Bill C-2, Federal Accountability Act
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Standing Senate Committee on Legal and Constitutional Affairs
September 21, 2006
Opening Statement by Jennifer Stoddart
Privacy Commissioner of Canada
(CHECK AGAINST DELIVERY)
Thank you for inviting me. I appreciate the opportunity to share my Office’s views on Bill C-2 with you.
Let me say from the outset that I strongly support the government’s efforts to bring more transparency and accountability to how government operates. The history of my own Office demonstrates how important this is and I believe Bill C-2 is an important step in ensuring that history is never repeated.
I will stress today that privacy is key to achieving the goal of greater accountability in government. Bill C-2 makes some amendments to the Privacy Act, but much more needs to be done to make this nearly 25-year-old law meet modern privacy requirements. I believe that a real Privacy Act reform is a pre-condition for achieving true government accountability and transparency.
Extended Scope of Application
I support the current provisions of Bill C-2 that expand the number of government institutions covered by the Privacy Act through a broad, inclusive definition of “government institutions”.
While I fully support the underlying goals of greater accountability and transparency, I am concerned about the impact C-2 will have specifically in respect of some major Crown corporations, which in my view, goes directly against the intended objective of the Bill. As a result of C-2, corporations such as the Canadian Broadcasting Corporation, Atomic Energy of Canada Ltd., and VIA Rail would effectively be removed from our modern private-sector privacy legislation and included instead under the out-of-date public sector Privacy Act. Currently, these corporations are subject to the newer Personal Information Protection and Electronic Documents Act, or PIPEDA, which provides far more robust privacy protection than the Privacy Act. Putting them under the Privacy Act umbrella would significantly lower the privacy bar not only for the people who work for those organizations but for every individual who deals with these organizations. The reality in Canada is that – until we fix the Privacy Act – legal protections are far stronger for the personal information held by businesses than the personal information held by government bodies.
For instance, right now, someone can come to my Office with a complaint about how either VIA, CBC or Atomic Energy has improperly collected, used or disclosed their personal information. We investigate and we make recommendations. If the organization doesn’t fix what’s wrong, we pursue next steps, which can include court action.
Under the Privacy Act, there would be nothing my Office could really do – other than to make recommendations, hope they are implemented and ultimately express regret about the situation. In essence, under the Privacy Act, our hands are tied.
Imagine a case where a VIA Rail passenger complains the railway has given her travel itinerary to an abusive ex-spouse. Imagine an Atomic Energy worker who loses out on another job because a corporate official has improperly disclosed personal information to a prospective employer. Worse yet, imagine if the information disclosed was inaccurate. The Privacy Act offers those people no real redress.
Privacy rights would also be eroded in another very significant way. These three corporations are currently required under PIPEDA to adhere to a modern standard of personal information protection, including regularly updated technological safeguards. There is simply no such requirement under the Privacy Act. So, in some ways, we are going backward in time.
Considering the harm that misuse of one's personal information could cause – the risk of identity theft, for example – it’s clear that moving these Crown corporations from the broad protection of PIPEDA to the very narrow protection offered by the Privacy Act is not an insignificant change.
Atomic Energy, CBC and VIA Rail have been subject to PIPEDA since 2001. They have already done all the work in establishing procedures and hiring and training staff to comply with that law. Under Bill C-2, the privacy burden imposed on these three Crown corporations would be lighter. Imagine that the CBC will be held to a lower standard than its competitors, such as CTV or Global.
The Office of the Privacy Commissioner as a covered entity
Bill C-2 will make Officers of Parliament - including my own Office, as well as several additional foundations funded by government – subject to both the Privacy Act and the Access to Information Act. I applaud this change. As I have always said, I believe my Office should be subject to the Privacy Act and the Access to Information Act and that we should at least be held to the same standards expected of the organizations we investigate.
Since my Office has not previously been subject to either the Access to Information Act or the Privacy Act, there is currently no independent mechanism to receive privacy or access complaints against our Office under these acts. While I support being covered by these Acts, it would be clearly and entirely inappropriate for me to investigate a complaint against my own Office, as it would be for the Information Commissioner to investigate itself. Whether we could investigate complaints against each others’ offices could equally be problematic in some cases. Bill C-2 does not provide a mechanism for investigating complaints in these circumstances. It is my expectation the changes would not come into force until an appropriate complaint mechanism is in place.
I am pleased to see an access to information exemption for information my Office obtains or creates during the course of an investigation or audit. This is crucial to meeting the confidentiality obligations in my role as an ombudsman. By their very nature, privacy complaints arise out of situations where individuals feel that their personal information rights have been violated. It would only add insult to injury if their personal information contained in an investigation file were made publicly accessible – further exacerbating their sense of privacy violation. While I will accept Parliament’s wisdom to open up certain parts of my investigation files upon completion, I intend to apply the personal information exemption with full vigour – in the interest of protecting the privacy rights of individuals consistent with my mandate and my mission as Privacy Commissioner of Canada.
Privacy Act Reform as a Necessary Adjunct to Greater Government Accountability
Bill C-2 includes the first wave of important new amendments to both the Access to Information Act and the Privacy Act since they came into force in 1983. A number of the changes proposed in Bill C-2 to enhance government accountability under the Access to Information Act should be mirrored in the Privacy Act. For example, the responsibilities of government institutions to assist access requestors should be specified not only under the Access to Information Act, but also – and necessarily – under the Privacy Act.
Increasing government accountability clearly requires greater access to government information as well as strengthened privacy rights when it comes to how government handles the personal information of Canadians. Privacy Act reform is thus as equally important for achieving meaningful government accountability and transparency as reform of the Access to Information Act.
Individuals need stronger rights under the Privacy Act to gain access to their own personal information; to know what personal information government institutions have about them and how it will be used; to be assured that the personal information being collected is necessary and accurate, and that it will be rigorously protected from unlawful use and disclosure. Like private sector organizations, government institutions must be required to be open with their personal information management practices, to be transparent about their privacy safeguards, which includes publishing results of privacy impact assessments of new programs or initiatives.
I’ve detailed how these steps should be included in a much-needed reform of the Privacy Act in a report which has been tabled with the House of Commons Standing Committee on Access to Information, Privacy and Ethics in June.
I hope I have given you a sense of my Office’s views on the new provisions in Bill C-2. Though I strongly support the Act and the many advances it will achieve with respect to government transparency and accountability, as you have heard, I do have a few reservations that I have already shared with the House of Commons Committee – in particular, the weakening of privacy standards for certain major Crown Corporations – which I hope will be addressed by your Committee.
Secrecy may be the antithesis of access, but privacy is something very different. Privacy is based on fundamental principles of accountability, openness and access. In addition to some of the other issues I have raised today, bringing meaningful accountability to government must include long overdue changes to both the Access to Information Act and the Privacy Act.
- Date modified: