-cutting. Everywhere in the federal government there's personal information collected, used, disclosed, retained for all kinds of purposes for very long periods of time in more and more massive databases and with more and more data-sharing across government institutions.
I have no objection to outsourcing. I'd be happy to discuss the outsourcing in B.C. with you. It's in my speaking notes. I have no objection to data-sharing with consent. If I want to file my tax return online, I'm doing it consensually. That's exactly the way it should be. All of our relationships with the federal government should be based, to the fullest extent possible, on consent.
In 1999-2000, when PIPEDA was going through, I was lobbying on behalf of Industry Canada as a paid consultant. The Canadian pharmacy association said that we were going to shut down pharmacies in this country if we put PIPEDA through. Why? Because every time someone came in with a prescription, the pharmacies would have to read people's privacy rights to them. We told them that was crazy; we'd be using implied consent.
When I take a prescription to my druggist and hand it to him, why do you think I'm handing it to him? Is it just so he can have a little read? No; it's to fill my prescription. So I'm giving implied consent, as you do, to use my personal information for the purpose of filling a prescription. But then if he starts calling me up and saying, “I see you have this little medical problem, and I have this hot new product I'm selling on the side”, I'd be quick to complain to the Privacy Commissioner. That's a completely unacceptable use of my personal information. It's not in the statement of purposes for which the personal information is collected.
I hope those introductory remarks, plus the 30 other points I've made in my written stuff, will whet your appetite. I'm a teacher by background, so I'd be particularly happy to help you understand some of this stuff. There's no particular reason, as lay persons, you should have gotten a university degree in Privacy 301.
Thank you.