Information & Ethics Committee on Oct. 4th, 2016

Good morning.

We really appreciate this opportunity, Mr. Murray and I, to appear before you. We know you've already heard from the statutory review committee: Clyde Wells, Doug Letto, and Jennifer Stoddart. They certainly addressed the rationale for the recent changes in Newfoundland and Labrador with respect to our access and privacy legislation.

I've been commissioner for just over three months now, and as a newcomer to access and privacy, I find it quite remarkable how the ability in our present society to collect, analyze, and unfortunately, abuse information has grown dramatically and continues to grow. However, I was surprised to learn that the federal Privacy Act had not really been amended for over 30 years.

The situation that we're in now in the digital age is that, formerly, being secure in your home and being secure in your life meant basically that your home was your castle, and now, with the proliferation of information, its storage, and its use, the keys to that castle exist out there in the digital world, and you can be deprived of your privacy and sense of well-being without anybody coming through your door. It's vitally important that all government institutions collect only that information that is necessary and then do their utmost to safeguard that from inappropriate uses and from being accessed by sources outside of government.

We are in a very enviable position here in Newfoundland and Labrador because of the Access to Information and Protection of Privacy Act, 2015. We believe it's one of the best pieces of legislation in the country. However, we recognize that the solutions we are using here and that were implemented here may not apply universally, and perhaps, in particular, may not apply to the federal system. Issues of volume and resources may dictate or require different solutions.

As an example, in regard to mandatory reporting of privacy breaches, we have all breaches reported to us, not just material breaches. However, again, based on our volume of reports, that may be more practical in a jurisdiction such as ours and less practical with an institution the size of the federal government.

The recommendations that have been made by the federal commissioner in terms of necessity for collection, public education, and public research mandate are all, we think, extremely positive. For the most part, I think we support all of the recommendations that have been made by the federal Privacy Commissioner.

We believe that our experience, in terms of now having had over a year to deal with our new legislation and responses to it and accumulate data, may be of some benefit to the committee. Between ourselves, Mr. Murray and I, we will hopefully answer any questions you have today to the best of our ability.

Thank you.

Thank you.

I haven't appeared before this committee before, so I thought I'd give you a bit of my background, which might give you some idea of the kinds of questions I might be good at answering for you.

I've been practising in the area of access and privacy law for 15 years. I've worked inside government. I administered the ATI, the access to information and privacy program, for the attorney general, the solicitor general, and the aboriginal relations departments in British Columbia for six years. My shop processed about 2,000 to 3,000 requests a year and we produced hundreds of privacy impact assessments. We administered the act inside a government department.

Then I switched to the oversight agency in British Columbia, where I was assistant privacy commissioner. In that capacity, my group of investigators and mediators investigated hundreds of privacy breaches and remediated thousands of complaints about access to information. British Columbia has an order-making power, so the small percentage of files that didn't settle moved over into the adjudication unit. So I'm familiar with that model of oversight.

I then spent a couple of years at Canada Post administering access and privacy on behalf of that federal institution under the Privacy Act and the Access to Information Act as the director of access and privacy. Now here I am in Nova Scotia, as the information and privacy commissioner. This is a recommendation-making authority in the province, so I've been inside and outside order-making and recommendation-making regimes.

I think you've heard from many people about the need to modernize the Privacy Act. In fact, I share the same concerns in terms of what's happening here in Nova Scotia. I'm in the process of developing a series of recommendations to modernize Nova Scotia's law, which was last significantly amended in 1993. It's 10 years newer but shares a lot of the shortcomings of the Privacy Act.

In preparation for this hearing, I looked at the submissions of my colleague Commissioner Therrien and I can say honestly that pretty much everything he is suggesting to your committee will be things that I'm suggesting to the legislature here in Nova Scotia. There's certainly a consistency in terms of where we see the need for these types of laws to go to be effective.

I thought I'd make three suggestions to you by way of introductory comments.

First, I would recommend that you try as best you can to make your changes as consistent as possible with private sector privacy standards, because from the citizens' perspective, what they don't get is that there would be different rules for the government as opposed to business. Often they find that the rules that businesses follow make more sense to them.

In terms of things such as collection of personal information, I know Commissioner Therrien recommended that you add a requirement of necessity. That's absolutely what's expected in the private sector. It makes perfect sense, of course, in the public sector and is a common standard across other jurisdictions, just not under the Privacy Act.

My second suggestion is that you consider adding a detailed purpose clause. I make that recommendation because Nova Scotia has a detailed purpose clause. It's one of the best parts of our old law. It's a very rich purpose clause and has served the courts well in their interpretation of the act. It has given a really good indication of what the legislature intended with the access to information and protection of privacy act here in Nova Scotia.

The third recommendation I would make to you has to do with breach reporting. Nova Scotia has a unique breach reporting requirement under the Personal Health Information Act. There is no breach reporting requirement under our old Freedom of Information and Protection of Privacy Act, but under the Personal Health Information Act, health custodians have to report minor breaches to my office. Real risk of significant harm or material breaches that you talk about at the federal level only require a notification to affected individuals, so I'm certainly recommending to the legislature that it include a notification of material breaches, much like Commissioner Therrien is recommending to you. I would also suggest that it would be worthwhile to require that institutions keep a list of all breaches, basically a privacy breach log.

That is something that the Europeans have done in the general data protection regulation in Europe. They must keep a log of all privacy breaches and keep it available should the commissioner wish to see it, and they must further report material breaches to the data protection authorities in Europe.

That seems to me to make sense, and I'll tell you why. Just looking at these minor breaches gives you an idea of what's going on and where the risks to personal health information are.

In Nova Scotia, for example, we had a 75% increase in minor breaches last year by health custodians. The patterns are really quite troubling. They give you very good intelligence about where training is required and where technical solutions are required in order to prevent the minor breaches, but also to prevent potential major breaches.

Those are three ideas that I thought I would suggest by way of introduction. I'm happy to address any other issues or any questions you might have.

My experience with this was back in B.C., and it compared to what's happening in Nova Scotia with the recommendations.

When matters reached the stage where it went to adjudication, there was a wall between the informal mediation and the adjudication. It was quite formal relative to recommendation-making. Parties tended to be represented by lawyers. They provided witness submissions. There was an exchange of submissions. The hearings generally, though, almost exclusively, were in writing before a single adjudicator, but it required the B.C. office to have a group of adjudicators separate from the rest of the staff who conducted these hearings and issued written reports.

On the recommendations in my jurisdiction now, what happens is that there is no separation between the initial informal resolution process and the recommendation reports that I write, so parties don't need to have a lawyer but the quality of the submissions then is reflected in that they are not generally that strong and there's a lack of evidence. It's quite a challenge to write these recommendations.

I'm sorry, but are you asking me?

I'm going to answer that one.

We are strongly in favour of section 112 of the act. We think it has worked out very well. We have been consulted a number of times since June 2015, when the ATIP of 2015 came in. We have provided input on draft bills and had an impact on the bill that was eventually tabled in the House of Assembly for debate.

Prior to that, there was an ad hoc occasional practice of consulting the commissioner's office. It was unsatisfactory because there were times when bills went before the House that we had not had notice of and were not aware of and that had a significant impact on privacy and access to information. There was a lost opportunity, then, to have that input. We think section 112 has been very helpful.

I can address that from the point of view of Newfoundland and Labrador.

The privacy impact assessment requirement in our ATIP of 2015 was a new requirement. It is limited in that the privacy impact assessment is only required to be provided to the commissioner's office for review in the case of “a common or integrated program”. Unfortunately, there's been some disagreement between us and the government on the definition of “common or integrated program”, so we haven't seen too many for review.

However, there is still a requirement that public bodies complete a privacy impact assessment or a preliminary privacy impact assessment and provide it to the minister. We believe that has been a useful process in order for public bodies to get a good handle on the risks to privacy and to be able to address or mitigate those risks. Certainly, that's going to help with better privacy compliance for all those programs and initiatives that are subject to it.

I can speak to it from Nova Scotia's perspective, and actually across those three jurisdictions I've worked in.

I'm a fan of consistent use. I think the tests set out in the laws tend to define either consistent or compatible, and those rules are helpful in allowing for secondary use in those limited circumstances. That gives the definition “incorporates necessity and proportionality” in some of those pieces of legislation. Certainly, trying to be as consistent as possible with secondary use across the two, PIPEDA and the Privacy Act, would be helpful.

I've applied the consistent-use test and found it really works well for secondary use.

I think Ms. Tully has captured it nicely.

From my perspective, that is not a use question; it's a disclosure question. If it's across two separate institutions, they would have to satisfy the disclosure requirement, so they'd first have to have an authority. The idea of also layering on top of that for any disclosure a consideration of proportionality and necessity, I think, is a very good idea and speaks to.... Those provisions tend to be discretionary provisions, so giving some guidance in terms of, even if you have the authority, what you should consider in exercising your discretion, especially sharing between government departments, would be an excellent idea.

This is Drew McArthur and Bradley Weldon.

Thank you very much for the invitation.

My office provides independent oversight and enforcement over B.C.'s access and privacy laws. The enforcement and oversight extends to over 2,900 public bodies, including ministries, local governments, schools, crown corporations, hospitals, municipal police forces, and more. They're subject to B.C.'s public sector privacy law, the Freedom of Information and Protection of Privacy Act or FIPPA.

It extends to over 380,000 private sector organizations, including businesses, charities, associations, trade unions, trusts, and more that are subject to B.C.'s Personal Information Protection Act or PIPA.

Today I am going to focus my comments on three areas that are part of the deliberations of this committee to which the B.C. experience may be informative: commissioners order-making powers, an explicit obligation to safeguard personal information, and mandatory breach notification. Under order-making power and mediation and consultation, in British Columbia the mandate of the office includes the promotion of access and privacy rights, public education, advice to public bodies and businesses, investigation of complaints, mediation, and independent adjudication. These functions are complementary, and in my opinion, best delivered under one roof. It would be extremely difficult for another administrative tribunal or court to attain the same level of expertise and provide for efficient and timely resolutions for citizens.

Privacy and access to information issues are dynamic in the modern digital world. It's in the interests of organizations, individuals, and public bodies that the individuals making legal and binding decisions have the requisite skills and up-to-date knowledge about what is happening on the ground. Having the responsibility for adjudication plus advocacy, education, and investigation ensures the necessary expertise in the law. Our adjudicators receive the same technical training and professional development as our investigators, and are routinely exposed to new technologies, emerging ideas, and global trends affecting privacy and access to information law.

Combining the investigation and adjudication into one office provides clear benefits to citizens. Combining those provides one-stop shopping for citizens. This clarity and convenience is important. There is no confusion about which oversight agency or tribunal citizens need to direct their complaint to. They need merely to address our office. Citizens don't feel as though they are caught in or bounced around an unnecessarily bureaucratic system.

We have not found that the public education or the advisory functions of a commissioner pose a risk of undermining the adjudicative function. We do take steps to protect the integrity of the adjudication process. For example, no information about investigative files or attempts at informal resolution are ever disclosed to the adjudicators. The adjudicators do not report to the same supervisor, and they are not located on the same floor as the investigators.

When providing the public with advice and consultation, we clarify that our view is based on the information provided at the time, and that it is not binding on the commissioner with respect to making a formal finding in the event that we receive a future complaint.

In our consultations, we communicate about general principles and recommend best practices without prejudging individual cases. We are able to perform these various roles effectively because our legislation also explicitly gives us these powers and spells them out in detail.

Adjudication enhances our ability to resolve issues through mediation. The adjudicative function lends greater authority to our investigators by focusing the minds of the parties, and it provides an incentive to both parties to avoid formal adjudication. As a result, we resolve 90% of our complaints and reviews in mediation. In the last year we had 1,056 complaints and requests for review, of which only 109 went to inquiry. Of those that went to inquiry, only a little over 1% were judicially reviewed.

The fact that we have public education and advisory functions, complemented by investigative powers, with the ultimate ability to order compliance through our adjudicative function, gives us a level of authority that can influence the public and the government. Without that complete suite of functions, we would not have that same level of influence.

B.C.'s public sector privacy law has an explicit requirement for public bodies to safeguard personal information. We consider this legislative requirement as being fundamental to a public body's responsibility for the personal information it collects from citizens. Given the negative repercussions that can occur to citizens in the event of a breach of their personal information, it's almost unbelievable that a privacy protection statute would not incorporate this requirement.

Section 30 of our act states:

a public body must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.

Citizens rely on this section and expect that a public body is taking adequate measures to protect their personal information. It's the legislative requirement in most jurisdictions across Canada and internationally. Having this requirement in legislation is important from the perspective of public trust, as a clear and binding requirement on public bodies. It indicates the importance that governments place on this requirement.

While B.C.'s legislation does not explicitly address physical, organizational, and technological measures commensurate with the sensitivity of the data, our office has set out similar expectations in investigation reports and orders. In my view, placing this language explicitly in the legislation would be consistent with international standards regarding the protection of personal information.

Also, we have been clear that, as our province's regulator, we evaluate “reasonable security arrangements” on an objective basis, and that the determination of what is reasonable is contextual. The standard is not one of perfection but varies based on the sensitivity and the amount of personal information in question.

On breach notification, a privacy breach occurs when there is unauthorized access, collection, use, or disclosure of personal information. It is unauthorized if it occurs in contravention of one of our privacy laws. An important element of safeguarding personal information is ensuring that the privacy commissioner and affected individuals are notified when a privacy breach occurs.

Privacy breaches can carry significant costs. They put individuals at risk for identity theft and serious financial or reputational harms. They can also result in a loss of dignity and a loss of confidence in public bodies. We trust public bodies with some of our most sensitive and comprehensive personal information: social security records, tax data, health information, financial information, and the list goes on. We have no choice but to provide that information to the public bodies.

It seems every week that privacy breaches are reported in the media. We hear about laptops and portable storage devices being lost or stolen, human error resulting in disclosure, unauthorized access, or snooping as well as cyber-attacks.

Breach reporting in B.C. is currently voluntary in both the private and public sector. However, my office has recommended that it be made a mandatory requirement, and let me explain why. In British Columbia, we examined the government's privacy breach management process and we published those results in 2015. We learned that nearly 3,000 breaches were reported to government during the period of 2010 to 2013, but only 30 of those had been reported to my office. This told us that, under a voluntary reporting requirement, my office was receiving reports of only about 1% of all the breaches that occur within government ministries. Of those, the majority, 72%, were classified as “administrative errors”. The breakdown of other types of breaches included unauthorized disclosures at 16%, lost or stolen at 4%, unauthorized access at 3%, and cyber-attacks or phishing at less than 1%.

It shows that it's important to set out a clear threshold where notification must occur. We don't want to hear about every breach, but we need to know about the important ones. In B.C., we have recommended that the threshold be where the breach would be reasonably expected to cause harm to an individual, or where the breach involves a large number of individuals.

Mandatory breach reporting to a privacy commissioner also means that the commissioner's office can work with public bodies to learn from their mistakes and implement lasting preventative strategies. Mandatory breach notification also ensures that affected individuals are made aware of breaches without unreasonable delay, so they can take the important steps to protect themselves.

For these reasons, my office has recommended to the legislative committees reviewing B.C.'s privacy statutes that mandatory breach notification be added as a requirement. Both of these committees agreed and recommended in their final reports that the privacy laws for the public and the private sectors be amended to require breach notification to the commissioner and to affected individuals in the event of a privacy breach. The B.C. government has stated that it is committed to addressing mandatory breach notification at the next available legislative opportunity.

The federal Bill S-4 added breach notification requirements to Canada's private sector privacy law, and it is difficult for me to understand why the government would not hold itself to the same standard as it holds the private sector.

That concludes my remarks.

That is correct.