Thank you very much, Mr. Chair.
I want to begin by congratulating you on your recent election as chair of this committee.
Mr. Chair and honourable members, good morning. I'm very pleased to have the opportunity to speak with you first about the two annual reports that we lay before the House of Commons every year.
I'm joined here today by Assistant Privacy Commissioner Chantal Bernier. Madam Bernier is in charge of our day-to-day operations, and she's also a specialist on national security questions, so I appreciate her presence with me today.
I will focus my opening remarks largely on our public sector work, although there were certainly interesting developments on the private sector side as well. The principal focus of our annual report on the Privacy Act for the 2010-11 fiscal year was the federal government's stewardship of the personal information of Canadians. In particular, we looked at privacy in the context of law enforcement and aviation security. The report examined whether departments and agencies collected, used, and disclosed personal information in a way that complies with the Privacy Act. This is of overwhelming importance, given the highly sensitive nature of so much of the personal data that the state needs in order to govern. Indeed, we're talking here about information related to people's income, their taxes and benefits, their travel patterns, and so many other aspects of their lives. This is not information that individuals would necessarily want to turn over. It is simply collected to fulfill the requirements of various government programs or activities.
In the main, I'm happy to say that we found that the Government of Canada has solid policies and practices in place to safeguard the privacy of Canadians, but we also said that the government is obliged to handle the personal information of Canadians with an uncompromising level of care, not some of the time or even most of the time, but all of the time. The fact is that over-collection, misuse, or inappropriate disclosure of sensitive personal information could carry grave consequences for individuals.
Our annual report summarizes two audits that our office conducted during the year. I'm going to summarize them briefly.
In terms of the auditing, we assessed whether the policies and practices of the Canadian Air Transport Security Authority, better known as CATSA, complied with the Privacy Act.
That audit concluded that the agency collects too much information about air travellers and does not always safeguard it properly. In particular, we found that CATSA collected personal data about traveller activities that do not relate to aviation security and that, in some cases, are perfectly legal and legitimate.
For example, CATSA will note when a passenger on a domestic flight is found to be carrying large sums of cash, even though there is no law prohibiting that. The over-collection of data is worrisome because it can result in undeserved suspicion being cast on an innocent person. In addition, our audit turned up gaps in the measures used to safeguard such records.
Indeed, in our spot checks of several major Canadian airports, incident reports were found on open shelving units and on the floor, in the same location where passengers are taken for further screening.
I'll talk a bit now about the RCMP audit. Our other audit looked at the Royal Canadian Mounted Police's management of two operational databases that are widely shared with other police agencies, government institutions, and other organizations.
You may have heard of CPIC, the Canadian Police Information Centre, and PROS, the police reporting and occurrence system. CPIC has been described as the backbone of the criminal justice system. It provides computerized storage and retrieval of information on crime and criminals and is widely used by the law enforcement and criminal justice community. PROS, meanwhile, is the RCMP's police records management system. It contains information on individuals who have come into contact with police, as a suspect, a victim, a witness, or an offender.
Our audit found that, in general, the RCMP has policies and procedures in place to properly govern access to and use of data in CPIC. However, one-third of the agencies that use CPIC were unable, for technical reasons, to implement the necessary protocols that ensure CPIC is accessed only by authorized users.
With respect to the PROS database, we also discovered that some outdated and erroneous personal information was being retained when it should have been sequestered or purged. Specifically, we found that police and other agencies with access to PROS could continue to view records related to cases that had resulted in a wrongful conviction or a conviction for which a pardon had been granted. This contravenes the data retention provisions of the Privacy Act. It also makes it harder for people to get on with their lives, free from the taint of unfair suspicion.
Both CATSA and the RCMP agreed to address our recommendations. We'll follow up to see how these recommendations will be implemented.
Our last annual report to you discussed follow-up work on three audits we conducted during 2008 and 2009. We wanted to see how many of the 34 recommendations we made in those audits had been implemented. We were happy to find that 32 of those recommendations had been fully or substantially implemented in the intervening years.
The results were, in some cases, significant. For instance, a follow-up to an audit on the RCMP's exempt data bank found that tens of thousands of surplus files had been purged to comply with our recommendations.
I will now turn to our 2010 annual report on the Personal Information Protection and Electronic Documents Act, the PIPEDA. The major issues in that report were online privacy and the disposal of personal information.
We highlighted our audit of a major retailer, Staples Canada Inc.—Bureau en Gros Ltée.
What we found was that Staples Business Depot stores fail to fully wipe customer data from returned devices such as laptops and USB hard drives, which were destined for resale.
That was a particularly disappointing finding, as we had already conducted two earlier investigations involving returned data storage devices at Staples and received assurance that the company would fix the problems we identified.
Although some steps have been taken, the audit showed that those procedures and controls were not consistently applied, nor were they always effective.
As a result, consumers' personal information was at serious risk.
At the end of our audit, we asked Staples to provide a report from an independent third party confirming compliance with the recommendations by the end of this June.
We look forward to hearing about how the company has addressed our recommendations.
The report also describes our investigation into Google's collection of highly sensitive data from unsecured wireless networks in neighbourhoods across Canada. The investigation found that Google's Street View cars had inappropriately collected personal information, such as e-mails, user names, passwords, phone numbers, and addresses.
Google's explanation for this serious violation of Canadians' privacy rights was that an engineer had developed code that included lines allowing for the collection of payload data, but failed to flag this to the company lawyer reviewing the project.
We were concerned about Google's lack of control over processes to ensure that necessary privacy protections were followed. We recommended that Google ensure it had a governance model in place to comply with privacy laws. We also recommended enhanced privacy training for Google employees.
There have been significant developments on that file since we published our annual report. Last year we examined the remedial measures Google had put into place following the investigation. We found the company was well on its way to resolving serious shortcomings. However, we did request that Google undergo an independent third-party audit of its privacy program.
We asked Google to share the audit report with our office within a year. We look forward to reviewing the results in the near future.
We've also started to use the approach of requesting third-party audits of companies with other organizations as well.
In conclusion, I've touched on only a very few of the many issues discussed in our two annual reports. I think both reports illustrate the very broad range of privacy issues that can have significant consequences for all Canadians, and the importance of having strong legislation in Canada to protect our privacy rights.
I thank you very much for your attention. I and any members of my staff who may be able to assist me look forward to answering your questions.