Information & Ethics Committee on March 21st, 2024

Thank you very much, Mr. Chair.

Before I begin, I'd like to acknowledge that the lands on which we are standing and gathering constitute unceded territory of the Algonquin Anishinabe peoples.

Thank you for giving me the opportunity to emphasize the government's commitment to ensuring privacy.

I'm joined today by Dominic Rochon, chief information officer of the Government of Canada.

Let me begin with this. Our government takes the privacy rights of Canadians and federal public servants extremely seriously. It is one of our top priorities.

The government manages personal information holdings through a series of policies and directives that align with the legislation. As President of the Treasury Board, I'm the designated minister responsible for administering the Privacy Act, which sets out the privacy requirements for federal institutions. This legislation also gives individuals the right to access and correct the personal information held by federal institutions.

The Treasury Board of Canada develops and implements policies, directives and guidance to assist government institutions in meeting their obligations under this act. However, it is important to note that heads of government institutions, or their delegates, are responsible for the proper implementation of the act as well as overseeing TBS's privacy policies within their institutions.

One of these TBS policies is the directive on privacy impact assessment, which sets requirements for institutions to complete privacy impact assessments, or PIAs. A PIA is required when personal information is used for, or intended to be used as part of, a decision-making process that directly affects an individual. The directive requires that institutions undertake a PIA when implementing a new program or activity, and when substantially modifying an existing program or activity and that involves the creation, the collection and the handling of personal information.

Mr. Chair, it is important to note that the responsibility for privacy impact assessments rests with the institution responsible for the program.

My department is committed to renewing privacy policies. We'll update the directive on privacy impact assessment. This update includes a commitment to streamline privacy impact assessments and look for ways to improve the directive.

We've undertaken government-wide action, we've consulted with privacy experts on changes to the directive on privacy impact assessment and we are engaging with the Office of the Privacy Commissioner. We intend to publish the updated directive this summer. Heads of government institutions or their delegates are accountable for adhering to those rules that are set out in the Privacy Act and TBS privacy policies.

Institutions will be best placed to provide context regarding the use of digital forensic tools in their respective environments. I am happy to be here alongside Mr. Rochon to discuss how TBS policy can be made more clear, streamlined and easier to follow for those institutions on a day-to-day basis as we continue to respect the Privacy Act and privacy laws that are so important for the protection of personal information.

With that, Mr. Chair, I will close my opening remarks. I'm open to your questions.

Thank you.

Thank you, Minister.

We're now going to start our six-minute rounds. For the first round for today, I'm going to Madame Kusie.

Mrs. Kusie, you have six minutes. Go ahead, please.

Thank you, Mr. Chair.

Welcome, Minister, to the ethics committee.

This is, of course, our second day together in a row. Yesterday, in the government operations committee, I expressed my disappointment in your handling of the public purse—the $40-billion deficit and the $500 million. It was indicated that you would make the commitment to try to find out how the majority of those funds are from lapsed funds and reserves, not new amounts of savings.

Of course, you put out the second edition of the managerial guidelines yesterday, since clearly the managerial guidelines of October were not effective in the six-month period. We didn't even have an opportunity to touch on your role in the oversight of the privacy of information. There was so much to cover yesterday. Frankly, I shudder at the thought of having to take over your role, if necessary, because of the incredible amount of work to do.

Let's talk about PIA compliance today, privacy impacts assessments.

When the news broke about the lack of privacy impact assessment compliance across 13 different federal departments and agencies, you stated that each federal institute—as you did today—is responsible for enforcing the laws and policies. I feel this ignores the responsibility of the Treasury Board to provide oversight and ensure departments are enforcing these policies.

After more time for reflection, and I was previously making this point, would you not agree that it's a responsibility of the President of the Treasury Board to ensure that federal departments and agencies are protecting the privacy of your primary constituents, the public service?

The Privacy Commissioner has received no complaints relating to a violation of the Privacy Act. The Privacy Commissioner has engaged in no investigation and has stated that there was no breach of the law.

The role of the Treasury Board is to promulgate rules and policies relating to the governing of the public service, and those rules need to be enforced by deputy heads. That is what is continuing to happen. We play a coordinating role across government to ensure they have what they need in terms of information relating to government policy.

I believe the term the commissioner used was that it was “an insult” that this sentiment was felt.

Throughout the testimony of the departments accused of not following the Treasury Board privacy policies, we received a number of different responses. Some stated they have the tools and are using them, but are now completing a privacy impact assessment. Others stated they completed a general PIA that covered the tool, rather than specifically analyzing the security concerns of this invasive technology.

Is it concerning to you that 13 departments using the same tool have completely different definitions of what “compliance” means when it comes to following the PIA?

To be clear, as the designated minister under the Privacy Act, I'm responsible for the administration of the act. However, the deputy heads are responsible for implementing Treasury Board policies. I am currently updating the directive on the privacy impact assessments.

I will say that programs and activities require a PIA, not the forensic tools themselves. In fact, a majority of those departments are conducting a PIA. We have reached out to them numerous times, as well as to the Privacy Commissioner.

My CIO, Dominic Rochon, can add to this.

Thank you, Mr. Rochon, for that.

Madam President, you say that you're responsible for the administration of this, but I just don't understand how this doesn't imply that you have complete responsibility and oversight. How can one have responsibility for the administration yet not have the responsibility to ensure that the proper documentation is completed for the protection of Canadians' privacy?

I'll try to get another question in briefly, Mr. Chair. I know my time is coming to an end.

We've heard in this committee that mobile forensic devices, the forensic tools being used by numerous federal departments, are not necessarily spyware but have the same capabilities and are provided by the same suppliers. Do you agree, Minister, that this technology is invasive and violates the privacy of the public servants and the Canadians it is used on?

I'm going to need a quick response.

There was no violation of the Privacy Act, and the Privacy Commissioner did not launch an investigation or receive any complaints. There was no violation of the Privacy Act.

Thank you, Minister.

Thank you, Ms. Kusie.

Ms. Khalid, you have six minutes. Go ahead.

Thank you very much, Chair.

Thank you, Minister, for being here today.

Minister, when did you first find out about this issue, and what steps have you taken since to rectify it?

The issue relates to the use of PIAs relating to privacy law that departments are undertaking. A PIA is like a checklist: It ensures that the protection of personal information of Canadians continues to occur on a department by department basis.

When I was first sworn in, of course I received numerous briefings relating to my obligations as minister, and I will continue to make sure that Treasury Board policies are understood and distributed across government. It was the end of November when the article was released.

Of course, I was briefed by my team at the time, and I will now ask Mr. Rochon if he could elaborate on the steps we took thereafter.

I will just add that I don't know if it is clear, but there are statutory obligations to undertake investigations, in which case these forensic tools are required, but before they are used in the collection of any personal information, a warrant is required from a judicial standpoint, so there is a very high threshold before these instruments are utilized. It is not taken lightly. Obviously, there are legal parameters that must be respected, including the Privacy Act, the governing legislation, as well as judicial authorization relating to a warrant. The threshold is high.

Thank you. I really appreciate that.

You spoke about the privacy impact assessments in your opening remarks. Why are privacy impact assessments important, do you think?

Institutions are required to undertake a PIA for a program or activity in order to protect the privacy of Canadians. When personal information is being used or is intended to be used as part of a decision-making process, that directly affects the individual. When personal information is intended to be used in modifications to existing programs or activities, privacy impact assessments enable the department and department heads to mitigate privacy risks. That is one of the advantages of the PIA, and I am going to revise the PIA directive. I'll be issuing it this summer, and I will be updating it to ensure that it will be well understood by all departments.

I appreciate that.

Are departments required to provide PIAs, based on the Privacy Act?

They are not. PIAs are not mandatory.

As I said, it's a checklist of items to make sure that Privacy Act considerations, and the protection of individual personal information is paramount. It enables that assessment and risk analysis to occur. Because those investigations are required under statute.... For example, whether it is the CRA to prevent fraud or to investigate fraud, these forensic tools can be useful, but they can't be implemented without legislative and judicial oversight.

Do you think there should be legislative oversight in the way PIAs are conducted within different departments?

I spoke with Minister Virani last night. I know he is examining the Privacy Act as a whole from a Minister of Justice standpoint. We are updating our own directive, which is solely within Treasury Board's authority. That is my realm, so I want to make sure that the checklist of items—the PIAs and the risk analysis that will be done by departments—will occur.

Consultations are ongoing. We need to make sure we do this right. That is a systematic process, and I will come forward this summer with more to say on an updated directive.

Thank you, Minister

Thank you, Ms. Khalid, and thank you, Minister.

Mr. Villemure, you have the floor for six minutes.

Thank you, Mr. Chair.

Good morning, Mr. Rochon and Ms. Anand. Thank you for being here this morning. I hope that you can shed light on some of the remaining grey areas.

Ms. Anand, were you surprised to find out, in the article published by Radio‑Canada in December, that 13 organizations weren't carrying out privacy impact assessments?