Evidence of meeting #20 for Access to Information, Privacy and Ethics in the 40th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Jennifer Stoddart  Privacy Commissioner of Canada
Hedy Kirkby  Legal Counsel, Office of the Privacy Commissioner of Canada
Chantal Bernier  Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada

3:35 p.m.

The Chair Liberal Paul Szabo

Order.

This is the 20th meeting of the Standing Committee on Access to Information, Privacy and Ethics. Our order of the day, pursuant to Standing Order 108(2), is our study on Privacy Act reform, and more specifically the quick fixes proposed in a report from the Privacy Commissioner.

Our witness today, after having a number of witnesses on the subject matter, is in fact the Privacy Commissioner, Ms. Jennifer Stoddart. She has with her the assistant privacy commissioner, Chantal Bernier, and acting senior counsel, Hedy Kirkby.

Welcome to all of you.

We've had an interesting journey with our witnesses and with our discussions with you in the past. I understand that you have some opening remarks for us with regard to what we heard. The committee has prepared a draft report, in camera, to encapsulate some of the witnesses' views as well as to get a preliminary indication of the committee's views. Now that we're here, full circle, back to the commission itself, we're very interested to hear your reaction, if any, to any of the matters raised by some of the witnesses or even by the members' questioning, to assist us in finalizing our report.

With that, I will turn the floor over to you, Madam Commissioner.

3:35 p.m.

Jennifer Stoddart Privacy Commissioner of Canada

Thank you very much, Mr. Chairman and distinguished members. It's a pleasure to be back here to conclude a journey that we've undertaken together over at least a year now. It's a year and a half that we've been talking about it.

My remarks today are going to highlight some of the important concerns, some of the reasons why I would encourage you to move forward to make recommendations for significant changes to the act.

We have enshrined in this latest document.... You'll remember that about a year ago, I guess in April, the first document we gave to you had eight recommendations, then the following month it went to ten, and because of witnesses and debates it's now at twelve significant things that we believe should be changed but that should not, we think, cause too much basic overturning of the structures of the act.

I'll begin by reminding us all that the Supreme Court of Canada, which is called to interpret our privacy legislation, has repeatedly affirmed the central importance of the informational relationship between the Canadian state and its citizens.

I had the pleasure of being at a training day for the government access to information and privacy community here in Ottawa last week, and Madam Justice came and gave a luncheon address herself and reaffirmed the importance of the work that the people in the ATIP community do and the importance of enshrining privacy.

The Privacy Act that you're looking at today has been accorded quasi-constitutional status because of the fundamental values it's intended to protect. However, as you have seen over the last year and a half, the act remains woefully inadequate to protect such fundamental rights in the face of new technologies, new ways of offering services, new imperatives, and new conceptions about privacy.

While other quasi-constitutional laws such as the Canadian Human Rights Act and the Official Languages Act have been progressively modernized to enshrine fundamental and contemporary Canadian values into law, the Privacy Act has remained virtually unchanged ever since it came into effect in 1983.

In the quarter century since, we have witnessed unprecedented growth...

3:35 p.m.

The Chair Liberal Paul Szabo

We have a problem with the translation from French to English. We're getting a static buzz.

We're going to have to suspend for a moment until the technician can deal with the problem.

3:40 p.m.

The Chair Liberal Paul Szabo

Okay, we're going to resume the meeting.

Colleagues, a technician is on the way to help us deal with the problem of the translation of French to English. The commissioner can proceed, delivering in English. The French translation does work, and everyone will be able to hear the presentation in their language, either directly from channel one or from channel two. When we finish the presentation, unless the technician has resolved the problem, we'll have to stop again because of the questions and answers.

We'll let the commissioner finish her presentation, and then we'll see where we are.

3:40 p.m.

Jennifer Stoddart Privacy Commissioner of Canada

Okay. Mr. Chairman, I could repeat the question in the other language and repeat my answer in both languages, if that would help.

3:40 p.m.

The Chair Liberal Paul Szabo

Well, we'll see where we are when we get there. How's that?

3:40 p.m.

Jennifer Stoddart Privacy Commissioner of Canada

Okay. I'm very sorry. I will continue in English.

Barring a full revision of the Privacy Act, I've previously proposed that the government consider what we call quick fixes—this is a bit of a nickname, I guess—that might help address some of the more substantial shortcomings of the act. However, my view remains that a fully modernized Privacy Act would reinforce the pivotal importance of privacy rights and ensure that government institutions remain accountable and transparent with respect to the handling of personal information, and that my office can fulfill its mandate.

I'd like to go on and talk about the gap that's more and more inexplicable between our standards for public sector privacy and private sector privacy. I'm not suggesting, and I've not suggested over the time you have looked at this act, that the modernized Privacy Act should mirror PIPEDA in every respect. However, I do think it makes sense in this year of 2009 to align the Privacy Act with certain elements of PIPEDA. Expanding the definition of personal information to include non-recorded information, giving my office a clear public education mandate, and requiring ongoing five-year parliamentary reviews are examples of changes that would allow more uniform protection of privacy rights.

The proposal to broaden the grounds for an application for a court review is also meant to provide uniformity with respect to privacy rights. I should add that there's absolutely no discrepancy, in my mind, between providing complainants with the opportunity to apply for a court hearing following an investigation and providing me with a limited and specified discretion to refuse to entertain certain complaints.

Indeed, the Minister of Industry has recently proposed how I might exercise such discretion. Under Bill C-27, which creates a new electronic commerce protection act and amends PIPEDA, among other acts—it's an act introduced about three weeks ago—I would have the discretion to decline to investigate complaints or to discontinue complaints made under PIPEDA in certain specified circumstances. I could, for example, decline to investigate where there is a more appropriate alternative review procedure, more suited to deal with the complaint. As well, I would have discretion to discontinue a complaint in certain limited circumstances—for example, where the matter of a complaint has already been investigated by my office. Bill C-27 would still allow individuals to apply for a court review, even if my investigation has been discontinued, therefore protecting an individual citizen's right to recourse to the Federal Court. If this has been adopted in Bill C-27, I respectfully put to you there's no reason the same approach could not be adopted under a revised Privacy Act.

I've also asked that my office be provided with greater discretion to report publicly on the privacy management practices of government institutions. This recommendation is intended to allow my office to put information regarding audits and specific investigations on our website on a timely basis and as events occur.

As I mentioned a year ago, security safeguards under the Privacy Act also lag behind those in PIPEDA, and mandatory breach notification should be considered for the Privacy Act, as it is being considered for PIPEDA. There's no reason to deny Canadians a certain level of consistency with respect to their privacy rights, regardless of the organization or institution in question. Indeed, the principles of accountability and transparency beg a higher degree of protection for personal information in the hands of the government, especially considering the position of trust in which citizens stand vis-à-vis the overwhelming machinery of the state.

You have heard from some of the witnesses who have come before you in the last year that we don't need modernization of the Privacy Act because we have policies on that. I'd like to address that particular point.

Several of our proposed reforms of the Privacy Act include the necessity of enshrining into law current government policies related to privacy. I commend the Treasury Board Secretariat for putting into place a policy on privacy impact assessments, for providing guidance to departments on information sharing with foreign states and the outsourcing of personal data processing, and for improving reporting requirements of government departments under section 72 of the Privacy Act. Nevertheless, such practices need to be circumscribed by law as a matter of ensuring the government remains accountable and transparent with respect to its personal information handling practices.

Privacy audits, reviews, and investigations carried out by my office have unfortunately shown that institutions are not consistently meeting their commitments under government policies and that government standards provide little assurance or information to Canadians, or even to parliamentarians, seeking to understand the privacy implications of government services and programs.

Privacy impact assessments are instrumental in addressing privacy risks associated with government programs. For example, my office worked with the Canada Border Services Agency when the enhanced driver's licence was being piloted in British Columbia. As a result of concerns we raised about the custody and control of the information on Canadians travelling to the United States, the agency agreed to relocate the database containing personal information on travellers from the U.S. to Canada. We would see more of these successes if the requirement for privacy impact assessments were enshrined in law so that Canadians and parliamentarians alike could have an opportunity to voice concerns and receive assurances that privacy issues were being addressed.

The truth is that it is far easier to ignore a policy than a legislative requirement. Indeed, some departments are still collecting excessive personal information, even though Treasury Board policy includes a necessity requirement. In a recent audit of Elections Canada, for example, we found that it was receiving personal information on young people under the voting age that was clearly not needed for a voters' list.

Parliamentarians need to have better information about how federal departments and agencies are doing managing the personal information they have from each and every one of us. Leaving it to the vagaries of policy and the good will of public servants is simply not good enough.

I'd like to just remind this committee of some of the recent events that suggest that we do, in fact, need stronger privacy protections.

The lessons of the past few years teach us that stronger privacy protections are needed if privacy is to have any meaning at all in the face of contemporary challenges. A recent EKOS poll commissioned by my office showed that 60% of Canadians feel that their information is less protected than it was ten years ago, 71% of Canadians see the issue of having stronger privacy laws as a matter of high importance, and only about one in seven Canadians is confident that Canadian law enforcement and national security authorities respect the laws that protect Canadians' privacy. These numbers, to my mind, speak volumes about the profound attachment that Canadians have to their privacy rights.

The recent events surrounding the O'Connor inquiry and the Iacobucci inquiry shed light on the information-sharing practices of national security and law enforcement agencies and highlight the need to hold government institutions to a higher standard of privacy protection, information handling, and data protection. Given the enormous trust accorded to the government and its institutions in relation to law enforcement and national security and their global implications, we need a more precise legal framework around information sharing in an international context.

In conclusion, in 1982 Canada took a leading role when it became one of the first countries to adopt stand-alone privacy legislation that applied to its government; however, the inevitable impetus of change has gotten the best of the Privacy Act. It no longer reflects our modern conception of privacy and is out of tune with the realities of contemporary government.

The committee's review of the act is certainly timely. It is joining an international trend in modernizing privacy legislation to meet the realities of the 21st century. For example, the Australian Law Reform Commission has recognized that its own 20-year-old Privacy Act needs a host of refinements to help navigate the information superhighway. These refinements are currently under consideration by the Australian government.

Thank you very much for inviting me once again to this committee, Mr. Chairman, and I would be pleased to take any questions you may have.

3:50 p.m.

The Chair Liberal Paul Szabo

Thank you kindly.

I think I'd like to move straight on to the questions. We'll start with Mr. Wrzesnewskyj.

I would ask Mr. Siksay to please take the chair. I've just had a message and I have to take care of a matter. It will take a few minutes.

We can carry on with the questioning. I'll be back as soon as I can.

3:50 p.m.

The Vice-Chair NDP Bill Siksay

Thank you, colleagues.

We'll go to Mr. Wrzesnewskyj for the first seven-minute round.

3:50 p.m.

Borys Wrzesnewskyj Liberal Etobicoke Centre, ON

Thank you, Chair.

Welcome back, Commissioner.

Commissioner, is it correct that the RCMP produces the largest number of privacy complaints that your office receives per year?

3:55 p.m.

Jennifer Stoddart Privacy Commissioner of Canada

From memory, it is one of the targets of the greatest number of complaints.

3:55 p.m.

Borys Wrzesnewskyj Liberal Etobicoke Centre, ON

Okay. Would you have an actual number of how many of those complaints are found to be valid?

3:55 p.m.

Jennifer Stoddart Privacy Commissioner of Canada

Yes, I believe I do.

I have to look at my last annual report. The Royal Canadian Mounted Police were ranked fourth in the number of complaints, with 52 complaints, of which three were well founded, two were well founded and resolved, nine were settled in the course of investigation, and one was resolved.

3:55 p.m.

Borys Wrzesnewskyj Liberal Etobicoke Centre, ON

So nine were resolved in the course of investigation, three were resolved--

3:55 p.m.

Jennifer Stoddart Privacy Commissioner of Canada

Three were well founded. Two were well founded and then resolved after the finding of being well founded. They're just kind of nuances as to when either an agreement or a resolution was--

3:55 p.m.

Borys Wrzesnewskyj Liberal Etobicoke Centre, ON

Now, if you take a look at those statistics, how do they compare with other government departments on the level of complaints that are well founded and resolved, etc.?

3:55 p.m.

Jennifer Stoddart Privacy Commissioner of Canada

I'd probably have to do a lot of quick mental arithmetic, at which I'm not too quick.

3:55 p.m.

Borys Wrzesnewskyj Liberal Etobicoke Centre, ON

Why don't we save that for after the meeting?

3:55 p.m.

Jennifer Stoddart Privacy Commissioner of Canada

Okay. We could provide that. I can say that consistently--and we understand--because of its activities, there are many complaints against the RCMP--

3:55 p.m.

Borys Wrzesnewskyj Liberal Etobicoke Centre, ON

I find an interesting correlation. The RCMP seems to garner among the highest number of complaints, while at the same time, when it comes to these recommendations, they seem to be the most resistant and, on some of them, almost intransigent in agreeing that some of these changes are necessary.

They tried to assuage the committee, I guess. They used the term--and it's in quotation marks, in fact--that it uses a “principled approach” when it comes to some of the concerns of sharing of information, especially with other governments and other law enforcement agencies around the world. It makes me somewhat curious that the very agency that seems to garner the largest amount of complaints doesn't seem to want to see these sorts of changes to protect a citizen's privacy, a quasi-constitutional right.

Let's take a look at the sharing of information with foreign governments. They said that, per year, the RCMP shares information on 4,000 requests with Interpol, and then 3,000 with other governments around the world. This creates a total of approximately 7,000.

On the 3,000 requests from around the world, do we have any idea, if we break them down, of which countries we're sharing information with? I would assume that most of the requests would come from the United States. Would countries that are not democratic and don't have the same sorts of human rights protections that we have--or even privacy protections--be among the list of the 3,000 requests per year?

3:55 p.m.

Jennifer Stoddart Privacy Commissioner of Canada

I would presume so, but not from direct or institutional knowledge. Perhaps it's more from the fact that the assistant commissioner and I appeared last Thursday at the public safety committee, along with the former counsel for the O'Connor inquiry, and we heard that this had been one of the highlights of the O'Connor inquiry: the sharing of Canadians' personal information abroad with countries that don't have satisfactory human rights records.

3:55 p.m.

Borys Wrzesnewskyj Liberal Etobicoke Centre, ON

We're in a very different world right now, too. We have biometrics, the ability to share genetic information, GPS, real-time video surveillance, and micro-surveillance in real time. We don't seem to have any protections in place, even here, when it comes to that sort of extremely personal information.

We also don't seem to have the safeguards in place in regard to how that information is shared, except for this statement by the RCMP. They don't agree with rules being put in place to make sure it's being safeguarded, and we're supposed to believe that they take a “principled approach”, so that should be good enough. Do you think that's good enough?

4 p.m.

Jennifer Stoddart Privacy Commissioner of Canada

No. I disagree with that approach, not only here, but in the public safety committee, where we appeared last week. This points to at least two of our recommendations. One is the necessary change from “recorded” simply to “information”. That is the standard in PIPEDA. That would allow the inclusion of privacy protections to such things as genetic data, GPS location, and so on, whether or not it was in a recorded form. Another recommendation that we think is not that difficult to implement and is necessary now is to have some kind of what we call in the jargon “privacy management framework” with standards.

What are the standards for the RCMP to share information abroad? On what conditions? How long is it going to keep the information? What is it going to do with the information? What are some tests for this information? We've called for a necessity test—I think this joins our recommendations to the other committee—and we need some kind of public oversight. The RCMP is the only body now that still does not have major oversight. And I think this may explain the lack of comprehension and the lack of empathy, I guess, with some of our suggestions, because presumably this would be material for oversight by an eventual oversight mechanism or committee.

4 p.m.

The Vice-Chair NDP Bill Siksay

Thank you, Mr. Wrzesnewskyj. That's your seven minutes.

Mrs. Thi Lac, you have the floor for seven minutes.

4 p.m.

Ève-Mary Thaï Thi Lac Bloc Saint-Hyacinthe—Bagot, QC

Good afternoon, Madam Commissioner.

I have three little questions. In your presentation, you said that there is no discrepancy between the fact that complainants... You refuse to investigate, because your discretionary power allows you to do so; complainants can go directly to Federal Court if your office refuses to investigate. But, for people requesting that recourse, it would not be without cost.