Public Safety committee  One way would be to build in the test stipulating that the activity be necessary and proportionate. The second one is missing. The necessity component is covered in the act. For example, certain provisions stipulate that, if the minister is of the view that it is necessary to do something, the minister has the power to do so.

Public Safety committee  I think all the recommendations I covered in my opening remarks help to reassure Canadians, as well as small and medium-sized businesses. The institutions are there to help them. The responsibility is not being put wholly on individuals or small and medium-sized businesses. Take privacy impact assessments.

Public Safety committee  The legislation currently doesn't provide a role for my office. The role would be specified under the Privacy Act. We have jurisdiction over the government's handling of information and we have jurisdiction over the private sector's handling of information. One of our recommendations is to have more transparency mechanisms so that we can know what is happening and so that we can know what type of information is being collected, disclosed and used so that we can exercise our powers in that regard.

Public Safety committee  I'm not suggesting that we would have oversight under this legislation. I'm suggesting that we be given the necessary information so that we can fulfill our mandate under privacy legislation with respect to public sector and private sector privacy information. One of the recommendations I've made is that privacy impact assessments be mandatory and that I be consulted on those so that we can provide insight and advice to departments, because when that happens at the front end, these issues can be corrected and addressed before they become issues that can impact Canadians' trust.

Public Safety committee  All right. What we examine are activities that impact privacy. Our mandate does not extend to security issues that do not relate to privacy. We aren't looking to broaden our mandate. According to Treasury Board policy, departments are supposed to consult our office when activities or projects could impact the privacy of Canadians.

Public Safety committee  Well, we do so at any appropriate time. Ideally, we would hope to be consulted prior to the bill being tabled, but the regular way is for my office and me to be called to committee to give a recommendation on a bill. We can also do the same for regulations and consultations with the government.

Public Safety committee  I hope so. We're certainly prepared for that. We expect that and we would call on the government to involve us in that.

Public Safety committee  Certainly in terms of data crossing national boundaries and being shared with other institutions, my recommendation is to make sure we have specific requirements for these information-sharing agreements so that the purpose, the retention and the safeguards regarding that information by our international partners—all of these—are set out and are strict, and there's a dispute resolution mechanism just so we bring in more rigour and guardrails to those exchanges of information.

Public Safety committee  Thank you, Mr. Chair. Members of the committee, I am pleased to be here to assist the committee in its study of Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts. Cybersecurity is an area of significant importance, in Canada and globally.

Information & Ethics committee  Yes.

Information & Ethics committee  Yes.

Information & Ethics committee  In many instances you would need a warrant in those cases. The departments have indicated that. As was the case for the study on the RCMP's use of ODITs, those also require warrants. However, that's a separate question from the privacy impact assessment. The warrant may be based on criteria that are distinct from the privacy considerations that are at the heart of the privacy impact assessment.

Information & Ethics committee  That's a question that would be best placed to the specific department, because it's their use of their—

Information & Ethics committee  The warrant issue is relevant to us when we're looking at the legal basis for the use. That's one criteria. One investigation that we did years ago involved the use of cell towers. Some of the things were done without a warrant, and we said that's not justified.

Information & Ethics committee  I think so. We'll get the exact name. That was an issue. We looked at that as the first question. Even if you have that warrant, and you have that legal basis, there is then the second question: Do you have to do a PIA?