Evidence of meeting #20 for Access to Information, Privacy and Ethics in the 40th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A recording is available from Parliament.
5 p.m.
Liberal
5 p.m.
Liberal
Borys Wrzesnewskyj Liberal Etobicoke Centre, ON
Okay.
Would you recommend, taking into account the track record, the ability to gather information of a type that most other departments cannot, and the nature of the department—a paramilitary department that's supposed to be there for law enforcement—or would you not recommend that there be additional recommendations to particularly target the RCMP, to make sure that these grave concerns to our own democracy and the human rights of Canadians who travel abroad are not violated?
5 p.m.
Privacy Commissioner of Canada
Can I ask Madame Bernier to answer? She is the former Assistant Deputy Minister of Public Safety, so it's an area she knows well.
5 p.m.
Chantal Bernier Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
I would say your statement really underscores our position in relation to information-sharing agreements and to ensure the Privacy Act is more specific in that regard. And what you say has also been the object of the O'Connor report, where Justice O'Connor specifically requires that a much stronger framework apply to information-sharing agreements to ensure the protection of privacy, to ensure that information that is shared is accurate, as well as to make sure that personal information is not shared with states that do not have a human rights record, and that is precisely what we put forward. To contrast law and policy, as the commissioner has said, Treasury Board Secretariat has issued guidelines that seek very much to address these recommendations, and yet in our 2003-2004 report we found quite a few deficiencies, looking at information-sharing agreements.
For example, the information to be shared as described in the information-sharing agreements was far too general. The protection clauses, meaning how the information was going to be secured once shared, were also very vague. We also found that only half the agreements contained a third-party caveat, meaning once we give it to one party, it cannot share it with a third one.
The majority of the agreements did not provide for consistent use, meaning the information could not be used in a way different from the objective it was shared for. And finally, the vast majority did not contain an audit provision. So, absolutely, we are in complete agreement as to the necessity to have stronger provisions in the Privacy Act in relation to information-sharing agreements.
5 p.m.
Liberal
5 p.m.
Conservative
Randy Kamp Conservative Pitt Meadows—Maple Ridge—Mission, BC
Thank you, Chair.
Welcome, and thank you for your efforts in working to help balance the rights of individuals and yet help us maintain our responsibility as parliamentarians, particularly with regard to issues of whether it's balancing personal and national security concerns.
In recommendation nine, you ask for the introduction of the provision regarding a five-year parliamentary review. Regretfully, I haven't spent any time on this committee, but I'm just wondering where this five years came from. Is that an arbitrary figure? Should it not be an ongoing procedure? Should it not almost be yearly rather than necessarily at five years? The world is changing so dramatically. We run into so many circumstances that could alter the provisions we have right now, whether it's cyber-terrorism, whatever. Why did you come up with the five years, and how comprehensive would you like to see this review be, and who should the participants be and how binding should it be?
5:05 p.m.
Privacy Commissioner of Canada
The five-year review comes from precedent. Because we have the temerity to label these quick fixes--we know there are no quick fixes in a parliamentary process that involves so many actors and so on--we tried to hone in on things that were perhaps easy, understandable, and for which there was a precedent. So we looked at the other law we administer, the private sector law that applies to banks, airlines, organizations, and provinces that don't have their own private sector privacy legislation, and there is a five-year review there.
In some of the other provincial legislation, there are five-year reviews too. In B.C., Alberta, I'm not sure about Ontario, but certainly Quebec, the legislation comes up automatically for review. The scope of the review depends on the parliamentary committee that's reviewing it. The legislation just says that so the committee can do an in-depth or a perhaps shorter review depending on that, and then it would make recommendations. But I have not seen any legislation that says the recommendations would be binding on anyone. They follow the normal parliamentary process.
5:05 p.m.
Conservative
Randy Kamp Conservative Pitt Meadows—Maple Ridge—Mission, BC
How privy are you to national security concerns in your deliberations?
5:05 p.m.
Privacy Commissioner of Canada
I'm not directly privy very often to the details of national security concerns. Some of our investigators have a high level of security clearance, and when there are complaints for classified information they may look at it to the extent they understand that, but that's fairly exceptional.
5:05 p.m.
Conservative
Randy Kamp Conservative Pitt Meadows—Maple Ridge—Mission, BC
I'm just wondering, because there are obviously some very serious security concerns at times, and I just wonder where that balance comes in between your responsibility to investigate circumstances where privacy can be breached and of course the necessity for the government and the state to protect the rights of its individuals. I just didn't know how far along that slope you go, and where the final decision-making sits as to what you are allowed to have and what you're not. Could you elaborate?
5:05 p.m.
Privacy Commissioner of Canada
Well, obviously, if it's sharing information and a government department doesn't want to share the information and doesn't, we're kind of stuck there, I would say. But I'd say we do have the confidence of the government under our act to see quite a bit of national security legislation.
We're just finishing up a legislated mandated audit of FINTRAC, which involves understanding the FINTRAC processes of anti-money-laundering legislation. We looked at CSIS, I believe, last year. As I said, we went into the RCMP exempt banks.
So from time to time, on specific issues, yes, we do see national security concerns.
5:05 p.m.
Conservative
Randy Kamp Conservative Pitt Meadows—Maple Ridge—Mission, BC
It is a concern as well, from some particular point--having had some involvement in security over the course of my life--that if you have a contact where there has been 20 years' worth of work to build that source, and millions and millions of dollars invested in that, and then we have information that may or could or should be delivered for the purpose of the preservation of the privacy of an individual, where do we draw that line? That's sort of where I wonder where you come in on this.
5:05 p.m.
Privacy Commissioner of Canada
Perhaps my colleague, who has worked in this area for a long time, could add something.
5:05 p.m.
Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
The Supreme Court of Canada has drawn that line of balance between privacy and safety. That line is about necessity. So the information that is collected must be necessary to serve the public safety objective it serves, as well as proper attention to the reasonable expectation of privacy. That is contextual, and the context will determine how the intrusion is valid or not.
We need, in the area of national security, to exercise a certain amount of deference for the very reasons that you invoke. The courts have stated as much. In our thinking we apply the principles that have been issued by the Supreme Court of Canada and other tribunals in Canada.
5:10 p.m.
Conservative
5:10 p.m.
Conservative
Kelly Block Conservative Saskatoon—Rosetown—Biggar, SK
Thank you very much, Mr. Chair.
I might have some time that I could easily give back to Mr. Kramp, if he would like.
I am specifically looking at recommendation two and recommendation six. In addition to the conflict that these recommendations appear to pose, does the requester not already have recourse under the Privacy Act if the Privacy Commissioner refuses or discontinues a complaint?
5:10 p.m.
Privacy Commissioner of Canada
Yes. The seeming contradiction between recommendations two and six is another attempt to balance the use of public funds in investigations, which are very labour-intensive operations, and justice for the Canadians who come to us with their privacy complaints.
Actually the commissioner and complainants can go to Federal Court, but only in the very limited circumstances of being refused access to one's file. If there are corrections to be made in one's file and the government department does not want to carry them out, then there's no further recourse. There's also the whole issue of damages. I believe some of the members of this committee have talked about that just now. If the actions of a government agency in the use of your personal information cause you damage, there is no recourse. That is one of the reasons I think it would be a timely amendment to give you that right to go to Federal Court. In the private sector, if an organization misuses your personal information—for example, a bank—and causes you some damage, you can go to Federal Court and have a remedy. Now Canadians who have their personal information misused by the government have no effective remedy. They can just have access to their file and that's all. That's recommendation two.
Recommendation six tries to make the act more contemporary, more focused, and to give my office the power to concentrate on the complaints for which there has not already been a determination, for which we can really do something and help the individuals. For instance, we have many complaints about the same things. For example, why does Canada Revenue Agency take all this personal information; this must be against the Privacy Act. If our powers were changed, then we'd like to say that we're not going to deal with this complaint because we deal with it several dozen times a year over the years, and here are all the examples. We'll tell people that we're not really going to investigate this; we're going to discontinue it because they basically have to give their personal information to the tax authority. That's a frequent source of complaint. We can then concentrate on other issues. For example, on recent issues with Canada Revenue Agency, perhaps there had been some misuse of the personal information within the department and some employees had overstepped their bounds of duty in looking at tax files when they shouldn't, and things like that.
The two may seem to be contradictory, but they work into this kind of more targeted approach to the problems we see coming to us at this particular time.
5:10 p.m.
Conservative
Kelly Block Conservative Saskatoon—Rosetown—Biggar, SK
I have one last question with regard to recommendation eight, which is to strengthen the annual reporting requirements of government departments and agencies. By requiring these institutions to report to Parliament on a broader spectrum of privacy-related activities, would this mean legislating Treasury Board guidelines, which could compromise their flexibility?
5:15 p.m.
Privacy Commissioner of Canada
No. In fact I think it's the inverse. It's taking a lot of the information in Treasury Board guidelines and simply bringing it up to the status of a law. Treasury Board could then issue new directives of interpretation of the law. Again, it's because we're trying to put forward practical things that are already in existence, but we simply want to increase compliance with them.
5:15 p.m.
Liberal
The Chair Liberal Paul Szabo
Very quickly, I'd like to speak about recommendations 11 and 12.
These are existing policies. I'm a little concerned that if you were to bring into legislation existing Treasury Board policy, you'd have to change a whole bunch of legislation because of a difference in force or effectiveness. Is it necessary? Should it be just in the regulations, or is it something that has to be mentioned that of course this legislation is to comply with all Treasury Board guidelines as they bring change from time to time? How important is it? You have to fight for these two, quite frankly. Is this going to make the act a better act at the level of a quick fix, or is this just, by the way, we can maybe do a little amendment here?
5:15 p.m.
Privacy Commissioner of Canada
No. I think this is essential.
One dimension that I haven't mentioned today is the international dimension of Canada as we look around the networked world and see that Canada is becoming one of the few modern countries that really hasn't touched up its national privacy legislation. Right now, your European colleagues in the European parliament are adopting data breach notification under European law.
So the fact that we don't have this, the fact that we don't have many of these provisions even though they exist in directives, dims Canada's lustre internationally, whereas Canada was once a leader in this field.