Evidence of meeting #102 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pia.
A recording is available from Parliament.
11:30 a.m.
Conservative
The Chair Conservative John Brassard
Thank you Mr. Villemure, Ms. Rogers and Mr. Walker.
Ms. Idlout, you have six minutes. Go ahead, please.
11:30 a.m.
NDP
Lori Idlout NDP Nunavut, NU
Qujannamiik. Uplaakut.
Thank you, Mr. Chair.
I am honoured to sit here at the moment to replace my colleague Matthew Green. I'm finding this study quite interesting. It's an area that I wasn't really interested in, but I'm finding the responses fascinating.
To both agencies, based on some of the responses to questions raised by the Liberals about the use of the PIAs, can you confirm whether you had to use them and at which point?
I'll start with Donald.
11:30 a.m.
Chief Enforcement Officer, Department of the Environment
Our understanding of the program is that, when it was first inaugurated in 2013, the view at the time was that the protections in place to avoid the collection of personal information and simply focus on the evidence of non-compliance under a court order would not, under the decision tree, necessitate a privacy impact assessment. However, in 2020, as we were going through a modernization exercise with respect to implementing a risk-based approach to our enforcement activities and a periodic review of our directives, we felt that it was prudent to engage in new privacy impact assessments to cover not just a specific tool but also the activities we undertake so that it takes into account the context in which different tools are used.
11:35 a.m.
Acting Director General, Conservation and Protection, Department of Fisheries and Oceans
To echo much of what was said, the other part for us is that there's reasonable belief that an offence has been created. It's not simply during an inspection or just to comb the area. We have a situation where we have reason to believe that an offence has been created. Now we're into the investigation stage of it, where we bring in a judicial authority. It's very clear at that stage. We have to present our case and we have a judge who says, yes, this is the type of information we're allowed to take and what is reasonable. At that stage, we execute.
In terms of your question on a PIA, again, the mechanics on evidence collection have not changed; the tools have. For our purposes, we're not focused on the tool. We're focused on the process. I think it is warranted at this stage to review those processes to ensure that we are protecting privacy. We feel that there are safeguards, significant safeguards, in place, but we have, ourselves, voluntarily agreed to go ahead with the PIA process. We have, ourselves, engaged with the Privacy Commissioner in December. We are executing that process as well, but on the process and not the tools.
The tools will change over time. They come out with new versions and new tools, and all of these tools are not the same. Some are designed to allow access to cellphones and technology. Others search deleted items and allow us to recover those files. There's a series of different tools for each of the different jobs, but again, they're strictly defined by a court order, or a warrant, in terms of what we're able to take.
Again, it's evidence. It's not the privacy part. Where there is private information, that is set aside, protected and destroyed once the investigation has concluded.
11:35 a.m.
NDP
Lori Idlout NDP Nunavut, NU
Thank you.
This is for each of you as well, and maybe in the same order.
When it comes to doing privacy impact assessments, focusing, of course, on the processes, understanding what your responses are, have you seen the need for updates in legislation or regulation in order for the work you're doing in privacy impact assessments to be completed in a more efficient way?
11:35 a.m.
Chief Enforcement Officer, Department of the Environment
I'm not certain that we would see it as our place to comment on the Privacy Act itself. As an enforcement organization, we are responsible for taking the laws and regulations as they are written and making sure that we are acting accordingly.
I think what we have found is similar to what the Privacy Commissioner said during his testimony, that it is a resource-intensive activity to undertake a privacy impact assessment. We're prepared to put the appropriate resources against it. From our perspective, it's a matter of making sure we have the right expertise in place to help us identify places where putting a better written assessment around our procedures that are in place or refining our procedures is valuable for us to ensure that we have the confidence of the public in how we're using information.
11:35 a.m.
Acting Director General, Conservation and Protection, Department of Fisheries and Oceans
I believe the mechanisms in place within the government, within the act, within the law and within the policy are appropriate. I think departments can use those. A PIA is an identified tool to assess risk and to support and inform process change as necessary. We heard from other members about the proportionality of it. It allows us to assess that as well.
In the case of Fisheries and Oceans, it's about managing a public resource, allowing access to a certain group to be able to use the sustainable resource and ensuring that it's being done appropriately on behalf of Canadians. These tools are put into place to ensure and verify compliance for that very important reason.
11:35 a.m.
NDP
Lori Idlout NDP Nunavut, NU
I think I still have some time.
To each of you, what measures have you taken to ensure the privacy of the data and to prevent misuse of that software?
11:35 a.m.
Conservative
11:35 a.m.
Director General, Environmental Enforcement, Department of the Environment
We keep a wall between what our forensic investigators find within the use of these tools and the actual investigation that is being completed, so they do not share anything that is not relevant or should not be included in the warrant with the actual investigators. That is one rule.
Also, we destroy any private information that we might discover when we are going through any equipment that we find. We follow international standards for that. As well, our officers are highly trained on exactly how to deal with private information when they do come across it.
11:40 a.m.
Conservative
11:40 a.m.
Acting Director General, Conservation and Protection, Department of Fisheries and Oceans
Regarding people processing tools, we have safe storage. We have individuals who are trained. We restrict access and have a process and policy, and we make sure that information is safeguarded.
It's treated as evidence. It's coupled to the same process, which is a very strict process, to allow us to take it to court in a successful way.
11:40 a.m.
Conservative
The Chair Conservative John Brassard
Thank you for that, Mr. Napier.
That finishes our first six-minute round. We're going to start with our second round of five, five, two and a half, and two and a half.
Mr. Kurek, you have five minutes. Go ahead, please.
11:40 a.m.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
Thank you very much, Chair.
It's been very enlightening to hear the comments from our witnesses here today, and even that ECCC would consider themselves just another law enforcement agency. Certainly I think that conflicts with what most Canadians would expect of the Department of the Environment.
First to ECCC, have tools capable of extracting personal data ever been used in a situation where there was not judicial authorization? Is there ever an instance where they have been used where there was not judicial authorization?
11:40 a.m.
Chief Enforcement Officer, Department of the Environment
Not at Environment and Climate Change Canada.
11:40 a.m.
Conservative
11:40 a.m.
Chief Enforcement Officer, Department of the Environment
These tools have never been used at Environment and Climate Change Canada without a court order.
11:40 a.m.
Conservative
11:40 a.m.
Acting Director General, Conservation and Protection, Department of Fisheries and Oceans
It is the same at DFO.
11:40 a.m.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
Okay, so you're both saying there has never been an instance where there was not judicial authorization to use these tools.
11:40 a.m.
Acting Director General, Conservation and Protection, Department of Fisheries and Oceans
I'm sorry.... Maybe I'll have my colleague comment on an outside the enforcement use of the tool, because there might....
February 8th, 2024 / 11:40 a.m.
Director General, Information Technology Operations, Department of Fisheries and Oceans
Again, for administrative investigations...and we're not talking about doing something without the knowledge of the employees. Within an administrative investigation that comes through the chief security officer, we have the terms of reference and then the actual employee is fully aware and part of that process, so if there is an investigation they may provide their laptop and their phone with their passwords as well.
Again, it is not used to break into the phone if that's the heart of the question, and no, we do not break into someone's phone. It is done with the understanding and the aid of the employees involved.
11:40 a.m.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
Just to give a chance to ECCC, in the course of administrative investigations of employees, has there ever been an instance?
11:40 a.m.
Chief Enforcement Officer, Department of the Environment
It is not currently possible for this tool to be used for administrative investigations at Environment and Climate Change Canada. It is not attached to the network, and it is used exclusively within the enforcement branch.