National Defence Committee on May 1st, 2024

Thank you, Mr. Chair and members of the committee, for this invitation to appear as part of your study of transparency within the Department of National Defence and the Canadian Armed Forces.

I'm accompanied by Isabelle Gervais, deputy commissioner of compliance, from my office.

As this is the first time I have appeared before this committee, let me begin by discussing my role as the Privacy Commissioner of Canada and the role of my office, which we refer to as the OPC.

As Privacy Commissioner, my mission is to protect and promote individuals' fundamental right to privacy. This includes overseeing compliance with both the Privacy Act, which applies to federal institutions' collection, use, disclosure, retention or disposal of personal information, and the Personal Information Protection and Electronic Documents Act, or PIPEDA, which is Canada's federal private sector privacy law.

As an agent of Parliament, I report directly to Parliament. Through written submissions and appearances such as this one, I provide analysis and expertize to help inform Parliament’s review of evolving legislation and recommendations on privacy issues.

The Privacy Act defines personal information as any recorded information about an identifiable individual, including a person’s national or ethnic origin, colour, religion, age, marital status, as well as medical, criminal or employment history, and social insurance number.

The Privacy Act provides individuals with the right to access the personal information that the government holds about them, and to request corrections to that information where necessary.

My office investigates complaints that are made against federal institutions under section 29 of the Privacy Act, which includes cases when individuals have been refused access to their personal information or instances when the institution is taking too long to respond to a request.

My office also investigates issues relating to the protection of personal information, such as allegations of improper collection, use, disclosure, retention or disposal of personal information. This includes matters involving privacy breaches.

While I am responsible for oversight of the Privacy Act, my colleague Caroline Maynard, the Information Commissioner of Canada, who has also appeared before you on this study, administers and enforces the Access to Information Act. The two pieces of legislation were enacted together in 1983 and are intended to be a “seamless code” of informational rights that carefully balance privacy and access.

The Privacy Act has not been significantly updated since it was passed 40 years ago. The justice department published a consultation paper in 2021 and is still consulting on Privacy Act reform. One of the issues it discusses is the government's approach to transparency.

I support the enhancements to transparency that are proposed in the paper, and my office has made recommendations for future improvements. Transparency is important in empowering citizens with the knowledge they need to exercise their rights and in requiring the government to be accountable for its handling of personal information. These are critical aspects of a meaningful data protection framework.

With respect to this committee’s study being discussed today, my office has had ongoing engagements with the Department of National Defence. In the past five years, the department has consulted the OPC on a wide range of privacy-related issues such as biometrics, open-source intelligence, staffing and recruitment.

My office has worked with the department and Canadian Armed Forces to provide advice on compliance with the Privacy Act.

My office has accepted nearly 300 privacy complaints against the Department of National Defence and the Canadian Armed Forces over the last five years. More than half of these were related to the time that it was taking them to process requests for access to personal information.

In the same five-year period, the OPC received 10 breach reports from the organization, which were primarily related to unauthorized access, unauthorized disclosure and the loss of personal information.

I welcome the efforts the Department of National Defence and the Canadian Armed Forces have made towards privacy protection, and my office remains available to provide support and advice. I encourage them to prioritize timely responses to requests for access to personal information and also to undertake privacy impact assessments before onboarding new programs and processes.

With that, I will be happy to answer your questions.

It's all context-based. The legislation talks about a 30-day period for a response, and then there is the possibility of an extension for another 30 days. We would look at those cases on a case-by-case basis.

As I've indicated, I think the bulk of the complaints we receive deal with delays to the process in terms of personal requests.

What we see is that there are many cases in which the delays are greater. We work with the departments. We deal with the complaints. We've found that departments are collaborative in the complaints process as they work with us, but that is an important part of the number of complaints and volume of complaints we receive. We try to resolve them as early as possible through resolution and expedited complaints mechanisms.

I agree that leadership is important, and I agree that access to information and privacy are fundamentally important legislation, so they should be prioritized.

I think the department should make efforts to make the system as user friendly as possible. One of the themes I've been pushing in terms of privacy in all aspects is really making sure we are not delegating to individuals and to citizens.

I think what we're seeing in the system is lengthy periods of time, so that's something that....

That work really is done by my office and by the Treasury Board Secretariat. The Treasury Board Secretariat will be providing guidance and information to the departments themselves. In terms of best practices and expectations, one example of that is the directive on privacy impact assessment, which I hope will be made a legal requirement. Right now, it's something that is in Treasury Board policy, but it's not in law. They play very much that education role with the departments. We work with Treasury Board and we are consulted by Treasury Board, and we would want that to continue and increase so our perspective informs the Treasury Board directives and the training Treasury Board will do.

We have government advisory services within my office that are available to assist and provide input to departments for new programs and initiatives and to be consulted on privacy impact assessments. Certainly, we are doing that in tandem with the Treasury Board Secretariat.

One of the improvements, certainly, that I would like to see in the privacy legislation, for both the public and private sectors, is order-making power. That is something Parliament has given now to the Information Commissioner in terms of access requests, which was a positive step in Bill C-58. It is something that is currently proposed in Bill C-27 for private sector privacy legislation, and I would want this to be part of public sector privacy legislation. That was one of the recommendations in the Justice Canada paper.

Specifically with respect to access matters, I would want this to be expanded to all matters. I think this is an area in which some of our provincial counterparts and, indeed, our international counterparts are ahead, with the authorities to make not merely recommendations but also orders. That's one area.

I would be remiss if I didn't highlight the very strong collaboration I have with my federal, provincial and territorial counterparts in this space. That collaboration has led to joint investigations and joint statements and resolutions, so we're going to continue to work very closely with them.

A privacy impact assessment is really a due diligence tool whereby the organization thinking of putting in place a new program or tool that can have privacy impacts is required to assess the impacts and look at the risks and document them, and think of solutions to mitigate those risks, in consultation with my office. It's a very powerful tool that is a good practice and is good for everybody. It's good for citizens, who are going to have better privacy protections, and it's good for the departments, because they get advice and are seen to be getting advice from a neutral regulator. This is absolutely something that should be done in all cases and before new tools and new programs happen. In reality, that doesn't always happen, which is why it should be a legal requirement, in my view.