National Defence Committee on May 1st, 2024

I don't have a specific area on this, other than to say that the process should be adapted to the circumstance and should be as user-friendly as possible. If you make a process and it's very challenging, or there are disincentives for individuals to use it, that's a concern. The processes should be looked at—there may be specific realities and specific departments—but the idea is to make this process easy to understand and easy to use, so those rights can be exercised.

Agreed.

In the case of our work, we're looking at a range. It's not entirely digital; we're doing a combination of both. We've designed and created a digital tool, for instance, for a breach, to assess whether a given privacy breach is a real risk of harm, and that's going to give an opinion on that and assist in that. There's a combination of that, but then you're going to have the assessment by the investigator, and you're going to have those decisions, so I think we always have to have that in mind. Digital tools and technology bring significant advantages. We need to harness those advantages, and we also need to manage them so there aren't implications that could harm privacy or other aspects.

We've moved forward in terms of information on the cloud, for instance, at the OPC. We are looking at technologies generally to see which ones could be used and how to use them. In terms of our strategic priority, we talked about staying ahead of technology in terms of legal compliance. What that means is that we have a role as a regulator to provide guidance and make decisions in terms of complaints on new technologies, including artificial intelligence.

However, also as an institution, we have a responsibility to be as efficient as possible. If there's technology that can help us do that work better, we have to consider that, but we have to consider that in a way that is protective of privacy, that can serve as an example that says if you're going to use this technology, here's the type of due diligence that you need to do before you use it. One of the messages we've been giving to government departments is that before they use new tools from a private sector organization, they should make sure they do that due diligence, that they have the privacy impact assessment and that they're satisfied that this technology is protective of the privacy of Canadians.

The tool we've developed is a tool where you will input the types of informational elements about the breach—what happened and in what context and so on—and then that tool will generate a score that will indicate that this looks like it's serious enough, that this looks like a breach you should be reporting. It's designed to help, but it doesn't replace the expertise and the human decision-making. It's an example of using technology for something that can help privacy.

Other examples of privacy enhancement technology would be synthetic data or other types of information where you can use technology to protect privacy. You can achieve the same benefits of data without being able to identify individuals.

We're looking at all of these fears, but, as you indicate, we have to make sure that, whatever we're using, we're doing it in a privacy-protected way.

In fact, the government is not violating its own law, because conducting such an assessment is not a legal obligation, but currently stems from a Treasury Board directive. Hence, a department that doesn't comply is violating a government directive, not a law. That's the problem we've identified. In our view, there should be a provision in the law that says that when a department develops a new program or uses new tools that may have significant consequences for privacy, it must carry out a privacy impact assessment.

We'll continue to encourage the departments to conduct those assessments, and we'll continue to advocate for legislation making them mandatory. In an ideal world, when the question is asked, the response would always be, “Yes, we carried out an assessment.” The media and parliamentary committees are doing important work by raising those issues.

The idea is not to ban those tools outright. Indeed, police forces must have the tools they need to do their jobs, but they need to be disciplined in their use of those tools, after conducting a privacy impact assessment.

We issued a decision on certain tools used by the Royal Canadian Mounted Police to fight crime. Of course, fighting crime is important and the RCMP has to be able to do so successfully, but we determined that the approach taken to protect privacy was insufficient. Therefore, we'll continue to do this work, but I think that there would be greater compliance if the obligation were enshrined in law.

I think that it's important that people be able to access legal recourse. If you have a legal right, if you're protecting citizens, employees, civil servants or otherwise, people need to be able to access the systems. People need to be able to file a complaint and not worry about repercussions or reprisals.

From my standpoint as a regulator, that's important. It's important that you're not creating these disincentives for individuals to file complaints, because, at the end of the day, this is all being done in the public interest and with the mandate of Parliament.

It was not PIPEDA. It was the Privacy Act.

That's right. The Information Commissioner was created under the Access to Information Act, and the Privacy Commissioner under the Privacy Act. More recently—I think it was 2017, but I may be wrong on the date—Bill C-58 amended the Access to Information Act to give the Information Commissioner order-making powers. That's something that has not been done yet for privacy.