Information & Ethics Committee on Nov. 1st, 2016

Absolutely.

We would say that judicial review would be an appropriate remedy. I would say that this type of discretion exists with many tribunals. It may raise issues of access to justice, or access to a response on the merits of the complaint. I recognize this. However, many tribunals, administrative or judicial, are given the authority to balance access to justice with certain limitations where giving access to one individual might actually impede access by others. That's essentially the concept. It exists elsewhere. We recognize that there's an issue in respect of access to justice. We would not use this frequently. I think our record under PIPEDA shows that we use this infrequently, and that's essentially what we're recommending.

I don't see that our recommendations would increase judicial remedies, but if your question is what is the net effect of all our recommendations on government resources, with the chair's indulgence, I could spend a minute or two on that, or we could come back.

That's an excellent question.

We think order making may actually lead to efficiencies because in the process that I've described currently with recommendation making, there is quite a bit of back and forth between us and departments during the investigative process and there's no real incentive for departments to respond to us quickly and completely. We think that amount of going back and forth would be reduced significantly with order making.

Concerning the requirement for privacy impact assessments, the obligation to have safeguards and breach notification, we recognize that this may increase costs for the government. Some departments actually have these practices, so for them, there would be no cost. However, for many, there would be an increase in costs. I don't think these increased costs would be large, but they would not be marginal. I would urge you to consider these costs as an investment to ensure that the public has trust in how the government deals with their personal information in a digital world.

You refer to the example of the incident involving Canada's Communications Security Establishment. I would start by saying that the government claims—and I have no reason to dispute that claim—that metadata, particularly in a foreign intelligence context, is necessary to identify threats. I don't dispute that. The issue with the incident in question was that metadata was then shared with partners, with Five Eyes, in a way that was found by the CSE commissioner, the oversight body, as being unlawful, inconsistent with the statute.

What that tells me is that we have an activity that is legitimate, that pursues a legitimate goal, but is currently regulated in an insufficient way. What I'm looking for—to answer your question—is not a very prescriptive list of conditions necessarily, but currently we have extremely broad provisions that authorize certain institutions to collect and share metadata. I'm looking for some framework, some statutory provisions that would set out certain principles, according to Parliament, according to our elected officials, as to when government institutions would be able to collect metadata, when they would be able to share metadata, under what principles or under what conditions generally speaking, and under what conditions they should retain that information. I'm not looking for something very prescriptive; I'm looking for some basic rules.

For companies, we have seen that a number of them do publish transparency reports when they are the subject of lawful access or warrantless access requests by the police, so there is improvement. I think all companies involved in that area should publish transparency reports.

My main point would be that it's not enough that companies do that. Government departments, which are at the receiving end of this information, should also be more transparent and issue transparency reports. After all, it is the departments that are asking for that information for law enforcement purposes. It's one thing for companies to do it, but the ones who should really be transparent are those who ask for and use the information. I'm not asking them to reveal law enforcement secrets, things that would impede lawful investigations, but there is a way for departments to be more transparent.

I'm sorry, I lost your last question.

Yes.

The chiefs of police, including the RCMP commissioner, make the point that the Supreme Court's decision in Spencer, which reinforced the need for warrants for access to the sensitive personal information of Canadians, is essentially creating important impediments that make their lives, if not impossible, extremely difficult, and that Parliament should provide for more cases of warrantless access if the police are to do their jobs. I need to be convinced of that. I think we all need to be convinced of that.

I don't question in any way the difficulties, in the past, of the police and national security agencies, but I think it would be important that they demonstrate what conditions in Spencer make their lives impossible. One of the conditions in Spencer is that if there is an urgent need to have access to information, it can be obtained without a warrant. If that's the case, why do they need to further liberalize the conditions?

On the order making, there are many recommendations that we make. With respect to the change to an order-making model, for that particular recommendation, I think it is quite possible that the system would become more efficient, including for departments.

There are other recommendations that would likely create costs. I recognize that.

It's a complicated issue.

One of our recommendations is to create a legal obligation for departments to safeguard information technologically, and there would be a breach notification provision. One would think—and there are policies in the Treasury Board and other departments that suggest a similar outcome—that departments need to do what is necessary to protect information that is given to them by individuals. At the same time, we see that there are breaches reported regularly and that departments do not always take the measures necessary to improve their systems.

On that issue, a lot of work is done in government to protect information that I think is insufficient, in terms of surpassing the bar for what would be required. What would be the cost of that? It's not as if you're inventing a new activity. It exists. We just ask that it be improved. We haven't quantified that cost, but it should be, I would say, not insignificant but not extremely important either. One would hope and one thinks that certain measures have already been taken by government to protect information.

This is something that we see in the discretionary regime currently. I think I'll ask my colleague Sue to expand on this, but this is something we see both under the privacy regime and the discretionary regime that we have currently and under PIPEDA.

Sue, do you want to expand on this?

Currently there is already a mandatory policy requirement for institutions to report privacy breaches to our office as well as to the Treasury Board Secretariat when there is a material privacy breach that is identified in an institution. Putting it into law would probably just expand a little bit on what's already in existence. Whether or not institutions are following their policy requirements fully, that's.... We don't know what we don't know.

That being said, you're right in that creating this obligation, whether by policy or by law, may create the risk for further increases in damages. We were consulted by the innovation department on the same policy in the private sector, and we actually made certain comments there on how to mitigate that risk. I recognize there is a risk, but it's possible to mitigate that risk.