Evidence of meeting #27 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Chantal Bernier  Counsel, Privacy and Cybersecurity, Dentons Canada
Monique McCulloch  Director, Access to Information and Privacy, Shared Services Canada
Maxime Guénette  Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Marie-Claude Juneau  Director, Access to Information and Privacy, Canada Revenue Agency

11 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Greetings, everyone.

Welcome to this meeting of the Standing Committee on Access to Information, Privacy and Ethics. The Chair, Mr. Calkins, is not here today, so I will be replacing him. Consequently, this meeting of the committee will be chaired in French.

I'd like to thank the various witnesses for being with us today. Chantal Bernier, of Dentons Canada, was also with the Office of the Privacy Commissioner of Canada for six years. Monique McCulloch is with Shared Services Canada, and Maxime Guénette and Marie-Claude Juneau are with the Canada Revenue Agency.

Each group will have 10 minutes to give a presentation. This will be followed by a question period, in which the committee members can ask questions.

I will begin based on the order I have before me. Which means you begin, Ms. Bernier. You have the floor.

11 a.m.

Chantal Bernier Counsel, Privacy and Cybersecurity, Dentons Canada

Thank you, Mr. Chair.

First of all, I'd like to express what a pleasure and honour it is to be back before you today. It's a bit of a homecoming. I'm truly honoured to be able to help inform your debate on a topic of such importance.

I will be giving my presentation in both official languages. I guess 27 years as a public servant has made a lasting impact. So I will start in French, but continue my remarks in English.

I should tell you from the outset that I'm in total agreement with the recommendations of the Privacy Commissioner of Canada concerning the reform of the Privacy Act.

To avoid exceeding my allotted time, I have chosen to expand on what I consider to be the priority recommendations. Naturally, during the question period, I will be happy to elaborate on any recommendations I have not mentioned due to time limitations. Without further delay, I will move on to the first point I wish to make.

My first recommendation is about the requirement for written agreements governing the sharing of personal information. In support of this recommendation, I refer you to two documents: Justice O’Connor’s report as part of the Commission of Inquiry into the Actions of Canadian Officials in relation to Maher Arar; and the special report entitled "Checks and Controls" that I tabled in Parliament on January 28, 2014, with the assistance of the wonderful staff at the Office of the Privacy Commissioner, and with input—this deserves to be emphasized—from five experts in national security.

Let's begin with Justice O'Connor's inquiry report in the Arar matter.

In his report, Justice O’Connor concluded that by sharing personal data about Mr. Arar with foreign authorities, Canadian government authorities had contributed to the torture of an innocent person. In the hope of preventing this from happening again, he recommended that Canada better control the transfer of personal information to foreign agencies. This shows how topical the Privacy Commissioner's recommendation is.

In the introduction to the special report that I filed on January 28, 2014, the experts we consulted mentioned the levelling of territorial boundaries, be they national or international, as a decisive change in the public security context. This change necessitates the sharing of personal information.

Given this convergence of necessity and risk, I believe the requirement for written agreements to better govern this sharing is needed for two major reasons: the protection of fundamental rights, and the accountability of government agencies in protecting these fundamental rights. The Commissioner's recommendation is therefore very relevant, and even urgent, in this regard.

Let's move now to the second recommendation that I would like to underline in my list of priorities. It is restricting collection to a government program by relevance to activity.

On this front, I would actually like to go further than the Privacy Commissioner. I fully support his proposal; however, I would prefer to tie the requirement of necessity not to the program or activity, but to the Canadian Charter of Rights and Freedoms. The reason is that it would be stronger protection.

Indeed, let me show you through a concrete example in the work that I did for nearly six years how the linkage outside the program or activity is superior.

In 2009 at the OPC we received a privacy impact assessment from the RCMP to roll out a program whereby a camera mounted on the cars of the RCMP would pick up licence plates. Automatic licence plate recognition was the name, and it would retain information about, let's say, non-executed warrants or interventions that had to be effected and could not be effected, a suspended driver's licence, for example.

It would keep the data that did have a match in the police database for two years, and it would keep the data that did not have any match for six months. In other words, the data—meaning the licence plate recognition of Mrs. So-and-so, who happened to be doing her groceries at this time at this supermarket—would be held for six months, in spite of no contravention of the law whatsoever. We questioned that, and the RCMP said, “Well, it's part of the program”, to which we said, “But it does not meet the standard of necessity under the charter, and the charter has precedence over every other law”. The RCMP indeed took that out and did not retain the innocent person's information.

That, to me, truly shows that there is superior protection where you link it to the charter, rather than embed it in a justification of the program.

The third priority I will underline is to require federal institutions to consult the Office of the Privacy Commissioner on legislation and regulations with privacy implications before they are tabled. To me, the logic of this recommendation lies, first of all, in the role of the commissioner as an agent of Parliament, and second, in the fundamental nature of the right to privacy.

Let's look at the commissioner's role and status. The Privacy Commissioner is an agent of Parliament. What does that mean? That means that he has been invested with the protection of a value so important to Canadian identity and democracy that he is placed above political partisanship and reports directly to Parliament.

Because of this status, and the fact that privacy has been entrusted to an institution with this status, it is completely logical that the commissioner be consulted about legislation or regulations prior to their being tabled, to ensure they are privacy-compliant.

The example I will use here, which I feel clearly illustrates the advantage of this recommendation, can be found in a series of bills that either died on the Order Paper or were withdrawn or adopted with reservations regarding lawful access. These bills were so deficient in terms of compliance that they did not survive political wrath and proved to be untenable. They led to acrimonious debates and undermined public confidence in government institutions. Prior consultation with the Privacy Commissioner, I believe, would have provided for a dialogue between the internal proponents of the legislation and the Privacy Commissioner to find a correct balance in the bill prior to tabling, and therefore, could have led to legislation that was better balanced.

The Anti-terrorism Act of 2015, for example, might have struck a better balance between the legitimate needs of the state and the fundamental rights of citizens. Now, the current government has to redo it to make it balanced and satisfactory.

It is therefore my conclusion that in light of the increasing collection, use and sharing of personal information, the Privacy Act must be modernized so that its scope and effect are consistent with the realities of risk and the need for protection.

I will be pleased to answer any questions the committee members may have about all this, Mr. Chair.

11:10 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Thank you for your very clear remarks, Ms. Bernier.

I will now ask Ms. McCulloch of Shared Services Canada to take the floor.

October 6th, 2016 / 11:10 a.m.

Monique McCulloch Director, Access to Information and Privacy, Shared Services Canada

Good morning.

Thank you very much, Mr. Chair and members of the committee, for the invitation to describe the framework that Shared Services Canada has put in place to comply with the Privacy Act. We are pleased to be joining you this morning.

My name is Monique McCulloch. I am the director of the access to information and privacy protection division, which is within the corporate services branch at Shared Services Canada. I act as the coordinator for the whole department, and I am responsible for administering all ATIP legislative and policy obligations.

I would like to add that I am also here on behalf of Violaine Sauvé, who is Shared Services Canada's chief privacy officer.

Before describing the ATIP framework, I would like to provide some context on the mandate of Shared Services Canada.

Shared Services Canada was created to modernize information technology infrastructure services so as to ensure a secure and reliable platform for the delivery of digital services to Canadians. The department aims to deliver one email system, consolidated data centres, reliable and secure telecommunications networks, and 24/7/365 protection against cyber threats.

Shared Services Canada currently provides information technology infrastructure services across 43 departments, 50 networks, 485 data centres, and 23,000 servers.

For fiscal year 2015-16, while still growing its capacity, the ATIP office employed four full-time employees, as well as two part-time employees—one casual and one student—to carry out Privacy Act business. Shared Services Canada spent just over $411,000 to administer the Privacy Act portion of the ATIP program.

Since its creation in August 2011, Shared Services Canada has put in place a framework, anchored by internal policies, instructions and training, that identifies the procedures and processes for handling requests for personal information as well as all policy matters under the Privacy Act.

The ATIP division introduced an ATIP management framework, which sets out a comprehensive governance and accountability structure. A total of 14 ATIP policy instruments have been established within Shared Services Canada, including a directive on conducting privacy impact assessments, as well as a standard on how to manage privacy breaches. These reflect Shared Services Canada's responsibilities under both the Access to Information Act and the Privacy Act with respect to access rights, and with regard to the collection, use, disclosure, retention, and disposal of personal information.

The ATIP division is responsible for developing, coordinating, implementing, and monitoring compliance, with effective ATIP-related policies, guidelines, systems, and procedures across Shared Services Canada. This enables the department to meet the requirements and to fulfill its obligations under the Access to Information Act and the Privacy Act.

In terms of the volume of requests for personal information, I would now like to share some statistics from the fiscal year 2015-2016 annual report on the Privacy Act.

In all, there were 123 formal requests for records under the Privacy Act, of which 120 were completed before the end of the reporting period. All 120 requests were completed within the prescribed time limits, and no complaints were filed.

The Shared Services Canada ATIP division weekly tracks its turnaround times in processing requests, and monitors the time limits of their completion. Performance reports are communicated to senior management each month.

In 2013, Shared Services Canada was also part of the initial ATIP online pilot project, led by the Department of Citizenship and Immigration and the Treasury Board Secretariat, to facilitate and expedite Canadians' rights of access. Today, the majority of ATIP requests received by the departments are made online as part of open government initiatives.

Mr. Chair, I will end here, and will now answer the committee members' questions.

11:15 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Thank you very much, Ms. McCulloch.

I will now give the floor to Mr. Guénette and Ms. Juneau, who represent the Canada Revenue Agency. You have 10 minutes.

11:15 a.m.

Maxime Guénette Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Thank you, Mr. Chair and committee members.

My name is Maxime Guénette. I'm the Assistant Commissioner of the Public Affairs Branch, and Chief Privacy Officer of the Canada Revenue Agency.

With me today is Marie-Claude Juneau, Director of the Access to Information and Privacy Directorate at the Agency, whom you may remember from her appearance before this committee earlier this year in the context of its study of the Access to Information Act.

We are both pleased to appear before you today in support of your study of the reform of the Privacy Act.

With some 40,000 employees, the Agency is one of the Government of Canada’s largest institutions. Very few organizations interact with Canadians as much as we do. In 2014-2015 alone, 31 million individuals and corporate taxpayers interacted with the CRA.

As a result, we have one of the largest personal information holdings in the Government of Canada, as acknowledged by the Privacy Commissioner. Therefore, the Agency takes its obligations under the Privacy Act and related policy instruments very seriously.

This is because the trust Canadians place in the Agency to protect their information is the cornerstone of Canada’s system of voluntary self-assessment. In particular, section 241 of the Income Tax Act and section 295 of the Excise Tax Act prohibit the disclosure of taxpayer information by any employee of the Canada Revenue Agency, unless specifically authorized under these Acts. Breach of these provisions is a criminal offence and is subject to strong penalties, up to and including imprisonment.

Accordingly, recognizing the critical importance of sound privacy management, and in keeping with the recommendation of the Privacy Commissioner, the Canada Revenue Agency appointed its first Chief Privacy Officer in 2013, and I have the privilege of having been appointed to this role two months ago, in August 2016.

As the chief privacy officer, I oversee all privacy management activities within the agency. This oversight is informed by ongoing performance measurement in key areas, including information technology, security, communications, and training.

As part of my duties, I am accountable for the provision of oversight, advice, and support to achieve compliance with legislative and policy requirements. In my capacity as chief privacy officer, I am required to brief the agency's management committee and our board of management on the state of privacy management at least twice yearly. I also chair a senior-level committee that addresses privacy issues as an integral part of the agency's business.

Over the past several years the agency has implemented numerous technological changes to further strengthen privacy management. We have enhanced front-end controls to our systems to ensure that employees have access only to the CRA computer systems that they require to perform their duties. We have also strengthened back-end controls to build on our automated systems for better monitoring of transactions performed by employees. These monitoring controls will be fully implemented next year, and these are as a result of a recommendation from the Privacy Commissioner in the audit from 2013.

Through a phased approach, the agency, so far, has implemented six of the nine recommendations stemming from the Privacy Commissioner's 2013 audit. Three of the recommendations involving multi-year investments continue to be implemented. We expect they'll be implemented in 2017.

Overall, the CRA has invested over $10 million and is planning further significant investment to enhance its identity and access management controls to improve the protection and confidentiality of taxpayer information and to reduce the risk of internal fraud.

We have also improved our procedures to address and manage privacy breaches so as to ensure more timely reporting of material privacy breach incidents to the Office of the Privacy Commissioner and to the Treasury Board Secretariat.

As you know, Canadians are technologically savvy and are avid consumers of online content. This makes them very sophisticated clients. They rightly expect from their government institutions the same high-quality and timely online interactions as they have become accustomed to receiving from service providers, such as Google or Amazon. For instance, we expect more than 86% of Canadians will file their taxes online next year. We expect that number to probably reach about 90% within three years.

The agency is continuing to invest in ways to improve our services to Canadians, largely through ongoing investments in IT-based solutions, such as My Account, Manage Online Mail, and MyCRA app. Yet as we work to keep pace with the latest innovations and with consumer expectations for faster, more user-centric, and more seamless service, we must ensure that appropriate measures are in place to safeguard the personal information we collect as part of our work.

The CRA assesses its new and modified technological advancements, programs, and activities from a privacy perspective by conducting privacy impact assessments, or PIAs. So far this year we have completed 16 PIAs, and we are on track to complete approximately 18 more by the end of the fiscal year. Our PIA plan includes 20 active PIAs at this time. This is one way we balance this fine line between meeting the expectations of Canadians with regard to service improvement, while ensuring new initiatives comply with privacy requirements.

The Agency also strives to ensure that its employees are well aware of their responsibilities in safeguarding the personal information within their custody. Our Code of Integrity and Professional Conduct, and our Integrity Framework, have been important tools to impart on employees the extent to which the protection of the privacy rights of taxpayers is central to their responsibilities, even after they leave the Agency.

Despite these measures and the many efforts to safeguard personal information, breaches do, unfortunately, occur from time to time. The CRA is keenly aware that, due to the nature of the information holdings we have, a breach of personal information can be seriously injurious to an individual or an organization. For this reason, all privacy breach incidents are assessed with a very high level of rigour. There is always room for improvement, and the Agency is continuously looking for ways to enhance its privacy management practices through program, policy and technological changes.

In fact, we regularly consult with the Office of the Privacy Commissioner and the Treasury Board Secretariat on the subject. The Agency has strong processes, policies and procedures to ensure compliance with the Privacy Act and its related policy instruments. Controls are in place, and we continue to assess and improve those controls on an ongoing basis. Our responsibility to protect Canadians’ information is fundamental to who we are and what we do. That is why we continue to dedicate significant efforts to meeting the expectations of Canadians in this regard.

I hope that I've given committee members a useful overview of the Canada Revenue Agency’s operating environment as it relates to the Privacy Act.

Ms. Juneau and I will be very pleased to answer your questions.

Thank you.

Thank you, Mr. Chair.

11:20 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Thank you very much, Mr. Guénette.

We will now commence the first series of questions, which will be seven minutes in duration.

Without further ado, let's start with Mr. Long.

11:20 a.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Thank you, Mr. Chair, and thank you to our presenters this morning. It's a very interesting subject.

Ms. Bernier, I'm going to ask you a few questions. There was an article on the CBC news website that you were quoted in, entitled “Chantal Bernier says Ottawa snooping on social media”. It goes on to talk about how you raised alarms—or flags, if you will—about the government collecting too much data on social media, and about the notion that if you post on social media—and I'm very active on social media through Facebook and Twitter—that's fair game for everybody. In the article you said you were seeing evidence of that from government. To quote the article:

Bernier's office revealed that various government agencies have made almost 1.2 million requests for personal information about Canadians from Canada's major telecom companies....

That is a bit of an aside.

I want you to give us your thoughts on that, and also comment on the Cindy Blackstock case. I'd like to get your thoughts and some background on that case. How is it pertinent? What are your viewpoints?

11:20 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

It's all relevant. This is exactly where I will have an opportunity to show you how the act is ill-fitting at times.

11:20 a.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

That's what we want.

11:20 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

Let me start with the Cindy Blackstock case, because when I was preparing my remarks, I debated as to whether I would use the PIA—the privacy impact assessment—from the RCMP, or the Cindy Blackstock case. For this, I chose the RCMP, which had a positive result. The RCMP was extremely good and well understood, but it was important for us to arc back to the charter.

With Cindy Blackstock, this is what occurred. Two departments—the Department of Aboriginal Affairs, as it then was called, and the Department of Justice—had monitored Cindy Blackstock, a first nations children's rights activist.

11:25 a.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Was this in 2014?

11:25 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

I issued the report in 2013. It had occurred before that, so this was about two or three years ago.

11:25 a.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Okay.

11:25 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

At any rate, what is very important is that she saw they were monitoring her Facebook accounts, so she came to us. We went to the departments, who said, “Well, of course. This is public. She posted it on Facebook.” They were not being mischievous at all. They were acting in good faith, yet we came to the conclusion that they were violating the Privacy Act, because section 4 of the Privacy Act says that you cannot collect personal information that is not related to your activities or programs, and this was not related to their activities or programs. They replied, “But it's not personal information. She put it up on Facebook.”

The crucial question at this time of technology is “What is personal information on the net?” This has been clarified in R. v. Spencer, 2014, by the Supreme Court of Canada, which ruled that personal information on the net is not public. It remains personal because personal information is any information about an identifiable individual. Hence, the posts that Ms. Blackstock was sharing with her Facebook audience were personal information that she had not intended for the government, and that the government could not justify to pick up or collect as related to its mandate—either Justice or Aboriginal Affairs—and therefore it had violated the act.

11:25 a.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

I just want to jump in. You said that she became aware that they were monitoring her.

11:25 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

11:25 a.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

How did she become aware of it?

11:25 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

I'm searching for it. I assume that she must have had some indication. The fact that comes back to my mind is that I believe she started noticing that officials would show up at her speeches, so she connected the dots.

11:25 a.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Okay.

11:25 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

She's a very highly sophisticated person. She is very well respected, intellectually very strong and very astute, so I think that she had various clues that she put together. Sure enough, indeed, that's what it was.

It really started with a lack of legal clarity as to what the obligations of the departments were, which led me, in the report of January 28, 2014, to recommend specific Treasury Board Secretariat guidelines for departments about the issue you raised, social networks.

11:25 a.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

You sent a letter, I believe, to the Treasury Board president at that point, Tony Clement.

11:25 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

11:25 a.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

I know there certainly were remarks in the House of Commons that the government of the day wanted to get rid of the long-form census because they thought it was intrusive, yet they were operating their monitoring of social media.

Please continue on with what happened.

11:25 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

What happened is that, as far as I know, there have been no changes. I have been looking for an announcement of directives on social media. I don't know if my colleagues in the public service, who are still my colleagues, have seen anything. I certainly have seen no announcement that the government was going to comply.

But I have to tell you that the case of Cindy Blackstock was the one that we made public, but we also had years before—and it is in one of the annual reports of the Privacy Commissioner of Canada—a privacy impact assessment from a government agency where they wanted to track the social networks of public servants to make sure that they did not have illegal, prohibited political activities. While the objective is commendable—yes, it's true, I'm so proud that we have a non-political public service—you cannot monitor employees. That's personal.

In my mind, it requires further clarification to provide the departments with a clear direction.