Information & Ethics Committee on Feb. 23rd, 2016

You said “access to information”, but I think you meant conflict of interest.

Basically there are rules set out in both the act and the code as to when you may be in a conflict of interest, so of course the first thing is to see whether any of those particular provisions applies. Basically I must follow the wording of the code or the act in applying it. I generally have a pretty good framework within which to make that decision.

There are a few provisions in my act that talk about improperly doing something or other. That's the one area where I do have some flexibility in determining what's improper. Usually in trying to determine that, the first thing I look at is whether there are rules somewhere else—rules that are not in my act—that are not being followed. In such a case, I would inevitably find that improper, and then I would look at, in the odd case, general sorts of understandings of people as to what is just unacceptable. As I say, I'm guided largely by the wording of the act or the code.

One area, for example, that includes the word “improper“ is on post-employment activities. Certainly if something was not proper when someone was a member, the likelihood is that it will not be proper when they're in a post-employment situation.

Maybe that gives you a little bit of a sense of it.

There's nothing in the Lobbying Act in terms of conflict of interest, but there is in the Lobbyists' Code of Conduct. As I was saying in my opening remarks, the reason it's in the code and was in the previous code as well since 1997 is to assure Canadians of the integrity of the decisions being made by the government.

There are a number of ways that a public office holder could be placed in a conflict of interest. This is why I've specifically broken them out in the rules in terms of whether preferential access is being given because of the relationship of the lobbyist to the public office holder.

There is the issue of gifts. For example, is a gift being given by a lobbyist to a public office holder whom they are lobbying, or will lobby, a gift that the public office holder cannot accept? As my colleague was saying, one thing I would be looking at is whether an individual can or cannot receive a gift.

Political activities is also an area that has been broken out, following a court case in 2009. If that's of interest to the committee, I can share the details with you, but basically it involves the notion of it being not a real conflict of interest but only an apparent conflict.

There is that tension that exists between the private interests of a political office-holder and their duty to serve the public interest. That standard test, as I mentioned, is what I and my investigators would use to determine whether a conflict of interest had been created.

Let me say that most of the provisions in my act envisage a perception one way or another, but not all of them. If the mandate letters talk about perceptions, that may be a slightly broader set of rules than my act or my code might cover. However, as I said, most of the rules whereby there could be a perception aspect are framed in one place or another.

The other thing I observe is that there is an accountability guideline that the Prime Minister has put out. In many instances, that accountability guideline also goes beyond the rules of the Conflict of Interest Act. It's a serious thing to find somebody to have contravened the Conflict of Interest Act, so I don't go out of my way to make up things that aren't at least envisaged to some extent.

When I speak of the accountability guideline, I'm reminded that it's another area where I could find an impropriety. If a section used the word “improper”, I would base myself on that.

I don't know if that answers your question.

Thank you for this question.

In my remarks I spoke to transparency, which is one issue, and to what extent companies and government should disclose to the public, in broad statistical terms, how often there is a sharing of information between companies and government for law enforcement purposes.

Now you're asking the substantive question of what ought to be shared by telecommunication providers, for the most part, and law enforcement. The first place to look at on this issue, of course, is what the Supreme Court said in 2014 in the case of Spencer. In that case, the court set out excellent guidelines. In terms of companies sharing information with law enforcement, it set out that the principle is the principle of warrants. These communications should as a rule be authorized by a court, on the principle that courts are well placed to balance the interests of the police in getting that information and the interests of individuals in having their privacy protected.

The court did outline three very narrow exceptions to the rule. One in particular has to do with emergency situations. If the police are investigating a crime that is about to be committed and they need personal information, that is one exception to the warrant rule. However, the rule is clearly warrants, with very narrow exceptions.

There's a lot in your question.

In general terms, in order to have effective protection for human rights and privacy, you need two things: oversight and review.

Oversight by Parliament will be debated according to what we see in the mandate letter. That would be an improvement over the current system.

It is also necessary that there be what I will refer to as administrative review. The review would be conducted by bodies such as SIRC, the commissioner for the Communications Security Establishment, etc. You need oversight and review, both parliamentary and administrative. This is one set of protections.

It's also necessary to have clear, substantive, legal rules as to how national security or law enforcement is to collect information. For instance, there was a question about when warrantless access is permissible by law. Normally warrants are required, except for very defined circumstances. I think you need both oversight and review, parliamentary and administrative, but it is equally important to have substantive legal rules that create the right balance between security and human rights.

This is also a recommendation in the report.

We've had the triple-delete incident in B.C., but before that there were the gas plant emails in Ontario. We also conducted a special investigation into the use of PIN-to-PIN communications in the federal government. There's documented evidence that there is information that should be preserved and be accessible to Canadians for accountability purposes that is either being destroyed or is not being created.

This is a key issue. It's particularly easy in the context of new technology, and that's part of the challenge that we have to deal with. In my view, the duty to document does not provide more cumbersome obligations to the government and to public servants than they already have, because they already have an obligation to document their decisions and their key actions and to preserve the information that needs to be preserved. That obligation exists in policy.

I put that into the report, but also my colleagues across Canada also did a joint resolution on that issue. We need a proper legal duty to document, so we need to heighten the level of the obligation from a policy obligation to a legal obligation. My colleagues and I are recommending to also have proper consequences for non-compliance with issues. This would apply to people who go into a meeting and don't take notes or to people who say not to document this information or to PIN them so that there is no lasting record. This is now becoming a way of conducting business in governments, and it needs to be addressed properly in a modern piece of access to information legislation.

This particular recommendation came to light because it has happened in my office that an institution came to us and said, “We will no longer be able to respond to access to information requests for the coming several months because we have had a massive technology incident.” We were grateful to have this information, because we were aware of what was going on. If we had complaints come in, we knew what had happened in the institution. It wasn't something the institution had control over. It was a security breach, and they had to shut down their computers, in simple terms.

That led us to realize that in some instances institutions have unauthorized destruction of records or data, and there's no obligation to report that to anyone. If there is a privacy breach, it is reported to the Privacy Commissioner, but if there is a non-authorized loss of data, there's no obligation anywhere to report it. That struck us as a gap in this day and age, with all of our information essentially stored in the digital world.

There are measures that are in place within each government institution, IM and IT procedures, and everyone has to abide by these measures. It's a challenge for all organizations. It's a challenge when we have consolidation of email and when we have small institutions having difficulty funding and having oversight and control over their IM and IT.

There are also a lot of challenges across the federal government in terms of information management and IT management. I think the Auditor General's report of Shared Services Canada shed some light on some of these difficulties. It's something that exists at the federal level and it's something that needs to be addressed. We cannot have access to information without having proper information management practices, and proper information management practices in 2016 have to be supported by the proper IT management. That means proper funding, proper training, proper controls, and proper obligations to report when something amiss occurs.