Thank you very much, Mr. Chairman, honourable members.
I'm here as the Privacy Commissioner of Canada, and the relevance to the topic we're discussing today is that under the Privacy Act my organization has the authority to take complaints, to investigate, and to audit the personal information practices of more than 250 agencies and departments, including the RCMP, CSIS, and other national security agencies, such as FINTRAC.
Accompanying me today is Chantal Bernier, who is assistant commissioner for the Privacy Act. Madame Bernier was formerly assistant deputy minister in the Department of Public Safety and Emergency Preparedness. And with me as well is senior adviser Mr. Carman Baggaley, who accompanied me when I appeared before the inquiries of Mr. Justice O'Connor and Mr. Justice Major.
I believe all the honourable members have two documents that my office provided to you last week. The first piece is an overview, a backgrounder, of national security and surveillance laws passed in several countries since 2001, and it shows how much the social and political terrain has shifted dramatically after 9/11.
I'd like to talk a bit about how privacy laws apply to national security agencies.
In the various cases you were reviewing, this application is all too clear. The men who became the subjects of the inquiries that you were studying, as we just heard, suffered terribly, but as well as all the other harms they endured, the first violation was to their privacy.
To begin with, as Mr. Cavalluzzo has quoted, Justice O'Connor noted that inaccurate and misleading intelligence about them was compiled. That means their personal information, in terms of the Privacy Act, was shared inappropriately. Finally, this information was used to justify their detention, deportation, and subsequent torture.
Privacy rights under Canadian law are not simply about who is allowed to collect information. Privacy laws also set out who is accountable for protecting that information, ensuring it is accurate and limiting its disclosure to third parties. The findings of the O'Connor and Iacobucci reports call into question the practices of Canadian security agencies in all these areas. Both reports underscore how critical it is for officials in these departments to properly manage the collection, validation, sharing and careful review of the exchange of personal information.
Commissioner Iacobucci concluded in his inquiry that inaccurate information was collected on the individuals in question, that inaccurate information was shared with other states, and that safeguards for these files were not properly observed. Misleading, inaccurate, or out-of-date information was kept on file and shared too broadly, with few or no caveats on the use of that intelligence.
Privacy practices in government must be better defined, and sensitive information must be protected. This has never been more urgent than in light of the national security challenges we face. To address this question, the second piece that we have provided to this committee presents our views on how oversight, privacy practices, and data protection in government could be improved.
While I have several suggestions for your consideration, if I can leave you with one over-arching message, it would be this—in an era of networked intelligence and surveillance, Canada needs a networked approach to oversight and review. Proper oversight and accountability for national security provide a vital check for Canadians' privacy rights.
In our recent history, rights and security are often pitted one against another. Margaret Bloodworth, who was Canada's former national security adviser, noted this tension just prior to her recent retirement. She said that safeguarding the privacy rights of citizens while also securing their physical security is not simply a question for the Canadian intelligence community, it is the question. It is the question, the single greatest issue that they must confront. I'd also add that security and privacy are not, as we often say, mutually exclusive. We need not, nor should we not in Canada, trade one for the other.
As you have heard from other expert witnesses, a fundamental question for national security in the 21st century is data governance. In a fully wired, networked world, how does any organization exercise quality control and oversight? Given the complexity of inter-agency, inter-jurisdictional, international, inter-sector intelligence operations—who can exercise that level of global review?
A recent report from the Office of the Auditor General in March 2009 on intelligence and information sharing stressed this point, that review bodies “must look beyond individual agencies to reflect the integrated nature of national security activities”. These are the main points that I hoped to raise in our submission.
Now I'll just take you quickly through the recommendations. There are seven of them.
First of all, we recommend adopting an integrated approach to security review that allows for more coordination and more cooperation on investigations and reports across the system. This is the network approach recommended by Justice O'Connor. In my experience and in the experience of my office, this has worked to great effect. We do joint investigations with provincial privacy commissioners' offices. We do collaborative reporting with the Office of the Auditor General, for example. All of the review community, in my opinion, could benefit from similar powers.
Second, I think we have to address the privacy practices within security agencies. The approach of departments and agencies to information sharing and data management has to change. Without proper attention to internal controls, new layers of oversight will not address front-line problems. Enhanced training around the theory and the practice of privacy, fair information practices, and data protection could affect great change here.
Third, appoint chief privacy officers across the government, but in particular for departments and agencies where collection of sensitive personal information is widely required by their mandate.
Fourth, provide the Commission for Public Complaints Against the RCMP with the resources and legal authority required to exercise more meaningful review. I believe Mr. Cavalluzzo has spoken quite completely to this question.
Fifth, request that the Treasury Board and ministers issue new policy requirements for departments and agencies on privacy. Robust information-sharing agreements through privacy impact assessments, well-developed privacy directions, and guidance must become part of how these organizations operate. We cannot have the informal, unstructured, and basically ungrounded sharing of information anymore.
Six, reform—as I have said before several other committees of the House of Commons—the Privacy Act, which dates back to 1983. In light of all that we have learned, I believe government departments must be held to a higher standard of privacy protection, information handling and data protection. I have recently put forward 10 “quick fixes“ for government's consideration which could tighten controls on international information sharing, require departments to test the necessity of the information they collect and allow the Federal Court a wider role in reviewing violations of the act.
Seventh and finally, we urge Parliament to increase the resources and involvement of this House committee and its counterpart in the Senate. These bodies can provide active oversight of national security agencies and their operations. By pooling expertise, coordinating reviews, and sharing information, existing mechanisms for parliamentary review could be augmented.
Briefly, Mr. Chairman, I'd like to leave you with a few final thoughts.
While Canada's system of review and oversight functioned throughout the 1980s and 1990s, the stresses on the system after 9/11 have become tragically apparent. This needs to be addressed. When networks of intelligence sharing are global, oversight cannot remain rigid and localized. While I recognize that there's no silver bullet fix given these complex issues, I'm also keenly aware that there are very real human consequences that spring from poor information handling and governance. My office deals with them daily through our complaints process.
Thank you very much, Mr. Chairman, for your time and consideration. My office staff and I would be happy to answer your questions.