Evidence of meeting #100 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Philippe Dufresne  Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Alexandra Savoie  Committee Researcher

11:15 a.m.

Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON

Do you differentiate between the types of tools that government departments use when you consider something like the COVID app, where the government said they wouldn't use the app to track the movement of Canadians, but that's exactly what they did? It seems like the government attitude toward the right to privacy that Canadians have is lacking.

11:15 a.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I think we have to strengthen that generally. More and more technology is being used with greater capabilities. That brings innovation and that brings opportunities, but we need to have that reflex of privacy by design and privacy at the front end. Often we'll see the situation where the tool is developed and used, and then we do a privacy impact assessment or we bring in those things.

It will always be more economical and more prudent to bring privacy at the front end. It's more important than ever in this day and age, when we have AI and we have technology that is ever more capable. We really recommend that this be a legal obligation for that purpose.

11:15 a.m.

The Chair Conservative John Brassard

Thank you, Mr. Barrett and Mr. Dufresne.

Ms. Khalid, you have six minutes. Go ahead, please.

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Thank you very much, Chair.

Thank you to our witnesses for being here today.

To clarify a couple of points that were pointed out by Mr. Barrett, these digital forensic tools are specific to employees within these departments. Is that correct?

11:15 a.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

In the cases where they're used for administrative investigation, these are not the only purposes. Some departments would use them for other types of investigations, but certainly if we're talking about administrative investigations, that would be the employees of the department.

Iqra Khalid Liberal Mississauga—Erin Mills, ON

To be clear, is it all Canadians and all their devices that these departments are investigating or keeping an eye on, or are we talking specifically about government devices provided to government employees as they're conducting their work within our government?

11:15 a.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

We're talking about a range. Some of the departments will be using them to do investigations on breaches of the act by Canadians generally. Others will be using them to investigate their employees. In the case of the three that were using them for administrative investigations, that won't be all Canadians. It will be only their employees.

However, employees also have privacy rights. There are obligations. We've issued that guidance: Make sure your tool is used for a purpose that's linked to the one you've identified. Make sure it's transparent. Make sure it's proportional. Make sure you conduct a privacy impact assessment where appropriate.

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Right.

Are we talking about accessing employees' devices, the ones that are provided by the departments, or are we talking about their personal devices where these digital forensic tools are being installed?

11:20 a.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I don't have all the details of what they would be doing. That could be asked of them.

Generally speaking, you would be talking about the tools that are provided to the employee by the employer—the email, the laptop and these types of things. Again, nonetheless, there are some expectations of privacy vis-à-vis these tools, but it's contextual. Employers have legitimate reasons for obtaining certain types of information. We talk about that in our guidance and really highlight it: Make sure you've assessed the tool. Make sure you've assessed the necessity and proportionality of it. Make sure you are transparent about it and people know.

In our annual report last year, we talked about one of our investigations in the private sector where a trucking company was using a monitoring device for truck drivers. Even when they were not on duty, they were being filmed and recorded 24-7. We found that this was too broad. It was legitimate to do it when you were driving, for safety reasons, but it had to be limited to that. That was done.

This is the type of questioning that goes on with regard to the privacy impact assessment. When my office is consulted, especially before it's initiated, then we can raise these types of questions. Let's prevent these things. Let's prevent Canadians worrying about it so that they can feel like, “Okay, this is a tool and here's what it does. The Privacy Commissioner's office was consulted and provided input.”

That's what I'd like to see more of, especially in situations where we often learn after the fact that something was being used.

Iqra Khalid Liberal Mississauga—Erin Mills, ON

I do find it concerning that this directive was not followed. Has there been any contact with these departments by you or by your office, either initiated by you or by these departments?

As well, you spoke about it being a policy of TBS. Can you just highlight the distinction between policy and a mandated process for privacy by design, especially in these departments?

11:20 a.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

The policy is an internal rule that the government imposes on itself, so it's a directive that would be issued, in this case, by the Treasury Board. It says, here are the expectations that we have of the department. It's certainly important but it doesn't have the same binding legal force, and it certainly doesn't allow me to conduct an investigation in the same way as if it were in the Privacy Act. That's why I'd recommend, and the office has recommended, to make it a legal obligation. I've recommended this for the private sector as well, especially vis-à-vis AI because I compare this to predeparture flight checks in airplanes. It's something that will bring comfort and reassurance when we're using powerful tools.

In instances like this we've reached out to the departments. We have regular consultation with departments, and we have a government advisory team that's always on standby to hear consultation from departments. Again, what we see sometimes is, “Okay, we will now do a PIA. We will now update it, and we have a program.” Sometimes we're told that this is authorized under their program legal authorities, or they are doing it under a warrant. We have to remind those departments that, even if you're doing it under a warrant or under a valid legal authority, the privacy impact assessment is a separate question. You may still need to do that if your legal use of that tool nonetheless impacts the privacy of Canadians.

It's an extra step, and if it were a legal obligation my belief is that we would see more compliance up front rather than situations like this, where sometimes people find out about it through important media reports. Again, it may well be that these tools are appropriate for their purposes. They're distinct from spyware. They're distinct from ODITs. Even ODITs in appropriate cases may be acceptable, but having that discipline and having those PIAs seen to be done builds on that trust that Canadians can have to say, “Okay, I don't have to watch over my shoulder constantly. The institutions themselves have these tools and these reflexes.”

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Can you distinguish the difference between spyware and ODITs, as you just mentioned that?

11:20 a.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

Generally, when we talk about spyware we're talking about these types of tools that will be covertly accessing phones, retrieving data, turning on cameras and turning on recordings. It's the broad category of spyware we recently referenced for illegal use and unauthorized use. When we talk about ODITs, on-device investigative tools, we're talking about those types of things that are used by law enforcement authorities. They're similar tools, but when they're used by law enforcement authorities, with legal authorization and with judicial warrants, it's appropriate and it's legal. Nonetheless, as a law enforcement authority, you also have to do a PIA before doing those things.

Iqra Khalid Liberal Mississauga—Erin Mills, ON

I just have one last question, Mr. Chair. It's very short.

11:25 a.m.

The Chair Conservative John Brassard

You're six minutes and 38 seconds into it.

I'm going to go to Mr. Villemure, and you'll have another opportunity in another round.

Mr. Villemure, you have the floor for six minutes.

René Villemure Bloc Trois-Rivières, QC

Thank you, Mr. Chair.

Mr. Dufresne, welcome back to the committee. We're always happy to see you again.

Were you surprised when you heard the news that 13 departments and agencies were using these kinds of tools?

11:25 a.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

What I would have liked, in a situation like this, is for my office to have been consulted beforehand in the 13 cases and for us to have all the necessary information so that, in response to the media, we could confirm to them what has happened, tell them that we have been notified, that we have given advice, that an assessment has been made and that we have no problem with it, or the opposite, and then present the recommendations we have made.

The surprise is that we finally have to follow up with the departments to find out what's going on.

René Villemure Bloc Trois-Rivières, QC

So the surprise is to learn that people don't necessarily have the reflex to consult the commissioner in this kind of situation.

Do departments and agencies have a good understanding of the Privacy Act or their privacy obligations?

11:25 a.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I think there are all kinds of challenges, whether in terms of resources or the pressure on departments. They're in a better position to speak to that than I am.

The challenge is that privacy impact assessments are mandatory under the Treasury Board directive but not under the act. The directive makes distinctions, for example, between a new program and the update of a program, or between the assessment of a program and the assessment of the tool itself.

Given these distinctions, the department can say in good faith that it is of the opinion that an assessment isn't required, because the directive doesn't require it. And yet, perhaps it should be required. With technology becoming increasingly powerful, it could become even more important to reassure Canadians that we're doing all this in an even more proactive manner. So it would be preferable that it be a legal obligation.

Moreover, this is not an issue that concerns only Canada, obviously. My international colleagues, at the conference of the World Assembly for the Protection of Privacy, adopted a resolution on artificial intelligence in the area of employment. It calls on governments and parliamentarians to be aware of the need to set guidelines. If artificial intelligence technologies are used to recruit workers and assess their performance, that can have an impact on privacy. So we have to be transparent and take into account the notions of necessity and proportionality. These are fundamental questions.

René Villemure Bloc Trois-Rivières, QC

In its current form, the Privacy Act does not require departments and agencies to be exemplary when it comes to privacy. We've already discussed this.

11:25 a.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

This isn't a legal obligation for them, which would become a top priority. It's only an obligation under the directive.

René Villemure Bloc Trois-Rivières, QC

Rest assured that we'll do everything we can to ensure that it's included.

When I saw the list of 13 departments and agencies, I was surprised to see how much it covered. It wasn't just the policing agencies, such as the RCMP, the police, or Correctional Services.

Are we talking about glibness, laziness, negligence or mistakes? You talked about a lack of resources. However, when it comes to privacy, especially if it's considered a fundamental right, a lack of resources isn't an acceptable answer. Do these people treat privacy in an offhanded way?

11:25 a.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

Before setting up a program, they don't always have the reflex to check whether my office has been informed of it. There are improvements to be made in that regard. We're talking about departments that use this tool for a specific purpose: Some use it for internal investigations and others for investigations within their mandate.

The use isn't necessarily inappropriate per se, but that assessment has to be done. However, as we've seen, people sometimes say that they don't need to do that assessment because their legal mandate includes authorization to carry out those activities. My message to the departments is that it isn't enough. The privacy impact assessment is a separate topic that needs to be dealt with more proactively.

René Villemure Bloc Trois-Rivières, QC

A little earlier, you talked about proportionality. That's a concern I have. Sometimes you can get the result you want by using a less intrusive method, but we've seen in other areas that the most intrusive method is used, not because it's intrusive but simply because it's faster.

Is this proportionality included somewhere, in a directive, or would it be desirable to include it eventually in an act?

11:30 a.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

In terms of the public sector, again, this notion of proportionality is not included in the Privacy Act. We recommended, and this committee did as well, that the issue of necessity and proportionality be included. At this point, it is more a Treasury Board directive that this use is necessary to achieve the desired objective.

Currently, the act requires that the use be related to a mandate of the organization. For our part, at the Office of the Commissioner, we will implement that necessity and proportionality by raising questions about it in our investigations. We're talking about it now, just as we talked about it during the investigations into the measures taken during the pandemic, in particular. When we talk about this, though, we have to recognize at the outset that this is not a legal obligation and that, if it were not respected in a given situation, it wouldn't be a violation of the act.

This is a very important recommendation. The approach is very similar to how we proceed in the context of the Canadian Charter of Rights and Freedoms to determine whether there is discrimination or a violation of fundamental rights. We determine whether the objective sought is important, whether the proposed measure achieves the objective, whether the method used to achieve it is the least intrusive and, lastly, whether the method is proportional.

You're absolutely right: We may be tempted to use a tool because we find it very efficient and quick. Artificial intelligence comes to mind. Yes, it's effective, but we're talking about a fundamental right here.

Having said that, it's not an either‑or. Personally, I'm in favour of technology. In the office, we have made it one of our three strategic priorities recently. We want to use technology, but in a way that protects privacy. In that sense, the privacy impact assessment tools are essential. These assessments must not only be done, but also be seen to be done.