Information & Ethics Committee on Sept. 27th, 2016

The foundation should pretty well remain stable. I'm saying five years seems to be cautious and too often. I don't know what the formula should be: 10 years, 15 years, and let it work out. I don't see the urgency to do it every five years.

When we're talking about privacy, particularly within the Privacy Act itself, we've got to remind ourselves that privacy is a large mosaic, and the act is only looking at a very finite portion, which is information in records under the control of the federal government. That's it. It doesn't look at any personal, private, confidential information that's passed orally. It doesn't look at information covered by the health care professions, banking, or police forces. I could go on and on. Most of these all have something to do with the protection of, and disclosure of, personal information.

The part that doesn't really work within the federal government at the moment in its administration of the Privacy Act is the disclosure element of it, and what is referred to by the Privacy Commissioner as "consistent use".

I see abuses of that in my own practice. Once the government has this information, there is a tendency to use it and to disclose it for use by federal institutions, consistent with the consent that the person whose personal information has been provided has given to use it for different purposes. That's where problems arise. I see it particularly in some departments that have access to the health care information of individuals. They want to use that, and they do use it, for instance, in the settlement of a workplace grievance. I would question that, and I am questioning it, but at the moment, the Privacy Act allows a department to make that decision—to say they can use this information provided to them about a person's health care for other purposes.

You're referring to the U.S. border, I assume?

That's why I asked the question. For most countries in the world that have comprehensive data protection law, there's an agency similar to the Privacy Commissioner of Canada that the Privacy Commissioner can talk to and have discussions with. If there's any complaint by a Canadian, then there's a process in that other country for that complaint to be investigated.

The problem that we have in Canada is that so much of our information flows over the border to the United States. There isn't an equivalent institution in the U.S. The U.S. has a privacy act that predates our Privacy Act and is from 1974. It's similarly dated. That is administered not through one privacy commissioner, but through a variety of different regulatory agencies.

Your question also relates to the so-called Safe Harbour agreement that was invalidated by the European court. It's now been replaced by a thing called the Privacy Shield, which is mainly for commercial data.

That's all by way of saying that you've asked a very, very good question.

I come back to what I was saying about privacy impact assessments. If they're done properly on both sides of the border, PIAs can go a long way toward ensure that the principles in the Privacy Act are in fact complied with wherever that data goes. There have been some good examples of that. I give the example of the enhanced driver's licence processes, for example. There were PIAs done in Canada and in the relevant institutions in the United States that were reviewed by the Privacy Commissioners in Canada. I don't know whether Gary had something to do with that in his day.

PIAs do play a strong role in alerting the Canadian Privacy Commissioner to any issues that might exist on the other side of the border.

I might just add that if you refer to recommendation 12 of the Privacy Commissioner, you see that he talks about the need to enable him to have discussions with data protection authorities in other jurisdictions. That's frankly all about trying to coordinate enforcement to address the problems with data flowing outside the territorial borders of Canada.

How do you still ensure protection for Canadians? It's partly by having the kinds of agreements you referred to, but it's also by ensuring that data protection authorities can look at joint investigations. The Canadian office has been effective in a number of joint investigations with other national data protection authorities. I think that's a compelling reason that recommendation 12 warrants support.

You could do what British Columbia and Nova Scotia have done, which is enact legislation that in fact prohibits certain information sharing outside Canada. They've actually attempted to put restrictions at the front end. It's not always tremendously effective. What you may have is businesses relocating outside your jurisdiction because of some of those limitations in provinces like B.C. and Nova Scotia.

I'd say—I would just be repeating what I suggested earlier—that it's a question of putting in force the strongest and most effective information sharing agreement you can and ensuring that you have a high level of co-operation between international data protection authorities.

I guess the governments need to monitor that information. Privacy commissioners need to monitor those agreements and whether or not they are being complied with in practice.

If you look at the Canadian experience, the fact is that this committee is meeting to discuss legislation that was developed in 1983 and has not been substantially changed in over 30 years.

I hear Mr. Drapeau's question about whether five years is too short a time. If you look at Alberta and British Columbia—which for sure have, I think, five of your provisions—they have had requirements for five-year reviews of access and privacy legislation. In both provinces, it has typically resulted in all-party legislative committees looking at it and coming up with a set of recommendations.

The bigger problem in those provinces has been that many of the recommendations aren't acted on. You have the five-year review, some public attention, and a set of recommendations, but the bigger issue is that governments, for one reason or another, often don't implement those kinds of recommendations.

I think five years is appropriate, though, because it not only lines up with a number of Canadian provinces that provide for that statutory review but also ensures that this kind of material doesn't get forgotten. If you rely on a department of justice, or some other department, doing an internal review, it just doesn't attract that kind of attention. When you're dealing with quasi-constitutional laws and rights of all Canadians, the Canadian Bar Association thinks that requires a high level of transparency.

We certainly value the notion of more public reviews done on a regular basis. If there hasn't been a lot of change, then there may be no need for huge amendment. However, it ensures that in a world where technology is changing and so many new risks to privacy keep on developing and appearing, there is an attempt to stay current.

Excellent read.

Yes.

I'd like to think I was fair, measured, and moderate in all of my recommendations.

I guess the one observation I can share is that there's always a difficulty with access and privacy oversight becoming too complex, too technical, and too formal a process.

When the first parliamentary ombudsman was created in Alberta back in 1967, it was all about providing citizens with a readily available, accessible tool that didn't require a lawyer at your side to trigger an investigation if you thought the government had been unfair or done something improper.

All of my experience drives me to a point where we always have to work harder to ensure that both the systems we put in place and the processes don't become so complex and so time-intensive that we end up not providing the measure of service that Canadians are entitled to and that was envisaged when these laws were initially created and enacted.

It requires work on the part of commissioners, legislators, and people involved in these systems to keep asking themselves if they're being as accessible as they need be, and if they have processes and so on that make this relatively easy for Canadians to use. To the extent we fail to do that, we are failing to meet the purposes of both access to information legislation and privacy legislation.

With that, I'll get off my soapbox.

The first one is our proposal to take the enhanced ombudsman model and run with that. I think there are certainly strengths with the order-making model and I've worked in those jurisdictions that have it, but in terms of providing the highest measure of service to Canadians and the most successful kind of service, I think the enhanced ombudsman model best fits the bill.

Beyond that, the other process is ensuring that the commissioner has a broader range of powers. Parliament has provided the commissioner with diverse powers in PIPEDA, which are appropriate, and we see them being used frequently. The Privacy Commissioner needs a similar arsenal of remedies, tools, and resources when he's dealing with matters under the federal Privacy Act.