Bill C-2, Federal Accountability Act
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Submission of the Office of the Privacy Commissioner of Canada to the Standing Senate Committee on Legal and Constitutional Affairs
September 21, 2006
The Privacy Commissioner of Canada welcomes the direction in which the government is moving under Bill C-2. This Bill brings the first wave of important new amendments to the Access to Information Act and the Privacy Act since they were enacted in 1983.
Increased government accountability clearly requires greater access to government information. But it also means strengthening the rights of individuals under the Privacy Act to gain access to their own personal information; to know what personal information government institutions have about them and how it will be used; to be assured that the personal information being collected and kept by government is accurate and is necessary to deliver on its programs or operations. It means requiring governments to be open with their personal information management practices, to be transparent about the safeguards they have adopted and to publish the results of privacy impact assessments of new programs or initiatives.
The Commissioner has called for these rights and obligations to be reflected in a much-needed reform of the Privacy Act, which is nearly a quarter of a century old. The Commissioner’s report, entitled Government Accountability for Personal Information: Reform of the Privacy Act,Footnote 1 has been tabled with the House of Commons Standing Committee on Access to Information, Privacy and Ethics. The proposals in that submission would, in the Commissioner’s view, clearly strengthen government transparency and accountability. Far from being synonymous with secrecy, or the antithesis of access, privacy is premised on fundamental principles of accountability, openness and access. Indeed, accountability, openness and access to one’s own personal information are three of the fundamental, and now internationally recognized, principles of modern data-protection regimes. To achieve meaningful accountability of government, therefore, requires long overdue amendments to both the Access to Information Act and the Privacy Act.
Extending Coverage of the Privacy and Access to Information Acts
Bill C-2 has improved upon the status quo and furthered the cause of increased transparency and accountability of government by making agents and officers of Parliament, including the Office of the Privacy Commissioner, as well as several additional foundations funded by government, subject to both the Privacy Act and the Access to Information Act.
Expanding the definition of “government institution” under the Acts to include all parent Crown corporations and their wholly-owned subsidiaries is also a welcome change in keeping with the spirit of greater openness and transparency. This means that institutions that currently escape the obligations of access and privacy law because they have not been expressly listed in the current Schedules will now be clearly covered and held accountable.
The addition of Crown corporations to the definition of “government institution” brings a significant number of additional organizations under the Privacy Act. These organizations range from quite small to quite large and serve a variety of functions. It is not yet clear to what extent the volume of inquiries and complaints will increase, but increase it most assuredly will. In addition, the Office will no doubt be called upon to assist these institutions in developing their own practices and procedures.
While expanded coverage is to be applauded, the Commissioner has some misgivings about the effect this change will have on a few specific Crown Corporations. It is clearly desirable that significant Crown corporations like Atomic Energy of Canada Limited (AECL), the Canadian Broadcasting Corporation (CBC) and Via Rail be subject to the Access to Information Act. However, privacy, unlike access, is regulated by two separate federal statutes. These three Crown corporations are all currently subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activity and which codifies Accountability as its first and foremost fair information principle.
As a result of Bill C-2, these three Crown corporations will no longer be covered by PIPEDA, but will become subject to the less modern, less robust and less rigorous public sector lawinstead, which has no equivalent concept of accountability. As things currently stand, and until such time as there are major reforms to the Privacy Act, the stark reality is that personal information is far better protected federally in the private sector than it is in the public sector.
Changing the rules for Crown corporations which engage in commercial activities actually lowers the standard of privacy protection they are required to provide. In addition, reducing their obligations to protect personal information vis-à-vis their private sector competitors could also reduce their costs compared with their private sector competitors, giving them an unfair economic advantage, at least in the short run. This being said, the Commissioner holds the view that, in the long run, it is the responsible corporations that take privacy seriously and secure their customers’ trust and their employees’ loyalty which will, in the end, benefit from a true competitive advantage in the marketplace.
AECL, CBC and VIA Rail have been subject to PIPEDA since 2001; they have already established procedures, hired and trained staff, and otherwise adapted themselves to comply with this legislation. Rolling back the privacy standards these Crown corporations are obliged to maintain and weakening the privacy rights extended to individuals whose personal information they hold is a change that is diametrically opposed to the objective of greater government accountability for information holdings. It is indeed a sad testament to the weak nature of our federal Privacy Act, which pales in comparison with its more modern private sector equivalent. This example only reinforces the Commissioner’s plea that Privacy Act reform be recognized as a critical component of enhanced transparency.
The Office of the Privacy Commissioner as a covered entity
Bringing the Office of the Privacy Commissioner under the Access to Information Act and the Privacy Act is a change that the Commissioner supports and applauds. Although up until now, the Office of the Privacy Commissioner has not been subject to these laws, the Commissioner has striven to ensure her Office operates in an open, accountable and transparent manner. Hence, this new legislative amendment, if it comes to pass, will confirm this direction and codify standards to which the Office should rightly be held accountable. The Office of the Privacy Commissioner, like other affected institutions, will prioritize implementation by investing the necessary resources to set up an access to information and privacy office. We will ensure appropriate internal practices and procedures are in place to enable the Office to respond to external requests for access to records and personal information in the fairest and most expedient manner.
Since the Commissioner has not previously been subject to either the Access to Information Act or the Privacy Act, there is currently no independent mechanism to receive complaints against her own Office. While the Commissioner supports being subject to the Acts, clearly she cannot investigate a complaint against herself under the Privacy Act, nor can the Information Commissioner investigate a complaint against himself under the Access to Information Act. It may be equally difficult for the Privacy Commissioner to investigate a privacy complaint against the Information Commissioner or for the Information Commissioner to investigate an access complaint against the Privacy Commissioner, particularly where personal information is involved.
Bill C-2 does not provide a mechanism for investigating complaints in these circumstances; the Commissioner trusts that the provisions making the two Commissioners subject to the two Acts will not come into force until an appropriate complaint investigation process is in place. The issue of an appropriate complaint mechanism has also been raised in the Department of Justice discussion paper tabled with the House of Commons Standing Committee on Access to Information, Privacy and Ethics respecting further reforms to the Access to Information Act.Footnote 2 The Privacy Commissioner intends to raise this issue with that Committee.
Exemption for Investigative Files
As introduced, Bill C-2 provided mandatory exemptions for information obtained or created by or on behalf of the Information and Privacy Commissioners in the course of an investigation or audit (adding section 16.1 to the Access to Information Act and section 22.1 to the Privacy Act). The Commissioner supported this provision as being consistent with her current confidentiality obligations under sections 63 and 64 of the Privacy Act and sub-section 20(1) of and PIPEDA. These confidentiality obligations are integral features of the ombudsman, a person who is intended to be independent of the government's administrative institutions, and who, as a rule, may not disclose information they receive from parties to a dispute, consistent with their mission to mediate and resolve disputes in an informal and non-adversarial manner.
As passed by the House of Commons (clauses 144 and 183), information created by or on behalf of the Commissioner is no longer exempt under section 16.1 of the Access to Information Act or section 22.1 of the Privacy Act after the investigation and any related proceedings have finally concluded.
The Commissioner recognizes the wish of the House of Commons to improve transparency and accountability to the maximum extent possible, while continuing to respect the integrity of the investigative and audit process. Accordingly, the Commissioner is content that an appropriate balance has been struck in sections 16.1 and 22.1. The mandatory exemption will continue to apply to information obtained by the Commissioner, even after the investigation is over, continuing to protect the parties’ representations and related documents. Information created by the Commissioner would no longer be completely immune from disclosure, but neither would disclosure be automatic; other exemptions contained in the Access to Information Act and the Privacy Act would continue to apply to all or parts of the information, including the fundamental exemption for personal information. By their very nature, privacy complaints arise out of situations where individuals feel that their personal information rights have been violated. Hence, it would only add insult to injury if their personal information contained in an investigation file were made publicly accessible, thereby further exacerbating their sense of privacy violation. Canadians can rest assured, therefore, that the Commissioner will bring to bear the highest sensitivity to these situations and will apply relevant exemptions with utmost rigour to ensure proper protection of individuals’ personal information.
Privacy Act Reform as a Necessary Adjunct to Greater Government Accountability
A number of the changes proposed in Bill C-2 to enhance government accountability under the Access to Information Act should be mirrored in the Privacy Act. For example, the Commissioner believes that the responsibilities of government institutions to assist access requestors should be specified not only under the Access to Information Act, but also -- and necessarily -- under the Privacy Act. The Commissioner plans to address this asymmetry and other identified gaps before the Standing Committee on Access to Information, Privacy and Ethics when they next consider her report on Government Accountability for Personal Information: Reforming the Privacy Act.
The critical link between accountability and privacy is made most obvious by the privacy impact assessment. The Privacy Impact Assessment PolicyFootnote 3 came into effect May 2002. All institutions listed in the Schedule to the Privacy Act are required to demonstrate “that their collection, use and disclosure of personal information respect the Privacy Act and privacy principles throughout the initiation, analysis, design, development, implementation and post-implementation review phases of their program and service delivery activities.” They are required to routinely release summaries of these assessments through the Internet and convention publishing.
Although this policy came into effect more than four years ago, it is still difficult to find a privacy impact assessment on any government website today. The Commissioner urges that any reform of the Privacy Act include legislative backing for this and other privacy-related policies, together with appropriate enforcement mechanisms, to ensure meaningful accountability, transparency and openness about the government’s information management practices.
Privacy Act reform is thus equally as important for achieving meaningful government accountability and transparency as reform of the Access to Information Act. This view is reinforced by the Supreme Court of Canada in a recent decisionFootnote 4:
 … This Court has stated on numerous occasions that the Privacy Act and the Access Act must be read together as a “seamless code”: Canada (Information Commissioner) v. Canada (Commissioner of the Royal Canadian Mounted Police),  1 S.C.R. 66, 2003 SCC 8, at para. 22 (“RCMP”). The right of access to government information, while an important principle of our democratic system, cannot be read in isolation from an individual’s right to privacy.
 … As is clear from the parliamentary debates at the time the Acts were introduced, Parliament intended the new, comprehensive access to information and privacy legislation to increase government accountability in two ways: first, by ensuring that access to information under government control is a public right rather than a matter of government discretion and, second, by strengthening the rights of individuals to know "how personal information will be used ... that the information used for decision-making purposes is accurate ... and that information collected by government institutions is relevant to their legitimate programs and operations": House of Commons Debates, vol. VI, 1st Sess., 32nd Parl., January 29, 1981, at pp. 6689-91, Second Reading of Bill C-43 by the Hon. Mr. Francis Fox, then Minister of Communications).
 The Information Commissioner and the Privacy Commissioner benefit not only individuals who request access or object to disclosure, but also the Canadian public at large, by holding the government accountable for its information practices
The Commissioner urges Parliament to exercise caution in making revisions to these two statutes to ensure that the “seamless code” of the scheme as a whole is not disrupted. To close the circle and hold government institutions truly and fully accountable to Canadians they serve, correlative and parallel changes must be made to the Privacy Act.
- Date modified: