Evidence of meeting #5 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was privacy.
A recording is available from Parliament.
9:55 a.m.
Liberal
Bob Bratina Liberal Hamilton East—Stoney Creek, ON
Mr. Therrien, you mentioned on February 23 that the digital world has impacts on privacy, leaving some populations vulnerable, and you referred to youth and seniors. We see the vulnerability of not understanding credit card interest rates or payday loan charges, and that's because some of us just struggle with math. But in the question of the digital world for youth and seniors, could you tell me exactly what you're looking at in terms of that vulnerability and how it might be addressed?
9:55 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Yes. Again, this is mostly a PIPEDA issue, as opposed to the Privacy Act, but I didn't mention these risks in my remarks a few weeks ago.
The risks may not be exactly the same for youth and seniors. Youth are, of course, very adept at using technology. There are many privacy considerations, but one of them is to make sure that young people are prudent in their use of technology so that information they put out there cannot be used by others against their interests. In part our strategy is to better inform youth through teachers, for instance, on the risks of the new digital world.
Seniors, of course, are less adept, but more and more older people are using these technologies. Identity theft and fraud are often considerations. Again, essentially we want to better inform various populations of the benefits of technology but also of the risks.
10 a.m.
Liberal
Bob Bratina Liberal Hamilton East—Stoney Creek, ON
On the notion of “better inform”, that's the education part. Perhaps you could speak to how you envision the education part of this taking place.
10 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
With respect to seniors and youth, we already have a public education mandate under PIPEDA. It's a question of how we would do this, and we have various means. We attend conferences and outreach activities. We want to improve our website, for instance, and give tips to populations, vulnerable populations in particular.
Going back to the Privacy Act, we do not have a statutory mandate to do public education for information held by the government, and it would be as important to undertake these public education measures.
10 a.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
Mr. Bratina really asked a very similar question to what I was going to ask, which was just dealing with the vulnerable groups that have been identified and the extent to which the commissioner might recommend or embrace a mandate to educate the public about how to manage their privacy.
10 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I've answered in large part. In relation to the government, let me give you a specific example of how it would be useful to have a public education mandate under the Privacy Act vis-à-vis government. On the question of encryption that Mr. Blaikie raised, currently we have a public education mandate under PIPEDA, which means that our research, for instance, and our public education efforts are focused on how consumers relate to private companies.
We don't have a similar mandate vis-à-vis citizens in relation to the state. It would be useful under the public education mandate under privacy to have some research done on the question of the tension between the desirability of encryption and the legitimate needs of law enforcement power, what steps could be taken by citizens in that context, and how to educate them so that they know what the issues and are better able to protect themselves.
10 a.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
Going beyond education, do you see a role in co-operation with law enforcement on the issue of fraud?
People need to take care to guard their privacy and understand their privacy issues in relation to the government. Fortunately, government doesn't typically actually try to defraud people, unlike the private side with spam email and scam-type pieces that explicitly try to defraud citizens through unwise disclosure of their personal information.
How do you see your role as Privacy Commissioner in co-operation with law enforcement over fraud?
10:05 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
We co-operate with government, for example, on advice to citizens on how to protect themselves against cybersecurity threats or other risks of a privacy nature. We do that with Public Safety on different issues. We do that with the innovation department, which is responsible for PIPEDA. We already do that. Should we do more? Potentially, but this is something that already occurs.
10:05 a.m.
Liberal
Joël Lightbound Liberal Louis-Hébert, QC
I have two quick questions.
The first one you mentioned. You touched upon metadata in your answer regarding Bill C-13, and as far as I know, metadata is not defined in any way, shape, or form in our legislation. I was wondering if your office had any recommendations pertaining to metadata, and if it should be defined and where it should be so defined. Do you have any take on this?
My second question is regarding a recommendation that your office made back in 2008 that recommended to provide greater discretion to the Office of the Privacy Commissioner to report publicly on the privacy management practices of government institutions. That's a recommendation that was made in 2008 and I was wondering if this still stands and if your ability to report publicly on privacy issues is in any way hindered at this moment and what could be done.
10:05 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I'll start with the second question. Yes, it is still one of our recommendations.
Currently we can inform the public and parliamentarians only in the context of reports to Parliament, which are either annual reports or special reports. Otherwise we're bound by a confidentiality provision under the Privacy Act not to reveal our investigative activities. We continue with that recommendation.
On the question of whether we should legislate metadata, we have put on our website two research papers that seek to inform the public and others as to what metadata is. We have one on IP addresses and another on metadata more broadly, which is an operational, practical description of what metadata is.
Should it be legislated? I would have to give some serious thought to that because it's a difficult beast to define. If you're interested in this, we could get back to you on that point.
On the issue of metadata, I refer to the Spencer case. The Spencer decision of the Supreme Court in 2014 helped a lot in regulating what law enforcement can do with metadata in the context of investigations. There have been recommendations, discussions, or wishes expressed by law enforcement to perhaps change or nuance what the Supreme Court has said. Clearly, I would not be in favour of reducing the protection that comes from the Spencer decision, and if anything, if there was legislation to adopt on that point, my recommendation would be to codify and confirm the principles of Spencer. Would it be a good thing to define metadata? I'm less certain of that, but to confirm the principles of Spencer would be useful.
10:05 a.m.
Liberal
Wayne Long Liberal Saint John—Rothesay, NB
I want to go back to one of the earlier things I think we discussed as a committee.
You said that several recommendations have been made to amend the Privacy Act over the past 30 years, but there really hasn't been anything substantial done. That certainly goes beyond whether it was a Conservative government, a Liberal government, NDP, or whatever. I'm looking for your opinion as to why there haven't been changes to the act.
10:05 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I don't have a precise answer to give you. As you say, several parties were in government. The act was adopted in the 80s. I honestly don't know. In part, policies were adopted short of legislation to address some of the privacy risks, but in my view, this is no longer sufficient. I'll leave it at that.
10:10 a.m.
Liberal
Wayne Long Liberal Saint John—Rothesay, NB
Can you tell me how the office is set up? I'm a business person. How many staff do you have? When were you were appointed and by whom? What is your budget? Have you requested budget increases? Has that been successful for you? Could you just give us a bit of a background on that, please?
10:10 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
The office has approximately 180 employees responsible for administering the Privacy Act with respect to the public sector and PIPEDA with respect to the private sector. We have approximately 50% of our employees working on enforcement or investigation of one kind or another, in relation to either the Privacy Act or PIPEDA, and that includes a group that does audit and review.
Madame Lajoie is director general of investigations with respect to the Privacy Act. There is a similar group responsible for investigations under PIPEDA. There is a policy group, of which Madame Kosseim is the director general and senior general counsel. We have a policy group. We obviously have certain corporate services, legal services, finance, and human resources. We have a communications branch, which is responsible in large part for our public education effort. We have a small but efficient technology branch with technologists who are very helpful in giving us a technological grounding for our investigations or our policy recommendations. That's the structure. The number of employees is 180. The budget is roughly $24 million.
There have been budget asks over the years, some of which were successful. In 2008 there was a successful budget ask, which led to some increases in the complement. That was eight years ago now, and as I say, technology continues to evolve, and there are many more issues we have to deal with. Currently, we are struggling to meet our responsibilities with the resources that we have.
10:10 a.m.
Conservative
The Chair Conservative Blaine Calkins
Mr. Long, I appreciate the nature of the questioning. I'll just advise the committee that this path of discussion might be better served when we discuss the estimates. I know we have those coming forward in very short order. That will be a great opportunity for those questions.
We're now very much approaching the time that's allocated, but Mr. Massé has not had an opportunity yet today to ask a question and get on the record.
Mr. Massé, if you have a quick question, I think that would wrap up our committee business for this witness.
March 10th, 2016 / 10:10 a.m.
Liberal
Rémi Massé Liberal Avignon—La Mitis—Matane—Matapédia, QC
Thank you, Mr. Chair.
I might take a different approach. Given that Canadians want to have access to effective and efficient programs, how can we balance the collection and sharing of information by various departments when service delivery programs are increasingly complex and targeted? How can the government balance the collection, sharing, and protection of information to keep providing effective service delivery to Canadians?
10:10 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
That is an excellent question.
Since the beginning of my term, the questions I have been asked about information sharing have often had to do with police forces or national security. However, you are quite right to look at the situation more broadly.
The government has initiatives to increase information sharing among departments, in part to improve program effectiveness. That is a legitimate and commendable goal. I think that the purpose of the Privacy Act is not to prevent that kind of activity, but to regulate the sharing of personal information in order to ensure that Canadians' privacy is respected.
For example, when I recommend that there be written agreements for information sharing, I recognize that information may be shared to achieve commendable and legitimate goals. However, it is also important to have rules to govern and protect privacy.
10:15 a.m.
Conservative
The Chair Conservative Blaine Calkins
Thank you very much, Mr. Therrien, for coming in today. I'm sure we'll hear from you again at some point in time during the study. It's usually appropriate at the end of the study after we've heard from a number of other witnesses.
I know you've given us a list of proposed and prospective witnesses that I'll be sharing with our analysts and of course with the committee. I'm sure at the end, when we've had a chance to talk to a wide range of folks from across Canadian society, we'll have an opportunity to bring you back in and tie up any loose ends and questions that we might have.
I want to thank you very much for your time. I'm very optimistic about the feeling around the table. Hopefully when somebody in the future asks you why it hasn't been done for 30 years you won't have to say I don't know, because we'll get some legislation that will update and modernize the Privacy Act.
10:15 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
We will assist the committee in any way during your study.
10:15 a.m.
Conservative
The Chair Conservative Blaine Calkins
Very good.
We'll now stay in the public portion of the meeting.
Mr. Blaikie, you wanted to move your motion.