Evidence of meeting #4 for Access to Information, Privacy and Ethics in the 40th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was complaints.
A recording is available from Parliament.
4:35 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Pardon me?
4:35 p.m.
Bloc
Ève-Mary Thaï Thi Lac Bloc Saint-Hyacinthe—Bagot, QC
Is there any uniformity, in the various departments, with regard to information gathering or protection?
4:35 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Practices vary somewhat among the departments and agencies. I can refer you—because it's more recent—to the special report that I made public last week together with the Auditor General. These are two concurring reports. Each commissioner's office has its own mandate, its specific mission, but one of the messages, which was the same in both cases, was the importance of Treasury Board's leadership as the central agency that defines and enacts standards with regard to privacy, training and resources to ensure that what happens to personal information is reported. We said that this leadership left something to be desired and that we expected the Treasury Board to take a firmer, more directive stance and to take a closer interest in what happens to the personal information gathered in the various departments under its responsibility.
4:40 p.m.
Bloc
Ève-Mary Thaï Thi Lac Bloc Saint-Hyacinthe—Bagot, QC
Have you considered common procedures for improving the protection of that information?
4:40 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
We've worked together with Treasury Board in recent years. That's the specific role of the Assistant Privacy Commissioner. Under the act, we cannot stand in for the Treasury Board. I could draw your attention to the fact that, year after year, we say that training for Canadian public servants on privacy matters is inadequate. Staff appears to be overworked, overwhelmed by privacy issues. Authorities do not ensure that people are trained in this area. They don't ensure that a course on privacy is mandatory, as we request.
4:40 p.m.
Bloc
Ève-Mary Thaï Thi Lac Bloc Saint-Hyacinthe—Bagot, QC
I have one final question. Are there any decision-making powers that could be granted to you so that your office could increase protection for citizens' personal information?
4:40 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
A number of critics of my office and of the Personal Information Protection and Electronic Documents Act have said before this committee that they thought the commissioner's office should be a tribunal, as in Quebec, Alberta and British Columbia. I've answered that the present model is fine with me for the moment. I haven't yet explored all I can do under this act. However, toward the end of my term, which is rapidly approaching, I intend to ask that we once again examine this issue of personal information protection in the private sector because Canada is currently the only major country that has a commissioner's office without power of order. However, we can appear in court. That's working very well for us for the moment. However, I think we should take another look at that issue.
4:40 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
Thank you for coming and thank you for the presentation made by your office a week ago. It was a great pleasure for me to talk to you and to hear what you've been doing.
I think Canadians are more interested in this issue, particularly with modern credit card payment methods and innovations by people who want to do bad things. It also has to be acknowledged that they are creative, even though we aren't entirely happy about that creativity.
My questions relate to the four organizations you focused on. You mentioned in 1.1 of your summary that the Office of the Privacy Commissioner examined the key elements of the policy frameworks of Elections Canada, Human Resources and Social Development Canada, Service Canada, and the Canada Revenue Agency. Collectively these institutions manage extensive personal information on just about everybody in Canada. Is that why you selected them for this audit?
4:45 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
No. In fact they were selected by the Office of the Auditor General, who was undertaking an audit for reasons of her own. Her office approached my office and said that given that these particular agencies also have a lot of personal information on Canadians, we might like to do an audit at the same time, from our point of view. Then we could publish a report jointly or together about what we see from two different points of view. That's how it came about.
4:45 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
Okay.
What other agencies did you consider, or did the Auditor General consider, including in this particular audit?
4:45 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
My understanding is that this was it. That was what the Auditor General approached us with. I don't know how her office functions in terms of the audit. Certainly, from my office, we audit various government agencies every year on an ongoing basis. Those are audits we do alone as part of our regular functions.
4:45 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
All right.
Now, I was reading through at point number 1.11 here, on page 7. You indicate that Treasury Board Secretariat monitors all institutions subject to the Privacy Act, through its public accountability instruments. TBS did not rate accountability for privacy as strong for any of the 46 institutions that it recently reviewed. So that's a pretty high failure rate for privacy.
4:45 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I thought it was interesting, because it showed that even TBS agreed with our analysis that accountability for privacy needed to be strengthened in the government.
4:45 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
And to credit TBS, at least they're willing to offer a frank assessment.
4:45 p.m.
Conservative
4:45 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Absolutely.
4:45 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Treasury Board has our recommendations. We are waiting for the results of what is called a policy suite renewal, and we encourage Treasury Board to move on that. That's the continuous updating of privacy management guidelines for departments. Certainly if the government interested itself a lot more in the compulsory training on personal information protection, there would be fewer incidents or problems. There would be a heightened awareness by employees all through the government on this.
If it strengthened what are called its ATIP shops, which share the responsibility for access to personal information and access to other information, and where people—we met with them recently—feel under great pressure because of the interest in their personal information.... I can't speak to access--Mr. Marleau can do that. But certainly Canadians have a heightened awareness of personal information--where it's going, what's being done with it, and so on--and this creates new challenges for many of the workers in this area.
4:45 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
So you think training plays an important role in improving the system?
4:45 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes. I think training is an overlooked key to improving personal information protection. Because a lot of this comes out of the use of technology, I think we tend to use and look for new technology to solve the problem, and of course there's always someone who comes and tells us that if we just buy this technology, it will solve the problem.
But if we look at, for example, the self-reported breaches that come to my office from private sector organizations, some 40% of them have to do with just human error. This happens often in institutions where there's a big turnover of employees, and they don't have enough training, so they just forget. They're doing too many things at once.
To come back to your question, yes, if you trained civil servants better, I think you would reduce the risk to personal information.
4:45 p.m.
Liberal
4:45 p.m.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Thank you, Chair.
When I was last questioning you, Ms. Stoddart, we were talking about the enhanced driver's licence program in B.C., and you listed a number of concerns that you had and that you'd raised about the enhanced driver's licence. Will any of those concerns have been addressed before the program goes into operation in March?
4:50 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
There is, shall we say, an ongoing dialogue, Mr. Chairman. We learned last week that the trial database, which was going to be shared with the United States, or situated in the United States just for the trial of those 500 people who've signed up, was being repatriated into Canada, with the firm assurance that henceforth all personal information of Canadians will be permanently housed in Canada and it will be queried at the border point for the screens of the agents.
But I don't think we have—and I'll ask my colleague to complete this, since she's much closer to this project—enough information for the moment about how the trial is working. There are issues concerning the distance at which you can read this information, how well the sleeve is working, and whether the suggestion of another of my colleagues--to have an on-off switch, so you turn the emitting function on or off at the border--can be taken up in a useful time.
Perhaps my colleague can add something.
