Information & Ethics Committee on Nov. 24th, 2016

That's a fair point.

I was thinking more of putting it in the context of the Privacy Act specifically, rather than in SCISA per se. It gets to the final authority, as it were, between SCISA and the Privacy Act. Perhaps the Privacy Act would make it crystal clear for the recipient agencies that when information is shared, not only must it be necessary for their mandate, but they'd have to operate strictly within their mandate, given that we have seen, at the very least, some worrisome behaviour from agencies.

I want to get to the resources for review. We have a lot of information sharing among government agencies. We have the Office of the Privacy Commissioner, with respect specifically to SCISA sharing, which has had some difficulties in obtaining all information from departments. We talk about whether the Privacy Commissioner's office has sufficient resources to do an adequate review of information sharing. Should they have the power to compel the deletion of unreliable information? If not the Privacy Commissioner, should we be looking at, in the context of SCISA, as we have heard, a super-SIRC type of body that would be able to look at information shared among government agencies?

How do we tell Canadians and show Canadians that we have a review body that is seized with this and ensure that privacy is in fact being adequately protected?

Again, this is the same answer that I provided the last time. These are discussions that will be had and that we have heard in and around the round tables we've been conducting. I support Minister Goodalein terms of these reviews, but in terms of the information sharing now, if it is with respect to different institutions, I would look to my colleague to speak to that.

Also, broadly, on behalf of the government, one of the commitments we made and which Minister Goodale was helping to lead is the parliamentary committee to oversee all security activities. I think that parliamentary committee will bring us in line with other members of the Five Eyes, our partners in security globally. It will also have the power to oversee and to provide advice on some of these matters. It's important.

We mentioned technology earlier. Governments have technology, and international criminal organizations have technology, so the sharing of information needs to be done in a way that is consistently respectful of privacy—

To that point, Minister—

—but also recognizes the operational issues in facing high-security threats from time to time. That is a balance between security and liberty, and that is one that we take seriously as a government.

I was driving more at the resource question of the Privacy Commissioner. That is one body we have to review the adequacy of the protection of privacy with respect to the sharing of information. Does the Privacy Commissioner currently have adequate resources to do that job without a super-SIRC type of body and without the parliamentary committee currently up and running? Is there a gap in review that the Privacy Commissioner could fill with more resources?

I'll just confer with the officials.

The Privacy Commissioner is undertaking that review already. In the end, in responding to all of your comments, I would recognize that substantive oversight is important in the different circumstances you were speaking about. How that is going to manifest or be addressed, and the recommendations that are going to be provided from this committee and others that we're engaging with in respect to the Privacy Act, are ongoing, and we will consider all options about how the rule of appropriate oversight can be bolstered.

Thank you.

I appreciate the question and your seeking clarification. I recognize that the questions have been relevant to the national security consultations that are taking place and to the green paper that has been issued in that regard. That consultation is continuing. Obviously, that's incredibly important, and I'm supporting Minister Brison in that regard.

With respect to the specific review of the Privacy Act and the broad framework in terms of our government institutions and their relationship with individuals and information, I would very much welcome a focus on that, leaving aside the consultations we're undertaking with respect to the national security framework.

Very well. Thank you very much.

Now we'll move to Mr. Kelly for the five-minute round.

Start us off, sir.

Thank you, Mr. Chair.

Several of the Privacy Commissioner's recommendations include requiring government departments sharing information under the act to complete a privacy impact assessment and to conclude written agreements on how they're to use the information.

We're going to be talking about supplemental estimates in the later part of our meeting with respect to the Information Commissioner. Mr. Brison, as the guardian of the purse within government, can you address or comment on the costs of this, of what would be the requirement of privacy impact assessments? Has any thought been given to that?

I don't have what a specific cost of a privacy impact assessment would be, but it strikes me as being good governance that, as we're introducing legislation or changes in policy, this would be an outreach that could potentially save government money in avoiding errors in the future. I don't see that conducting a signal check, an assessment with the engagement of the Privacy Commissioner, would add to it significantly.

I would want to have a discussion with him and with his office about what an increase in the level of activity could mean for them. It strikes me that the level of activity may not increase, but that it would front-end-load his office's work. It may not increase the actual burden in their shop, but it would increase the efficacy of their intervention, because it would be earlier on.

There's a hope and an expectation that it will lead to lower costs, but there has been no real consideration yet.

Well, there are lower costs, but there is also better efficacy and better governance. We would consider both.

The commissioner's third recommendation is to make reporting of privacy breaches mandatory. Can either of you comment on both the cost and benefits of implementing mandatory reporting and what steps would be necessary to ensure that the act of reporting does not compound damages to individuals who have suffered a breach of privacy?

Just generally, I can speak to that. Certainly, I am open to that recommendation from the commissioner in terms of considerations around law reform, but I would look to the president to speak about how that works right now in terms of policies between different institutions and reporting.

Government institutions are currently required to report, in writing, material privacy breaches to TBS and to the Privacy Commissioner. We are open to suggestions in terms of whether to expand beyond that, but material breaches are ones that have a potentially harmful impact on people, and moving beyond that would be a significant increase.

For instance—I was asking this question when I was being briefed on this—what would be an immaterial privacy breach? As an example, if a citizen requests a Canada Food Guide and it's mailed to the wrong address inadvertently, that is, in some way, a breach of their privacy, but was there any material impact upon the individual? The incidence of those kinds of breaches dramatically outnumbers the incidence of material ones.

Always in government, we want to be focusing on activities that actually benefit people and to be getting better at those. Focusing on strengthening our response to material breaches and reportage of material breaches strikes me as an area where we still can do better.

Thank you very much, Mr. Kelly.

We now move to Mr. Bratina.

Thank you.

That leads me to my question. It has to with the seriousness of the Privacy Act, because legislation that has serious consequences.... You could say that in some places you're liable to be hanged for treason, whereas for singing the wrong words to the anthem, the punishment probably wouldn't be as bad.

As a municipal councillor and mayor, the most serious thing I was confronted with was about drinking water. Let me read to you the consequences for a municipal councillor:

The Safe Drinking Water Act, 2002 includes a statutory standard of care for individuals who have decision-making authority over municipal drinking water systems or who oversee the operating authority of the system. This can extend to municipal councillors. There are legal consequences for not acting as required by the standard of care, including possible fines or imprisonment.

What I'm looking for is strong wording in the Privacy Act that relates to breaches and consequences. I'm hoping that the government will be open to a review of how seriously we take these breaches and what consequences ultimately might be applied.

I'd be interested in your comments on that.

I appreciate the question and the comments.

Certainly, I think that in looking broadly at the review of the Privacy Act and reflecting on some of the comments I made in my opening remarks, the integrity of the Privacy Act and the review we're undertaking is dependent on, and wants to bolster, the trust that personal information data will be held in a secure manner, and that where there are breaches of the act, there is consideration of the appropriate remedies.

I'm certainly open to.... Again, not to sound like a broken record, but we really are at the investigative stage in understanding what's available in terms of the overview, renewal, and modernization of the Privacy Act as to what would be most appropriate. I'm very happy to receive feedback in that regard. To underline that, I think we need to ensure that individuals have trust that the governing institutions are appropriately managing and securing the data they acquire and have vis-à-vis the individuals.

That's my point. You said it well at the beginning. You said that trust is the underpinning of all of this. Technology is going to change, and there could be technological lapses and inadvertent sharing of information, because someone wasn't clear that we shouldn't really be telling this other country about this person.... I think it's a requirement of their understanding of their mandate to know that there are serious consequences. You had better be very careful when you move this information around, because if you do the wrong thing, there will be a consequence.

I'm not even suggesting what the consequence should be, but I'm wondering whether we have the strength in language currently, or whether that's something that we should approach in our deliberations, as to how to move the Privacy Act to the next generation.

You're talking beyond just the policy, but in terms of the enforcement of the policy, of it having the teeth, with real accountability for those who have the personal information of Canadians and what they do with it. We're open to that.

The other thing I would hope is that as a committee, when you're doing your report, you're looking at other countries and best practices. We can sometimes benefit from that, as well as with regard to protocols around how to deal with not just the reportage of breaches, but also how you hold people accountable for this.

That's my question. Thank you.