Appearances before Parliamentary Committees

ARCHIVED - Appearance before the Standing Committee on Public Safety and National Security on national security oversight

May 7, 2009
Ottawa, Ontario

Statement by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Honourable Members, Ladies and Gentlemen, thank you for inviting me and my colleagues here this morning. As an agent of Parliament, I have served as the Privacy Commissioner of Canada since 2003. Under the Privacy Act, my organization has authority to take complaints, investigate and audit the personal information handling practices of more than 250 federal departments and agencies.

Accompanying me today are Chantal Bernier, Assistant Commissioner for the Privacy Act and former Assistant Deputy Minister at Public Safety Canada. I also have beside me Carman Baggaley, our Senior Privacy Advisor. He appeared with me before the Inquiries of Justices O’Connor and Major.

My Office provided you with two documents last week. The first piece is an overview of the national security and surveillance laws passed in several countries since 2001. The social and political terrain shifted dramatically after 9-11. Certainly the context for the protection of privacy and its importance has changed as well.

Privacy laws apply to national security agencies

In the cases you are reviewing, this is all too clear. The men who became the subjects of the Inquiries you are studying all suffered terribly. But before all the other harms they endured, the first violation was to their privacy. To begin with, inaccurate, misleading intelligence about them was compiled. Their personal information was then shared inappropriately. Finally, this information was used to justify their detention, deportation and subsequent torture.

Privacy rights under Canadian law are not simply about who is allowed to collect information. Privacy laws also set out who is accountable for protecting that information, ensuring it is accurate and limiting its disclosure to third parties. The findings of the O’Connor and Iacobucci reports call into question the practices of Canadian security agencies in all these areas. Both reports underscore how critical it is for officials in these departments to properly manage the collection, validation, sharing and careful review of the exchange of personal information.

Commissioner Iacobucci concluded inaccurate information was collected on the individuals in question, that inaccurate information was shared with other states and that safeguards for these files were not properly observed. Misleading, inaccurate or out-of-date information was kept on file, shared too broadly, with few or no caveats on the use of that intelligence. Privacy practices in government must be better defined and sensitive information protected. This has never been more urgent, than in light of the national security challenges we face. To address this question, the second piece we provided presents our views on how oversight, privacy practices and data protection in government could be improved.

While I have several suggestions for your consideration, if I can leave you with one overarching message, it would be this - in an era of networked intelligence and surveillance, Canada needs a networked approach to oversight and review. Proper oversight and accountability for national security provide a vital check for Canadians’ privacy rights.

Integrating privacy into national security programs

Rights and security are often pitted one against the other. Margaret Bloodworth, Canada’s former National Security Advisor noted this tension just prior to her retirement. She said that safeguarding the privacy rights of citizens, while also ensuring their physical security, is not simply A question for the Canadian intelligence community. It is THE question, the single greatest issue they must confront. I would also add that security and privacy are not mutually exclusive. We need not – nor should we – trade one for the other.

As you have heard from other expert witnesses, a fundamental question for national security in the 21st century is data governance. In a fully wired, networked world, how does any organization exercise quality control and oversight? Given the complexity of inter-agency, inter-jurisdictional, international, inter-sector intelligence operations - who can exercise that level of global review?

A recent report from the Office of the Auditor General on intelligence and information sharing stressed this point, that review bodies must ‘look beyond individual agencies to reflect the integrated nature of national security activities.’ These are the main points I hoped to raise in our submission.

Recommendations

  1. Adopt an integrated approach to security review that allows for more coordination and cooperation on investigations and reports across the system. That is the networked approach to review recommended by Justice O’Connor. In my experience, this has worked to great effect at my own organization. Joint investigations with provincial offices and collaborative reporting with the Office of the Auditor General, for example, have worked to great effect. All the review community could benefit from similar powers;
  2. Address privacy practices within security agencies. The approach of departments and agencies to information sharing and data management has to change. Without proper attention to internal controls, new layers of oversight will not address frontline problems. Enhanced training around the theory and practice of privacy, fair information practices and data protection could effect great change here;
  3. Appoint Chief Privacy Officers across government – but in particular for departments and agencies where collection of sensitive personal information is widely required by their mandate;
  4. Provide the Commission for Public Complaints against the RCMP with the resources and legal authorities required to exercise more meaningful review – again as recommended by Justice O’Connor and the Chairman of the CPC before this committee earlier in your review;
  5. Request that Treasury Board and Ministers issue new policy requirements for departments and agencies on privacy. Robust Information Sharing Agreements, thorough Privacy Impact Assessments and well-developed privacy direction and guidance must become part of how these organizations operate;
  6. Reform the Privacy Act. In light of all that we have learned, I believe government departments must be held to a higher standard of privacy protection, information handling and data protection. I have recently put forth ten ‘quick fixes’ for government’s consideration which could tighten controls on international information sharing, require departments to test the necessity of the information they collect and allow the Federal Court a wider role in reviewing violations of the Act. Finally,
  7. Urge Parliament to increase the resources and involvement of this House Committee and its counterpart in the Senate. These bodies can provide active oversight of national security agencies and their operations. By pooling expertise, coordinating reviews and sharing information, existing mechanisms for Parliamentary review could be augmented.

Let me leave you with a few final thoughts.

While Canada’s system of review and oversight functioned throughout the 1980s and 1990s, the stresses on the system after 9-11 are now tragically apparent. This needs to be addressed. When networks of intelligence-sharing are global, oversight cannot remain rigid and localized. While I recognize there is no silver bullet fix given these complex issues, I am also keenly aware there are very real, serious human consequences that spring from poor information handling and governance. My Office deals with them daily.

Thank you for your time and consideration. I look forward to the discussion.