Evidence of meeting #100 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was used.
A recording is available from Parliament.
12:05 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
Yes, the scope of the search matters, depending upon the context and what you're after and the seriousness of any allegation—if it's relating to employee harassment, for example.
Those are all my questions, but I will say, Commissioner, that if you do have examples that you feel have gone beyond reasonableness, have gone beyond necessity and proportionality, I would appreciate it if you would refer back to the committee on that.
12:05 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Thank you. It's noted.
12:05 p.m.
Conservative
The Chair Conservative John Brassard
Is that it?
Okay. Thank you, Mr. Erskine-Smith. You did have a little more time left. I appreciate that.
That concludes our first round. We're going to reset the clock now and go back to six-minute rounds.
We are going to start with Mr. Barrett.
Mr. Barrett, go ahead, please.
12:05 p.m.
Conservative
Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON
Can you explain to us the distinction between data or information that is stored on a device and information or data that is only accessible via the device in Canadian law?
The relevance of my question or the precision that I'm looking for is with regard to the regular use of cloud-based storage. While the physical device might be the property of the Government of Canada or a government department, for an individual who has logged in to cloud-based storage of their information, the information isn't stored on the government's device but is accessible via that device through the individual's personal log-in credentials. What's the difference in law?
12:05 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
We would look at that as personal information about the individual being personal information relating to them. Whether it's on the device, on the cloud or in some other form, among other things, we look to see the following: Is this information protected appropriately? Who is gaining access to this? Who has control over this information? Is it legitimate for the government to seize that information? What are the boundaries?
We wouldn't draw too much of a distinction on that in terms of whether it's on the cloud or on the device. What we would really look at is the basis for obtaining it, the technology being used and the expectations of the individuals. Those would all be questions we would ask in that context.
12:05 p.m.
Conservative
Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON
There's no limit, then, to the reach of the government in using this technology in spying on Canadians. Microsoft—lots of folks use Microsoft to store their documents—Dropbox and Google are all cloud-based. People store family photos in there. They store personal correspondence in there. They store confidential and private medical information in there.
Would it ever be appropriate for the government to use the guise of saying, “Well, it's a government device, and you once logged into your cloud-based account using that device. Therefore, we now have unfettered access to that”? Is the only measure after the fact: what they looked at and, “Oh, well, we only took certain things”?
Once they've viewed the information, the privacy of the employee has been violated. That Canadian's privacy has been breached. Is it ever appropriate?
12:10 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
There's a principle of limiting collection, again linked to necessity and proportionality. If you're the employer and you're going to be looking at the data of the employee, it's all part of the transparency. Make sure the employee is aware that this is their work device. If they're using it for personal things, is there a mix? What are the expectations in terms of what the employer will have access to? Why does the employer need to have access to those things?
It's all about making sure the employer or any other organization doesn't get to collect and use more information than they need. That means looking at the purpose and looking at the context. I gave the example of truck drivers being filmed on their personal time. That wasn't necessary for safety on the roads.
Similar types of questions would be asked. The more you're going to go and get my personal information, the more you should have to justify why that is. Again, that's what privacy impact assessments do, and that's what necessity and proportionality would do. We live in a time where that technology, as you described, is more and more invasive. Sometimes there's a mix between the personal life and the work life, so that raises privacy implications.
12:10 p.m.
Conservative
Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON
Will the PIA be used to approve the software or technology that the government plans to use, or is there a process? In advance of collecting the information, ought there not be a requirement for any government department to have the technology, that specific software, pre-approved? On this distinction that it's just employees of the Government of Canada, that's a pretty big employer in this country. The employees, by and large, are Canadians, and that's not to be glossed over.
We seem to be playing catch-up so often on privacy issues with government and government departments. Would your recommendation be that the software be approved even prior to procurement?
12:10 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
I'll read you 4.2.2 of the “Policy on Privacy Protection” from the Treasury Board. It says:
Notifying the Privacy Commissioner of any planned initiatives (legislation, regulations, policies, programs) that could relate to the Act or to any of its provisions, or that may have an impact on the privacy of Canadians. This notification is to take place at a sufficiently early stage to permit the Commissioner to review and discuss the issues involved.
It's that same point. Do it before, not after, so we can flag concerns.
12:10 p.m.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Dufresne and Mr. Barrett.
Ms. Damoff, you have six minutes, please.
12:10 p.m.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
Thank you, Chair.
Thank you so much for being here today and shedding light on this serious issue.
First, I want to ask you this: Is this spyware?
12:10 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
This is not spyware. The difference is that spyware is covert and remote. You don't have the device, and you're doing it. This is a digital forensic tool, so it's a different type of tool.
12:10 p.m.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
Okay. It's been referred to by my Conservative colleagues a couple of times today as “spyware”, so I just wanted to clarify that.
I remember back in 1996, before the days of these kinds of phones, I was working at Midland Walwyn in real estate investment banking. I knew that IT was monitoring what was on my desktop. I was told that. This was my work desktop. It was to be used for work. That extended to even when I had my House of Commons iPhone. I know it's a work phone that is supposed to be used for work.
I have an Apple watch like my NDP colleague. It's on my personal phone.
Why would the government have access to personal health information unless someone has chosen to put their private information on a work phone when they know that phone is only supposed to be used for work? I'm a bit confused by that.
12:10 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
We talk about that in our “Privacy in the Workplace” document that we revised in May 2023. It's really talking about the monitoring and the transparency. To your point, if you as an employee are aware—here's what the employer can and can't do, here's what the tools of the employer can do if you use this tool—then you have that awareness as the user. You have that transparency.
There may be circumstances where it's absolutely warranted for the employer to have access to certain things. However, even if the information is there on the phone, why would the employer need to have access to that health information of yours? You put it there, perhaps rightly, perhaps wrongly, but does the employer need to have that?
How do we balance that—limiting the use, limiting the collection, and that transparency? We have to modernize and apply these rules to evolving technology. It was much easier before, because, as you say, with these devices so much of our lives are so much easier to mix up.
We were talking about the RCMP's use of ODIT before, and that was really done because the wiretaps weren't working anymore. People weren't using landlines. However, the landline didn't give you nearly as much information as the phone. That's an example of a different tool, but it also is of a greater magnitude.
12:15 p.m.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
I've had those questions for the RCMP before. I used to be on the public safety committee.
I am a bit confused about that, because I think, if I'm not mistaken, Apple has won court cases not to provide passwords to access smart phones. I've heard from police services and the RCMP that they're stymied in cases, because they can't access that information, where legitimately it could be organized crime.
From what I'm hearing today, it makes it sound like the RCMP actually have access. We're talking about employees—are we not? We're not talking about the organized criminal out there they would like to have access to. I think the lines get a little bit muddied here about what exactly we're talking about when it comes to our police services.
12:15 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
In the context of the RCMP, in this instance they're using those tools for their investigations generally. They're not investigating their employees. Three of the organizations are doing them for internal investigations.
12:15 p.m.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
They have to have the phone, though. They would have to bring me in and I would physically have to provide them with my phone. Is that right?
12:15 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Right.
12:15 p.m.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
This isn't being done surreptitiously, where a Canadian is sitting in their home and the RCMP is surveilling their personal information.
12:15 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
That's right. It's not the same thing as spyware. It's done when you have the device, you're going on the device and you're retrieving information.
Again, in certain instances it may be perfectly legitimate for the RCMP or for an employer to have that information. The issue is that we need to make sure that it's done with privacy protection in mind. We need to make sure that there's transparency and that there are these guardrails. I don't want to suggest that the use of this is completely unacceptable and has to be stopped altogether. It's bringing this privacy lens to it so that we can have the benefit of the tool and at the same time protect our fundamental rights.
12:15 p.m.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
Have you found out what the departments were using this tool for? I mean, I've heard fraud, harassment.... Do you know of any other instances where this tool was used?
12:15 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
We do. We've obtained information. Some have used it for anti-spam legislation. Some have used it for cybercrime investigations or national security matters. Some have used it for income tax purposes or investigations. Some have used it for the Competition Act, environment, fisheries, conservation programs, transportation investigations—these types of things that fall under the authorities of the departments. Three of them were for internal investigations.
12:15 p.m.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
I have only 15 seconds left, so can you provide us in writing with any recommendations you have?
12:15 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
We can—certainly.