Thank you.
Good morning, Mr. Chair and members. My name is Stefanie Beck. I am the assistant deputy minister of corporate services at Immigration, Refugees and Citizenship Canada.
I'm joined by Audrey White, the director of our access to information and privacy division.
We've been here before to talk about access to information, and we are very happy to be back to talk about privacy as well. Thank you very much for welcoming me and my colleagues here today. We're very happy to provide IRCC's input into this important matter.
We congratulate the committee on its study. It has been more than three decades since the Privacy Act came into play. I know we all agree it's time for an update. As the Privacy Commissioner has pointed out to this committee, developments in technology have made it possible to collect and retain enormous amounts of information. We must make sure that our ability to safeguard this information reflects this reality.
Mr. Chair, before I take questions from the committee, I would like to provide an overview of how Immigration, Refugees and Citizenship Canada deals with the challenges of protecting the personal information entrusted to it. It's a duty my colleagues and I take extremely seriously.
Our department has an access to information and privacy division with approximately 70 staff and a network of 85 liaison officers across the many branches and regions of the department.
Immigration, Refugees and Citizenship Canada receives more privacy requests than any other federal institution. In 2015-16, our most recent reporting year, we received 15,292 privacy requests. This year, we expect to receive over 16,000 requests.
I had the opportunity to appear before this committee earlier this year. Today, I will focus my comments on the Privacy Act.
Due to the nature of our work, which involves the processing of over 2.8 million applications for permanent and temporary residence every year, we receive an enormous amount of documentation containing personal information every day. This comes in every format—digital, print, and even photographs.
At IRCC, protecting privacy and personal information is paramount. The department has named a chief privacy officer to provide strategic leadership and direction on privacy. IRCC will hold its first annual privacy day next month. We plan to bolster privacy awareness and to champion the protection of personal information among staff. IRCC runs mandatory and voluntary online and in-person training activities such as workshops and awareness sessions. This is an ongoing process, not just once a year when it happens to be privacy day.
We have also adopted a widely disseminated privacy framework that promotes best practices for the handling of personal information all across the department. The privacy framework outlines key responsibilities and establishes a common set of standards and procedures. It identifies key privacy principles, such as limiting the collection, use, disclosure, and retention of information. The framework also provides employees with tools to ensure they are meeting their responsibilities and following the appropriate practices in line with Treasury Board Secretariat and departmental policies.
Just as a couple of examples, the privacy framework provides employees with information to ensure they are fully aware that personal information can be collected only as set out in IRCC's enabling legislation, primarily the Immigration and Refugee Protection Act, the Citizenship Act, and the Canadian Passport Order. It emphasizes that only employees with the appropriate security clearance should have access to personal information, and furthermore, that access to personal information should only be granted on a need-to-know basis. It's not sufficient just to have clearance; you have to need to know the information.
These principles that are at the heart of IRCC's privacy practices closely reflect many of the concerns raised by the Privacy Commissioner.
IRCC’s privacy practices are in line with most of what is contained in the commissioner’s recommendations for changes to the Privacy Act.
For example, as recommended by the commissioner, IRCC follows the Treasury Board Secretariat's policies, as well as its own privacy breach guidelines, which require all privacy breaches considered material in nature to be reported to the Privacy Commissioner and to the Treasury Board Secretariat.
The commissioner also recommends that government institutions be required to conduct privacy impact assessments for new or significantly amended programs, and to submit these assessments to the Office of the Privacy Commissioner before implementing the programs.
Again, Mr. Chair, this is something IRCC already does by following the privacy policies of the Treasury Board Secretariat and our own internal ones. Furthermore, in certain complex cases, IRCC officials will meet with the Privacy Commissioner's office to inform them in advance of the initiative and to provide a detailed briefing on potential impacts regarding privacy. We find that seeking feedback at an early stage enables us to develop better products.
These are just a couple of examples, Mr. Chair, of how the majority of the recommendations put forward by the Privacy Commissioner align with our practices for managing and handling personal information.
I should mention that there is one recommendation that could have a significant operational impact on our work. As you know, Mr. Chair, the Privacy Act currently affords access rights only to Canadian citizens, permanent residents, or people physically present in Canada. Currently, foreign nationals and those outside of Canada can obtain access to their personal information by hiring a Canadian representative and filing a request under the Access to Information Act. We discussed this the last time I was here, and as you know, they pay a fee when they make a request under the Access to Information Act.
The Privacy Commissioner has recommended that foreign nationals and those outside Canada should be able to submit a request for their personal information under the act. Our concern with this proposal is that, because of IRCC’s lines of business and international mandate, the proposed recommendation could lead to an enormous increase in privacy requests that would place an undue burden on our resources and create considerable operational constraints. This could seriously compromise our ability to meet the deadlines for responding to requests as set out in the act.
Mr. Chair, I would like to thank you again for the invitation to provide IRCC’s views on this important subject.
I'm happy to answer your questions.