Proposed Immediate Changes to the Privacy Act

PDF Version

Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Privacy Act Reform

April 29, 2008
Ottawa, Ontario

Statement by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)

---

Introduction

Thank you, Mr. Chairman and members of the Committee, for inviting me to address you once again on the issue of Privacy Act reform.  I’m joined by Raymond D’Aoust, Assistant Commissioner for the Privacy Act, and Patricia Kosseim, our General Counsel. 

In 2006, as you may recall, my Office tabled with the Committee a comprehensive document entitled Government Accountability for Personal Information: Reforming the Privacy Act. More recently, for the purposes of our April 17 appearance, we prepared an Addendum to that document, discussing how events of the past two years illustrate the ongoing need for reform of the Act. At that time, I provided you with a list of ten recommended changes to the Privacy Act. These changes were outlined in my opening statement to the Committee.

Further to a request from the Committee, my Office has now prepared a third document, which provides greater detail on the rationale supporting our ten “quick fix” recommendations.

I would like to make it clear that the changes we are currently proposing are not meant to be the definitive statement on Privacy Act reform.  This is most emphatically not the case – the Privacy Act is in desperate need of a full Parliamentary review and complete overhaul.

I realize, however, that a full Parliamentary review of the Act may not happen for some time.  While we wait for a comprehensive modernization initiative, there are some relatively simple changes we could make which would be of significant benefit to Canadians.

Some of the changes we are suggesting would simply incorporate into law existing Treasury Board Secretariat policies and practices.   Other recommendations correspond to privacy requirements found in PIPEDA – Canada’s private sector privacy law.

“Quick Fix” Recommendations

I’d like to provide a quick overview of the ten recommendations:

1. Parliament should create a requirement in the Privacy Act for government departments to demonstrate the need for collecting personal information.  This “necessity test” is already included in Treasury Board policies as well as PIPEDA. It is an internationally recognized privacy principle found in modern privacy legislation around the world.
2. The role of the Federal Court should be broadened to allow it to review all grounds under the Privacy Act, not just denial of access.
3. Parliament should enshrine into law the obligation of Deputy Heads to carry out a Privacy Impact Assessment – or PIA – before a new program or policy is implemented. 
4. The Privacy Act should be amended to provide my Office with a clear public education mandate.  PIPEDA contains such a mandate and it is only logical that the Privacy Act contain a similar mandate for the public sector.
5. The Act should be further amended to provide my Office with increased flexibility to publicly report on the privacy management practices of the federal government.  As it now stands, we are limited to reporting to Parliament and Canadians through annual or special reports.
6. My Office should have greater discretion to refuse or discontinue complaints if an investigation would serve no useful purpose or is not in the public interest.  This would allow us to focus investigative resources on privacy complaints which are of broad systemic interest and affect the interests of a significant number of Canadians.
7. The Act should be aligned with PIPEDA by eliminating the restriction that the Privacy Act applies only to “recorded” information.  At the moment, for example, personal information contained in DNA and other biological samples is not explicitly covered.
8. Annual reporting requirements of government departments and agencies under section 72 of the Act could be strengthened by requiring these institutions to report to Parliament on a wider spectrum of privacy-related activities.
9. The Act should include a provision requiring an ongoing five-year Parliamentary review of the Privacy Act, as is the case with PIPEDA.
10. The Act should be strengthened with respect to the provisions governing the disclosure of personal information by the Canadian government to foreign states. Treasury Board Secretariat (TBS) has taken some important steps by providing guidance on information sharing agreements and outsourcing of personal data processing.  However, we need privacy protections related to cross-border information sharing enshrined into law.

Privacy Education in the Public Service

Our Office also believes more needs to be done to ensure that program managers in the public services are aware of their responsibilities under the Privacy Act and related TBS guidelines.

I urge the Government to carry out a comprehensive assessment of the privacy training provided to public servants. It is critical that privacy issues are thoroughly addressed in leadership, professional development and management courses aimed at all levels of the public service.

Conclusion

In closing I would like to re-emphasize that although we are proposing ten “quick fix” changes, the Privacy Act is still very much in need of a major review and overhaul. There are many other problems with the Act that require attention, including the need for proper security safeguards for personal information and mandatory breach notification. This said, however, making the adjustments to the Act that we are suggesting would certainly help to enhance the level of personal information protection in the federal public sector.

Thank you for inviting me to share some further thoughts on this important subject.  We would be pleased to answer any questions.