Information & Ethics Committee on Feb. 23rd, 2009

Thank you very much, Mr. Chairman.

It's a pleasure to be here again with the committee, our committee. As an agent of Parliament, we report to you.

With me today is Chantal Bernier, who's just joined us as assistant commissioner for the Privacy Act. You may remember

Raymond D'Aoust, who was assistant commissioner. His term ended in September and he was replaced by Ms. Bernier.

Also with me today is Lisa Campbell. I believe you met Lisa Campbell, our acting general counsel. She came up last week. Unfortunately, I had another engagement, briefing a minister, I think, on our upcoming report. She came with Mr. Tom Pulcine, who is just behind me and whom you'll recognize. Also here with me today are two other members of my staff: Éric Charlebois, who is our parliamentary liaison officer, and Ann Goldsmith, who's head of the policy section.

I'd also like to say, Mr. Chairman, that Elizabeth Denham, who is the commissioner for PIPEDA,

the Personal Information Protection and Electronic Documents Act,

is in Calgary this week and unfortunately can't be with us.

Members, Mr. Chairman, you can see that we've supplied you with a fairly thick binder of information about the Office of the Privacy Commissioner, about our statutory responsibilities, and about some of the issues currently preoccupying us, and we hope that you'll find it a useful reference.

As Privacy Commissioner, for those of you who aren't too familiar with what I do, I'm an independent officer of Parliament. I report to Parliament, which means through this committee, through annual reports, or through special reports.

My office, with its 160 employees, is responsible for overseeing two laws: the Privacy Act, which covers federal departments and agencies--this has just been increased through the Federal Accountability Act--and PIPEDA, which is short for the Personal Information Protection and Electronic Documents Act. PIPEDA, which was adopted almost 20 years after the Privacy Act, covers private sector organizations, including retailers, financial institutions, airlines, communication companies, and so on.

The objective of both these laws is to protect the privacy of Canadians by setting out the ground rules for how organizations collect, use, and handle personal information.

I'm going to continue by talking about privacy threats. I would be happy to elaborate later on the philosophical underpinnings of these laws, but suffice it to say that there has never been a greater need for them.

The threats to the privacy of Canadians are real and they are grave. For my Office, a major challenge is the fact that the list of issues we must address is long—and growing longer every day.

Technology, for all its benefits, has created unprecedented threats to privacy. I'm thinking here of surveillance technologies, electronic tracking devices, and biometric scans, among others.

Computer memory has never before been so plentiful and cheap, which makes it incredibly easy, not only to compile information about people, but also to cross-reference it, manipulate it, analyze it, massage it and sell it to the highest bidder.

Many businesses now see detailed personal information as essential to their marketing efforts. Governments are increasingly interested in personal information as part of their national security efforts.

And in recent years there has also been a growing recognition by thieves that they can make a lot of money by stealing names, birth dates, credit cards and other personal information. According to the RCMP, organized crime groups in Canada now see personal information as an important money-maker that complements their more traditional sources of income.

Many of the emerging risks for privacy involve incredibly complex technologies. My office needs to delve into highly technical matters, such as nanotechnologies, genetic technologies, and deep-packet inspection techniques, to name just a few examples.

Later this week my office is appearing before the public safety and national security committee on the review of the DNA Identification Act.

Adding to the complexity is the fact that many privacy issues are now global in nature. “Cloud computing” has entered our vocabulary. Data flashes around the planet literally at the speed of light, which challenges us to ensure that the personal information of Canadians is protected on the other side of the world.

Whatever we do within our borders will never be enough to protect Canadians' privacy abroad. So we work with other countries to develop a basic level of level of data protection around the world. To this end, my office has been a keen participant in a number of international privacy initiatives by the Organisation for Economic Co-operation and Development, or OECD, Asia-Pacific Economic Cooperation, or APEC, and other organizations.

Now I'll move on to the issue of legislative reform.

On the legislative front, you will recall that I appeared before this committee last year to talk about the mandatory review of PIPEDA. I am pleased to report that the process is continuing apace, and I look forward to amended legislation coming forward through Industry Canada in the near future.

I would also like to mention another significant challenge for my Office—the Privacy Act.

As I—and a string of privacy commissioners before me—have pointed out to parliamentarians over the years, this piece of legislation is seriously outdated and in urgent need of reform. To add a bit of perspective, consider this: when that law was passed, the Commodore 64 was a novelty.

Last spring, this committee launched an important review of the Privacy Act. I presented a list of 10 quick fixes that would bring some immediate relief. But, in the long run, the legislation needs a complete overall to bring it in line with the privacy challenges of the 21st century.

I know the committee has heard from many witnesses and I look forward to responding to their comments and speaking further on this issue with you.

In conclusion, reforms to Canada's privacy laws will have to start here, in this committee, with you. I would suggest to the honourable members of this committee that privacy is an issue that should be of concern to all Canadians, regardless of political beliefs.

The threats to privacy that confront Canadians may not always be apparent to the average citizen. Indeed, the risks are often subtle and nuanced. They don't tend to appear all at once, but rather in a stealthy and gradual manner and from many different directions.

Canadians cannot possibly defend themselves against such threats alone. They need a government that sees privacy as a human right and that sees personal information as a commercial asset that must be valued and properly protected.

As an officer of Parliament, my job is to support you in this important role. My office is currently developing materials for householders, such as information on identity theft, to help you talk to your constituents about privacy.

We look forward to working closely with you to ensure that the privacy rights of Canadians are protected, and I welcome your questions.

Thank you.

We do publish a quite extensive cross-tabulation in our annual report.

While my colleague looks for that, perhaps I could say that, generally speaking, relatively few of the complaints are founded under the Privacy Act. It's only a minority of complaints that are founded under that act, which I guess is good news in terms of the privacy practices of most of the organizations. Some are settled in the course of the investigation.

We could give you that information later.

I don't know, Mr. Chairman, that I've seen that specific figure or that we've analyzed it.

That's quite an interesting question.

I'll take it under advisement, yes.

I believe that we do have a few of those a year, but they're a rather rare occurrence, because the releasing department in these cases relies on the public interest override, if it is an issue of community safety or the general public needs to know something about it.

So it's discretionary. Even if somebody does complain, it's up to the department head.

We have not done an analysis of particular issues such as briefing notes being released. As I say, the department heads do have wide discretion under the Privacy Act to release personal information exceptionally when they believe there is a public interest. We'll have to leave it at that.

Could I ask, Mr. Chairman, if the honourable member is referring to our special report on the exempt banks?

Yes.

Mr. Chairman, we did not study the question as to whether the information had been obtained illegally. That is not within our mandate. We just looked at the information and its relationship to the administration of the Privacy Act.

If I may just add to the comment of the honourable member, “exempt banks” doesn't mean they're exempt from us looking at them. That is how we did the report on the exempt banks. That kind of report hadn't been done for a while. It means that the ordinary member of the Canadian public finds that these banks are exempt from their right to access their own personal information for national security reasons. That's how they're exempt.

As far as I know, now there's only one.

No. Project Shock was closed. The Project Shock exempt bank was closed as a result of our audit.

I'd have to get back to you on the exact number.

Mr. Chairman, I would like to ask my colleague Ms. Bernier to respond to the member on that subject, since she is supervising the work on priorities.

Indeed, I've been asked to coordinate the four priority projects, each of which is directed by one person. Simply to give you some background, I'll say that these projects concern respectively technology, developments in genetics, developments in national security policy and identity management.

To answer your question, then, I'm going to tell you about what we're doing specifically with regard to technology. As you'll no doubt understand—the Commissioner moreover said this in her opening remarks— we must be at the forefront of technology and we must very carefully monitor developments with respect to privacy.

What we're doing can be divided into four major components. The first consists in forming the greatest understanding and the greatest possible expertise in technology so that we can truly understand the scope, extent and impact of the various technologies. So we're working on research and training projects on identity systems, technologies such as RFID and on biometrics, for example.

We're also taking part in international work in order to genuinely take advantage of information sharing. In our audits, we're focusing particularly on certain types of communications such as wireless communications. We're also starting an audit at six departments that were selected on the basis of our analytical work to see how wireless communications are managed.

In short, the purpose of our activities is, on the one hand, to develop and broaden our expertise and, on the other hand, to see how federal institutions manage the information retained through technology in order to protect privacy. In this area, I am responsible for the Privacy Act.

We're doing a lot of things. First, we're conducting assessments of the impact certain programs have on privacy, in cooperation with the federal institutions. When they introduce a program that can leave room for an invasion of privacy, they conduct an assessment of it.

For example, one of those ongoing assessments received some media coverage. It was the Canadian Air Transport Security Authority pilot project in Kelowna, in which they used what's called the Integrated Checkpoint System, a machine for viewing passengers with the aid of holographic images. That was reported in the press. The Administration got us involved in it from the outset. We haven't issued a decision or judgment, but we're working with the administration's representatives to assess the impact on privacy.

So this is an upstream job to determine in advance whether a proposed program would be consistent with privacy. That's one of our activities.

We're also proceeding with audit activities. Once a program is in place, we determine whether personal information management is adequate. We also do policy development work, research work and public information work.

With respect to technology, I'll give you a recent example. Two weeks ago, we handed out some awards for videos produced by young people in which they had to show how technology can compromise personal information. It was a contest held in Canada's high schools. Projects were submitted, and we awarded prizes for the best ones. That was one way of making youths aware of the dangers of technology.

There are a host of examples, even though I've just given you a few.

Mr. Chairman, I'm going to supplement my colleague's comments.

For a number of years now, we have urged the Government of Canada to adopt a cyber security policy. We clearly have to have such a policy. I believe that Canada is now one of the only OECD countries without a policy on its cyber infrastructure. That's quite serious.

I would like to point out to you that our office does not have an obligation to protect data. That's up to each department, agency and organization. However, we increasingly take the opportunity to remind them of their responsibility in both the private and public sectors. The two acts, that is to say the Privacy Act and PIPEDA, require that all data be protected from all threats so that it remains confidential. Where there is an attack, we can investigate and suggest remedies. We've done that in a number of cases.

Once again I would ask that my colleague Madame Bernier answer this, since before joining our office--as you probably read--she was assistant deputy minister of public safety. She has a great knowledge of security issues, which means that she was immediately assigned this file. In fact she met with the RCMP in Vancouver, so she can give you a much better description of it than I can, if you would allow that, Mr. Chairman.

Of course.

We have a series of concerns, but they are not concrete in the sense that we have observed some practices that are of concrete preoccupation. However, the question arises obviously from having an intensification of security, which leads to an intensification of the duty to protect privacy. I had a list of questions that I shared with the RCMP in advance of our meeting, which was on February 5. The RCMP met with us for three hours and answered all of our questions.

We asked the RCMP if they have a policy specifically for that occasion, being so exceptional, to protect privacy within the security measures they have to take. Secondly, will they train their officers? Will they ensure that the security, and therefore any intrusion into someone's privacy, not become the norm?

We will also ask them to make sure that any foreign governments will not have access to information they should not have access to. So how are they protecting Canadians' current rights to privacy within this exceptional context?

Their answer, in fact, was much more detailed, but you can see a summary in their own press release of February 4, which was very much based on the questions we had put to them.

On the question of how they were going to manage the information, they said they would ensure that current Canadian laws would be fully, rigorously respected. Their general counsel was there and said that he assumes that responsibility.

In relation to surveillance itself, it will not go beyond what is strictly necessary. For example, one of the concerns we had was the possible overuse of closed-circuit cameras. They said they would be minimal and would be used exclusively as necessary and would be turned mostly towards prohibited zones. Hence, if a person were captured on one of those cameras, it would be because he or she had in fact trespassed. There will be, of course, cameras outside. The RCMP is in a much better place than I am to answer that, but they were saying they would make every effort to be compliant globally. We are engaged with them in a continuing dialogue on that.

They said that the equipment would be on a lease service contract. They would not retain any of the equipment, and therefore they did not feel that this was an issue, that they would not keep the equipment.

They said that they will not keep it. They said that it would be a lease contract, a service contract, and that therefore past the need--the actual Olympics--they would not have that equipment any more.

I can tell you the sense that they gave us is that there would not be a legacy of increased security beyond the need occasioned by the Olympics.

I don't know. I have not seen their budget.

We've actually funded a research project by Queen's University. I've read the draft report. It's being finalized. It will be released, I understand, before the end of March. So if you want, we would be happy to send you a copy. Obviously it's for dissemination.

I have no idea.

Our concerns are very much those of our colleague, B.C. Information and Privacy Commissioner Loukidelis. In fact, we're working together with him and with a number of other provincial commissioners on that. We're concerned at various levels. We continue to be concerned about access to the information. When a Canadian crosses the border, how much information is transferred with him or her? We have concerns about the technology and the extent to which the information can be captured by those other than border service agents. We are concerned about the extent of background checks that go into the issuing of one of these enhanced driver's licences, about how this links into other security issues that we may not know about.

So we're certainly watching this with great interest. We've made some suggestions to the Canadian government in our response on a privacy impact assessment, and we continue to talk about this on an ongoing basis, as the results of the trial will come in soon.

I in fact get a lot of information from the same sources as other Canadians. I may just get specialized information a little sooner from some of the studies that we do. We know that Canadians are very concerned about how their personal information is handled. They're concerned about security. They're concerned about transborder data flows, that information may go to a country that has lower data standards and so on. So that's a constant theme that comes up again and again.

Could you just repeat the second part of your question?

No, I think with what they know now, they're concerned and they're not satisfied with how their personal information is protected. One indicator of that is the tremendous interest in recent years in the work of my office, both in the public and the private sector.

Parents are worried about their children's privacy because the children spend all their time online now. We've got eight million Canadians on Facebook, and it's not clear where their information is going once it's on Facebook. That's one of our ongoing investigations. People are worried about their personal information being stolen. ID theft is rampant, unfortunately. I've mentioned ID theft issues before this committee in the past and have ongoing recommendations that we amend the Criminal Code and that we pass anti-spam legislation.

Canadians who can't afford expensive software updating packages are exposed to a lot of spam. Just on my government computer, I'm told that 98% or 99% of the e-mail we get is spam. The Government of Canada can afford pretty sophisticated spam filters, but it shows you the extent of the global problem. We're the only one of the G-8 countries that has no anti-spam legislation.

So I think Canadians are pretty realistic that they don't have all the privacy protection they need.

Yes, I do.

Yes. Let me try to think of this in reverse order.

In October I travelled to Strasbourg with members of my office to take part in the International Conference of Data Protection and Privacy Commissioners. We had hosted the event in Montreal a year before and had been invited by members of the committee. That conference was opened by the Speaker, Mr. Milliken, which was an honour for us and a link with our parliamentary function. We go to that every year.

Prior to that, outside the country I was with the ministerial delegation of Industry Canada in Seoul, South Korea, in the context of OECD work, where my office has been very active in drawing up cross-border procedures for the sharing of remedies in cases of mismanagement of personal information. I participated on a panel and was part of the discussion among the Canadian delegation.

Prior to that, I was in London giving a speech to an international e-crime conference about the lessons that could be learned from the joint investigation between my office and the office of the Information and Privacy Commissioner of Alberta on the TJX affair, which had to do with hacking into a TJX database and stealing some million credit cards. This had repercussions worldwide. The people are just being brought to justice, but millions of dollars in damages were paid out.

Prior to that, I was at the OECD for a working meeting. I think that's back to last March.

Does that give you an idea of what takes me out of the country?

There are two main things. One is that the Canadian approach is of great appeal. The privacy world is divided into three groups: people who don't have privacy legislation, then there are people who take an approach like the European Union does, and then the approach of the United States, which doesn't have overall privacy legislation. The Canadian version of this blends in both the European and the American approaches. So it's of great interest and great appeal because it adapts itself to many situations and many cultures.

However, that's the good thing. The sometimes depressing thing is the rate to which Canada has fallen behind in its privacy protection and the extent to which we are challenged in enforcing some basic measures. One honourable member raised the question of security. We have no data breach notification legislation, unlike that in most states. We do not have a system that really deters to any extent a lot of misdoing. Within our own government we have a very opaque system of management of personal information that needs to be seriously looked at. The average Canadian has no recourse. If the federal government misuses his or her information, there really is no recourse. You just have a right to get access to your information, but if they've misused your information and made some egregious mistake that causes you harm, as is the case of Mr. Murdoch from Edmonton, you cannot go to the Federal Court or any other court to say I suffered damage to my reputation, my livelihood, and so on.

These are some of the areas in which on the overall approach we're good, and on the details we've fallen seriously behind.

I believe we do, Mr. Chairman. We distributed some in the context of the appearance for the supplementary estimates, so we have that on human resources, which we could distribute to you.

I could.

And we have some material on the backlog.

Yes, to the best of my recollection, Mr. Chairman, I appeared twice. Once was with the director general of elections to talk generally about the use of identifiers and how they were handled in the context of defining who was an eligible voter. That was with the House of Commons committee. Then once the draft legislation was passed, I appeared at a Senate committee, as I remember, with the assistant commissioner from Ontario to express my concern about the full birth identifier, as the Ontario practice was the year only. This is from recollection. We could supplement that for you, but I did express concern about that.

Yes, absolutely. That's what our staff does.

Well, once we had announced our intention to audit and once my staff began to discuss this with the RCMP, they came to the conclusion with us that many years after 9/11--it was set up in the context of 9/11, in the months following 9/11--they didn't need that particular information in an exempt bank and could therefore close it down. So it was in the context of our audit.

I haven't reread our audit report since we launched it, but as I understand it, it was information that was no longer relevant to their needs; it was no longer useful. This was information that they thought might have been of strategic importance in 2001, but certainly isn't now. And it had never been reviewed, so that for most of it, I gather, the exempt status was removed.

I don't know on what particular database Mr. Arar may have been.

I don't know. I simply don't know personal information about who was in the database.

I'd have to look into the report. I don't remember that it was, but it doubtless could have been under Canadian law.

Yes, certainly, we will look into that and get back to you.

I don't recollect that we've had specific complaints or been notified that this is happening at this time. Again, we can check to see, but not that I'm aware of.

Yes, we did an audit in the last year, and I believe the results of that audit will be coming out in our next annual report.

Well, my annual report will be coming out soon.

I believe it is 1,134.

Yes.

These are active files with my office.

If you'll bear with me, I can take you through all that with the greatest transparency. I can do both, but in what order? Would you like me to answer the personnel question or--

Can I start with the good news?

As you recall, the committee took a very direct interest in the human resources state of my office last spring and we said at that time that we were severely understaffed due to a very severe problem of retirement, flow-through, people moving on, etc., in spite of having a fairly generous budget. The figures showed that it was hard to retain employees. At that time my staff and I testified that we had measures in place that would turn those figures around, so I am very happy to tell you that we are now slightly over our quota of employees as requested in the budget. We had about 120 in May and we now have 161, which was our goal.

I'm particularly pleased with the fact that in the various categories where the Government of Canada asks us to make special efforts, we're well over the targets to hire aboriginal people, people with disabilities, and visible minorities. The vast majority of those 124 positions are bilingual positions, so we have a very good cross-section of Canadian society. We did make some progress in the last eight months.

I thank you for your interest, and I think we are in much better shape for the future than we were in a situation of constant staff turnover.

I don't have that figure with me today, but I did see that we're under that now. We have a very low turnover rate and in the last few months we've been well below the general civil service turnover rate.

We currently have 547 PIPEDA investigations and 662 Privacy Act investigations as of the end of January, so we have a few more Privacy Act investigations than PIPEDA.

Yes, they do.

If we look at our last annual report, we received some 759 complaints under the Privacy Act in all, and 248 complaints received were against Correctional Service of Canada. That does not mean that those who made them necessarily were themselves incarcerated at the time. At one point we had a whole flux of complaints by prison guards. But there's a high correlation. So that's over a quarter; that's a third. In the last annual report, a third of complaints were against Correctional Service of Canada.

That is the report for 2007-08.

There is a constant phenomenon, as far back as you can see in the Privacy Act, that one of the huge users of the Privacy Act is the incarcerated population.

Yes, there is unfortunately a backlog. We have decided to opt for the definition of less than one year, in terms of files being backlogged, because I think it was inaccurate and possibly misleading to say they're not assigned, and if they're assigned, that doesn't mean they're going to move, and so on. So we've taken a chronological criterion. In terms of the Privacy Act, of the 633 complaints as of last week, 270 are less than a year old, and the majority—363 complaints—are over a year old.

We do have in place a strategy by which, at the end of this fiscal year, there should be only 320 complaints, and by 2010 the backlog should be eliminated in both acts. So we're on target for reduction.

Yes. Right now, over half of them are over a year old.

It is a very large number. Of the many challenges that my office has dealt with in the last few years, this is the last very serious challenge that is before us. It's a challenge of great magnitude. There's a similar backlog in PIPEDA.

Unfortunately, the backlog is kind of like an iceberg growing. It grows very slowly, but it grows imperceptibly over years, and once you have it, it's hard to get rid of.

The backlog grew over the last few years when there were great administrative challenges at the Office of the Privacy Commissioner. For years, up until now, we have never had a full complement of investigators for various reasons. One was that we couldn't get financing for more investigators until we put our house in order, and that took several years, as you'll remember. A second was that we got the financing for new investigators, but then we were in this turnover mode largely due to the rarity of investigators as a specialized occupational group in the very specific Ottawa labour market. This was combined with the issue of retirement in a certain cohort of people.

However, this fall we have been able to hire 20 investigators as a group, and I think we have a complement of about 42 investigators. We have a whole influx of new people that are being trained in January and February and will start working mid-March. The backlog grew in the past, but I think now, with a full complement of human resources, we can go ahead in the future and attack it successfully.

Thank you.

Standards, with respect to privacy and security issues, are the domain of the Treasury Board, which makes the rules. Our role is as a commentator: we file complaints, we conduct audits. From time to time, we state that there are problems in the management of personal information, but it is up to the departments and agencies to protect and manage their personal information.

Pardon me?

Practices vary somewhat among the departments and agencies. I can refer you—because it's more recent—to the special report that I made public last week together with the Auditor General. These are two concurring reports. Each commissioner's office has its own mandate, its specific mission, but one of the messages, which was the same in both cases, was the importance of Treasury Board's leadership as the central agency that defines and enacts standards with regard to privacy, training and resources to ensure that what happens to personal information is reported. We said that this leadership left something to be desired and that we expected the Treasury Board to take a firmer, more directive stance and to take a closer interest in what happens to the personal information gathered in the various departments under its responsibility.

We've worked together with Treasury Board in recent years. That's the specific role of the Assistant Privacy Commissioner. Under the act, we cannot stand in for the Treasury Board. I could draw your attention to the fact that, year after year, we say that training for Canadian public servants on privacy matters is inadequate. Staff appears to be overworked, overwhelmed by privacy issues. Authorities do not ensure that people are trained in this area. They don't ensure that a course on privacy is mandatory, as we request.

A number of critics of my office and of the Personal Information Protection and Electronic Documents Act have said before this committee that they thought the commissioner's office should be a tribunal, as in Quebec, Alberta and British Columbia. I've answered that the present model is fine with me for the moment. I haven't yet explored all I can do under this act. However, toward the end of my term, which is rapidly approaching, I intend to ask that we once again examine this issue of personal information protection in the private sector because Canada is currently the only major country that has a commissioner's office without power of order. However, we can appear in court. That's working very well for us for the moment. However, I think we should take another look at that issue.

No. In fact they were selected by the Office of the Auditor General, who was undertaking an audit for reasons of her own. Her office approached my office and said that given that these particular agencies also have a lot of personal information on Canadians, we might like to do an audit at the same time, from our point of view. Then we could publish a report jointly or together about what we see from two different points of view. That's how it came about.

My understanding is that this was it. That was what the Auditor General approached us with. I don't know how her office functions in terms of the audit. Certainly, from my office, we audit various government agencies every year on an ongoing basis. Those are audits we do alone as part of our regular functions.

I thought it was interesting, because it showed that even TBS agreed with our analysis that accountability for privacy needed to be strengthened in the government.

Yes.

Absolutely.

Treasury Board has our recommendations. We are waiting for the results of what is called a policy suite renewal, and we encourage Treasury Board to move on that. That's the continuous updating of privacy management guidelines for departments. Certainly if the government interested itself a lot more in the compulsory training on personal information protection, there would be fewer incidents or problems. There would be a heightened awareness by employees all through the government on this.

If it strengthened what are called its ATIP shops, which share the responsibility for access to personal information and access to other information, and where people—we met with them recently—feel under great pressure because of the interest in their personal information.... I can't speak to access--Mr. Marleau can do that. But certainly Canadians have a heightened awareness of personal information--where it's going, what's being done with it, and so on--and this creates new challenges for many of the workers in this area.

Yes. I think training is an overlooked key to improving personal information protection. Because a lot of this comes out of the use of technology, I think we tend to use and look for new technology to solve the problem, and of course there's always someone who comes and tells us that if we just buy this technology, it will solve the problem.

But if we look at, for example, the self-reported breaches that come to my office from private sector organizations, some 40% of them have to do with just human error. This happens often in institutions where there's a big turnover of employees, and they don't have enough training, so they just forget. They're doing too many things at once.

To come back to your question, yes, if you trained civil servants better, I think you would reduce the risk to personal information.

There is, shall we say, an ongoing dialogue, Mr. Chairman. We learned last week that the trial database, which was going to be shared with the United States, or situated in the United States just for the trial of those 500 people who've signed up, was being repatriated into Canada, with the firm assurance that henceforth all personal information of Canadians will be permanently housed in Canada and it will be queried at the border point for the screens of the agents.

But I don't think we have—and I'll ask my colleague to complete this, since she's much closer to this project—enough information for the moment about how the trial is working. There are issues concerning the distance at which you can read this information, how well the sleeve is working, and whether the suggestion of another of my colleagues--to have an on-off switch, so you turn the emitting function on or off at the border--can be taken up in a useful time.

Perhaps my colleague can add something.

I would simply add that indeed it is a work in progress. Last week the privacy commissioners of Canada were together in Ottawa and decided to create a working group precisely to systematically address these concerns together in a concerted fashion.

That's my understanding. It's going on in B.C; it involves 500 volunteers, and it is still being studied.

Yes, it is.

Doubtless there would be in many secure establishments, but I don't know offhand which ones; we haven't inventoried them. But it's getting to be a fairly commonly used technology.

It's an ongoing concern of ours. It was one of the big themes of our annual report about two years ago.

Certainly as RFIDs spread through the marketplace we will be monitoring them very closely. Right now we understand they're being introduced into the merchandise supply chain at the pallet level. That is acceptable to us, if it stays at the pallet level. Let's say goods come from Asia. A certain percentage of them are lost at the dock, in transit, in shipping, with the trucking and so on. They are damaged and can't be used. There's a fair amount of wastage to wholesalers and retailers. We've been told that the RFID would help to individually track each pallet. I also believe there are national security reasons for tracking pallets of goods because you don't know exactly what they contain. That is fine.

The problem is when you break the goods out of the pallets. Let's say there are shoes being sent from Brazil. Do you have an RFID in each shoe so you can account for theft, people walking into the store putting on new shoes and walking out? If so, the privacy implications are enormous. There is one unique identifier in every RFID that can emit your location to a reader. If there's not some way of either preventing the RFIDs going in at an item level or turning the RFID off at the point of purchase securely, you could track where people are going or link it up to the card they paid with.

The one coming up is going to look at how this system was administrated--for example, how many people went through it, the criteria on which they could fly or not fly, how many made use of the recourses in what I think is called the Office of Reconsideration. It's basically how the program is administered from a privacy point of view.

Mr. Chair, could I ask my colleague Lisa Campbell to talk to you about a case we're monitoring in the Federal Court on the do-not-fly list?

It's an interesting case. The name of the case is Hani Al Telbani against the Attorney General of Canada and Transport Canada. It's the first challenge in court, that we know of, to Canada's no-fly list. At the moment they're exchanging documents. An interesting side issue is that the applicant has asked for access to Transport Canada's documents. That's really what's at issue; he wants to know why he was denied boarding a plane. He asked that his name not be published, and the media and the Department of Justice intervened and said that because of the open courts principle his name should appear. He's in an interesting situation of perhaps never knowing why he couldn't get on a plane but his name is associated with this list.

I can't answer that question, Mr. Chairman. I've pointed out many times that the Government of Canada has a very opaque system for sharing personal information with governments abroad. It's one of the recommendations for reform of the Privacy Act.

I think the law talks about an arrangement or an agreement—that's a fairly informal way of agreeing to share personal information, as compared to, for example, placing before Parliament, even just for its notification, all the MOUs with foreign powers as to what kind of information we share. It's really impossible to tell exactly in detail what information is shared.

Yes, that is correct.

I don't believe the Privacy Act places any limits on the kind of information that can be shared abroad.

My report didn't include such a breakdown. Now, the passport office itself may have that kind of breakdown. We were looking at their practices, their approach to protecting privacy. Any particular incidents would be tracked by that agency.

Doubtless one could be by DFAIT. We simply did a sampling of a couple and found this, but we don't have an exhaustive list.

My understanding from the study we did, which focused on personal information protection, was that when we talk about security clearances we talk about them in terms of Canadian standards. This means meeting the independent standard the Canadian government sets rather than simply saying that in another country, if the other country says that they pass their security clearances, they pass Canada's. Again, I think DFAIT could give you the detail you're looking for.

I don't think my office has ever looked into that, no.

Yes, I think with regard to identity theft there's a consensus. What I'm saying is neither new nor original. Identity theft is really one of the huge, serious law-and-order issues facing Canadians. The cost of identity theft has now just skyrocketed. A lot of it is borne by the intermediaries that are the credit card companies and the banks, but I think we have to look at this, because all this adds to the cost of Canadians purchasing goods and services through the use of credit.

There are very few Canadians who have not been the victim of some kind of fraud. And we use the term “identity theft” loosely, from credit card fraud right up to having your house sold out from under you, which has happened to some people. This is, I think, a priority for governments to act on. I've raised this question for a couple of years, and I would hope that this Parliament could return to the necessary amendments to the Criminal Code to help the police crack down on those who collect personal information for wrongful purposes more easily. There was a bill that was introduced, and I think there's one that is being reintroduced. So that is something very concrete that could be done.

Certainly education is important, and we mentioned the brochure we're developing. You can give it to your constituents if you think it would be appropriate. It is about how to prevent identity theft, how to be wary about this. March is fraud prevention month, so we cooperate with fraud prevention, the RCMP, an organization called PhoneBusters, to do a couple of activities. We have things on our website to raise awareness about this phenomenon.

Yes. If I go to the children's online privacy issue, this has been a concern of many privacy advocates, many forward thinkers, for five or six years now, as we watch the Internet companies moving into the huge market representing our children and especially the group called “tweens”, who are about nine to twelve. Some of you may have tweens. They have their own websites that are very lucrative enterprises. They spend a lot of time on these websites. We had funded some research into the privacy implications for children and last June we launched an initiative with our provincial colleagues to really step up the information going to children and going to their parents about what to do and what not to do online.

So we've started our own youth privacy website, which is in conjunction with provincial commissioners, and we've also started a youth privacy blog. And then there's a section for parents on what to know when your kid first starts going online. I think I heard the other day that children are online now at two. As soon as they can recognize a letter, I guess they're online these days. So it has been a big priority for my office in the last year.

Yes, in the three provinces the commissioner administers what is called an administrative tribunal. For those who aren't from a legal background, it's like an informal mini-court specialized in that particular issue. In some of these cases, for example in Quebec, you will have lawyers appearing, arguing the cases. In others, such as in Ontario, most of the cases have what is called a paper hearing. They're done on paper. There can be a combination of both. The parties are named, so it would be Joe Blow against ABC Corporation in terms of how it handled his personal information, and then the decision is made public on the Internet, with “J.B. v. ABC Corporation”. That's how a tribunal works. The commissioner in the tribunal or an adjudicator to whom he or she delegates their authority can then make a binding order--do this with Mr. Joe Blow's information; stop collecting this; put in proper safeguards, things like that. That order can be appealed.

Okay, I can come back.

Yes, I certainly can.

First of all, the backlog is a very serious problem. It's our number one challenge now, and everyone throughout the Office of the Privacy Commissioner is turning their minds to overcoming this.

Yes, but as I indicated, the ways to make it disappear quickly are not there. If you look through the recommendations I made for both of our laws, I would like to have greater discretion as to which cases I have to take and which cases I don't have to take.

There are two phenomena. With respect to the Privacy Act, we have a certain number of people who come several times, who make a complaint every year because they want to know something in general. If we could simply direct them to our website to get the answer there, and so on, we could focus on something that would be of greater benefit to everybody.

This is a bit different from unemployment insurance claims. You either get your unemployment insurance extended or you don't. A lot of people simply want to know things. Some just want to complain about the government taking 31 days to process the complaint, even though they have the answer to the complaint. Those we have to touch with. That's for the public sector. I would like some streamlining of the law, because the administration of Canadian government is very different from what it was 25 years ago.

Yes, and I'm not the only privacy commissioner in Canada to have this problem. Unfortunately, even if you put in the delay at a year, if you don't have anybody to look at this....

I've told you some of the challenges in the public sector. In the private sector, the challenges on some of the issues are so technologically complicated that they will need five or six people and a tremendous amount of technical assistance.

Look at the Facebook complaint, for example. There are apparently seven million Canadians on Facebook. One organization made a complaint about some of its fundamental operations, its pretty basic operations. You can imagine that we have quite a few people on the Facebook complaint, because it's relevant to so many people. Those are just some of the challenges.

Unfortunately, I think we don't have the same indicators to measure them, but I think the Canadian government is doing fairly well.

When I make my reports, I focus, of course, and a lot of senior civil servants then get back to me, saying, “We did all these things well, and why are you just focusing on the part that we didn't do well?” Well, that's kind of my role. But overall I think the Canadian government has a good record in personal information handling.

Certainly senior civil servants are very aware of this issue and very sensitive to this issue. I think we're struggling a bit now because we don't have modernized approaches and modernized laws. We need, as I said, a little more leadership from Treasury Board, but then we remember that government and places like the income tax department have been dealing with confidentiality for years and years.

There are some places in the private sector, but not banks.... You can say that banks have been dealing with confidentiality, but they probably haven't been dealing with the sophisticated security issues the public sector has. That may be a bit ahead of them because of the strategic and military experience of the Canadian government.

I think the Canadian government stands up quite well when you look across the world at how various governments use their information, and it stands up well in comparison with our own private sector. It also stands up well in its respect for privacy rights of citizens generally. I'm not saying there aren't things that can be improved, but this traditionally has been an important part of Canadian life.

Mr. Chairman, I'll ask our general counsel to answer that. I think she may have seen more data on that than I have. Thanks.

That's a very good question. This is how it works: Data brokers have become an industry unto themselves. Personal information is now worth money, and it usually passes through many hands. There's not one identity thief, but several: there's the person who collects it, the person who sells it, and the person who makes money off of it. Ultimately you need to get to a valid piece of usually government-issued ID. But to get there, often what's collected is invalid, stolen, or borrowed pieces of personal information that can come from a wide variety of sources. The private sector is often where it originates, but usually identity thieves will need some valid piece or what looks like a valid piece in order to do a legitimate transaction. We have recommended a wide range of approaches, from better personal information handling practices to more restrained collection to disposing of information when you no longer need it, and then, ultimately, to criminal sanctions for the very worst case of identity theft.

Does that answer your question?

I would think it would. I'm looking at my colleague because she supervises the department. I haven't seen the details of it, but I would think if that kind of profiling was going on, it would come out in our audit.

Yes, it is. Now that we have it before the courts, and given that there are so many issues—we just talked about identity theft and other things—it will be interesting to see what happens to this court case. Before you do a review, maybe wait for our audit, and then you will have more information.

As far as I know, we haven't done one. We could go back to the annual reports. Certainly more of this has been reported in the last year. It's gone up in the last few years. But I've heard, anecdotally, for example, from people who were involved in writing the act--senior civil servants who were young civil servants at the time--who said that it had always been the case that the incarcerated population made use of the Privacy Act from its very beginning.

Well, we haven't looked into it. Given the challenges and particularly the backlog of complaints, we try to focus on our own work, but it might be an interesting study for someone to see what has changed in the life of those who are incarcerated such that they increasingly turn to the Privacy Act. However, that is not a question we've asked.

No, I wasn't aware that people were able to ask what information was on the chip and that people had refused to tell them. If we have received complaints on that matter, I am not personally aware of it.

Yes. And that's something they've been planning to do for a long time. It should be noted that the Europeans have had that card for a number of years now. The Europeans appear to have fewer problems with bank card or credit card fraud. They expect that will enhance privacy.

No.

No. I imagine there are unique identifiers because it has to be activated with a PIN, which makes it possible to confirm that it's indeed the person to whom the card was issued who is using it, as is done in Europe.

No.

I'm saying that, personally, I don't know, but I imagine the Department of Foreign Affairs and International Trade has an idea. There's also a publication entitled “Info Source”, which is a list of all government data bases. In my opinion, “Info Source” doesn't provide us with very useful information. It's simply a list of which we don't understand much.

I'm sure that someone in the federal government knows with whom we're exchanging personal information, country by country, but it's not me.

Certainly, but I suggested in the report I prepared on the need to improve the Privacy Act that these kinds of agreements should be submitted to Parliament.

No.

They are made party to party between the officials responsible for the files.

No, Parliament isn't aware of it.

Exactly, the two countries can enter into a party-to-party agreement to exchange certain lists of personal information, which is perfectly legal under the present act, and there is no obligation to publish details.

We are calculating right now, if all things stay equal in our model, we should be able to eliminate that backlog by the first quarter of 2010.

Thank you for that question.

In fact we're redoing our process, because we're trying to push the limits of the present legislation a bit. We don't have a lot of discretion, but we do have some. Given the number of privacy challenges for Canadians, we want to make sure we get to the most significant ones first, while not neglecting any and maybe giving a shorter treatment time to the ones that may be less significant in terms of a general privacy policy.

As for the human resources, I'm very grateful for the human resources that we have now and I'm very happy that we've been able to hire some very able people. However, as you know, Ottawa is a hot market for talented people, and there is a challenge in retaining very bright people in a small agency where the opportunities for promotion are not those of a large department. That's just one of the challenges I have to deal with.

Another challenge in terms of human resources is that it's not just the numbers. I think the number I have is fine; it's training them. It's also being able to classify them within a very rigid system of classification that dates back several generations, because you're looking at people who have radically new skill sets to understand the new technologies and then translate them into what should be government action.

Yes, I do.

Yes, we've completed that, and it's been piloted, as I understand, starting maybe a week or two ago. It's on its pilot runs.

This is part of our plan to maybe do a smarter handling of complaints, trying to give them the treatment they deserve in terms of their significance, their weight, of what they can add to our knowledge of privacy, trying to mediate complaints up front so that they don't go on and turn into a backlog, and do things, if we can, within 90 days.

We're doing some other things with the private sector. For example, if people have a complaint against a bank—and I'll use the bank because we all have several bank accounts and there are a lot of complaints against banks—we would ask if they have contacted the bank's chief privacy officer to see if they could settle this. Often the people have, so with the banks and other major respondents, like Air Canada and so on, we direct the people back to those organizations. That's now also increasing the rate of settlement.

Those are some examples of how we're putting this grid to work.

The other fixes? I'll just try to find them for you, because we have quite a few other ones. I'll just go down it, because this is a distillation of what is in a long paper that we published in 2006, and it's also a distillation of what some of the many expert witnesses say to you.

It says to look at clarifying in the Privacy Act government obligations regarding outsourcing and public-private partnerships, the delivery of service and programs, something that the Privacy Act doesn't speak to, outsourcing generally. And look at security arrangements. The Privacy Act per se does not obligate departments and agencies to make appropriate security arrangements. We say this is part of confidentiality and privacy. In PIPEDA we do talk about specific security arrangements. That would be another thing.

There are the questions some of the honourable members have been raising about the national security oversight framework. So what is the transparency, the accountability oversight over some of the national security agencies—the RCMP, CSIS, CSE, and so on. These were some of the recommendations we made to the O'Connor inquiry about oversight in the use of personal information in the RCMP, which have not been taken up for the moment.

I'm just going down the list to give you a flavour.

We believe that there may be other agencies and government bodies that should be subject to the Privacy Act. I was very happy that the Federal Accountability Act covered more agencies, but we think that there may be a few more that we could find if their activities were reviewed.

Access to people's personal information has come up in our dealings with the European Union. Actually, you have to be a Canadian citizen or present in Canada to avail yourself of your rights under the Privacy Act. This is a bit embarrassing when we're dealing with transborder data flow, API/PNR, agreements with the European Union. Now, we have—and I have been consulted on this—agreed that if European people, for example, flying into Canada had a complaint about the use of their API/PNR, CBSA would investigate, and then I would treat it as a complaint, although strictly speaking it doesn't fall within the Privacy Act.

Mr. Chairman, I picked the ten quick fixes on the advice of my staff because I thought they were important but also fairly easy and less multilateral; there were fewer multilateral implications of addressing them.

I know that the amendments to the Privacy Act are a long and contentious road to set out on, so if I could refer you to those ten recommendations, I think they still stand. They would be a net improvement, but they would be easier to implement than some of these others. You can imagine it for extending access rights and so on.

Yes.

Agreed.