Thank you, Mr. Chair, and thank you for the opportunity to address this committee on the issue of the reform of the Privacy Act.
I have had a chance to review the commissioner's recommendations for Privacy Act reform and I am generally supportive of these proposals. I'm going to be focusing my remarks today on a few specific issues that are united by the theme of transparency.
Greater transparency with respect to how personal information is collected, used, and disclosed by government enhances privacy by exposing practices to comment and review and by enabling appropriate oversight and accountability. At the same time, transparency is essential to maintaining public confidence in how government handles personal information.
The call for transparency must be situated within our rapidly changing information environment. Not only does technology now enable an unprecedented level of data collection and storage, but enhanced analytic capacity has also significantly altered the value of information in both public and private sectors. This increased value provides temptations to overcollect personal information, to share it, to mine it, or to compile it across departments and sectors for analysis and to retain it beyond the period required for the original purposes of collection.
In this regard, I would emphasize the importance of the recommendation of the commissioner to amend the Privacy Act to make explicit a “necessity” requirement for the collection of personal information, along with a clear definition of what “necessary” means.
The goal of this recommendation is to curtail the practice of overcollection of personal information. Overcollection runs counter to the expectations of the public, who provide information to government for specific and limited purposes. It also exposes Canadians to enhanced risks of negligence, misconduct, or cyberattack, which can result in data breaches.
Data minimization is an important principle that is supported by data protection authorities around the world and reflected in privacy legislation. The principle should be explicit and up front in a reformed Privacy Act.
Data minimization also has a role to play in enhancing transparency. Not only do clear limits on the collection of personal information serve transparency goals, but overcollection also encourages the repurposing of information, improper use, and over-sharing.
The requirement to limit collection of information to specific and necessary purposes is tied to the further requirement on government to collect personal information directly from the individual, where possible. This obviously increases transparency, as it makes individuals directly aware of the collection.
However, there are many exceptions to this general rule. These exceptions include circumstances in which information is disclosed to an investigative body at their request in relation to an investigation or the enforcement of any law, or when it's disclosed to government actors under court order or subpoena. Although such exceptions may be necessary, they need to be considered in the evolving data context in which we find ourselves.
Private sector companies now collect vast stores of personal information, and this information often includes very detailed core biographical information. It should be a matter of great concern, therefore, that the permissive exceptions in both PIPEDA and the Criminal Code enable the flow of massive amounts of personal information from the private sector to government without the knowledge or consent of the individual.
Such requests or orders are often, although not always, made in the course of criminal or national security investigations. The collection is not transparent to the individuals affected, and the practices as a whole are largely not transparent to the broader public and to the office of the Privacy Commissioner.
We've heard the most about this issue in relation to telecommunications companies that are regularly asked or ordered to provide detailed information to police and other government agents. It should be noted, however, that many other companies collect personal information about individuals that is highly revelatory about their activities and choices. It is important not to dismiss this issue as less significant because of the potentially anti-social behaviour of the targeted individuals. Court orders and requests for information can and do encompass the personal information of a large number of Canadians who are not suspected of anything. The problem of tower dump warrants, for example, was recently highlighted in a case before the Ontario Supreme Court. The original warrant in that case sought highly detailed personal information on about 43,000 individuals, the vast majority of whom had done nothing other than use their cellphones in a certain area at a particular time.
Keep in mind that the capacity to run sophisticated analytics will increase the attractiveness of obtaining large volumes of data from the private sector in order to search for an individual linked to a particular pattern of activity.
Without adequate transparency regarding the collection of personal information from the private sector, there is no way for the public to be satisfied that such powers are not abused. Recent efforts to improve transparency—for example, ISED's voluntary transparency reporting guidelines—have focused on private sector transparency. In other words, there has been an attempt to provide a framework for the voluntary reporting by telecommunications companies of the number of requests they receive from government authorities, the number they comply with, and so on. However, not only are these guidelines entirely voluntary, but they are limited to the telecommunications sector, whereas disclosures may be sought from any private sector company.
They also only address transparency reporting by the companies themselves. There are no legislated obligations on government actors to report in a meaningful way, whether publicly or to the Office of the Privacy Commissioner of Canada, on their harvesting of personal information from private sector companies. I note that the recent attempt by the OPC to audit the RCMP's use of warrantless requests for subscriber data came to an end when it became clear that the RCMP did not keep specific records of these practices.
In my view, a modernization of the Privacy Act should directly address this enhanced capacity of government institutions to access the vast stores of personal information in the hands of the private sector. The same legislation that permits the collection of personal information from private sector companies should include transparency reporting requirements when such collection takes place. In addition, legislative guidance should be provided on how government actors who obtain personal information from the private sector, either by request or under court order, should deal with this information. Specifically, limits on the use and retention of this data should be imposed.
It's true that the Criminal Code and PIPEDA enable police forces and investigative bodies under both federal and provincial jurisdiction to obtain personal information from the private sector under the same terms and conditions, and that reform of the Privacy Act in this respect will not address transparency and accountability of provincial actors. This suggests that issues of transparency and accountability of this kind might also be fruitfully addressed in the Criminal Code and in PIPEDA—the reform of which this committee is also considering—but this is no reason not to address it in the Privacy Act. To the extent that government institutions are engaged in the indirect collection of personal information, the Privacy Act should provide for transparency and accountability with respect to such activities.
Another transparency issue raised by the commissioner relates to information sharing within government. Technological changes have made it easier for government agencies and departments to share personal information, and they do so on what the commissioner describes as a massive scale.
The Privacy Act enables personal information sharing within and between governments, domestically and internationally—in specific circumstances for investigations in law enforcement, for example, or for purposes consistent with those for which it was collected. Commissioner Therrien seeks amendments that would require information sharing within and between governments to take place according to written agreements in a prescribed form. Not only would this ensure that information sharing is compliant with the legislation, but it would also offer a measure of transparency to a public that has a right to know whether, and in what circumstances, information they provide to one agency or department will be shared with another, or whether and under what conditions their personal information may be shared with provincial or foreign governments.
Another important transparency issue is mandatory data breach reporting.
Treasury Board Secretariat currently requires that departments inform the OPC of data security breaches, but the commissioner has noted that not all comply. As a result, he is asking that the legislation be amended to include a mandatory breach notification requirement. Parliament has recently amended PIPEDA to include such a requirement. Once these provisions take effect, the private sector will be held to a higher standard than the public sector unless the Privacy Act is also amended.
Any amendments to the federal Privacy Act to address data security breach reporting would have to take into account the need for the commissioner and for affected individuals to be notified when there has been a breach that meets a certain threshold for potential harm, as will be the case under PIPEDA.
The PIPEDA amendments will also require organizations to keep records of all breaches of security safeguards, regardless of whether they meet the harm threshold that triggers a formal reporting requirement. Parliament should impose a requirement on those bodies governed by the Privacy Act to keep and to submit records of this kind to the OPC. Such records would be helpful in identifying patterns or trends within a single department or institution, or across departments or institutions. The ability to identify issues proactively and to address them either where they arise or across the federal government can only enhance data security, something which is becoming even more urgent in a time of growing cybersecurity threats.
I'm going to stop my comments there.
Thank you very much, Mr. Chair.