Thank you for the opportunity.
We're looking at the Canadian federal Privacy Act, which when it was passed in 1982 was undoubtedly on the cutting edge of privacy legislation. But it's starting to show its age. It was built based on what are referred to as the OECD guidelines, which was a consensus of members of the Organisation for Economic Co-operation and Development with respect to changes in the way that governments collect, use, and disclose personal information.
In 1982 the federal government led the way in Canada. It was one of the first jurisdictions to implement legislation that regulated the information governments could collect, how they could use it, and to whom they could disclose it. Since then, every single province and territory in Canada has followed by implementing privacy legislation, often in combination with access-to-information legislation.
This committee has been tasked with taking a look at the Personal Information Protection and Electronic Documents Act. We've recently seen privacy laws extended to the private sector in Canada, so that now, a number of years later, we have comprehensive privacy protection from coast to coast to coast, covering both the private sector and the public sector.
Since 1982 a lot of water has passed under this bridge. We have a lot of experience in dealing with privacy legislation. We've seen it implemented in a number of different jurisdictions, and we know how it works. It's not implemented everywhere in exactly the same way, and we have had the opportunity of seeing how it works in certain implementations.
We are also living in a different world from that of 1982. Probably the paramount difference has to do with technological change. This growth in technology wasn't even foreseen in 1982. It certainly wasn't in place. We now have issues related to data matching, biometrics, genetic information, the decoding of the human genome, portable electronics, surveillance, video surveillance, GPS, and so on.
We've also seen a significant change in the environment within the public sector as information is collected, used, and disclosed. We see more joint delivery of programs by the federal and provincial governments. We also have a significantly different security environment from what we had in 1982, in the post-September 11 world.
Since 1982 we've also seen an enormous consultation among a wide range of stakeholders, primarily in the private sector. It arrived at the remarkable consensus embodied in the Canadian Standards Association's model code for the protection of personal information, which is the nucleus of PIPEDA, a piece of legislation that this committee has recently spent a lot of time looking at.
Also, there's a significant increase in concern on the part of citizens with respect to how information is collected, used, and disclosed. This is not limited to the public sector or the private sector. One cannot ignore the breaches of security related to personal information that are coming out of the private sector. But since the passage of the Privacy Act in 1982, we're also seeing significant breaches in the public sector. One hears stories of stolen servers from government departments, misdirected mail, missing tapes and backup CDs.
We're now living in the age of identity theft, and it's a significantly changed environment. In the same year that the Privacy Act became law, we also saw the Canadian Charter of Rights and Freedoms come into effect, which has changed the expectations of citizens with respect to their own personal information, their intimate details.
In our consultations with the members of the Canadian Bar Association, we have seen the growth of a consensus that in many cases guidelines—and many of the points we address are the subject of guidelines—are not enough. They may be helpful interim measures, but they're very often ignored, very easily overlooked, and don't provide sufficient accountability when it comes to the potential misuse of personal information. Legislation and therefore amendments to the Privacy Act are the only way to make sure that this happens.
Accountability is the touchstone of two of our recommendations, in concurrence with the Office of the Privacy Commissioner of Canada, which would be to extend Federal Court oversight with respect to privacy, and enshrine the necessity of having privacy impact assessments in legislation. Doing so ultimately leads to accountability to court and also goes hand in hand with the recommendation, which we're happy to speak to in greater detail later, with respect to the ability of the Privacy Commissioner to make public interest disclosures that are in addition to the Privacy Commissioner's obligations in reporting to Parliament on an annual basis.
Some of these measures relate directly to the significantly different criminal climate, in a sense. We're now informed that identity theft is one of the fastest growing crimes in the world, if not Canada. The Government of Canada, with its many departments and crown corporations, is the repository of significant databases with what's often referred to as “foundation information for identity theft”: full names, dates of birth, social insurance numbers, and information like that, which if disclosed and misused can lead to identity theft. There are any number of government databases that contain that information.
Currently there's no statutory requirement that government safeguard that information, and there's currently no obligation that government notify affected individuals if their information is lost or disclosed. And it's not just a matter of individuals wanting to know what's happening with their information, which may in fact be their right or should be their right, but it's a matter of giving individuals the opportunity to take steps to mitigate any harm that might happen with respect to the misuse of that personal information.
An important additional maxim that's been developed with respect to best practices for the collection, use, and disclosure of personal information since 1982 is something called the “necessity test”. Simply put, it's to collect only that information that is reasonably necessary, which safeguards against the natural tendency, or what appears to be a natural tendency, to collect more information than is required, which then of course requires that it be safeguarded. And if it's collected and is not necessary, it increases the likelihood that information can be misused.
We also talk briefly on the topic of data matching in our submissions, which ultimately probably does amount to, at least constructively, an additional collection of information, more than was necessary, and certainly an additional use of that personal information.
There are some other matters that are probably not as controversial but that we think are important as well.
There is a distinction between recorded and unrecorded information. There doesn't seem to be a rational reason to make that distinction. More recent privacy laws in Canada, provincial and federal, don't make that distinction. We don't think that the transient images and transient information, for example live video feeds and things like that, should necessarily be excluded from the ambit of the Privacy Act.
We do agree that five-year reviews should be necessary, and that the Privacy Commissioner should also have a public education mandate, and ultimately, in order to try to increase the efficiency of the Office of the Privacy Commissioner of Canada, discretion to refuse to investigate or to produce reports on complaints or inquiries that might be simply mischievous or vexatious or frivolous.
In the end, we do believe that ultimately the Privacy Act is due for significant reform and significant overhaul. At the Canadian Bar Association's annual meeting a couple of years ago, the national sections council did endorse a motion, which passed without dissent, calling for a complete review of the Privacy Act. But since we're at this stage, we're only given the opportunity to comment on incremental improvements. We couldn't sit idly by and do that.
With respect to our final issue, I'm going to pass it back to Greg just to touch on the cross-border information-sharing issue.