Evidence of meeting #100 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)
A recording is available from Parliament.
The Chair Conservative John Brassard
Thank you, Mr. Dufresne and Mr. Villemure.
Mr. Green, you have six minutes. Go ahead, please.
Matthew Green NDP Hamilton Centre, ON
Thank you very much.
You know, I'm thinking back to the work that we conducted on the RCMP, and my hope is that, at the time, these departments may have been tuned in, knowing that they were actively engaged in similar activities. My disappointment is that it took them this long to kind of come clean. There are 13 departments. Certainly, there are many more federal departments, some that may or may not be declared. I won't impugn what the other departments are doing.
I do note that in the language of the directive on privacy impact assessment, in paragraph 3.3, it states that the Privacy Act requires “assessing the privacy implications of new or substantially modified programs and activities involving personal information”. I believe you just referenced this, sir. Then the next line says, “However, if not properly framed within an institution's broader risk management framework, conducting a PIA can be a resource-intensive exercise.”
How resource-intensive is it?
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
It requires the discipline. It requires that you look into your program, that you answer some questions. That's why they're not going to be required in all cases. It's legitimate that there are criteria. They are not so resource-intensive that they're not worth doing.
Matthew Green NDP Hamilton Centre, ON
It seemed like a weird condition to me, in the language of a directive, to put that “However” and associate it with resources. Given what I think we've determined at this committee in terms of the importance of democracy and the importance of our privacy, it seems like a weird one. That's my opinion; it's not yours.
I think you said that the Treasury Board encourages PIAs. I would put to you that under section 5.1, the Treasury Board directive specifies that PIAs are conducted on “new or substantially modified programs”.
If it's under the language of a directive, in your opinion—I'm just asking for your opinion—a directive is different from encouragement. Is it not?
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
I would say yes.
Matthew Green NDP Hamilton Centre, ON
Is it fair to say, then, that the Treasury Board doesn't encourage...? They actually, in fact, through the directive, specify that this should happen.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
I agree.
Matthew Green NDP Hamilton Centre, ON
Given that this is section 5.1 of the directive on the Privacy Act and these departments did not...is it fair to say, on the face of it, that they were in breach of section 5.1 of the Treasury Board's directive?
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
A number of the departments, in this instance, that have not done those PIAs are not compliant with this directive.
Matthew Green NDP Hamilton Centre, ON
Presumably there are others, at this point, that we might not have knowledge of. When you look at section 5.2.1 of the directive, you see that it provides that “PIAs are conducted in a manner that is commensurate with the level of privacy risk identified prior to establishing any new or substantially modified program”. Not only are they derelict in their application of a PIA, but the fact that they even started the program without the PIA.... Based on my reading of this subsection, it states that they're in a pretty considerable breach.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Yes, there's that element of “do it before the fact, not after the fact”.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
That's the directive.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
That's correct.
Matthew Green NDP Hamilton Centre, ON
However, these agencies went ahead and did it anyway.
In that, I think there's an important distinction to make, because I don't want Canadians to leave feeling like the federal government has this ability on all devices across the country. We certainly studied, to our chagrin, the use of movement-tracking technologies over the course of COVID. I think we did a pretty good job of unpacking that. In this case, this is for federal employees, and if I'm to understand your testimony, those who are under investigation of being in contravention of the act.
Is that correct?
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Yes.
Matthew Green NDP Hamilton Centre, ON
When we look at Fisheries and Oceans, CRTC, Environment and Climate Change, the Competition Bureau, the CBSA, RCMP, National Defence, it could include civilians. Is that correct?
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Yes.
Matthew Green NDP Hamilton Centre, ON
In the case of its including civilians, I would assume, based on your testimony, that this technology needing to be in the possession of government.... Would that require a warrant?
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
In some cases it would. In some cases it wouldn't. In a situation where you're doing an internal investigation of employees, it wouldn't.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
In many instances you would need a warrant in those cases. The departments have indicated that. As was the case for the study on the RCMP's use of ODITs, those also require warrants. However, that's a separate question from the privacy impact assessment. The warrant may be based on criteria that are distinct from the privacy considerations that are at the heart of the privacy impact assessment.
Matthew Green NDP Hamilton Centre, ON
I am concerned that there wasn't a definitive “yes, they would need warrants when applied to civilians.”
In what situations would it be the case that warrants would not be needed for civilians who are not federally employed?
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
That's a question that would be best placed to the specific department, because it's their use of their—