Evidence of meeting #34 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was audit.
A recording is available from Parliament.
NDP
The Chair NDP Pierre-Luc Dusseault
Good morning, everyone.
I want to thank Ms. Stoddart and Ms. Bernier for joining us today.
As you have seen, based on today's agenda, the first hour will be set aside for the two reports. The first is the 2010 annual report on the Personal Information Protection and Electronic Documents Act, and the second is the Privacy Commissioner of Canada's 2010-2011 annual report.
NDP
Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC
Mr. Chair, I would like to take a moment to announce to the committee and the clerk that today I will put forward a motion I would like us to debate next Tuesday. The motion asks that Claude Benoît, President and CEO of the Old Port of Montreal Corporation, appear in order to justify the corporation's expenditures and the way its budget is managed with regard to a number of aspects—including travelling and meals. I just wanted to inform the chair, the clerk and the whole committee that this motion will be moved today.
NDP
The Chair NDP Pierre-Luc Dusseault
Thank you. You can submit your notice of motion to the clerk if you have it with you, and we can discuss it eventually, given the required 48-hour notice.
So, we will spend the first hour of our meeting discussing the two reports produced by the commissioner. The second hour will be used to discuss the main estimates.
I yield the floor to Ms. Stoddart for a ten-minute presentation on the two reports.
Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada
Thank you very much, Mr. Chair.
I want to begin by congratulating you on your recent election as chair of this committee.
Mr. Chair and honourable members, good morning. I'm very pleased to have the opportunity to speak with you first about the two annual reports that we lay before the House of Commons every year.
I'm joined here today by Assistant Privacy Commissioner Chantal Bernier. Madam Bernier is in charge of our day-to-day operations, and she's also a specialist on national security questions, so I appreciate her presence with me today.
I will focus my opening remarks largely on our public sector work, although there were certainly interesting developments on the private sector side as well. The principal focus of our annual report on the Privacy Act for the 2010-11 fiscal year was the federal government stewardship of the personal information of Canadians. In particular, we looked at privacy in the context of law enforcement and aviation security. The report examined whether departments and agencies collected, used, and disclosed personal information in a way that complies with the Privacy Act. This is of overwhelming importance, given the highly sensitive nature of so much of the personal data that the state needs in order to govern. Indeed, we're talking here about information related to people's income, their taxes and benefits, their travel patterns, and so many other aspects of their lives. This is not information that individuals would necessarily want to turn over. It is simply collected to fulfill the requirements of various government programs or activities.
In the main, I'm happy to say that we found that the Government of Canada has solid policies and practices in place to safeguard the privacy of Canadians, but we also said that the government is obliged to handle the personal information of Canadians with an uncompromising level of care, not some of the time or even most of the time, but all of the time. The fact is that over-collection, misuse, or inappropriate disclosure of sensitive personal information could carry grave consequences for individuals.
Our annual report summarizes two audits that our office conducted during the year. I'm going to summarize them briefly.
In terms of the auditing, we assessed whether the policies and practices of the Canadian Air Transport Security Authority, better known as CATSA, complied with the Privacy Act.
That audit concluded that the agency collects too much information about air travellers and does not always safeguard it properly. In particular, we found that CATSA collected personal data about traveller activities that do not relate to aviation security and that, in some cases, are perfectly legal and legitimate.
For example, CATSA will note when a passenger on a domestic flight is found to be carrying large sums of cash, even though there is no law prohibiting that. The over-collection of data is worrisome because it can result in undeserved suspicion being cast on an innocent person. In addition, our audit turned up gaps in the measures used to safeguard such records.
Indeed, in our spot checks of several major Canadian airports, incident reports were found on open shelving units and on the floor, in the same location where passengers are taken for further screening.
I'll talk a bit now about the RCMP audit. Our other audit looked at the Royal Canadian Mounted Police's management of two operational databases that are widely shared with other police agencies, government institutions, and other organizations.
You may have heard of CPIC, the Canadian Police Information Centre, and PROS, the police reporting and occurrence system. CPIC has been described as the backbone of the criminal justice system. It provides computerized storage and retrieval of information on crime and criminals and is widely used by the law enforcement and criminal justice community. PROS, meanwhile, is the RCMP's police records management system. It contains information on individuals who have come into contact with police, as a suspect, a victim, a witness, or an offender.
Our audit found that, in general, the RCMP has policies and procedures in place to properly govern access to and use of data in CPIC. However, one-third of the agencies that use CPIC were unable, for technical reasons, to implement the necessary protocols that ensure CPIC is accessed only by authorized users.
With respect to the PROS database, we also discovered that some outdated and erroneous personal information was being retained when it should have been sequestered or purged. Specifically, we found that police and other agencies with access to PROS could continue to view records related to cases that had resulted in a wrongful conviction or a conviction for which a pardon had been granted. This contravenes the data retention provisions of the Privacy Act. It also makes it harder for people to get on with their lives, free from the taint of unfair suspicion.
Both CATSA and the RCMP agreed to address our recommendations. We'll follow up to see how these recommendations will be implemented.
Our last annual report to you discussed follow-up work on three audits we conducted during 2008 and 2009. We wanted to see how many of the 34 recommendations we made in those audits had been implemented. We were happy to find that 32 of those recommendations had been fully or substantially implemented in the intervening years.
The results were, in some cases, significant. For instance, a follow-up to an audit on the RCMP's exempt data bank found that tens of thousands of surplus files had been purged to comply with our recommendations.
I will now turn to our 2010 annual report on the Personal Information Protection and Electronic Documents Act, the PIPEDA. The major issues in that report were online privacy and the disposal of personal information.
We highlighted our audit of a major retailer, Staples Canada Inc.—Bureau en Gros Ltée.
What we found was that Staples Business Depot stores fail to fully wipe customer data from returned devices such as laptops and USB hard drives, which were destined for resale.
That was a particularly disappointing finding, as we had already conducted two earlier investigations involving returned data storage devices at Staples and received assurance that the company would fix the problems we identified.
Although some steps have been taken, the audit showed that those procedures and controls were not consistently applied, nor were they always effective.
As a result, consumers' personal information was at serious risk.
At the end of our audit, we asked Staples to provide a report from an independent third party confirming compliance with the recommendations by the end of this June.
We look forward to hearing about how the company has addressed our recommendations.
The report also describes our investigation into Google's collection of highly sensitive data from unsecured wireless networks in neighbourhoods across Canada. The investigation found that Google's Street View cars had inappropriately collected personal information, such as e-mails, user names, passwords, phone numbers, and addresses.
Google's explanation for this serious violation of Canadians' privacy rights was that an engineer had developed code that included lines allowing for the collection of payload data, but failed to flag this to the company lawyer reviewing the project.
We were concerned about Google's lack of control over processes to ensure that necessary privacy protections were followed. We recommended that Google ensure it had a governance model in place to comply with privacy laws. We also recommended enhanced privacy training for Google employees.
There have been significant developments on that file since we published our annual report. Last year we examined the remedial measures Google had put into place following the investigation. We found the company was well on its way to resolving serious shortcomings. However, we did request that Google undergo an independent third-party audit of its privacy program.
We asked Google to share the audit report with our office within a year. We look forward to reviewing the results in the near future.
We've also started to use the approach of requesting third-party audits of companies with other organizations as well.
In conclusion, I've touched on only a very few of the many issues discussed in our two annual reports. I think both reports illustrate the very broad range of privacy issues that can have significant consequences for all Canadians, and the importance of having strong legislation in Canada to protect our privacy rights.
I thank you very much for your attention. I and any members of my staff who may be able to assist me look forward to answering your questions.
NDP
The Chair NDP Pierre-Luc Dusseault
Thank you very much, Ms. Stoddart.
Mr. Angus has seven minutes to ask questions about your presentation.
Charlie Angus NDP Timmins—James Bay, ON
Thank you, Mr. Chair.
Madam Stoddart, thank you for your excellent reports. In our business we read many reports. Often it seems reports are just data, but sometimes we come across a report like yours, which has a clear vision of the issues of privacy, the state's role, and the rights of the individual. I think it's a very powerful statement.
You state that security and privacy are not opposing values. You also state:
...the state also has an obligation to treat individuals with respect—to preserve their dignity and to safeguard their personal information.
This is not a mere frill or a “nice-to-have”; it is fundamental to the trust relationship that must exist between citizens and their government.
I think that's a very clear and powerful manifesto with which Canadians would agree. The question is how to ensure that this trust relationship is not eroded.
I'm particularly concerned, for example, with Bill C-30 and the lack of protocols that will exist in terms of being able to collect and hold personal data. People have raised concerns about Bill C-30. I know that you've raised concerns. The minister, Vic Toews, said that people who raise concerns are on the same side as the child pornographers, which I find to be a very offensive statement about the issue of privacy.
What are your concerns about the lack of protocols in Bill C-30 to protect the privacy rights of citizens?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Thank you very much for that question, honourable member.
In fact in the last few years we've been focusing increasingly on matters of national security and the maintenance of privacy rights because of the various new programs that have been developed.
We published a document that's available on our website called “A Matter of Trust”, which sets forth the principles that we apply and that have been approved over the years within our country and by our courts, in terms of privacy principles and to the extent to which they have been respected. We hope that's a kind of blueprint or a series of suggestions for developing programs on the one hand and for telling Canadians what they can expect on the other hand.
In terms of C-30—in fact, I recently noted in going back over some material—I believe this was introduced under another name and title as far back as April 2009. So for not less than three years we have been commenting on this, both formally and informally. We've been meeting with department officials, and we remain very concerned with the architecture of the bill. Notably—and we have not changed what we've been saying for the last three years—it's with the ability to get personal information of Canadians without authorization, the fact that there is not a proper oversight framework, and that Canadians would remain largely unaware of what is going on.
While we do understand that technology and the access to very complex and efficient technology on the part of people who wish to do no good has complicated the work of our law enforcement forces in Canada, we think we need to see a clear explanation to the public to understand why new enhanced powers would be needed. Once that explanation has been done, we expect to see in any further iteration of the law—or we would hope to see—a more complete supervision framework as well as a role for independent authorization of access to personal information.
NDP
Charlie Angus NDP Timmins—James Bay, ON
Thank you.
You state in your report that “Personal information is available...in unprecedented amounts, and the state's appetite for it is voracious.” It's a very strong statement, so I think with the issue of Bill C-30 there's a concern. But the appetite of private companies for our personal information is equally voracious. I'm concerned about the protocols around how that privacy information is collected, and I see it from your audits of Google and Staples.
But I'm looking at Bill C-12 and the issue of security breaches and the provisions that exist right now—or the lack of provisions—and then the very loosey-goosey provisions the government is bringing in. If someone's data has been compromised, right now under this bill they say if there's significant harm they're obliged to tell the consumer. Significant harm seems to me to be an extremely high bar to set, given that a company is not going to really want to tell consumers that somebody was peeking at their data; they're going to quit the account.
How do you feel Canadians should be protected? Should the breaches be reported to you so that you can set the bar? Should we allow private industry to decide whether or not there's been significant harm? How do we ensure a balance? Is this something that should be reported back to you so you can make that declaration?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes. That's another important question that my office is looking at. In fact, I've expressed my concerns with those parts of Bill C-12 that deal with data breach protection. I think in the time that we've been aware of the magnitude of the data breaches that are happening—both within Canada and outside of Canada—to Canadians' information as it circles the globe...we need stronger provisions in C-12.
I'm concerned if Canada does not set a higher bar—including looking at sanctions for companies that do not take necessary steps to protect personal information—we will have fallen well behind the actual practice in many American states, of countries abroad, like the U.K., where fines are imposed for data breaches. They're mostly to public sector organizations, it seems.
I think we have to send a strong signal—and I sent this a year ago to companies—that data breaches are not acceptable. Some may be almost unavoidable because of the cutting-edge technology and so on, but many just seem to be lack of attention, lack of training, and lack of investment in data breach procedures and equipment.
NDP
The Chair NDP Pierre-Luc Dusseault
Mr. Angus, unfortunately, your time is up.
I now yield the floor to Mr. Del Mastro for seven minutes.
Conservative
Dean Del Mastro Conservative Peterborough, ON
Thank you, Mr. Chairman.
Thank you to the witnesses today for very interesting testimony.
I was interested in the statement you made with respect to CATSA. Whenever I talk to law enforcement—and CATSA certainly is a law enforcement agency—what they indicate to me is that the more information they have, the better. They'll never turn down information; they will collect every piece of information they can get.
My question for them is why they need this. You said they were over-collecting data. What was their stated rationale for this? Did they have one? Did they have a reason for why they were asking questions that they weren't actually duty-bound to ask and collect?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I don't think so, Mr. Chair, but could I ask Assistant Commissioner Chantal Bernier, who is closer to the details of that audit, to answer your question?
Chantal Bernier Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
Thank you.
Indeed, the relationship we have with CATSA is excellent. In this audit, when we did put to them that finding, they accepted to change the practice, recognizing that indeed they did not need that information, that it was beyond their mandate to collect it.
Conservative
Dean Del Mastro Conservative Peterborough, ON
So it really was a situation where if they could get it, they'd take it, whether they needed it or not.
Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes.
Conservative
Dean Del Mastro Conservative Peterborough, ON
Okay.
You indicated that only one-third of the users of CPIC were meeting the required privacy guidelines. Is that as a result of, for example, small-town police stations and so forth not having the resources, or is it their not really understanding what their responsibilities are with respect to privacy, or some combination? What did you find with respect to the non-compliance with respect to privacy and CPIC?
It would seem to me CPIC should be pretty closely guarded.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes, you're absolutely right. But with the range of organizations across Canada that are attached to CPIC, I don't know if there's one simple response. I don't know if the assistant commissioner does. We have the head of audit and review, if you'd like to hear the answers that were given back.
We're talking about people who plug into CPIC who are not necessarily under federal jurisdiction—municipal or provincial police forces. So I don't think it was really our business to go and say.... We did CPIC and we noted with some concern that a third of those accessing CPIC didn't have designated users.
Conservative
Dean Del Mastro Conservative Peterborough, ON
So it's a third that are non-compliant, not a third that were compliant.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes, a third were non-compliant. That's my understanding.
Conservative
Dean Del Mastro Conservative Peterborough, ON
It's still a significant number. You're talking about a significant number of people who are using that system who aren't meeting guidelines for the use of it.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Exactly. It wasn't the RCMP; it was those that are partners with the RCMP, which may be much smaller organizations.
Conservative
Dean Del Mastro Conservative Peterborough, ON
Okay, thank you.
I'm pleased that 32 of the 34 recommendations that you made previously were fully or substantively instituted. That's good news.
I'm also pleased to hear that Google is cooperating so well. I'm not meaning to give props to Jacob Glick and Google here in Canada, but I can't remember the last time I used another search engine online. I'm glad to hear that they're returning the loyalty that Canadians have extended to them with a cooperative spirit. That's good to hear.
I wanted to ask another question. Mr. Angus talked a little bit about Bill C-30. I know that's not what you're here specifically to address. Of course, notwithstanding the fact that I don't believe Canadians should be providing any more information than what they absolutely are required to by law, I think...as you said, governments have a duty to protect that information; they require it for the operation of government. At the same time, I'm always concerned that there is an element within society that uses rules like privacy laws to hide illegal activity, to hide themselves amongst otherwise law-abiding citizens, and to use those protections that we fight for, that I think all parties fight for and have always fought for. They utilize those protections, those privacy laws, to do criminal acts.
It's never going to be easy to determine...and I think it's true to say there are sacrifices we all must make in order to make sure our law enforcement officers and so forth have the ability to track down those who would otherwise seek to exploit our privacy laws to break the law. You talked about having a conversation with Canadians—I'm paraphrasing—to justify why these changes need to be made. Have you been approached by groups or police and law enforcement that have talked to you about some of that rationale, about some of the things they're seeing? My local police chief came and talked to me, and it was very disturbing what he indicated to me about the challenge they're having tracking down, specifically, people who are trafficking in child pornography.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Thank you. These are really important questions and important concerns.
If I may, Mr. Chair, I'll ask Assistant Commissioner Chantal Bernier, who has a background in national security and can answer that better than I can....
Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
Indeed we agree with you that privacy cannot stand in the way of public safety and cannot be used to shield illegal activities. That is our starting point. We have consulted widely, I would say, with chiefs of police, the RCMP, and CSIS, as well as with civil society, to truly make the distinctions that are appropriate in consideration of this legislation.
The commissioner earlier referred to the document called “A Matter of Trust”. You would find if very helpful, I believe, in that it puts forward an analytical framework, precisely to make the distinctions that you suggest must be made.
That analytical framework calls, first of all, for empirical evidence of the need for certain powers that do indeed call for breach of privacy in certain circumstances. Secondly, it calls for the justification to keep the personal information that is collected, and then of course an oversight mechanism to ensure that all the rights that must be upheld are upheld.
NDP