Thank you.
I haven't appeared before this committee before, so I thought I'd give you a bit of my background, which might give you some idea of the kinds of questions I might be good at answering for you.
I've been practising in the area of access and privacy law for 15 years. I've worked inside government. I administered the ATI, the access to information and privacy program, for the attorney general, the solicitor general, and the aboriginal relations departments in British Columbia for six years. My shop processed about 2,000 to 3,000 requests a year and we produced hundreds of privacy impact assessments. We administered the act inside a government department.
Then I switched to the oversight agency in British Columbia, where I was assistant privacy commissioner. In that capacity, my group of investigators and mediators investigated hundreds of privacy breaches and remediated thousands of complaints about access to information. British Columbia has an order-making power, so the small percentage of files that didn't settle moved over into the adjudication unit. So I'm familiar with that model of oversight.
I then spent a couple of years at Canada Post administering access and privacy on behalf of that federal institution under the Privacy Act and the Access to Information Act as the director of access and privacy. Now here I am in Nova Scotia, as the information and privacy commissioner. This is a recommendation-making authority in the province, so I've been inside and outside order-making and recommendation-making regimes.
I think you've heard from many people about the need to modernize the Privacy Act. In fact, I share the same concerns in terms of what's happening here in Nova Scotia. I'm in the process of developing a series of recommendations to modernize Nova Scotia's law, which was last significantly amended in 1993. It's 10 years newer but shares a lot of the shortcomings of the Privacy Act.
In preparation for this hearing, I looked at the submissions of my colleague Commissioner Therrien and I can say honestly that pretty much everything he is suggesting to your committee will be things that I'm suggesting to the legislature here in Nova Scotia. There's certainly a consistency in terms of where we see the need for these types of laws to go to be effective.
I thought I'd make three suggestions to you by way of introductory comments.
First, I would recommend that you try as best you can to make your changes as consistent as possible with private sector privacy standards, because from the citizens' perspective, what they don't get is that there would be different rules for the government as opposed to business. Often they find that the rules that businesses follow make more sense to them.
In terms of things such as collection of personal information, I know Commissioner Therrien recommended that you add a requirement of necessity. That's absolutely what's expected in the private sector. It makes perfect sense, of course, in the public sector and is a common standard across other jurisdictions, just not under the Privacy Act.
My second suggestion is that you consider adding a detailed purpose clause. I make that recommendation because Nova Scotia has a detailed purpose clause. It's one of the best parts of our old law. It's a very rich purpose clause and has served the courts well in their interpretation of the act. It has given a really good indication of what the legislature intended with the access to information and protection of privacy act here in Nova Scotia.
The third recommendation I would make to you has to do with breach reporting. Nova Scotia has a unique breach reporting requirement under the Personal Health Information Act. There is no breach reporting requirement under our old Freedom of Information and Protection of Privacy Act, but under the Personal Health Information Act, health custodians have to report minor breaches to my office. Real risk of significant harm or material breaches that you talk about at the federal level only require a notification to affected individuals, so I'm certainly recommending to the legislature that it include a notification of material breaches, much like Commissioner Therrien is recommending to you. I would also suggest that it would be worthwhile to require that institutions keep a list of all breaches, basically a privacy breach log.
That is something that the Europeans have done in the general data protection regulation in Europe. They must keep a log of all privacy breaches and keep it available should the commissioner wish to see it, and they must further report material breaches to the data protection authorities in Europe.
That seems to me to make sense, and I'll tell you why. Just looking at these minor breaches gives you an idea of what's going on and where the risks to personal health information are.
In Nova Scotia, for example, we had a 75% increase in minor breaches last year by health custodians. The patterns are really quite troubling. They give you very good intelligence about where training is required and where technical solutions are required in order to prevent the minor breaches, but also to prevent potential major breaches.
Those are three ideas that I thought I would suggest by way of introduction. I'm happy to address any other issues or any questions you might have.