Thank you very much, Mr. Chair. Thank you for inviting me here to discuss this legislation. I'm accompanied by our general counsel, Patricia Kosseim, should there be any technical legal questions on my remarks.
As Privacy Commissioner of Canada, it's my role, as you know, to comment on the privacy implications of the bill as they relate, in this case, to the retention, accuracy, and disposal of personal information. I'd also be pleased to answer your questions from the perspective of my mandate as Privacy Commissioner.
I'd like to start by giving you a brief overview of the involvement of my office with the firearms registry program.
As many of you will know, my predecessors took interest in the Canadian firearms program because it involved the collection and use of significant amounts of sensitive personal information. My office looked at the firearms program in detail when it was first introduced and for about five years afterwards. For example, in 2001 we issued a document called a “Review of the Personal Information Handling Practices of the Canadian Firearms Program”. We also received over the years a number of complaints relating to this registry. More recently, in 2009 we carried out investigations concerning a survey of firearms licensees, where we concluded that the information disclosed by the RCMP to the survey research company was in fact properly safeguarded.
My office has reviewed Bill C-19, and I'll now present some specific observations related to the personal information implications for Canadians whose personal information is collected under the Firearms Act.
I will talk now about clause 29 and the legitimate power to dispose of personal information.
Federal institutions collect personal information as part of their programs and activities, generally in order to help make decisions about individuals to whom such information pertains. The Privacy Act contains a number of guidelines on the protection of personal information. Some of these guidelines, called fair information practices, are clearly and directly related to today's discussion.
One of these practices is retention. It's important to retain personal information as long as necessary to fulfill the purpose for which it was gathered. Just as important for the protection of personal information is the need to ensure the accuracy of such information. The retention of information means that individuals can apply for a disclosure of information and challenge the accuracy of the information if there are grounds for doing so. This is fundamental in the making of decisions about individuals.
I note that clause 29 of the bill establishes the obligation to dispose of all records pertaining to firearms that are not prohibited or restricted now found in the firearms registry. This requirement would also apply to related records held by chief firearms officers in the provinces and territories.
Clause 29 says that relevant information must be disposed of “as soon as feasible.” This seems to be consistent with one of the foundations for the protection of personal information whereby any personal information that is not used for the reason for which it was gathered must be destroyed.
This provision removes the destruction of records from the application of the Privacy Act and any relevant regulations. These regulations require that personal information should be retained for at least two years after its use by a government institution for administrative purposes. In other words, information must be kept for at least two years unless the person concerned agrees that it may be destroyed.
I acknowledge the government's authority to enact an exemption to these retention provisions under the Privacy Act. However, if clause 29 of the present bill considers “as soon as feasible” to be much shorter than the two-year requirement under the present Privacy Act regulations, there may be some situations where certain information that might still be relevant--for example, in a possible court action--is destroyed.
I'd like to talk about some challenges in personal information disposal. I would simply like to underscore that whatever schedule the government decides to follow in the destruction of personal information, it should allow enough time for properly and securely disposing of personal information in the main, secondary, and related registry databases.
In 2010 my office published an audit titled “Personal Information Disposal Practices in Selected Federal Institutions”. The report found that the selected departments did do a good job overall when it came to disposing of personal information. However, my office also uncovered inadequate control mechanisms and inconsistent practices. My office made recommendations, and improvement measures have been implemented. Disposing of data is indeed a complex process.
Let me conclude by underlining that appropriate safeguards and secure disposal are paramount in ensuring that information no longer required for government use is not misused or exposed to potential data breaches.
Thank you very much once again for your attention, Honourable Chairman. I look forward to your questions.