Information & Ethics Committee on Nov. 24th, 2016

Just to be clear then, you would support a five-year review of the Access to Information Act, but the Privacy Act not so much?

I look forward to your report. I'm saying that this is something we have proposed in terms of access to information. Again, my colleague, Minister Wilson-Raybould, is leading on the whole area of the Privacy Act.

I appreciate how many times you've said you're looking forward to our report. I hope we don't disappoint, Minister.

I hope so too. It's almost Christmas.

Okay. We'll target Christmas.

I have about 30 seconds left. Quickly, in terms of the timeline for reforming the Privacy Act, Minister, are you able to comment on the work you've been doing in parallel with our committee and how we can feed into some of that?

Sure. I wish I could give you a timeline, but recognizing that the act hasn't been updated for 30 years, I certainly think we all can appreciate the necessity of taking the time to ensure that we're doing a substantive review, certainly of the reports. As I've said, my officials are undertaking that substantive review. There is a working group that has been put in place.

Recognizing the mandate letter that I have from the Prime Minister, I will ensure that we've appropriately engaged with all stakeholders and Canadians and that we take account of the reports and recommendations from the Privacy Commissioner and move forward in a thoughtful and concentrated way to reform the act.

I have one quick comment. I hope you'll consider the work we're doing here. I think your side of the table would agree that we've done a substantial amount of outreach to stakeholders, and hopefully we're not parallelling a lot of that.

I appreciate your time.

Thank you very much.

We now move to Mr. Blaikie for seven minutes.

Thank you, Ministers, for being here with your staff, and thank you to Parliamentary Secretary Murray for spending some time with us today.

My first question is for the Minister of Justice. Recently, the courts ruled that CSIS had been gathering and retaining the personal information of Canadians for 10 years and failing in its duty of candour to the courts with respect to that collection of personal information and its retention. An assistant deputy minister of yours went so far as to provide an opinion that CSIS was in keeping with the rules. That opinion, the court stated, was not factual.

I'm wondering what it is that you're doing today to ensure that kind of incident is not going to be taking place again. I'm wondering what kind of changes you believe should be made to the Privacy Act or other acts in order to ensure that that doesn't happen again.

Thank you for the question.

Certainly, I recognize the judgment that came out with respect to CSIS and information. My department and the Minister of Public Safety take the judgment incredibly seriously, obviously have read it very closely, and will uphold the decision.

I work closely with the Minister of Public Safety in many different areas. I know that he has publicly spoken about this matter. I have the utmost confidence in him to ensure that he's working with CSIS to address what the judgment has said. He's gone so far as to speak to looking at the directives he has provided. Again, I will support him in that in any way. Our government is committed to ensuring that we are open and transparent.

Well, I think many Canadians outside of government also recognize that decision but are concerned in terms of knowing what in particular is going to be done to ensure this doesn't happen again. It's great to have a kind of general commitment to not having it happen again, but if it was a failure of law, then presumably there are legislative changes that ought to be made in order to ensure that it doesn't happen again.

Is it your opinion that the law wasn't right and should enable this collection? Or is it your contention that the law was good here and there was a failure at the staff level, either within CSIS or within your department, to interpret that law property? If so, what's the proper follow-up for that? What are you actually saying to staff in terms of ensuring that this doesn't happen again?

I think people want to know what concrete measures are being taken in order to ensure that it doesn't happen again. I think we agree at the high level that we need to recognize decisions that courts make here in Canada, but that doesn't tell us very much. What concretely are you doing within your department? Should we be considering changes to the Privacy Act here in order to help ensure that it doesn't happen again?

Again, I guess I would acknowledge your questions and your probing for details, and certainly I would expect that you appreciate, like other Canadians, that we have taken the judgment incredibly seriously and are following up.

In terms of concrete steps, as I've said, I will continue to work with the Minister of Public Safety. He certainly has engaged with CSIS on this and is reviewing their activity and his direction, and that's in the broader context as well.

Leaving aside the potential law reform with respect to the Privacy Act, together we are engaged in a substantive and comprehensive review of our national security framework, and the discussions contained within the green paper that we put out have 10 items for discussion. I would encourage people to participate and be involved in that consultation and certainly—

I'm going to jump in, because we only have seven minutes.

—that would and could be brought up.

On a specific legislative issue, one thing we've heard here is that there's some ambiguity—a kind of systematic ambiguity—about whether the Privacy Act trumps other acts. There's a provision in the Privacy Act that says it applies subject to any other provisions of any other acts of Parliament or regulations thereof, and we're looking at that, especially in the context of our other study of the Security of Canada Information Sharing Act.

In your opinion, where there's a conflict between those two acts, do you believe that the Privacy Act should take primacy over SCISA, or do you see the interpretive burden cutting the other way?

In terms of what we're speaking about, of the Privacy Act being a general framework to oversee something on the order of 240 government institutions, I think this is definitely a conversation that we're having today and that we're going to continue to have, recognizing that this broad framework in terms of the Privacy Act covers security agencies as well. In the context of having discussions around the national security framework, I believe in that, and I would encourage individuals and parliamentarians to engage in that consultation and provide input with respect specifically to the national security review.

That's part of the issue: whether subsection 5(1) of the Privacy Act provides a loophole so that, given SCISA, the broad Privacy Act framework doesn't apply to our security agencies in the way it should because they can bypass it if they're authorized under SCISA.

That's part of what's at issue here. I'm curious to know if you have a more specific opinion as to whether it's the view of government that the Privacy Act ought to apply in these situations first and foremost, or whether it's acceptable that other laws can bypass that broad privacy framework and allow agencies to disregard it?

My colleague has assisted in providing me with some of the words from the Minister of Public Safety in follow-up to the commissioner's comments and recommendations. He reminded ministers from 17 institutions that collect information under SCISA of their obligations relating to privacy impact assessments.

All right—

That's your time, Mr. Blaikie.

We'll now move to the last of the seven-minute rounds before we move to the five minutes.

Mr. Erskine-Smith, please.

Thank you very much.

Thank you, Ministers, for being here.

I want to pick up where Mr. Blaikie left off to some extent with respect to SCISA and bulk data collection and retention.

Why I mention SCISA in the context of the Privacy Act is that both in the context of SCISA and in the context of the Privacy Act we talk about standards of collection, retention, and disclosure, and specifically the necessity standard. We had the Privacy Commissioner before us, who said that the most important change you would make is a necessity standard for collection across all government departments.

I wonder, Ministers, if you could speak to the importance of that standard and whether we can see that standard becoming law within our mandate.

Maybe I could speak to that briefly and then hand it over to the Treasury Board president.

I know that this has been, as you've said, a recommendation coming from the commissioner. There are jurisdictions in the country that do have that necessity requirement: Alberta, Quebec, and Ontario. It's something that we're open to consideration and reflection on.

The government's policy is that government institutions ought only to collect information that is actually necessary or required. We want to ensure that—and the Privacy Commissioner has provided advice, as will your committee—we only collect and only retain personal information that is required but is also in accordance with the Privacy Act and all policies.

Again, the report from the committee will help guide us on that, but the general policy of only requesting information that is necessary is an important guiding principle.

Yes, although we had committee testimony with respect to that standard in the context of SCISA, and we had government agencies saying that disclosure on the basis of relevancy is important, but of course, there's the collection of the recipient agencies. It depends upon their mandate. CSIS has a “strictly necessary” mandate, but other agencies don't in fact have that necessity standard as recipient agencies. There's probably a problem there if we don't heed the Privacy Commissioner's words and import the necessity standard across the board.

Speaking of mandates, again this gets to Justice Noël's decision, but we had Professors Forcese and Roach come before us and say that it's very important that we make crystal clear that receiving recipients must operate within their existing mandates and legal authorities, and that agencies put in place protocols for ensuring the reliability of shared information, as per the Arar commission recommendations.

I wonder, Ministers, if you would have something to say in response to the professors.