Information & Ethics Committee on Feb. 1st, 2024

I think we have to strengthen that generally. More and more technology is being used with greater capabilities. That brings innovation and that brings opportunities, but we need to have that reflex of privacy by design and privacy at the front end. Often we'll see the situation where the tool is developed and used, and then we do a privacy impact assessment or we bring in those things.

It will always be more economical and more prudent to bring privacy at the front end. It's more important than ever in this day and age, when we have AI and we have technology that is ever more capable. We really recommend that this be a legal obligation for that purpose.

In the cases where they're used for administrative investigation, these are not the only purposes. Some departments would use them for other types of investigations, but certainly if we're talking about administrative investigations, that would be the employees of the department.

We're talking about a range. Some of the departments will be using them to do investigations on breaches of the act by Canadians generally. Others will be using them to investigate their employees. In the case of the three that were using them for administrative investigations, that won't be all Canadians. It will be only their employees.

However, employees also have privacy rights. There are obligations. We've issued that guidance: Make sure your tool is used for a purpose that's linked to the one you've identified. Make sure it's transparent. Make sure it's proportional. Make sure you conduct a privacy impact assessment where appropriate.

I don't have all the details of what they would be doing. That could be asked of them.

Generally speaking, you would be talking about the tools that are provided to the employee by the employer—the email, the laptop and these types of things. Again, nonetheless, there are some expectations of privacy vis-à-vis these tools, but it's contextual. Employers have legitimate reasons for obtaining certain types of information. We talk about that in our guidance and really highlight it: Make sure you've assessed the tool. Make sure you've assessed the necessity and proportionality of it. Make sure you are transparent about it and people know.

In our annual report last year, we talked about one of our investigations in the private sector where a trucking company was using a monitoring device for truck drivers. Even when they were not on duty, they were being filmed and recorded 24-7. We found that this was too broad. It was legitimate to do it when you were driving, for safety reasons, but it had to be limited to that. That was done.

This is the type of questioning that goes on with regard to the privacy impact assessment. When my office is consulted, especially before it's initiated, then we can raise these types of questions. Let's prevent these things. Let's prevent Canadians worrying about it so that they can feel like, “Okay, this is a tool and here's what it does. The Privacy Commissioner's office was consulted and provided input.”

That's what I'd like to see more of, especially in situations where we often learn after the fact that something was being used.

The policy is an internal rule that the government imposes on itself, so it's a directive that would be issued, in this case, by the Treasury Board. It says, here are the expectations that we have of the department. It's certainly important but it doesn't have the same binding legal force, and it certainly doesn't allow me to conduct an investigation in the same way as if it were in the Privacy Act. That's why I'd recommend, and the office has recommended, to make it a legal obligation. I've recommended this for the private sector as well, especially vis-à-vis AI because I compare this to predeparture flight checks in airplanes. It's something that will bring comfort and reassurance when we're using powerful tools.

In instances like this we've reached out to the departments. We have regular consultation with departments, and we have a government advisory team that's always on standby to hear consultation from departments. Again, what we see sometimes is, “Okay, we will now do a PIA. We will now update it, and we have a program.” Sometimes we're told that this is authorized under their program legal authorities, or they are doing it under a warrant. We have to remind those departments that, even if you're doing it under a warrant or under a valid legal authority, the privacy impact assessment is a separate question. You may still need to do that if your legal use of that tool nonetheless impacts the privacy of Canadians.

It's an extra step, and if it were a legal obligation my belief is that we would see more compliance up front rather than situations like this, where sometimes people find out about it through important media reports. Again, it may well be that these tools are appropriate for their purposes. They're distinct from spyware. They're distinct from ODITs. Even ODITs in appropriate cases may be acceptable, but having that discipline and having those PIAs seen to be done builds on that trust that Canadians can have to say, “Okay, I don't have to watch over my shoulder constantly. The institutions themselves have these tools and these reflexes.”

Generally, when we talk about spyware we're talking about these types of tools that will be covertly accessing phones, retrieving data, turning on cameras and turning on recordings. It's the broad category of spyware we recently referenced for illegal use and unauthorized use. When we talk about ODITs, on-device investigative tools, we're talking about those types of things that are used by law enforcement authorities. They're similar tools, but when they're used by law enforcement authorities, with legal authorization and with judicial warrants, it's appropriate and it's legal. Nonetheless, as a law enforcement authority, you also have to do a PIA before doing those things.

What I would have liked, in a situation like this, is for my office to have been consulted beforehand in the 13 cases and for us to have all the necessary information so that, in response to the media, we could confirm to them what has happened, tell them that we have been notified, that we have given advice, that an assessment has been made and that we have no problem with it, or the opposite, and then present the recommendations we have made.

The surprise is that we finally have to follow up with the departments to find out what's going on.

I think there are all kinds of challenges, whether in terms of resources or the pressure on departments. They're in a better position to speak to that than I am.

The challenge is that privacy impact assessments are mandatory under the Treasury Board directive but not under the act. The directive makes distinctions, for example, between a new program and the update of a program, or between the assessment of a program and the assessment of the tool itself.

Given these distinctions, the department can say in good faith that it is of the opinion that an assessment isn't required, because the directive doesn't require it. And yet, perhaps it should be required. With technology becoming increasingly powerful, it could become even more important to reassure Canadians that we're doing all this in an even more proactive manner. So it would be preferable that it be a legal obligation.

Moreover, this is not an issue that concerns only Canada, obviously. My international colleagues, at the conference of the World Assembly for the Protection of Privacy, adopted a resolution on artificial intelligence in the area of employment. It calls on governments and parliamentarians to be aware of the need to set guidelines. If artificial intelligence technologies are used to recruit workers and assess their performance, that can have an impact on privacy. So we have to be transparent and take into account the notions of necessity and proportionality. These are fundamental questions.

This isn't a legal obligation for them, which would become a top priority. It's only an obligation under the directive.

Before setting up a program, they don't always have the reflex to check whether my office has been informed of it. There are improvements to be made in that regard. We're talking about departments that use this tool for a specific purpose: Some use it for internal investigations and others for investigations within their mandate.

The use isn't necessarily inappropriate per se, but that assessment has to be done. However, as we've seen, people sometimes say that they don't need to do that assessment because their legal mandate includes authorization to carry out those activities. My message to the departments is that it isn't enough. The privacy impact assessment is a separate topic that needs to be dealt with more proactively.

In terms of the public sector, again, this notion of proportionality is not included in the Privacy Act. We recommended, and this committee did as well, that the issue of necessity and proportionality be included. At this point, it is more a Treasury Board directive that this use is necessary to achieve the desired objective.

Currently, the act requires that the use be related to a mandate of the organization. For our part, at the Office of the Commissioner, we will implement that necessity and proportionality by raising questions about it in our investigations. We're talking about it now, just as we talked about it during the investigations into the measures taken during the pandemic, in particular. When we talk about this, though, we have to recognize at the outset that this is not a legal obligation and that, if it were not respected in a given situation, it wouldn't be a violation of the act.

This is a very important recommendation. The approach is very similar to how we proceed in the context of the Canadian Charter of Rights and Freedoms to determine whether there is discrimination or a violation of fundamental rights. We determine whether the objective sought is important, whether the proposed measure achieves the objective, whether the method used to achieve it is the least intrusive and, lastly, whether the method is proportional.

You're absolutely right: We may be tempted to use a tool because we find it very efficient and quick. Artificial intelligence comes to mind. Yes, it's effective, but we're talking about a fundamental right here.

Having said that, it's not an either‑or. Personally, I'm in favour of technology. In the office, we have made it one of our three strategic priorities recently. We want to use technology, but in a way that protects privacy. In that sense, the privacy impact assessment tools are essential. These assessments must not only be done, but also be seen to be done.