Information & Ethics Committee on Feb. 23rd, 2009

Unfortunately, I think we don't have the same indicators to measure them, but I think the Canadian government is doing fairly well.

When I make my reports, I focus, of course, and a lot of senior civil servants then get back to me, saying, “We did all these things well, and why are you just focusing on the part that we didn't do well?” Well, that's kind of my role. But overall I think the Canadian government has a good record in personal information handling.

Certainly senior civil servants are very aware of this issue and very sensitive to this issue. I think we're struggling a bit now because we don't have modernized approaches and modernized laws. We need, as I said, a little more leadership from Treasury Board, but then we remember that government and places like the income tax department have been dealing with confidentiality for years and years.

There are some places in the private sector, but not banks.... You can say that banks have been dealing with confidentiality, but they probably haven't been dealing with the sophisticated security issues the public sector has. That may be a bit ahead of them because of the strategic and military experience of the Canadian government.

I think the Canadian government stands up quite well when you look across the world at how various governments use their information, and it stands up well in comparison with our own private sector. It also stands up well in its respect for privacy rights of citizens generally. I'm not saying there aren't things that can be improved, but this traditionally has been an important part of Canadian life.

Mr. Chairman, I'll ask our general counsel to answer that. I think she may have seen more data on that than I have. Thanks.

That's a very good question. This is how it works: Data brokers have become an industry unto themselves. Personal information is now worth money, and it usually passes through many hands. There's not one identity thief, but several: there's the person who collects it, the person who sells it, and the person who makes money off of it. Ultimately you need to get to a valid piece of usually government-issued ID. But to get there, often what's collected is invalid, stolen, or borrowed pieces of personal information that can come from a wide variety of sources. The private sector is often where it originates, but usually identity thieves will need some valid piece or what looks like a valid piece in order to do a legitimate transaction. We have recommended a wide range of approaches, from better personal information handling practices to more restrained collection to disposing of information when you no longer need it, and then, ultimately, to criminal sanctions for the very worst case of identity theft.

Does that answer your question?

I would think it would. I'm looking at my colleague because she supervises the department. I haven't seen the details of it, but I would think if that kind of profiling was going on, it would come out in our audit.

Yes, it is. Now that we have it before the courts, and given that there are so many issues—we just talked about identity theft and other things—it will be interesting to see what happens to this court case. Before you do a review, maybe wait for our audit, and then you will have more information.

As far as I know, we haven't done one. We could go back to the annual reports. Certainly more of this has been reported in the last year. It's gone up in the last few years. But I've heard, anecdotally, for example, from people who were involved in writing the act--senior civil servants who were young civil servants at the time--who said that it had always been the case that the incarcerated population made use of the Privacy Act from its very beginning.

Well, we haven't looked into it. Given the challenges and particularly the backlog of complaints, we try to focus on our own work, but it might be an interesting study for someone to see what has changed in the life of those who are incarcerated such that they increasingly turn to the Privacy Act. However, that is not a question we've asked.

No, I wasn't aware that people were able to ask what information was on the chip and that people had refused to tell them. If we have received complaints on that matter, I am not personally aware of it.

Yes. And that's something they've been planning to do for a long time. It should be noted that the Europeans have had that card for a number of years now. The Europeans appear to have fewer problems with bank card or credit card fraud. They expect that will enhance privacy.