Evidence of meeting #143 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session.

Also speaking

Philippe Dufresne  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Isabelle Gervais  Deputy Commissioner, Compliance, Office of the Privacy Commissioner of Canada

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

There's more of a practice under the private sector legislation to make press conferences.

Matthew Green NDP Hamilton Centre, ON

How did you report it?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Matthew Green NDP Hamilton Centre, ON

How did you report it in February with a press conference?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

We reported the private sector cases with press conferences because the private sector legislation gives me the authority to make matters public if I determine that there is a public interest in doing so. In the private sector—

Matthew Green NDP Hamilton Centre, ON

Do you have that with the public sector?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

Excuse me, sir?

4:50 p.m.

The Chair Conservative John Brassard

We're having a tough time hearing you, Mr. Green. Just speak up a bit if you can, please, just quickly.

We're over time, but I'm giving you a chance here.

Matthew Green NDP Hamilton Centre, ON

I'm curious to know if he has the same mandate for public sector Crown agencies or departments.

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

For the public sector, it's more restricted. The public sector legislation says that I have to keep things confidential, unless I'm presenting a special report to Parliament or an annual report to Parliament. Private sector legislation gives me more leeway, which is why we've been doing press conferences with the private sector legislation. For the public sector, we've been reporting to Parliament.

4:50 p.m.

The Chair Conservative John Brassard

Okay.

Thank you, Mr. Green. I allowed a lot more time on that one, because I thought it was an important response from Mr. Dufresne.

Mr. Chambers, I'm going to go to you for five minutes.

4:50 p.m.

Adam Chambers Conservative Simcoe North, ON

Thank you, Chair.

Commissioner, I just wanted to follow up on what I thought was a reasonable recommendation by my colleague Mr. Housefather with respect to comparing what happens in the United States, in particular with its tax service, the IRS, and the close coordination it has with industry in identifying, communicating and trying to plug the holes in the dike, if you will, and in shutting down some of what I'll call these “account takeovers” or whatever...privacy breaches in general. That same kind of coordination doesn't seem to exist here.

Do you think that it would be in your remit to make some recommendations to government to explore the opportunities it has to work with third parties to address these issues?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

I think so, and we've made recommendations in the past in terms of the public sector use of private sector service providers and what some of the parameters are. What you're referring to is coordination, participation and partnership with those and perhaps with other organizations. I think it's absolutely within my remit to make recommendations to say that these are some of the best practices we want to see.

4:50 p.m.

Adam Chambers Conservative Simcoe North, ON

Just to help me understand, if the privacy breach that occurred with respect to these 31,000 cases was a result of an individual company's policies, and if it was aware of that, then that company would have an obligation to report that breach to you. Is that correct?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

Private sector organizations do have an obligation to report breaches to us.

4:50 p.m.

Adam Chambers Conservative Simcoe North, ON

Right. Just on that point, has any private sector organization made a report to you about this particular breach?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

I'll look to.... About this private sector—

4:50 p.m.

Adam Chambers Conservative Simcoe North, ON

About the breach at CRA....

4:50 p.m.

Deputy Commissioner, Compliance, Office of the Privacy Commissioner of Canada

4:50 p.m.

Adam Chambers Conservative Simcoe North, ON

Okay.

When the CRA says that it's a third party and when the company in question says that it's not aware of it, but if the company in question has an obligation to report these privacy breaches, then it would make sense to believe that it could be some other nefarious third party that had access to this information. Is that correct?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

I don't want to speculate, because we're going to be investigating all of those things. This will be our opportunity to get to the bottom of it.

4:50 p.m.

Adam Chambers Conservative Simcoe North, ON

That's fair enough. We look forward to your recommendations.

Do you think that maybe this committee should make recommendations or that the CRA should consider changes to its performance pay and compensation structure with respect to privacy, given how great of a concern or how important it is for Canadians?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

I think that every tool that can improve privacy compliance is a good one. Performance management tools are good tools, because they focus the minds of executives, so I would be supportive of that.

4:50 p.m.

Adam Chambers Conservative Simcoe North, ON

Okay, thank you.

In this general scope of privacy, which I've written to your office about before, this is perhaps a slightly different question, but I feel it's on topic, and I haven't had a chance to speak with you about it. Do you think it's in the public interest for members of Parliament as legislators and for the public to have a full understanding of how many individuals received the private, personal, confidential details of individuals who had their bank accounts frozen as part of the Emergencies Act invocation?

4:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

Are you asking if it's in the public interest to...?