Information & Ethics Committee on May 11th, 2009

Yes, both of them are cases of what I was discussing with the previous honourable member; that is, they are in fact policies. Obviously the Government of Canada has a security policy and Treasury Board has breach notification guidelines. Again, we don't hear much about problems with data being lost or misused in the public sector, but we know there are some problems. We know them often from the media. Occasionally we'll hear something from the government itself. But again, there's a kind of momentum, as I was describing to you about going to Federal Court. If you put this into a law and you say there are breach notification guidelines and that they have to inform the privacy minister when there's a breach notification, I am hoping this will mean that these issues will be taken more seriously and that there will be fewer stolen laptops with citizens' information found under bridges, as we reported a couple of years ago.

Ye. You will notice I haven't asked for order-making power, because that would not be a quick fix, to say the least. It would involve looking at the whole structure of my office. In fact, in the context of PIPEDA, I am commissioning work by some scholars to look at the things that weren't looked at when PIPEDA was brought in. Many people now say we should have order-making powers, and the Information Commissioner has asked for limited order-making powers. So I am commissioning a study that should be out this year. But again, that's not something that's already in a directive. If you look, we do most of these things already, or they've been suggested, for example, by the O'Connor inquiry, or they're not radically different.

It certainly is, and we're looking at that, yes.

It's exactly that kind of thing, to have specific reporting powers so we can keep up with the modern media.

Maybe Hedy Kirkby can explain the problems with the current Privacy Act.

I'll start by mentioning that under the private sector act, PIPEDA, there is a specific provision that enables the commissioner at any time, at her discretion, to disclose information concerning the privacy management practices of private sector organizations. When there is a matter the commissioner wishes to bring to public attention, she may do so. In so doing, the name of the complainant is never identified, but the name of the organization is.

A similar type of provision would be welcome in the Privacy Act, because currently it has nothing whatsoever other than provisions that speak specifically to annual reports and special reports to Parliament. It's unclear at best, legally, what the ambit of the commissioner's power is to go public upon completion of an investigation, for example, in which she would identify the government institution by name.

We did a special report recently for the audit of the exempt banks of the RCMP. I believe we also did it for the joint audit that was conducted with the Auditor General more recently. On those two occasions, these were important issues that we felt should be brought to the Canadian public in a timely way.

Those are large reports that have Parliament as their intended audience. They are presented to Parliament, as is an annual report. What is envisaged is that on a smaller, more periodic basis one could report in a more summary fashion on interesting developments and decisions made by our office.

It's to the Canadian public by putting information on our website. That's the way we do it currently for the private sector act. We simply put up a case summary.

The intention certainly is not to go behind Parliament. The intention is to try to tailor the language of the 1983 Privacy Act to the way with which the public is used to being communicated to in 2009-10. How do you get a message about the protection of personal information to Canadians, particularly the younger generations now, if your primary vehicle is, for example, an annual report? By the time it's done and so on, it's 18 months after things have happened.

We would like to have a more flexible approach. For example, we could report to Parliament at much closer intervals. We could and do put some anonymized information on the website. We could perhaps make public some of our audits, so that Canadians know what to expect and have more transparency about the government's handling of their personal information. If you look at what we do in PIPEDA, you'll see an example of how we would like to deal with the Privacy Act.

No, we would never jeopardize the protection of personal information nor our relationship with Parliament.

If we could have the possibility of going to Parliament whenever we wanted to, if for example we had done some kind of audit that we thought you should know about, we could kind of turn it around a lot faster and lay it out before you specifically rather than waiting 18 months and saying it's a special report. It would have to be a very big audit to be a special report. So we need something in between.

That's interesting that you quote the Minister of Justice as saying that this power's already there, because in fact my office noted that the Minister of Justice used this recommendation as an example that some of the proposed changes we suggest may be possible. So I don't know. I think he appeared several times. That's more my reading of it.

Yes, we come to slightly different conclusions, but I will answer your question.

The public education mandate is not specifically spelled out in the Privacy Act, again in contradistinction to PIPEDA, a much more modern law. As a consequence of that, I believe that we don't really have the resources for a public education campaign or public education activities in terms of informing Canadians about their privacy rights vis-à-vis the government.

We don't, for example, have specific allotted resources to do research on national security and privacy issues, as we do under PIPEDA, with its specific contributions program that was written right into the law. I distribute grants every year so that people can do research into the impact of PIPEDA on their privacy. I think that would be very useful in terms of developing public policy.

That's the difference. It would make a big difference in terms of what we can do with the broader public.