Evidence of meeting #100 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was used.
A recording is available from Parliament.
11:45 a.m.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
You've made these requests. What are the next steps after today as it relates to these 13 departments?
11:45 a.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
From our standpoint, we're going to continue to reach out to those departments. We're going to follow up to insist that the PIAs be completed where they have not been. We're going to continue to ask questions and work collaboratively with them.
I hope, as part of this committee's work and as part of the legislative process, that we see a modernization of the Privacy Act. I'd hope that the modernization includes a legal obligation to conduct PIAs in appropriate cases and also other elements like necessity and proportionality, which we have discussed. There's an opportunity for that.
Currently, the House is seized with private sector law reform. We hope to see that move forward with appropriate changes, but the Privacy Act is even older legislation. I really hope to see that come before the House soon.
11:50 a.m.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Bains.
Thank you, Mr. Dufresne.
Go ahead, Mr. Villemure. You have two and a half minutes.
11:50 a.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
The Privacy Act dates back to 1983, doesn't it?
Is the proactiveness you're referring to here something that should be included in an act? Is that going to make it easier?
11:50 a.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
I think when you have a statutory obligation, it emphasizes that obligation; that's always the case. It is indeed much easier to fall back on a directive or a policy, but an act really imposes pressure, constraints, the need to take the time, and to manage the situation differently.
The act should require that relevant details be provided to the Office of the Commissioner within a prescribed period of time before a program is established. Those details can be set out either in the act or in regulations. That proactiveness is important.
11:50 a.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Obviously, in 1983, it was perhaps not as urgent.
Would Bill 25 in Quebec have prevented that kind of surveillance?
11:50 a.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
I know that Bill 25 includes certain requirements for privacy impact assessments, particularly when data leaves Quebec or is related to the use of new data by the government or the private sector. The act has certainly codified the need for such assessments in some cases, but I would have to get back to you with details on that.
11:50 a.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
In the context of a possible review of the Privacy Act, are there any lessons from Bill 25 that we could learn?
11:50 a.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Bill 25 gave the Commission d'accès à l'information du Québec the power to issue orders and the ability to impose administrative monetary penalties. It may be less essential in the public sector context, but it can still help treat privacy as a fundamental right and make it a priority.
I think that, both for the private sector and for the public sector, we can certainly draw inspiration from comparable elements, including Bill 25.
11:50 a.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
I'm going at random here, but surely the act, as it was written in 1983, doesn't have any provisions dealing with artificial intelligence, does it?
11:50 a.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
That's for sure. The act was written before the advent of the Internet and social media. There have been a lot of changes that mean that the laws have to be modernized.
That said, I would like to take this opportunity to repeat that my colleagues, both in Canada and internationally, and I have made a number of statements on AI indicating that existing laws apply. They may not have factored in AI, but they are technologically neutral. We certainly interpret them as applying to artificial intelligence. We have ongoing complaints about that. We issued a joint statement on that. We work very closely with our provincial and territorial counterparts.
There's no doubt that modernizing these acts would clarify certain things, particularly this aspect of proactiveness. I specifically recommended it with respect to AI in the context of modernizing the private sector legislation. Among other things, we're talking about algorithmic assessments, and we're talking about all that, because it's very important.
The idea isn't to reject the technology, but to set parameters.
11:50 a.m.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Dufresne and Mr. Villemure.
I gave Mr. Dufresne more time so he could finish answering the question.
Mr. Green, you have two and a half minutes. Go ahead, please.
11:50 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you so much, Mr. Chair.
Looking at this, I think you referenced an important term when you talked about obligations under the Privacy Act and Canadians relying on institutions. Ultimately, would you agree that privacy is about trust?
11:50 a.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
I agree.
11:50 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
In that trust, we're looking at scenarios for our federal employees in a world where, increasingly, your cellphone is a reflection of almost every aspect of your life, whether it's your mobility or.... I think about the apps I have on my phone. I have health tracking apps and different things that are deeply personal to me. As a federal employee.... I think even about the watch I'm wearing, for instance, and the heartbeat. It tracks everything—finances and absolutely everything.
We've talked a lot about the technological aspects and context of this technology. We haven't spoken about the human context, which is ultimately on the other side. There's somebody who has access to this.
In your work, do you review who, precisely, has access to the information? Is there a level of clearance or security, or is this a mid-level IT guy who might want to check to see if I have pictures of or text messages to somebody they may or may not like?
11:50 a.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
That's a very relevant consideration in terms of management of information generally, as well as in terms of a privacy impact assessment. It's looking not only at what are you obtaining and why, and whether you need it, but also at how you are protecting it.
We're seeing more and more situations of privacy breaches, cyber-attacks and information being stolen, so the security of that information is very important and who has access and the need to know—
11:55 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Directly to the point, in the PIA is there a consideration for the level of clearance required to view what ultimately could be deeply personal information?
11:55 a.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
There is. There is a consideration of the retention practice and the safeguard practices. That would go to—
11:55 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
In your experience, who would have access to this information within the IT frameworks of these departments? What level of responsibility would they be given?
11:55 a.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
They would be best placed to answer that question, but certainly at the OPC we look at the information: What type of information is it? Is it protected A, B or C? Are there security risks to individuals if this is lost? Are there national security considerations?
There's a whole range of rules and criteria that have to be followed to protect. It's going to be—
11:55 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
I have a last question. Have you had any complaints, subsequent to this story breaking, from employees or the union based on the use of this technology? Have there been any complaints to your commission?
11:55 a.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
We have not received complaints on this that I'm aware of.
11:55 a.m.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Green and Mr. Dufresne.
We'll go to Mr. Brock for five minutes and then to Mr. Erskine-Smith.
We haven't done a test on Mr. Erskine-Smith. We'll see how that goes when he starts, and then we'll reset for six minutes after that.
Mr. Brock, you have five minutes. Go ahead.
11:55 a.m.
Conservative
Larry Brock Conservative Brantford—Brant, ON
Thank you, Chair.
I'd like to thank the witnesses for their attendance today. This is a very important and serious issue for not only Canadians but also the public service. I want to start by looking at some legal principles.
Every Canadian, and that includes every public service employee, has an absolute right under the Canadian Charter of Rights and Freedoms to be secure against unreasonable search and seizure, pursuant to section 8. Although you've testified, sir, that in some cases legal authorization was obtained, you can't say for certain that in all cases authorization was obtained. That raises charter considerations. A breach of a section 8 right is a serious violation that, hearkening back to my years as a Crown prosecutor, quite often was not met with success. There are strict consequences for the privacy rights of Canadians as upheld by courts across this country.
That backdrop was important for me to frame this question. When I look at the 13 institutions that were identified, there's no guarantee that these are the only 13 institutions that have been using this technology. Is that a fair assessment, sir?