Evidence of meeting #38 for Access to Information, Privacy and Ethics in the 40th Parliament, 2nd session. (The original version is on Parliament’s site, as are the minutes.) The winning word was complaints.
A recording is available from Parliament.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
No, not the problems involving Aeroplan specifically. However, we did discuss these matters a few years ago in one of our conclusions where we said that a credit card company affiliated with a major bank—
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Exactly.
It was transferring data concerning Canadians to the United States for processing. We concluded that since this had been explained when the credit card was obtained, this fell within the parameters of Canadian law and that the company or the bank in question had taken all the measures necessary to prevent illegal access. We know that data in the United States are subject to American laws. So that is how the matter was viewed in the past.
However, I'm not aware of the exact details concerning Aeroplan since this was not brought to our attention either through a complaint or in any other way, to my knowledge.
Be that as it may, I'd like to get back to another part of your question. You asked me if our jurisdiction was being called into question, if I am not mistaken.
I don't think that with regard to this, there are jurisdictional issues. There are in the case of insurance: certain American companies are challenging this. Moreover, when businesses such as Air Canada are concerned, whose head offices are located in Montreal, we collaborate fully with our colleague from the Quebec committee. For instance, one may say to the other that he or she could do this, or that this will be done, or suggest that we undertake action together. Recently, we went to Brussels concerning a matter involving doping standards. The head office of the body responsible for administering the antidoping program is in Montreal.
Bloc
Meili Faille Bloc Vaudreuil—Soulanges, QC
Are you the body responsible for overseeing and certifying this type of action at this time?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
This matter does fall under our jurisdiction since this is an international matter. However, that does not exclude the fact that Quebec could also have jurisdiction over this matter. We want to work in a collegial way with our colleagues. And in the pursuit of friendly relations, we work in a complementary fashion. That is what we do with several provinces.
Bloc
Meili Faille Bloc Vaudreuil—Soulanges, QC
I'd like to focus my question on the information being kept without the consent of citizens. The Canada Border Services Agency has a system known as the Advanced Passenger Information System. When they approach organizations such as the Department of Citizenship and Immigration, the Canada Border Services Agency and the RCMP, it seems that citizens are meeting with automatic resistance when they ask for information. It is only when they threaten legal action or complain that information is suddenly provided to them.
Have you noted an increase in negative first responses due to this resistance of organizations when the time comes to provide information to Canadian citizens?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I am going to ask my colleague to reply because she supervises the administration of complaints in this area. She may have information on this topic.
Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
Indeed there is tension inherent to access and the protection of information, so that in our relations with certain federal agencies in particular, we note greater resistance because they are more concerned with keeping things confidential.
That being said, that is why the Privacy Act exists and why it gives citizens the right to request access. We are there precisely to intervene to facilitate access and decide whether the denial of access is well founded or not.
Bloc
Meili Faille Bloc Vaudreuil—Soulanges, QC
That's fine. I simply want to ask another question.
I want to talk about a similar situation, which is when information is being kept without the consent of citizens. At Citizenship and Immigration Canada, when a permanent resident loses his or her card and requests a replacement or reports that the card has been lost, his name is automatically recorded in a system known as the secondary referral process. This person then finds himself in a system which means that whenever he leaves Canada and returns here, he is automatically searched and an investigation is done.
Have you had a chance to study this system? Do you deplore the fact that there is no way of getting out of this system? This is a system people are placed in automatically. I find this unjust and unjustifiable.
Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
We have not yet studied this system, but I take good note of your comments. This is the type of problem that falls within the purview of our mandate.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Thank you, Chair.
Chair, I wanted to begin by saying that I know there have been some challenges to you personally lately regarding your chairing of this committee, and I want to express my confidence in your work. I believe you serve this committee extremely well and very fairly. I just wanted to begin with that comment this morning.
I want to thank Ms. Stoddart and Ms. Bernier for being here yet again, and also thank you for the work in your annual report. There's a lot going on at the Office of the Privacy Commissioner and some very important work.
I wanted to go through the Minister of Justice's response to the committee on our report and get your observations about some of the points he makes.
The first one is in the fourth paragraph of the Minister of Justice's response to our report, where he responds to the idea of bringing the Privacy Act and PIPEDA in line. He seems to point out that there are two difficulties with that. One has something to do with the legislative mandate, that there's a problem deriving from the authority to carry out mandates from federal statutes, and the other is that there is some requirement around charter compliance.
I wonder if you could comment on those two points the minister makes.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes. Thank you for that question.
Indeed, in reading that, I was very surprised at that reasoning, because while in a sense it is true, yes, that the commercial entities are not covered by the charter, more and more we are looking to try to converge the standards for personal information handling between the public sector and the private sector.
Indeed, I gave you two examples. Australia, which has often served as a model for Canadian law-making because of the similarities in terms of population, history, and constitution between the two countries, is in fact moving to such a converged system. On the other hand, the European Union, as I understand, with the implications of something called the Treaty of Lisbon, is going to move to a system where both of what they call the first and third pillars—that is their government, the European Union, as well as all the commercial activities, which were the basis of the European Union in the beginning—will be covered by the same data protection directives and policies.
So here are two very interesting political entities whose movement, in fact, presents another vision than that put forward by the minister.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
In the sixth paragraph.... I think we've already talked this morning a little bit about this. It's the question about whether you need legislated requirements or if policy is enough. The minister uses the word “obliged”. Do you think “obliged” is a strong enough response to the requirements you saw for changes in the Privacy Act and legislated requirements in certain areas?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Well, “obliged” means departments should do it, but one of the things we've been concerned about is that there's no clear sanction if they don't do it. There are a number of policies. Senior officials will say there are so many policies in the government that it's hard to comply with them all, but we are increasingly concerned about policies that are honoured in the breach. We can talk about the privacy impact assessment policy, PIA. We continuously find that programs that have significant consequences for personal information protection go ahead without a privacy impact assessment. That was the case of the recent do-not-call list put on by the CRTC. That's an obvious one to do a privacy impact assessment on, but it's being done now, after the program has been in force for about a year.
One of the audits that my office did was to see how departments comply with the policy of having to do an annual privacy report. The answer is that they do a kind of so-so job, because it's not seen as something that is essential enough. So I think the distinction between policy and law is an important one, and certainly laws get the attention of a large and busy bureaucracy better than policies.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
In the next paragraph, there's a list of a number of new policies that are in development at the Treasury Board Secretariat. I'm wondering if you're in consultation on the development of any of that policy.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Perhaps I could ask my colleague, because she's actually talking to Treasury Board.
November 19th, 2009 / 9:40 a.m.
Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes, we have regular meetings with them, and indeed, we are working with them on these. We have commented and we have been involved.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Terrific.
In the next paragraph--I've lost track of my numbers here, I think it's the eighth one--there's a line that says, “Law enforcement and security agencies cannot operate in silos and must be able to share intelligence quickly and efficiently.” This is in response to a concern that concerns about privacy really aren't well placed in terms of issues of law enforcement and security. Can you comment on whether or not it's possible to have privacy requirements that are efficient and don't block the transfer of necessary data between law enforcement agencies?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Again, I'll ask my colleague to comment because of her knowledge of national security.
Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
I would go even further than that. I would put to you that greater discipline with respect to privacy will bring greater effectiveness in public safety measures. I would simply give you the example that being disciplined but collecting only relevant personal information will mean that you will have only information that you truly need for your public safety need, and you, at the same time, adopt a minimalist approach, which is the foundation of collecting personal information.
As you may have noticed, the key message was stated by the commissioner in her opening statement of our annual Privacy Act report. We feel that privacy and security go hand in hand. They are not at odds. We can give several examples of how, indeed, the protection of privacy helps discipline and streamline the public safety national security processes, thereby contributing to their effectiveness in addition to respecting fundamental rights.
Liberal
The Chair Liberal Paul Szabo
I want to move on. You are on the second round, Mr. Siksay.
We'll go to Madam Davidson, please.
Conservative
Patricia Davidson Conservative Sarnia—Lambton, ON
Thank you very much, Mr. Chair, and thank you very much, Ms. Stoddart and Ms. Bernier, for being with us today.
I certainly enjoyed reading your annual report. Thank you for that and for the work you're doing through your offices. I think it's an extremely important role. Certainly, Canadians need to feel comfortable that their privacy is being protected, so it's very important that we have these updates and so on.
I'm going to refer to page 1 of your report. You state that the “...report explores two of the most serious threats to privacy today. In two often intertwined themes, we report on the urgent need to integrate privacy protections into state security measures, and on the impact of information and communications technologies on the privacy of individuals.”
Could you explain to us what the privacy impact assessment process is? How do you determine that?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
We ask departments or agencies to look at every step in their proposed program or the proposed measures in the light of the Privacy Act as well as what we call the fair information principles. It has been said to us that strictly speaking these aren't part of the Privacy Act, and that's true, but these are the modern iterations of good data protection standards in the light of their impact on individuals' privacy in terms of keeping the personal information private.
We then look at the assessments that were done. We dialogue with the departments. We make suggestions. We point out where there could be changes. Sometimes the departments will make changes and sometimes they won't.
That's basically the process.