Information & Ethics Committee on Nov. 19th, 2009

Good morning, Mr. Chairman.

Thank you very much, Mr. Chairman.

Could I begin by simply informing the committee that the group of people accompanying me are on one hand some staff members who in the years they have worked at the Office of the Privacy Commissioner have never attended a hearing of the Privacy Commissioner. We realized, perhaps belatedly, that it was very important for them to see what happened and what the interaction was.

Moreover, as I was explaining to the chairman, we have Mr. Allassani Ouédraogo from the National Commission for the Protection of Data of Burkina Faso, which is now the first commission accredited according to African international standards. Mr. Ouédraogo is here with us in Ottawa to see what we do here and possibly to learn from us since both of our countries are members of the Francophonie.

Thank you very much.

Thank you.

On Tuesday, Assistant Commissioner Bernier and I had the privilege of presenting to Parliament our latest annual report on the Privacy Act. I believe it is an important document for all Canadians because it highlights some vital developments and future trends in public sector privacy. Through the lens of the audit and review and the complaints investigation work of my office during the 2008-09 fiscal year, the report explores the privacy challenges posed by two broad societal influences: national security initiatives and technology.

I will touch on key highlights of the report in a moment, and then I propose to share a few thoughts on the unresolved matter of Privacy Act reforms. First, though, I would like to underscore the principal message that emerged from our annual report.

That message is that privacy rights should not be at odds either with public security or with the use of information technology. On the contrary, we contend that measures to respect privacy must be integral to all these new developments.

First of all, I'd like to talk briefly about the FINTRAC audit. In this annual report, my office reports on what we discovered in privacy audits of two major national security initiatives: the passenger protect program, better known to Canadians as the no-fly list; and FINTRAC, the Financial Transactions and Reports Analysis Centre of Canada. Our FINTRAC audit found that the agency generally has a robust and comprehensive approach to securing the personal information of Canadians. However, our examination of the sample of files in FINTRAC's database turned up personal information that the centre did not need, use, or have the legislative authority to collect. In some cases, in fact, reports existed absent even a shred of evidence of money laundering or terrorist financing. Clearly, excess personal information should not be making its way into the FINTRAC database.

One of our key recommendations was that FINTRAC do more work with reporting organizations to ensure that it does not acquire personal data beyond its mandate. After all, it is a bedrock privacy principle that you collect only the personal information you need for a specific purpose.

Aside from the recommendation on data collection, we also called on FINTRAC to delete permanently from its holdings all information that it did not have the statutory authority to receive. We recommended that FINTRAC analyze all Proceeds of Crime (Money Laundering) and Terrorist Financing Act guidance issued by its federal and provincial regulatory partners to ensure that such guidance does not promote client identification, record keeping, or reporting obligations that extend beyond the requirements of the act.

We were very pleased that FINTRAC accepted 10 of our 11 recommendations. We had recommended that it strengthen its information sharing agreements with foreign financial intelligence partners by including mandatory breach notification and audit provisions, but the centre maintained that its efforts in this area were sufficient.

I am now going to discuss our Passenger Protect Program audit. A second audit summarized in the annual report relates to our examination of the Passenger Protect program. In general, we found that Transport Canada collects, uses and discloses personal information related to the program in a way that safeguards privacy. We did, however, identify a few gaps.

One related to the information that officials supply to the deputy minister, who is ultimately responsible for adding to or removing people's names from the no-fly list or Specified Persons List.

In light of the serious consequences flowing from every one of these decisions, we found that officials have not always provided the deputy minister with all the relevant information on which to base a sound decision.

Our audit also revealed that Transport Canada had not verified that airlines were complying with federal regulations related to the handling of the Specified Persons List. The risk of a breach was especially high for the handful of air carriers that relied on paper copies of the list. Further, we found that air carriers were not obliged to report to Transport Canada security breaches involving personal information related to the no-fly list.

The audit also found that the computer application used to provide air carriers with information on the no-fly list was not subjected to a formal certification and accreditation process designed to ensure the security of sensitive personal information.

We were, however, pleased that Transport Canada responded positively to all our recommendations.

We'd like to now turn to investigations and inquiries.

The annual report we presented to you this week also includes details of our engagement with Canadians through our public inquiries and complaints work.

Over the 2008-09 fiscal year, my office received more than 12,000 calls and letters from Canadians concerned about privacy issues.

With respect to concerns focused on the public sector, we received 748 complaints in 2008-09, down slightly from the previous year. The most common complaints related to problems people encountered in accessing their personal information in the hands of the federal government and to the length of time it was taking departments and agencies to respond to access requests.

In analyzing our caseload, we noted that technological glitches can have an extraordinary impact on the privacy of Canadians. For instance, we found that a hacker, using amateurish off-the-shelf software, was able to penetrate a computer at Agriculture and Agri-Food Canada, exposing about 60,000 personal data records of farmers using a federal loan guarantee program. But we were equally disturbed to discover, 26 years after the passage of the Privacy Act, that too many data breaches could still be traced to decidedly low-tech origins, from a briefcase left on an airplane to the careless mishandling of sensitive documents.

That said, I want to underline that the vast majority of public servants we have worked with across the government do take privacy issues very seriously.

I will now talk about the challenge the backlog presents. In all, our office was able to close 990 complaints files related to the Privacy Act during the fiscal year, up almost 13% from the previous year.

You will notice that we closed more files than we opened. That is due to a concerted effort to tackle a significant backlog of cases, which had driven up our treatment times from an average of about 14 months in 2007-2008 to 19.5 months in 2008-2009.

Our backlog challenge was exacerbated over the past fiscal year when we decided to redefine when a file is deemed to be in backlog, to more accurately reflect how long Canadians actually have to wait for service.

As a result of the redefinition, 575 files were backlogged in April 2008. Fortunately, through a significant re-engineering of our systems and processes, we managed by the end of the fiscal year to cut that number down by 42% to 333 cases. We are on track to eliminate it altogether by next March.

I will now discuss the Privacy Act reform. Over the past year, my office and this committee have also continued to work toward the modernization of the Privacy Act, to ensure it properly protects the fundamental right to privacy in the digital age. Reform of this statute is essential to meet the modern privacy needs of Canadians. And yet, despite our efforts and those of this committee, I confess to a measure of disappointment when it comes to the government's response to this committee's report of last June.

As we all know, Mr. Chair, updating antiquated privacy legislation and ensuring that privacy principles apply uniformly to the public and private sectors is becoming increasingly urgent in this globally interconnected era. Indeed, other industrialized democracies have already recognized this imperative. Australia, for instance, is rewriting its federal privacy laws so as to create a single set of principles covering government agencies and businesses alike, address emerging technologies, and introduce consistent new provisions on cross-border data flows.

The European Commission has announced that it will be re-examining its 1995 directive to see whether it is still capable of fostering the level of data protection required for the modern technological era. In light of the fact that our own Privacy Act is 12 years older, we can no longer ignore the need to make significant updates to our own law in order not to be left behind.

In summary, Mr. Chairman, I would like to end with a few words about the work of my office as we continue to move through 2009 and 2010.

I can tell you that we're already deeply engaged in several key files, all of them with significant impacts on the privacy of Canadians. Notably, with the 2010 Winter Olympic and Paralympic Games just around the corner, the challenge of integrating privacy and security will come to a head in an unprecedented way. We have already engaged security officials in a constructive dialogue to build privacy considerations into their security measures.

At the same time, we are taking a close look at Citizenship and Immigration Canada's plans to roll out initiatives using biometric information. For example, CIC is collecting fingerprint data from refugee claimants and is sharing it with other countries.

And we will continue to make known our views about Bill C-46 and Bill C-47, legislation to oblige wireless, Internet, and other telecommunications companies to make subscriber data available to authorities, even without a warrant.

Since the terrorist attacks of 9/11, Canada has seen a proliferation of new national security programs, many involving the collection, analysis, and storage of personal information. We fully appreciate that the underlying aim of many security programs is to protect Canadians. But as we will continue to remind Parliament and Canadians at every opportunity that it is critical that privacy protections be integrated into all such initiatives at the outset.

Thank you very much, Mr. Chairman and members of the committee. My colleague and I welcome your questions.

My recollection is that we were consulted several times on this. This dates back a certain time, but we certainly were consulted on it. In fact, we are regularly consulted on the development of Treasury Board guidelines that have to do with personal information protection. We have an ongoing relationship with that unit, which is usually under the supervision of my colleague Chantal Bernier.

No, we don't. We're happy that there are policies, but policies are not law and policies are often of uneven application. It's clear, if it is a policy, that as a policy it's not quite as compulsory. A lot of our efforts--to which this committee has been a partner--are taking some of these existing policies and saying that if this is government policy, why couldn't it be in an updated Privacy Act?

I take the example of what's happening in Australia. One of the policies you mentioned about criteria for sending across borders personal information of Canadians held by the government and its agencies is one of the things that are going to be integrated into the new Australian privacy law.

We could provide that to you.

My colleague is just checking the list to see if we see any.

I'd be surprised if there were or, if there were, if there was more than one, because, as you say, people don't know when their information is there. And people in national security have pointed out to me that if you suspect you're in there, the last thing you want to do is draw public attention to yourself by making a complaint.

So we don't see any this year.

It would be hard for me to answer that accurately right now, so again I'll get back to you on that, because I may be confusing CSIS and CSE. We did some preliminary checking—perhaps it was with CSIS, as I remember—and the preliminary analysis suggested that everything was correct in terms of personal information handling issues. But let me get back to you to be completely accurate.

I certainly don't, and I don't know that my mandate would give me the authority to ask exactly what their protocols are.

My colleague has worked in national security for a while.

Can you respond?

What I was going to add is that in fact this goes to one of our recommendations that there be a reform of the Privacy Act to put clearer definition as to how personal information can be shared with foreign governments. We agree with you that this area would deserve some attention.

Yes. There is an oversight authority over CSE who used to be a retired judge of the Supreme Court. I'm just trying to think...Monsieur Gonthier, but he just died recently. So there is some oversight built into it. And we met with Mr. Justice Gonthier about two years ago. He just wanted to be sure that he was applying the Privacy Act the same way as we were. So I found that was very positive. But he of course didn't tell us about his work because it's highly confidential and top secret.

So there is an authority, though, who does oversee some of the work of CSIS.