Information & Ethics committee  I agree.

Information & Ethics committee  A number of the departments, in this instance, that have not done those PIAs are not compliant with this directive.

Information & Ethics committee  What I would have liked, in a situation like this, is for my office to have been consulted beforehand in the 13 cases and for us to have all the necessary information so that, in response to the media, we could confirm to them what has happened, tell them that we have been notified, that we have given advice, that an assessment has been made and that we have no problem with it, or the opposite, and then present the recommendations we have made.

Information & Ethics committee  I think there are all kinds of challenges, whether in terms of resources or the pressure on departments. They're in a better position to speak to that than I am. The challenge is that privacy impact assessments are mandatory under the Treasury Board directive but not under the act.

Information & Ethics committee  This isn't a legal obligation for them, which would become a top priority. It's only an obligation under the directive.

Information & Ethics committee  Before setting up a program, they don't always have the reflex to check whether my office has been informed of it. There are improvements to be made in that regard. We're talking about departments that use this tool for a specific purpose: Some use it for internal investigations and others for investigations within their mandate.

Information & Ethics committee  I don't have all the details of what they would be doing. That could be asked of them. Generally speaking, you would be talking about the tools that are provided to the employee by the employer—the email, the laptop and these types of things. Again, nonetheless, there are some expectations of privacy vis-à-vis these tools, but it's contextual.

Information & Ethics committee  The policy is an internal rule that the government imposes on itself, so it's a directive that would be issued, in this case, by the Treasury Board. It says, here are the expectations that we have of the department. It's certainly important but it doesn't have the same binding legal force, and it certainly doesn't allow me to conduct an investigation in the same way as if it were in the Privacy Act.

Information & Ethics committee  Generally, when we talk about spyware we're talking about these types of tools that will be covertly accessing phones, retrieving data, turning on cameras and turning on recordings. It's the broad category of spyware we recently referenced for illegal use and unauthorized use. When we talk about ODITs, on-device investigative tools, we're talking about those types of things that are used by law enforcement authorities.

Information & Ethics committee  If we're talking about digital forensic tools, which is what we're talking about in this context, they can be used to acquire digital evidence, recover deleted files, analyze files of interest and create a timeline of interests and events. They almost always require the physical access to the device.

Information & Ethics committee  I don't know of all the departments that would have it, but certainly from the reporting, 13 were identified as having those tools. We followed up with them and have obtained information.

Information & Ethics committee  In many cases that's correct, because we don't know what a department is doing unless they advise us or unless they consult us. The policy of the Treasury Board requires it, but it's not a legal obligation. My recommendation is that it should be. It is always better for the department, for Canadians and for my office when that proactive reach-out is done from the department so that we can provide our input, we can flag risks and Canadians can see that this is happening.

Information & Ethics committee  I think we have to strengthen that generally. More and more technology is being used with greater capabilities. That brings innovation and that brings opportunities, but we need to have that reflex of privacy by design and privacy at the front end. Often we'll see the situation where the tool is developed and used, and then we do a privacy impact assessment or we bring in those things.

Information & Ethics committee  In the cases where they're used for administrative investigation, these are not the only purposes. Some departments would use them for other types of investigations, but certainly if we're talking about administrative investigations, that would be the employees of the department.

Information & Ethics committee  We're talking about a range. Some of the departments will be using them to do investigations on breaches of the act by Canadians generally. Others will be using them to investigate their employees. In the case of the three that were using them for administrative investigations, that won't be all Canadians.