Key takeaways for public servants from the Commissioner’s 2020-2021 Annual Report
December 9, 2021
Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.
In the report, Commissioner Daniel Therrien calls on the government to use its renewed mandate to bring Canada into the modern era by adopting rights-based privacy laws that will reflect Canadian values and support responsible innovation.
“Over the course of my mandate, it has become increasingly clear that we need a stronger privacy framework to protect the rights of Canadians in an increasingly digital world. This would allow Canadians to safely participate in the digital economy and confidently embrace new technologies,” writes Commissioner Therrien in his annual report message.
“As a society we must project our values into the laws that regulate the digital space. Our citizens expect nothing less from their public institutions. It is on this condition that confidence in the digital economy, damaged by numerous scandals, will return.”
The report also includes statistical data on complaints and breaches, information about our business and government advisory work, as well as summaries of investigations. It discusses the federal government’s engagement with the OPC on a range of files, including numerous initiatives related to COVID-19 infection, border controls and programs that provide benefits during the economic crisis.
We encourage federal public servants to read the report and we highlight, below, a couple of issues of note for federal institutions.
Intersection between public and private sectors
The line between private businesses and government institutions is becoming increasingly blurred, given the interconnectedness of the digital economy and the ease with which information is generated, used, and disclosed. We are increasingly seeing issues that span both public and private sectors, raising important privacy questions and illustrating the need for some consistency in updated privacy legislation.
This intersection appeared in our investigation of the RCMP’s collection of personal information from Clearview AI. In June 2021, our office tabled a Special Report to Parliament to share our findings in an investigation regarding the RCMP’s use of a facial recognition technology database created by Clearview AI, a technology company that was itself the subject a previous OPC investigation.
Our investigation found that the RCMP’s use of Clearview’s facial recognition technology to conduct hundreds of searches of a database compiled illegally by Clearview AI is a violation of the Privacy Act.
We also found serious and systemic gaps in the RCMP’s policies and systems to track, identify, assess and control novel collections of personal information through new technologies.
The case was another example of how public-private partnerships and contracting relationships involving digital technologies are creating new complexities and risks for privacy.
The Commissioner encouraged Parliament to amend the Privacy Act to clarify that federal institutions have an obligation to ensure that the personal information obtained from third party agents was collected lawfully.
- Activities of federal institutions must be limited to those that fall within their legal authority and must comply with applicable laws, including the Privacy Act.
- Institutions should conduct privacy assessments of third-party data collection practices to ensure any personal information is collected and used in accordance with the law.
- A government institution cannot collect personal information from a third party if that third party collected the information unlawfully.
Social media monitoring
In 2020-2021, we reviewed a Privacy Impact Assessment (PIA) and completed a consultation process with Immigration, Refugees and Citizenship Canada (IRCC) on their social media monitoring activity.
IRCC has been monitoring social media platforms to collect data on posts and commentary relevant to the department’s mandate, policies and activities. The activity is not directed at gathering information about individuals or IRCC clients. IRCC indicated that it is using social media monitoring tools to assess whether inaccurate information about Canada’s immigration policies and practices is being disseminated via social media platforms, and to counter such misinformation with communications messages where necessary.
We recommended that IRCC ensure measures are in place to minimize the collection of personal information from social media sites to that which is clearly necessary for legitimate government business and the stated purposes of the program. In addition, we recommended the department regularly evaluate its use of social media monitoring tools to determine whether continued use is justified as necessary, proportional and effective. We also recommended that IRCC provide transparency to the public about this activity by posting a clear privacy notice on its website, by publishing descriptions of use of information collected from social media sites in its Personal Information Bank (PIB), and by publishing a summary of the PIA.
We have provided similar advice to other institutions, as government interest in monitoring social media has grown.
- Institutions are not allowed to collect personal information that is not directly related to an operating program or activity, even when it is publicly available.
- Institutions also have an obligation to ensure that personal information used in any decision affecting an individual is as up to date and accurate as possible.
The annual report also highlights Privacy Act investigations that may be of interest to public servants:
- An institution shared employee’s sensitive personal information without authorization
- Investigation into the RCMP’s use of Clearview AI facial recognition technology
- RCMP commits to privacy improvements for vulnerable sector checks
Want to know more?
You can find information on what to expect during a complaint investigation on our website.
Expectations: OPC’s Guide to the Privacy Impact Assessment Process will help you effectively manage privacy risks as part of the PIA process. You can also consult the OPC’s Government Advisory Directorate by contacting us at email@example.com.
Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.
- Date modified: