Information & Ethics Committee on Feb. 1st, 2024

Yes...because these are the institutions that were identified by the CBC reporter. Is that correct?

When I take a look at this list, I might give some consideration to Fisheries and Oceans Canada, and perhaps the Competition Bureau, but when I take a look at Canada Revenue Agency, Global Affairs, Correctional Services, Canada Border Services Agency, National Defence and, most importantly, the RCMP, they all have great legal teams working behind them—in many cases the Department of Justice—who would certainly instruct not only management of those departments but its employees about the protection of privacy rights. To learn, then, that in many instances judicial authorization was not authorized, that a PIA was not submitted for your consideration and that data was collected, raises serious privacy concerns.

You mentioned earlier, sir, I think in your opening statement, that in many cases when this device was used on public sector employees it was with the consent of the device owner, but you can't say that in all cases the extraction of data pursuant to this software already had the consent of the device holder. Is that fair to say, sir?

Right—which again raises more privacy breaches.

The RCMP said after the fact that they submitted a PIA, I believe in December. Is that correct? Some organizations said they submitted it perhaps earlier. Can you tell us whether or not you have consulted with these departments that have not submitted the PIAs and asked them specifically why they circumvented the Treasury Board directive in these circumstances?

That is something that could be enhanced with an amendment to the Privacy Act. Is that correct?

As the Privacy Act is constructed, not surprisingly, there are no legal consequences or any penalties for non-compliance with the PIA requirements. Is that fair, sir?

Is that something that perhaps you would recommend as a possible amendment as well, sir?

Thank you.

Thank you, Mr. Brock.

Thank you, Mr. Dufresne.

Mr. Erskine-Smith, you have five minutes. We're going to make sure that your technology is working. Go ahead.

Which one said that it wasn't required?

Okay.

In terms of the other ones, it would be helpful if you put a timeline on them of, say, 20 to 30 days. Then you could refer back to us and let us know if you haven't had a response, because you may not have powers, but we obviously do have powers to compel attendance.

On the instances, you have one department reply to say they've never used it. What's the scale of use here, depending upon the department? Do you have a sense of how often this tool has been used?

Let's pull that apart.

Obviously they should do a PIA. I can't imagine anyone here disagreeing that they should do a privacy impact assessment. I take your point. It's well stated. There should be an obligation in law that these organizations, when they're using a new tool with impacts upon privacy, do a PIA.

Let's talk about appropriate use, though. In the CBC report, I saw an indication from agencies and departments that they use this tool separate to judicial authorization in some cases, and in other cases only on government-owned devices and in cases involving employees suspected of harassment.

Both of those instances, at a high level, sound quite reasonable to me. Are there other instances that you're aware of that we ought to be concerned about?

I know you're getting back to the need for a privacy impact assessment there, but even if there were a privacy impact assessment, you could imagine that the scope of a particular investigation either would be within that PIA or could go beyond what is contemplated by the PIA. There is no example or no instance that you've been provided, at least that you're aware of, where the use is obviously beyond the bounds of anyone's expectation of privacy.