Annual Reports to Parliament

PDF Version

Annual Reports to Parliament 2003-2004

	See Erratum # 1 See Erratum #2

The Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3

(613) 995-8210, 1-800-282-1376
Fax (613) 947-6850
TDD (613) 992-9190

© Minister of Public Works and Government Services Canada 2004

Cat. No. IP50-2004
ISBN 0-662-68421-4

This publication is also available on our Web site at www.priv.gc.ca

---

November 2004

The Honourable Daniel Hays
The Speaker
The Senate of Canada
Ottawa

Dear Mr. Speaker:

I have the honour to submit to Parliament the Annual Report for the Office of the Privacy Commissioner of Canada, for the period from April 1, 2003 to March 31, 2004 for the Privacy Act and from January 2 to December 31, 2003 for the Personal Information Protection and Electronic Documents Act.

Yours sincerely,

 

Jennifer Stoddart
Privacy Commissioner of Canada

---

November 2004

The Honourable Peter Milliken, M.P.
The Speaker
The House of Commons
Ottawa

 

Dear Mr. Speaker:

I have the honour to submit to Parliament the Annual Report for the Office of the Privacy Commissioner of Canada, for the period from April 1, 2003 to March 31, 2004 for the Privacy Act and from January 1 to December 31, 2003 for the Personal Information Protection and Electronic Documents Act.

Yours sincerely,

 

Jennifer Stoddart
Privacy Commissioner of Canada

---

Table of Contents

Foreword

Overview

Policy Perspective

Substantially Similar Provincial Legislation

Part One - Report on the Privacy Act

Introduction

Investigations and Inquiries

• Complaints under the Privacy Act
• Definitions of findings under the Privacy Act
• Select cases under the Privacy Act
• Incidents under the Privacy Act
• Public Interest Disclosures under the Privacy Act

Privacy Practices and Reviews

• Privacy Impact Assessments

In the Courts

Part Two - Report on the Personal Information Protection and Electronic Documents Act

Introduction

Investigations and Inquiries

• Definitions of findings under PIPEDA
• Select cases under PIPEDA
• Incidents under PIPEDA

Privacy Practices and Reviews

In the Courts

Part Three - Corporate Services

Management Responsibility Letter and Audited Financial Statements

---

Foreword

This has been an exceptional year for the Office of the Privacy Commissioner of Canada. When I was appointed on December 1, 2003, I took over stewardship of an office that had undergone a great upheaval. In the course of six months, a Commissioner and several senior officials resigned amid scandal and intense publicity, an interim Commissioner was appointed, numerous internal and external reviews, audits and investigations were undertaken — and some are still ongoing — two Assistant Privacy Commissioners were appointed and a significant corporate restructuring was undertaken. I took over the helm of a ship that, while set on a positive course by Interim Privacy Commissioner Robert Marleau, was still navigating through a sea of administrative, financial and organizational crises.

Great progress has been made in the institutional renewal and strengthened management and financial framework of the OPC. This progress has been essential to rebuilding this Office and our efforts to emerge as a more effective organization, which upholds the principles of the Public Service while, at the same time, delivering on its mandate to protect and defend the fundamental privacy rights of Canadians.

I would like to salute the tremendous work of Interim Commissioner Robert Marleau in helping to move this Office through a difficult and complex period. M. Marleau's support and encouragement of staff, his work with audit and investigation teams and his emphasis on responsibility and teamwork have provided a strong foundation for a return to normalcy. He has our appreciation and gratitude.

In building on that foundation, corrective measures have been taken and continue to be taken to restore the overall wellness of the working environment, to further strengthen management practices and financial controls, to bring greater transparency and fairness to the human resources function, to encourage innovation, and to engage employees and union representatives in re-building and sustaining a process of organizational learning.

Other measures successfully undertaken include a cost recovery plan and a comprehensive planning process to realign our strategies and goals. An initial Report to Parliament on Action Arising from the Auditor General's Report on the Office of the Privacy Commissioner of Canada, jointly tabled by our Office and the President of Treasury Board of Canada on October 31, 2003, detailed actions taken or to be taken on recovery actions by our Office. The report was followed by a final report tabled in April 2004.

We have also established an External Advisory Committee comprised of distinguished national privacy experts to provide input and guidance to the Office on strategic directions and priorities and established a Union Management Consultation Committee and a Health and Safety Committee to restore the overall wellness in the workplace. In addition, we are working actively with the Treasury Board Secretariat to improve our Human Resources functions. A significant focus of our renewal has been to re-build and regain the confidence of the Parliament of Canada. To this end, we have created a new role for a Parliamentary Liaison Officer, to help us fulfill our ongoing responsibilities as Parliament's window on privacy issues.

In the midst of this challenging and chaotic year, our Office was preparing for full implementation of the Personal Information Protection and Electronic Documents Act — also known as PIPEDA. On January 1, 2004, PIPEDA, which has come into force in stages, extended to the collection, use or disclosure of personal information in the course of any commercial activity within a province — except where privacy legislation deemed "substantially similar" by the federal government is in force.

PIPEDA is a flexible, pragmatic law that addresses the multi-jurisdictional issues raised in our constitutional context. The Act may be replaced by legislation that has been found to be "substantially similar" to the federal law. At the time of publication of this report, only Quebec's legislation has been found to be substantially similar, although we expect positive findings for the privacy legislation passed in Alberta and British Columbia. Our Office is working and will continue to work cooperatively with our provincial counterparts in a harmonized approach to dealing with privacy complaints in the private sector.

PIPEDA thus affects organizations from large corporations to small convenience stores, multi-national financial and insurance industries to corner florists and the neighbourhood dry cleaners. There has been an initial period of confusion and anxiety over these new rules about personal information in the private sector.

However, over the year and particularly in the months leading up to the January 1, 2004 target date, our focus was to help organizations implement and comply with PIPEDA and to engage in outreach, cooperation, public education, and the creation of innovative new partnerships with the private sector. We have consulted extensively with private sector business associations, in particular with the banking and financial sector and with the direct marketing industry. Assistant Privacy Commissioner Heather Black, former General Counsel with our Office and with Industry Canada, where she worked on development of the Personal Information Protection and Electronic Documents Act, has criss-crossed the country this year on a busy schedule of speaking engagements to a wide variety of groups to raise awareness about PIPEDA.

We also responded to thousands of inquiries and requests for information on PIPEDA from businesses and organizations all across Canada; we engaged in consultations with business groups and associations; we sent out thousands of copies of reports, business guides, fact sheets and other public education materials; we have reorganized and overhauled our Web site to be compliant with the Government Common Look and Feel standards, and have made several new resources, guides and compliance tools available electronically to Canadian businesses and individuals.

It has been an exceptional year for Privacy Act complaints as well. Our Office received a record number of new complaints — a 250 per cent increase over the previous year. You will find more details explaining these statistics further on in this Report. As well, our investigators closed a record number of complaint investigations — an achievement to be highly commended in light of the extra challenges faced by our staff this year.

While it has been a difficult and challenging time for our Office, our work to monitor technological trends and initiatives to help protect Canadians' privacy and the integrity of personal information continued, with new threats to privacy emerging nationally and internationally. At the start of the year, the idea of a National Identity Card was proposed, opposed by many Canadians, and has been put on hold — for the time being at least. The vast majority of Canadians who made presentations to the Committee — including representatives from this Office — were staunchly opposed to the introduction of a national identity card. We remain opposed.

Personal information about Canadians continued to be gathered, stored, sorted and shared in alarming amounts on the basis of the idea — however unproven — that more information about individuals equals greater security against terrorists and other threats. We are concerned about the increasing integration of our border security with that of the United States, and the impetus this gives to the collection of large databases of personal information about travellers, potential travellers, and people in the transportation industry who must cross borders regularly to do their jobs. Our Office is looking very closely at the personal information handling practices of the newly created Canadian Border Services Agency.

The issue of trans-border data flow also commanded our specific attention this year. In an increasingly digital world, Canadians' personal information can be sent anywhere in the world at the click of a mouse. We are concerned about the impact this may have on Canadians' rights to privacy. Our Office is working on a project that will help outline the pathways for personal information flow across borders, and what rights and protections may apply to that information. We recognize the need for increased security in today's environment, and would never stand in the way of legitimate measures to fight terrorism. But the need for national and international security must be balanced against the fundamental human right to privacy and the individual's right to control the collection, use and disclosure of personal information.

New technologies are emerging that threaten our privacy in ways previously unimagined. We will continue to monitor the use and impact of technologies such as video surveillance, spyware, radio frequency identification devices (RFIDs), global positioning systems, wireless communication devices, and biometric identifiers such as face recognition, DNA and fingerprints. Our Office is working with our federal partners on finding appropriate legal, regulatory, and technical measures to address these issues.

For example, we have seen spam — those ubiquitous unsolicited e-mail messages — rapidly become a real risk to Canadians' privacy and the integrity of their personal information. Spam messages often carry malicious computer code into your computer system, creating programs that can read your e-mail, track your Internet use, and even steal your passwords and credit card numbers. Our Office is working closely with Industry Canada and its anti-spam task force to develop ways to tackle this insidious problem, and to help consumers take pro-active measures to protect themselves. Similarly, we will pursue opportunities to protect the privacy rights of consumers in dealing with the potential negative impact of new technologies that pose privacy concerns.

In the coming year, our Office will continue to focus on outreach and communications to help Canadian individuals and businesses to understand their rights and obligations under the Privacy Act and PIPEDA. We continue to seek input from Canadians in a variety of ways to help us better serve their needs, and to help strengthen the Office of the Privacy Commissioner as a seminal force in protecting and promoting privacy rights.

Above all, I would like to take this opportunity in my first report as Privacy Commissioner to praise the staff of this Office, which has laboured under unprecedented challenges, personally and administratively, to get the work done. I commend them for their professionalism, their dedication to upholding privacy rights for Canadians, for upholding the principles of the Public Service and for their grace under pressure. It has been a difficult year, but, as the saying goes, crisis creates opportunity. I am proud to say this Office has seized the opportunity to rebuild on a stronger foundation, and is confidently moving forward with renewed energy to meet the many privacy challenges ahead.

---

Overview

By most measures, the past year was a challenging year for privacy. As threats to privacy proliferated, the fight to protect the privacy rights of Canadians and to protect personal information was at times an uphill battle. The outlook however is not entirely bleak.

Surreptitious surveillance technologies

Every day, we read media stories about new technologies, or new uses of existing technology, that threaten our privacy. Global positioning systems that track the location and movements of vehicles by satellite are being installed in rental cars and in employees' vehicles. Cell phone cameras that can surreptitiously capture and transmit images of people are being used to violate the privacy of individuals. An increasing number of municipalities are considering installing video surveillance cameras in their downtown areas.

During the past year, we have become familiar with the term "radio frequency identification chips" or "RFIDs". These miniature computer circuits outfitted with tiny antennae that vibrate their presence and a unique ID code are getting a lot of attention right now, but they are not new. RFIDs are already being used in a number of ways. For example, the key chains issued by gasoline retailers that allow customers to pay for their purchases at the pump contain RFIDs. Now, retailers and governments are proposing to insert these tiny chips in everything from travel documents to paper currency and even items of clothing. Since RFIDs can be read at a distance, this raises a number of privacy concerns.

A retailer may be able to identify you when you walk into the store wearing an RFID-chipped garment. A government may one day be able to monitor the movements of visitors after they enter the country.

Spyware, a new surveillance technology, has replaced "cookies" as the latest Internet privacy villain. Spyware is software that surreptitiously installs itself on your computer and then secretly forwards information about your online activities without your permission or even knowledge. Because spyware can arrive as part of an unsolicited e-mail, you may not know how the programs arrived onto your machine or how to remove them.

Protecting your privacy rights

While these technologies have received a great deal of attention over the past year, the privacy threats they pose can, for the most part, be addressed by applying fair information principles. These principles can be found in Personal Information Protection and Electronic Documents Act (PIPEDA) which guides how your personal information can be collected, used and disclosed.

Although there are various ways of expressing these fair information principles, they can be distilled to a few key points:

• Personal information should only be collected, used or disclosed with the individual's knowledge and consent;
• Organizations should only collect as much information as they need;
• Organizations should explain why they are collecting the information and the information should only be used for those purposes;
• Individuals should be able to correct or amend information about themselves; and
• Organizations should have policies and practices governing the collection, use and disclosure of personal information, including destruction policies and procedures to safeguard the information.

While there is no doubt these surveillance technologies have a great potential to invade our privacy and compromise our personal information, there are ways to mitigate their impact. A coalition of consumer privacy and civil liberties organizations has released a position paper on the responsible use of RFIDs; our Office is preparing guidelines on the use of video surveillance by law enforcement agencies; individuals can become more familiar with spyware to protect themselves.

Enhancing security: at what cost?

Ultimately, the enhanced security actions of governments worldwide can pose a more fundamental and troubling challenge to our fundamental rights, including our right to privacy. Recent attempts to make us safer and more secure, both from international terrorism and more traditional public safety threats, raise serious privacy concerns.

Governments throughout the world, including the Government of Canada, continue to introduce measures to increase security based on the premise that if law enforcement and national security agencies have access to enough personal information about all of us we will have a safer, more secure society. In December 2003, the Government of Canada created the Canada Border Services Agency (CBSA), bringing together the border security and intelligence functions of the Canada Customs and Revenue Agency, Citizenship and Immigration Canada and the Canadian Food Inspection Agency. CBSA, in turn, is part of the new Department of Public Safety and Emergency Preparedness, along with the Canadian Security Intelligence Service (CSIS) and the Royal Canadian Mounted Police (RCMP).

In April 2004, the Government of Canada issued its first ever National Security Policy. Among other things, it proposed to create an "Integrated Threat Assessment Centre" to facilitate the collection and analysis of intelligence and other information. According to the policy document, this "will help to reduce the risk that information held by one part of Government will fail to be provided in a timely fashion to those who can utilize it."

The Government of Canada has announced that it will start issuing passports with facial recognition biometric technology in 2005. Although it was never an official government proposal, at least one Cabinet Minister has advocated the introduction of a national identification card.

Redefining borders

A border has become more than simply a river or a line on a map and a series of physical checkpoints. Borders are becoming virtual, posing privacy concerns. As the creation of the CBSA suggests, much of the Government of Canada's national security agenda is focussed on the border. The result is a new concept of what constitutes a border. In December 2001, Canada and the United States signed the "Smart Borders" Declaration. The National Security Policy talks about "building a 21^st century border" and "developing a next generation smart borders agenda with the United States and Mexico."

Decisions about who can enter our country or who might pose a threat to security are increasingly being made long before the individuals arrive in Canada. In many cities, travellers flying to the United States can clear United States Customs at a Canadian airport. In the case of cyber-threats, the traditional notion of a border is irrelevant — cyber-attacks can originate from anywhere in the world. Recognizing this, Canada's new national security policy notes that "The Government will also convene a high-level national task force, with public and private representation, to develop the National Cyber-security Strategy to reduce Canada's vulnerability to cyber-attacks and cyber-accidents."

National borders are becoming less important. The border security policy of the United States is based on the creation of a buffer zone or a "cordon sanitaire" around North America — increasingly, Canadian policies are following suit. Our border security is becoming integrated with U.S. border security. Canada and the United States have created several integrated border enforcement teams. We share watch lists and the Government of Canada has been under pressure to share information with the U.S. government about all people travelling to Canada from abroad.

Smart borders or virtual borders require the collection of personal information — large amounts of personal information. This information is used to verify identity and to determine who should be allowed to enter the country without scrutiny, who needs to be watched and who should be refused entry. This is most evident from looking at various initiatives that have been implemented or proposed in the United States — the Total Information Awareness initiative (renamed Terrorism Information Awareness), the Computer Assisted Passenger Prescreening System (CAPPS II) which has since been abandoned due to privacy concerns, and the US-VISIT program. The Terrorism Information Awareness system is designed to integrate commercial and government databases — allowing access to credit card purchases, travel reservations, telephone records, e-mail records, medical histories, financial information — even public library use.

This emphasis on the collection of large amounts of personal information is also being seen in Canadian initiatives. CBSA is now collecting personal information about all airline passengers arriving in Canada — the Advanced Passenger Information/Passenger Name Record (API/PNR) initiative discussed in previous Annual Reports. Personal information is used in the NEXUS and FAST border-crossing programs to allow pre-approved low-risk travellers and commercial shipments to move back and forth between Canada and the United States.

More information = more security?

Much of the anti-terrorism legislation passed in Canada and abroad is based on the premise that the more information governments have about everyone, regardless of whether they have done anything to incur suspicion, the safer we will be.

We are told that collecting and using this information to identify threats is the price we have to pay to avoid racial and ethnic profiling and a reliance on stereotypes. Risk assessment tools, we are assured, do not recognize colour or religion, they simply analyze information.

As law enforcement and national security organizations collect more information, from more sources, about more individuals, and use that information to identify possible threats, there is an increasing possibility that people will be subjected to unnecessary scrutiny, that people will be wrongly singled out, and that people will be treated unfairly. Mistakes have occurred and will continue to occur. And because of a lack of transparency, we may never know why these individuals were wrongly targeted or where the system broke down.

The Office of the Privacy Commissioner does not think that we should have to choose between two bad options. There has to be a middle ground between racial profiling and collecting more information on everyone and subjecting everyone to increased scrutiny. Our Office is not convinced that reducing the freedoms of all individuals in society will prevent further threats to public safety by terrorists.

Our Office is not opposed to improving security. The question is how to do it in a way that does not destroy the fundamental values of our society. We are not opposed to the sharing of information among agencies, provided there are procedures and policies in place to protect this information, to ensure it is only used or disclosed for specific stated purposes which are reasonable, retained no longer than necessary.

Part of the answer to increasing security may lie in using the information we already have more effectively rather than collecting more information. This message came through very clearly in the Auditor General's March 2004 Report. That Report cites several situations in which Canadian agencies and departments failed to share or use existing information that would have enhanced security. The Report notes, for example, that although more than 25,000 Canadian passports are lost or stolen every year, officials at our borders are not equipped with lists of these lost and stolen documents.

Another troubling feature of the national security measures that are being introduced is the involvement of the private sector. Traditionally, national security has been carried out by government agencies relying primarily on intelligence information collected by these agencies. Increasingly, national security agencies are using personal information collected from individuals by the private sector for purposes unrelated to national security. This data is added to existing intelligence information and private sector expertise is being relied upon to develop the necessary analytical tools.

This raises a number of troubling questions. One set of concerns has surfaced in British Columbia as a result of the proposal that a Canadian subsidiary of an American company take over administration of the province's Medical Services Plan and PharmaCare programs. Critics of this proposal worry that this could potentially allow American agencies such as the Federal Bureau of Investigation to obtain personal information about Canadians from U.S. companies under the USA PATRIOT Act. David Loukidelis, the British Columbia Information and Privacy Commissioner, has launched a public consultation process to examine the issue. Our Office submitted a position paper on the USA PATRIOT Act in the context of these public consultations.

Various anti-terrorism measures in the United States involve using private sector databases to confirm identity or to detect patterns of behaviour that might indicate someone poses a threat. Many of these initiatives, such as the Terrorism Information Awareness program, involve "data mining" — the use of database technology and sophisticated algorithms to sift through masses of information in an attempt to find hidden patterns and connections.

The Public Safety Act

This blurring of the line between government and the private sector can also be seen in Canada, most notably in the recently passed Bill C-7, the Public Safety Act.

Bill C-7 was a highly controversial piece of legislation that took two and a half years and four attempts to pass.

In March 2004, the current Commissioner appeared before the Senate Standing Committee on Transportation and Communications to comment on Bill C-7. Our comments focussed on two aspects of the bill: the amendments to the Aeronautics Act authorizing the Commissioner of the RCMP and the Director of CSIS to require air carriers and operators of aviation reservation systems to provide them with information about passengers; and a provision amending The Personal Information Protection and Electronic Documents Act (PIPEDA) to allow organizations to collect personal information, without consent, for the purposes of disclosing this information to government, law enforcement and national security agencies.

The RCMP and CSIS will use this passenger information to identify individuals who might pose a threat in terms of transportation safety and national security — purposes directly related to the legislation. However, the information can also be used for the enforcement of arrest warrants for offences punishable by five years or more of imprisonment — a purpose that has no direct connection to the legislation.

The amendment to PIPEDA is even more troubling because its implications are potentially far greater. Allowing private sector organizations to collect personal information without consent for the sole purpose of disclosing this information to government, law enforcement and national security agencies effectively permits these organizations to act as agents of the state. It is one thing to allow an organization to disclose information already in its possession to government agencies without consent; it is quite another to allow — indeed to encourage — a private sector organization to collect this information without consent and then disclose it without consent. The amendment applies to any organization subject to PIPEDA, not just air carriers, it does not limit the amount of information that can be collected without consent, and it does not place any limits on the sources of information.

These provisions dangerously blur the line between the private sector and government by enlisting businesses, not only in the fight against terrorism, but in conventional law enforcement.

Despite our opposition, the opposition of several of our provincial and territorial colleagues and the opposition of a large number of other organizations, the Senate passed C-7 and the Public Safety Act received Royal Assent in May 2004.

"For every action... "

But for all the challenges this year, we also had reason for cautious optimism. If the threats to our privacy are increasing so too is the interest in defending our privacy.

If we are hearing more about RFIDs, cell phone cameras, event data recorders in cars and video surveillance cameras, it is because the office of the Privacy Commissioner, civil liberties groups, privacy advocates and others charged with protecting privacy are voicing these concerns. And the media are writing about these technologies because they know that the public is interested in privacy.

Opposition from U.S. privacy advocates, the media and politicians from both parties has forced the American government to abandon, scale back or delay a number of anti-terrorism measures. Operation TIPS, a program intended to enlist workers such as cable installers and parcel delivery employees to report suspicious activity was abandoned. The Total Information Awareness Project, which would have allowed the government to utilize "data-mining" to aggregate and analyze public and private commercial database information to track potential terrorists and criminals, never got off the ground. The Computer Assisted Passenger Prescreening System (CAPPS II) program that was supposed to identify foreign terrorists or persons with terrorist connections was abandoned due to privacy concerns.

In Canada, vocal public opposition to a national identification card has, at least for the moment, pushed this proposal onto the back burner. The Office of the Privacy Commissioner of Canada raised serious objections to this idea and we remain opposed.

In September 2003, Robert Marleau, the Interim Privacy Commissioner, appeared before the Standing Committee on Citizenship and Immigration to discuss our Office's opposition to a national identification card. Denis Coderre, the then Minister of Citizenship and Immigration, argued that a national identification card would provide a more secure and reliable proof of identity, help combat identity theft, make it easier for Canadians to travel abroad, and prevent racial profiling at the border.

The Interim Commissioner urged the Committee to reject the proposal on the grounds that:

"The privacy risks associated with a national identification card are substantial. The challenges of putting in place a national identification system that is workable, affordable, and respectful of the privacy rights of Canadians are enormous. A strong case for the benefits has not been made; to the extent that benefits would exist, they would be marginal at best."

More than 60 witnesses appeared before the Committee. Almost all opposed the introduction of a national identity card. Privacy and human rights groups, consumer lobby groups, religious and ethnic organizations, and major newspapers across the country have also opposed the concept.

We have also seen progress in terms of legislated efforts to protect privacy. We now have an official in every province and territory with a mandate to protect personal information contained in government records. Three provinces — Alberta, Saskatchewan and Manitoba — have laws specifically dealing with the protection of personal health information. Ontario has just passed similar legislation that is scheduled to come into force later in 2004. Quebec, Alberta and British Columbia now have laws in force governing the collection, use and disclosure of personal information in the private sector.

Ultimately the decisions we make now about privacy and whether or not we truly value it will shape the kind of society our children will inherit in the future. As an agency charged with protecting privacy, we must confront those who would trade away individual rights, for the promise of national security or privacy invasive technologies. We must ensure that the high value Canadians place on their privacy rights, is not lost or submerged in the chorus of voices calling for more security, and more information about all of us and work together in the future to meet the challenges that are surely coming our way.

---

Policy Perspective

One of the key roles of the Office of the Privacy Commissioner is to identify and analyze emerging privacy issues, and develop policies and positions that address them to advance the protection of privacy rights. Our research and analysis of important issues stimulates and informs public debate, engages Canadians and raises awareness. This enables our Office to serve as Parliament's window on privacy issues and to provide timely and knowledgeable advice on the impacts of legislative and regulatory initiatives, and to apprise the public of risks to privacy and ways to respond to them.

Our Office has undertaken a concerted effort to strengthen our relations with Parliament and to better serve its needs. To this end, we have created a new Parliamentary Liaison function specifically dedicated to briefing Members of Parliament and Senators on specific privacy issues, monitoring legislative and regulatory initiatives, and arranging for the Commissioner and senior staff to provide informed advice to Parliamentarians on the privacy implications of emerging law and policy.

In the 2003-2004 reporting period, the Office effectively advocated for the protection of privacy rights on a range of social, technological, and political issues including:

• Identity cards
• Surveillance technologies and video surveillance
• Governmental access to commercial holdings of personal information
• The privacy of personal health information
• Regulating privacy in a federal system

Identity cards

Identity cards have been a long-standing concern for our Office and for privacy and data protection commissioners worldwide. An identity card, and the identity system in which it is embedded, is not simply a convenient tool to confirm the identity of an individual. It is also an information management tool to access, combine, and manipulate personal information. A single card, used as an identifier in a wide variety of transactions with government and the private sector, can be a powerful means of amassing and mining information about an individual, and ultimately tracking and monitoring the individual. It is this power that makes identity cards a threat to privacy.

OPC Position The Office raised serious objections when the Minister of Citizenship and Immigration proposed a debate on the subject of a national identity card in the fall of 2003. Our efforts resulted in positive coverage and a number of editorials and columns in major newspapers rallying behind our views on the issues, including an editorial by the Globe and Mail on September 22, 2003, commending Interim Privacy Commissioner Robert Marleau's "cogent, thoughtful analysis," of the issue presented to the House Standing Committee on Citizenship and Immigration. Our presentation raised a number of questions, including the considerable risks and costs of setting up a national identification system, and the significant challenge of making it practical, affordable, and respectful of privacy. The advantages of such a system were, in his view, marginal, and overwhelmed by the cost to privacy. The Office continues to hold this view, and while the proposal for a national identity card appears for the time being to be on the back burner, we remain vigilant.

Surveillance technologies

Technology can threaten privacy and is a growing preoccupation of privacy advocates and privacy commissioners. This is particularly true when increasingly powerful technologies for observing and recording information about people's location, movements, behaviour, and actions are combined with increasingly powerful computers for storing, sorting, mining, and analyzing this information. Think, for instance, of the information that could be collected about you if you drove to a store in your Global Positioning System (GPS) equipped car, used your credit card to pay for a buggy-full of goods individually identifiable by their radio frequency identification tags ("RFIDs"), in a store using video cameras equipped with facial recognition technology. Now imagine all that information about you linked together by a computer, linked with all the other data from your credit card, black box, GPS, RFIDs, and exposure to video cameras, and analyzed for patterns. The example is hypothetical, but it is by no means inconceivable.

OPC Position This challenge has led the Office to focus on strengthening its capacities for understanding and dealing with new technologies. The Office has also launched a Privacy Lecture series which has brought a number of distinguished guests to speak to staff and interested members of the community on issues of technological change and policy responses. The Office also recently launched a Contributions Program to encourage research projects that focus on the intersection of privacy and technology. We recognize, however, that the problem is not technology itself, but the failure to control its uses properly. Our basic position with respect to these technologies is that at a minimum their use must be governed by the principles of fair information practices. This approach applies to technologies as varied as smart cards, event data recorders ("black boxes") and RFIDs. People should be told what information is being collected about them, by whom, for what purposes; they should be told what is being done with it and who it is being disclosed to; they should be able to control the collection, use and disclosure of the information through the power of granting or withholding consent; the information should be securely held and treated as confidential; people should have a right of access to their information, and a right to correct it where necessary. When technologies are used for surveillance, they are subject to an even higher standard. Their deployment and use should be limited to special circumstances where they are justified as a proportionate response to a pressing and substantial problem. Claims that they are justified should be subject to close scrutiny and stringent tests.

Video surveillance

Video surveillance is perhaps the best-known and most obvious example of surveillance technologies. Some people have difficulty articulating or even understanding how they might have a sense of "privacy" in the middle of a public park or walking on a city street, surrounded by other people, and fully visible and audible to them. Yet few people have difficulty understanding that there is something wrong with cameras watching them, perhaps recording their actions, perhaps focusing on them in minute detail, whenever and wherever they go in public. We have not reached that point in Canada — not like the U.K., with its estimated 4 million cameras, one for every 14 residents. But in the course of a typical day, we are repeatedly caught on camera in banks, shopping malls, parking garages, staircases, convenience stores, and, increasingly, in public places such as parks or city streets.

OPC Position Our Office and most privacy commissioners and privacy advocates are in agreement that video surveillance presents a grave challenge to privacy. It subjects everyone to the scrutiny of police or other authorities, regardless of whether they have done anything to arouse suspicion. At the very least it circumscribes, if it does not eradicate outright, the "shell" of privacy and anonymity that we are entitled to as we go about our law-abiding business. There are good reasons to suspect that video surveillance has a chilling effect on behaviour. In 2001, the Office investigated a complaint regarding the RCMP's video surveillance of a public park in Kelowna. The conclusion of the investigation was that this surveillance was not justified. This led to protracted discussions with the RCMP, which insisted on continuing the system, although it did agree to stop recording and use the system simply for monitoring. An attempt to have the question addressed in court became mired in procedural issues, and in July 2003 the Office took the decision to withdraw the case. Meanwhile, municipal police forces in a significant number of major Canadian cities indicated an interest in installing public video surveillance systems, and in some cases moved forward with them. Shortly after taking office, the current Commissioner decided on an enhanced approach to this issue, and developed guidelines for the use of video surveillance by public authorities. These guidelines set out principles for evaluating the necessity of resorting to video surveillance and for ensuring that, if it is conducted, it is done so in a way that minimizes the impact on privacy. So, for example, video surveillance should only be a response to a real and pressing problem, where less-privacy invasive methods will not suffice; video surveillance systems should be designed to have the least possible impact on privacy, running for limited periods and avoiding capturing images of areas such as office or apartment interiors where people have an even greater expectation of privacy.

Government access to commercial holdings of personal information

Another matter of concern to our Office, privacy advocates and commissioners is access by law enforcement and national security agencies to personal information collected by private sector organizations. Many people object to the private sector collecting information about them specifically because they worry about it finding its way into governmental hands.

There can be times when this collection is legitimate, but without controls and oversight, it can tip over into what is in effect deputizing private sector organizations as law enforcement agents, and commandeering personal information that they have collected from individuals for entirely different reasons, in violation of the most basic fair information practices.

OPC Position The Office's concern about this came to a head in 2003 over the issue of the requirements for airlines to disclose personal information about passengers — including their itinerary, companions, method of payment for tickets, contact addresses and telephone numbers, and even dietary and health-related requirements — to what was then the Canada Customs and Revenue Agency, so that customs and immigration agents could assess security risks that they might present. While that specific issue was partially resolved with a compromise agreed to between our Office and the CCRA, the larger issue of access by security agencies to the personal information of passengers is still present. The Public Safety Act, 2002 which received Royal Assent on May 6, 2004, (shortly after the end of our reporting period) allows the RCMP and CSIS to use passenger information provided by air carriers and operators of aviation reservation systems to identify not just individuals who might pose a threat to transportation safety and national security, but any individual named in an arrest warrant for an offence punishable by five years or more of imprisonment. Moreover, the Act amends PIPEDA to allow private sector organizations to collect personal information, without consent, for the purposes of disclosing this information to government, law enforcement and national security agencies — effectively permitting these organizations to act as agents of the state, and not only in the fight against terrorism, but in conventional law enforcement. It was for this reason that the current Commissioner appeared in March 2004 before the Senate Committee charged with examining the proposed law, and raised her concerns. Although Parliament chose to pass the law in spite of opposition from our Office and other privacy advocates, it has not lessened our concern about the issue.

The privacy of personal health information

The application of PIPEDA to personal health information is something that was troubling to many in the health care sector even before PIPEDA was passed, and it was partly in the interest of resolving uncertainties around the issue that Parliament chose to exempt personal health information from the coverage of the Act for the first year after it was passed.

By 2003, various health care sector groups, along with provincial and territorial ministries of health, were looking with increasing apprehension at the looming January 2004 expansion of PIPEDA's scope to all commercial activity. They expressed renewed concern about the impact of the Act on the health care sector, and some parties formally asked for an amendment to the Act to either "carve out" health information from it or delay the scheduled next phase of its implementation.

Physician's offices, and the offices of other health care providers such as dentists and chiropractors, are engaged in commercial activity. Thus, the personal information that they collect, use and disclose is subject to PIPEDA. The Act does not extend to the core activities of hospitals — that is, patient care. This is clearly something within the jurisdiction of the provinces (although PIPEDA would apply to clearly commercial peripheral activities, such as a parking lot operated by the hospital if it collected personal information).

OPC Position The Office's position is that PIPEDA is a quite workable instrument to protect personal health information, without imposing an unreasonable burden on health care providers. Overall, the traditional doctor-patient relationship will not have to change significantly. While patient consent to the collection, use, and disclosure of their personal information has to be based on knowledge, this does not mean that doctors must hold conversations with every patient. Patient understanding can be achieved through notices, posters, brochures, and information on the forms people typically fill out when providing a medical history. Moreover, there are many uses or disclosures that a patient would reasonably expect for care and treatment — for example, disclosures from a general practitioner to a specialist or laboratory, or between a physician and a pharmacist in discussing a prescription. For these reasonably expected uses and disclosures of a patient's personal information, health care providers can rely on implied consent, as long as it is based on a general understanding of how personal information will be used and disclosed. More explicit consent would be necessary for uses or disclosures that a patient would not reasonably expect. The disclosure of information for research purposes is one such example. In order to address concerns, and to promote this common-sense view of the way PIPEDA will work, our Office has joined Health Canada, Industry Canada, and the Department of Justice Canada in an interdepartmental working group to develop communications tools and guidance, respond to questions, and to meet with health care associations to address their concerns and explain our position. We have noted that not all of the health care sector foresees significant problems complying with PIPEDA. For example, the Royal College of Dental Surgeons of Ontario has developed an excellent compliance package that it has distributed to every dentist's office in Ontario.

Regulating privacy in a Federal system

In a modern economy, where personal information flows back and forth across territorial boundaries — where, for example, information about customers in Madrid of a company based in Montreal can be processed in Berlin and stored in Vancouver — privacy protection has to be seamless and harmonized. Individuals need protection of their personal data, and rights with respect to it, regardless of what jurisdiction it travels to.

That is a complicated task internationally, one that requires constant negotiation and adjustment. But even when the personal information never leaves the country it is a challenge in a federal system like Canada's, with its varying jurisdictional responsibilities. The year in review marked a number of important developments in the movement towards full, harmonized privacy protection in Canada.

In October, 2003, the B.C. government passed its Personal Information Protection Act to apply to private sector commercial activity. Alberta followed in December, 2003, with an identically-named and very similar statute. On January 1, 2004, PIPEDA came fully into effect, extending to cover commercial activities throughout Canada except where substantially similar provincial legislation applies. Quebec's An Act Respecting the Protection of Personal Information in the Private Sector had already been declared substantially similar by the Governor in Council in November 2003; as we go to print, similar declarations are expected with respect to the B.C. and Alberta laws.

OPC Position The "substantially similar" provision in PIPEDA ensures consistent levels of privacy protection in all sectors of the economy throughout the country, but it does not make problems magically vanish. Harmonized privacy protection has its own special challenges. Conscious of this, federal and provincial privacy commissioners and staff have worked together to help businesses understand which law applies to them, and helped individuals understand their rights, and how to seek redress under the appropriate law. The Offices of the B.C. and Alberta Information and Privacy Commissioners have jointly released a guide (available on their websites, and linked to from ours) to help businesses and individuals sort through what can be an initially confusing picture. This complements the work done by our Office in making available various materials, such as a video streaming speech by the Commissioner, and an E-kit for businesses, that help to ease the implementation of PIPEDA.

In an increasingly connected and technologically sophisticated world, potential new threats to the privacy of our personal information seem to arise daily — if not by the minute. As we look ahead, our Office is dedicated to fostering a clear understanding of emerging privacy issues for Parliamentarians, the public and lawmakers, and to continue providing a cogent analysis of national and international privacy risks and challenges as they evolve.

---

Substantially Similar Provincial Legislation

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), the Governor in Council can issue an Order exempting an organization, a class of organizations, an activity or a class of activities from the application of PIPEDA with respect to the collection, use or disclosure of personal information that occurs within a province that has passed legislation that is substantially similar to PIPEDA.

The intent of this provision is to allow provinces and territories to regulate the personal information management practices of organizations operating within their borders, provided that they have passed a law that is substantially similar to PIPEDA.

If an Order is issued, PIPEDA will not apply to the collection, use or disclosure of personal information by organizations subject to the provincial act. Personal information that flows across provincial or national borders will continue to be subject to PIPEDA and the Act will continue to apply within a province to the activities of federal works, undertakings and businesses that are under federal jurisdiction such as banks, airlines, and broadcasting and telecommunications companies.

Process for assessing provincial and territorial legislation

On September 22, 2001, Industry Canada published a notice setting out the process that the department will follow for determining whether provincial/territorial legislation will be deemed substantially similar.

The process will be triggered by a province, territory or organization advising the Minister of Industry of legislation that they believe is substantially similar to PIPEDA. The Minister may also act on his or her own initiative and recommend to the Governor in Council that provincial or territorial legislation be designated as substantially similar.

The Minister has stated that he will seek the Privacy Commissioner's views on whether or not legislation is substantially similar and include the Commissioner's views in the submission to the Governor in Council. The process also provides for an opportunity for the public and interested parties to comment on the legislation in question.

According to the Canada Gazette notice, the Minister will expect substantially similar provincial or territorial legislation to:

• incorporate the ten principles in Schedule 1 of the PIPEDA;
• provide for an independent and effective oversight and redress mechanism with powers to investigate; and
• restrict the collection, use and disclosure of personal information to purposes that are appropriate or legitimate.

Provincial and territorial legislation passed to date

The Office of the Privacy Commissioner is required by subsection 25(1) of PIPEDA to report annually to the Parliament of Canada on the "extent to which the provinces have enacted legislation that is substantially similar" to the Act.

Quebec's An Act Respecting the Protection of Personal Information in the Private Sector came into effect, with a few exceptions, on January 1, 1994. The legislation sets out detailed provisions that enlarge upon and give effect to the information privacy rights in Articles 35 to 41 of the Civil Code of Quebec. In November 2003, the Governor in Council issued an Order in Council (P.C. 2003-1842, 19 November 2003) exempting organizations in that province, other than federal works, undertaking or businesses, from the application of PIPEDA.

In the spring of 2003, the provinces of British Columbia and Alberta introduced similar legislation, Bills 38 and Bill 44 respectively. The two Bills were passed by their respective legislatures and they both came into force on January 1, 2004.

The two laws — both called the Personal Information Protection Act — are similar to PIPEDA, but they are not identical. The application of the two provincial Acts is broader. Unlike PIPEDA, they apply to all organizations, with a few exceptions, not just those that are engaged in commercial activities. They also differ from PIPEDA in that they contain different rules for employee personal information than for other personal information. As well, the Acts give the two provincial commissioners authority to issue orders, for example, to require an organization to give an individual access to his or her personal information or to require an organization to cease collecting, using or disclosing certain personal information. By comparison, the Privacy Commissioner of Canada does not have order-making powers.

Using the criteria set out in the notice — the presence of the ten principles found in Schedule 1 of PIPEDA, independent oversight and redress and a provision restricting collection, use and disclosure to legitimate purposes (a reasonable person test) — we have concluded that, on balance, the British Columbia and Alberta Acts are substantially similar to PIPEDA.

The other legislative initiative of note was the introduction and passage of Ontario's Bill 31, the Health Information Protection Act. The Act received Royal Assent on May 20, 2004 and is scheduled to come into force on November 1, 2004. We are still reviewing the Act and we are not yet in a position to comment on whether or not we consider it to be substantially similar to PIPEDA.

---

[Part One] [Part Two] [Part Three]