Appearance before the Standing Committee on National Defence as part of its study of transparency within the Department of National Defence and the Canadian Armed Forces

May 1, 2024

Ottawa, Ontario

Opening statement by Philippe Dufresne

Privacy Commissioner of Canada

(Check against delivery)

---

Thank you, Mr. Chair, and Members of the Committee, for this invitation to appear as part of your study of transparency within the Department of National Defence and the Canadian Armed Forces.

As this is the first time that I have appeared before this Committee, let me begin by discussing my role as Privacy Commissioner of Canada and the role of my Office, the OPC (the Office of the Privacy Commissioner of Canada).

As Privacy Commissioner, my mission is to protect and promote individuals’ fundamental right to privacy. This includes overseeing compliance with both the Privacy Act, which applies to federal institutions’ collection, use, disclosure, retention or disposal of personal information, and the Personal Information Protection and Electronic Documents Act, or PIPEDA, which is Canada’s federal private-sector privacy law.

As an Agent of Parliament, I report directly to Parliament. Through written submissions and appearances such as this one, I provide analysis and expertise to help inform Parliament’s review of evolving legislation and recommendations on privacy issues.

The Privacy Act defines personal information as any recorded information about an identifiable individual, including a person’s race or colour, religion, age, marital status, as well as medical, criminal or employment history, or Social Insurance Number, among other data.

The Privacy Act provides individuals with the right to access the personal information that the government holds about them, and to request corrections to that information where necessary.

My Office investigates complaints that are made against federal institutions under Section 29 of the Privacy Act, which includes cases where people have been refused access to their personal information, or instances where the institution is taking too long to respond to a request. My Office also investigates issues relating to the protection of personal information, such as allegations of improper collection, use, disclosure, retention or disposal of personal information. This includes matters involving privacy breaches.

While I am responsible for oversight of the Privacy Act, my colleague, the Information Commissioner of Canada, Caroline Maynard, who also appeared before you on this study, administers and enforces the Access to Information Act. The two pieces of legislation were enacted together in 1983 and are intended to be a “seamless code” of informational rights that carefully balance privacy and access.

The Privacy Act has not been significantly updated since it was passed 40 years ago. The Justice Department published a consultation paper in 2021 and is still consulting on Privacy Act reform. One of the issues that it discusses is the government’s approach to transparency.

I support the enhancements to transparency that are proposed in the paper and my Office has made recommendations for further improvements. Transparency is important for empowering citizens with the knowledge that they need to exercise their rights, and for requiring the government to be accountable for its handling of personal information. These are critical aspects of a meaningful data protection framework.

With respect to this Committee’s study of transparency, my Office has had ongoing engagements with the Department of National Defence. In the past five years, the Department has consulted the OPC on a wide range of privacy-related issues such as biometrics, open-source intelligence, staffing and recruitment. My Office has worked with the Department and Canadian Armed Forces to provide advice on compliance with the Privacy Act.

My Office has accepted nearly 300 privacy complaints against the Department of National Defence and the Canadian Armed Forces over the last five years. More than half of these were related to the time that it was taking them to process requests for access to personal information.

In the same five-year period, the OPC received 10 breach reports from the organization, which are primarily related to unauthorized access, unauthorized disclosure, and the loss of personal information.

I welcome the efforts that the Department of National Defence and the Canadian Armed Forces have made toward privacy protection, and my Office remains available to provide support and advice. I encourage them to prioritize timely responses to requests for access to personal information, and also to undertake privacy impact assessments before onboarding new programs and processes.

I would be pleased to take your questions.