Information & Ethics Committee on March 10th, 2016

The first thing I'll say is that our recommendations before you have to do with substantive legal rules as opposed to mechanics and architecture. We don't have recommendations before you on architecture. In large part this is because this act is so old that we need to cut to the chase and get to having improvements on a dozen or so very important substantive issues. We haven't looked in great depth at the issue of architecture.

I will say, though, that I would not be inclined to regroup the two institutions under one roof, in part because I'm responsible for the Privacy Act with respect to government. I'm also responsible for PIPEDA with respect to the private sector. So all the telcos, all of the manufacturers such as Apple and so on, Google.... I have quite a bit on my plate and we don't have infinite resources.

At the end of the day I think it is a good thing for the protection of the privacy rights or access rights of Canadians that they have two commissioners, two offices, with different responsibilities, although they share similar rules. I think Canadians are better served that way.

I'll start by saying we're not asking for order-making powers at this time. I'm not opposed in principle to order-making powers. At the end of the day I think we can get to the same place differently in a way that would satisfy all concerns and without creating certain risks potentially. Why order-making powers? Madame Legault and I agree on many things, and we're not that far apart. I think she testified—and that is the situation with us as well—that when there are complaints either to her office, or to my office, government departments ultimately agree to act in the way we recommend them to act.

Order-making powers are not empirically required to change the way that government departments respond to our complaints, because ultimately they do. The issue is more the time it takes for government to reach that stage. Part of her argument, and I agree with her, is that currently the process is quite long. I said that in my remarks as well. There is an exchange of correspondence with government departments that sometimes takes two, three, or four iterations before we get to the right place. That may be in part because all we can do is to recommend, and there is no sanction for government not to act promptly in responding to our investigations.

An order-making power would create the right incentive for departments to act promptly and respond to our requests, but I think the Newfoundland model that I'm suggesting to you gets to the same place by amending legislation. I would continue to make recommendations and not orders, but according to the Newfoundland model these recommendations have to be complied with by government, unless they take the matter to court and challenge the recommendations made.

We get to the same place, just to finish on the question of the potential risks of an order-making power. Over the years there has been much discussion around the fact that order-making powers mean a more formal process. That certainly has the potential to be costlier, to involve more in terms of procedural rights, and so on. There's the potential for that, and that's one factor.

Another factor is that if there are order-making powers in a body that also has a responsibility, which I'm recommending here, to promote privacy rights, can you have in the same place a body that promotes privacy and the same body adjudicating impartially on the rights of Canadians vis-à-vis a government institution? I'm not saying it's incompatible. It's possible perhaps in terms of structure to build Chinese walls and to make these distinctions.

The order-making model is a legitimate model, but it's not the only model out there. In Canada I think there are eight jurisdictions without and five with. It's a very legitimate model, but it's not the only one.

I think we're getting to exactly the same place, addressing the same concerns, through this legislation that was adopted in Newfoundland after very serious consideration by a committee that included the former chief justice of the Newfoundland Court of Appeal and my predecessor, Madam Stoddart. It also, I submit, is a very prudent model that gets to the same place without some of the risks.

It's a question of judgment. In my judgment, prudence is in favour of the Newfoundland model. I'm not saying the other model is imprudent, but I think overall, looking at all of the considerations I've put before you, prudence is in favour of that model.

I'm recommending that all of the executive branch be covered by the Privacy Act, including the PMO and ministers' offices. Why? The Privacy Act is intended to provide access by citizens to information that government holds about them. That relates to service delivery, to conferring rights. There is personal information held in ministers' offices and the PMO that is extremely relevant to service delivery and how rights are delivered.

Many statutes provide statutory responsibilities to ministers, who then delegate them in the bureaucracy. A lot of the information that relates to these questions is in the bureaucracy, and that's currently accessible. But ultimately it's the minister who's responsible to make these determinations, and in some cases the ministers personally do make these decisions. It shouldn't matter whether the information rests in the bureaucracy or in a minister's office if it's the same kind of information that can potentially be used for the same statutory purposes.

Yes.

At the end of the day, the commissioner issues a recommendation, which obviously has a lot of weight, because it needs to be heeded. Otherwise, the government needs to go to court. But it is a recommendation. I think the procedural way in which these recommendations are made potentially would be lighter, less formal, less costly, and less open to challenges that it is potentially inconsistent with the promotion roles of the commissioner.

They are not far apart, I totally agree, but I think it's a distinction that matters. As I say, I agree with my colleague on what the ills are. The ills are mostly in terms of the length and duration of the process. I'm just suggesting a different way to get to the same place with fewer risks, in my view.

My starting point, again, is that we've not looked at this question of architecture in great detail. I'm not philosophically opposed to this; I'm just being pragmatic. I'm looking at our responsibilities and the responsibilities of the Information Commissioner. There may be a distinction between the situation federally and provincially, in that federally the mandate is somewhat broader than it is in provincial jurisdictions. But at the end of the day, I'm looking at this pragmatically, and I want to make sure Canadians are well served.

Is it possible to regroup the two institutions under one roof, with the same resources the two have? Would it work? Potentially.

This act has not been amended for 30 years. I'm not sure the thing to do is to look at architecture. I think the thing to do is look at substantive rights, and fix that. There's more time to look at architecture.

I'll deal with that in two stages: first, before the legislation was adopted; and then after.

Before the legislation was adopted, this recommendation followed a review by a committee or commission presided over by Mr. Wells, the former premier and chief justice, and Madam Stoddart, with a third commissioner. They did a thorough review of the legislation in place in Newfoundland.

On this question of order-making versus not, we can provide you with a summary of that report. Those are the considerations I'm putting before you. Order-making could be more formal and more costly. It could create risks in terms of conflict of roles with the promotional role. They came up with this model. That's what they recommended. That's what the legislature adopted in Newfoundland.

On the second phase, the legislation was adopted in June of last year. It's recent.

I spoke with my Newfoundland colleague, the commissioner. He said it had exactly the impact that was desired, i.e., submissions by government are more prompt and they are of better quality. To date there have not been judicial challenges of recommendations, so the government has followed all the recommendations made under that model.

It works. I'm not saying the other model cannot work, but this model, so far, has shown it can work.

There are provisions under the current Privacy Act authorizing sharing of information between federal departments. Some of these provisions are quite broad. For instance, information can be shared for “consistent purposes”. What is consistent in a given context depends on the context of the relationship between the two departments that are sharing information.

What I'm suggesting is not to change the rule about consistent use, but to add a layer of protection on top of that, whereby there would be a requirement that the departments enter into a written agreement to give more meaning to what is consistent in the context of the activity that they're undertaking together. That would better protect rights; it would be transparent; it would provide more clarity; it would allow us, as we recommend, to express certain views on whether indeed the sharing would be for a consistent purpose; and it would allow us to audit the activity after the fact.