This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Submission of the Office of the Privacy Commissioner of Canada to the House of Commons Legislative Committee
May 30, 2006
The Office of the Privacy Commissioner (OPC) welcomes the direction in which the government is moving under Bill C-2. OPC can certainly agree with the importance of increased accountability and transparency. This is the spirit in which I carry out my responsibilities.
Bill C-2 brings the first wave of important new amendments to the Access to Information and Privacy Acts, by extending coverage to additional Crown corporations, to several Foundations and to the Officers of Parliament. By extending Privacy Act coverage to include more entities, Bill C-2 certainly improves on the status quo. I am concerned, however, with the proposal that seeks to remove certain commercial crown corporations from our private sector Act, the Personal Information Protection and Electronic Documents Act (PIPEDA) and include them instead in the Privacy Act. Specifically, I am referring to the Canadian Broadcasting Corporation (CBC) and Atomic Energy of Canada Ltd., both of which are Crown Agents currently designated by order to be subject to PIPEDA, as well as Via Rail, which is a federal work, also subject to PIPEDA. As things currently stand, and until such time as we see major reforms to the Privacy Act, the sad reality is that personal information is far better protected in the federally-regulated private sector than it is in the federal public sector. Changing the rules for these commercial crown corporations would actually lower the standard of privacy protection they are required to meet under PIPEDA, equivalent to their private sector competitors who are all presently on a level playing field.
As a general remark, I am supportive of the other amendments to the Privacy Act. My detailed comments follow. A number of these comments are of a technical nature. I leave these for the consideration of the Committee, as they are in the nature of drafting issues. I will not be proposing any substantive amendments to C-2.
My first comment relates to the addition of a new section 22.1 to the Privacy Act (clause 183 of C-2), which is a mandatory exemption for information obtained or created by my Office in the course of an investigation. This provision is parallel in concept to the new section 16.1 of the Access to Information Act (clause 146 of C-2). I support the inclusion of these new exemptions to the Access to Information Act (ATIA) and Privacy Act with respect to audits and investigations conducted by OPC.
I understand that the intention of the new exemption in section 22.1 of the Privacy Act is in part to “close the back door”, so that a person who has been denied access by a department cannot indirectly get access by filing a complaint with my office and then seeking access from my office to that same information. Secondly, this provision and the new 16.1 of the ATI Act are consistent with the existing confidentiality provisions in the Privacy Act and are necessary to protect the ombudsman process of my office and to maintain confidence of the parties to a complaint. It is only sensible that complaints, particularly as they relate to privacy, should be handled in a manner which is respectful of that privacy.
The Supreme Court of Canada in Lavigne v Canada ( Office of the Commissioner of Official Languages) 2002 SCC 53 described the mandates of both the Commissioner of Official Languages and the Privacy Commissioner as in the nature of ombudsmen, independent of the government's administrative institutions, and who, as a rule, may not disclose information they receive, consistent with their unique mission to resolve tension in an informal manner.
In my view, the obligation of confidentiality is essential to the ombudsman’s approach, to encourage the parties to engage fully within a conciliatory process, which best functions when the parties reach a mutual state of trust and confidence.
I have noted the Information Commissioner’s comment in his Special Report issued April 28 that a special exemption is not necessary for the Officers of Parliament under either the ATI Act or Privacy Act. He comments that such an exemption runs contrary to the decision of the Supreme Court in Lavigne. I do not agree with this characterization.
In Lavigne, the Supreme Court determined that, based on the evidentiary record before the Court, the Commissioner of Official Languages could not rely on the existing exemption in section 22(1)(b) of the Privacy Act. The decision of the Supreme Court relates purely to an issue of statutory interpretation of an existing exemption and does not in my view stand for the broader proposition suggested by the Information Commissioner that a new exemption is not warranted for the Officers of Parliament. The courts have consistently recognized the private nature of the proceedings under the Privacy Act and have refused to order OPC to disclose investigation records where requested by a party to a court application.
I further note that the exemption in section 22.1 does not apply to the other Officers of Parliament. It applies only to OPC, unlike the parallel exemption in 16.1 ATI Act which also applies to the other Officers of Parliament. I am aware that the Commissioner of Official Languages has requested the Committee to recommend amending Bill C-2 to include in the Privacy Act a mandatory exemption similar to the new 22.1 to protect the investigation process of that Office. I will not be raising any objections in this regard.
Finally, on section 22.1, I observe that the use of the word “record” appears to be in error, as this is a term under the ATI Act not the Privacy Act. The term should be “personal information”. The correct language has been used in new 22.2 and 22.3. I also note some inconsistency in language – the word “created” rather than the word “prepared” which is found in other existing exemptions in the Privacy Act. This same inconsistency is carried through the other new exemptions added to the Privacy Act under Bill C-2.
I am also supportive of the new exemptions 22.2 and 22.3 in the Privacy Act (clause 225 of C-2) which provide protection for whistleblowers under Bill C-11. OPC had voiced support for protection of the identity of whistleblowers when we appeared on Bill C-11.
Disclosure of wrongdoing, or whistleblowing, is not an issue of one individual pitted against another. It is an alert to the existence of departmental wrongdoing. The investigation is not based on the identity of the whistleblower but on the veracity of the alleged facts. It is important not to confuse the necessary assessment of witnesses, which applies to any investigation including investigations under whistleblowing legislation, with the legislator’s choice to protect the identity of the whistleblower in this specific context. It is also important to remember that, despite the new exemptions to the right of access, sections 11 and 22 of the whistleblowing legislation require the Chief Executive and Integrity Commissioner respectively to ensure that the right to procedural fairness and natural justice of the alleged wrongdoer is respected. Moreover, C-11 does not itself set out specific sanctions (apart from the provisions for reprisals which of course integrate principles of natural justice) for wrongdoing but leaves this to the decision of the relevant department. Subsequent disciplinary measures would be taken in accordance with the framework of applicable legislation and governed by rules of procedural fairness.
On a more technical note, I would like to draw the attention of Committee to whistleblower protection under the Personal Information Protection and Electronic Documents Act (PIPEDA). Clause 224 of C-2 amends section 9(3) of PIPEDA by adding an exemption to those listed in that section. Those exemptions are discretionary, not mandatory, and thus the same level of protection will not be afforded to whistleblowers under PIPEDA as under the Privacy Act. (Section 9(3) of PIPEDA provides only that an organization "is not required to" release personal information in the situations listed, but does not prohibit such release). A stand alone provision would be needed to create a mandatory exemption as was done for the Privacy Act.
As a final minor technical comment on 22.3, I note that this section uses the expression “created” whereas section 22.2 uses the broader expression “obtained or created”, which is preferable in my view.
I would also like to make an observation on section 11 of Bill C-11 which, as amended by clause 199 of C-2, would require the chief executive, if wrongdoing is found, to provide public access to information that describes the wrongdoing, including information that could identify the person found to have committed it if it is necessary to identify the person to adequately describe the wrongdoing. This could prove problematic for smaller agencies, as it is generally more difficult to maintain anonymity where only one or a few people are performing specific functions in the organization.
I support the amendments to the appointment and removal process of the Privacy Commissioner under section 53 of the Privacy Act (clause 120 of C-2) which ensure the necessary level of independence appropriate for an Officer of Parliament. I would not favour public disclosure of the final vote count which may adversely affect the necessary level of confidence among Parliamentarians in their ultimate choice of Officer.
I will turn now to what I consider a serious omission in Bill C-2 – the absence of a mechanism for complaint investigations against the Information and Privacy Commissioners under their own legislation as well as under the other’s, which I refer to as “cross-investigation”. Clearly the Commissioners cannot investigate complaints brought against themselves under their own legislation. With respect to cross-investigation of complaints, while this is a lesser concern, issues may still arise particularly where personal information is involved. I assume the provisions bringing the two Commissioners subject to coverage under the Acts will not come into force until a proper complaint investigation process is in place. The issue has been raised in the discussion paper released on April 11 by the Government and OPC plans to make submissions at an appropriate time.
I note without comment or concern that a number of new exemptions are introduced to the ATI Act but not the Privacy Act. These include a new 16.2 for the Commissioner of Lobbying (clause 89 of C-2), a new 16.3 for the Chief Electoral Officer (clause 147 of C-2), a new 18.1 for economic interests of certain Crown corporations (clause 149 of C-2), a new 20.1 and 20.2 for certain records of the National Art Centre and the Public Sector Pension Investment Board (clause 150 of C-2), and a new 22.1 for draft internal audit reports (clause 152 of C-2). There is also a new exclusion added to the ATI Act but not the Privacy Act - this is the new 68.2 for AECL (clause 161 of C-2).
I also note a number of additions to the ATI Act, such as the new 4(2.1) which clarifies responsibilities of government institutions to assist access requestors - this and other additions would warrant consideration for the Privacy Act. OPC plans to address these matters before the Standing Committee on Access to Information, Privacy and Ethics in the context of the comprehensive review of the ATI Act.
I will be emphasizing to the Standing Committee that I strongly believe that reform of the Access to Information Act cannot and should not take place without consideration of the Privacy Act. This is already evident from the amendments under Bill C-2 which create parallel new provisions under both Acts.
This view is further reinforced by a recent decision of the Supreme Court of Canada in Heinz v. Canada (Attorney General) 2006 SCC 13 which said that the two Acts must be read together as a “seamless code” and that Parliament intended both the access and privacy legislation to increase government accountability. To state the obvious, this means greater access to government information. But, this also means strengthening the rights of individuals under the Privacy Act to know what personal information governments have about them, how that personal information will be used, that the information is accurate, and that the information is relevant to the department’s program or operations.
OPC has undertaken an extensive review and commentary on the need for reform of the Privacy Act. I will soon be tabling this submission, entitled Government Accountability for Personal Information: Reform of the Privacy Act, with the Standing Committee. The proposals in my submission if accepted would clearly strengthen the government’s accountability initiative by making long over-due amendments to the Privacy Act.
- Date modified: