Appearance before the Standing Committee on Access to Information, Privacy and Ethics on Privacy Act Reform
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
May 11, 2009
Statement by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Thank you, Mr. Chairman and members of the Committee, for inviting me to address you again on the pressing issue of Privacy Act reform. I’m joined today by Chantal Bernier, Assistant Commissioner responsible for the Privacy Act.
As you know, I have already offered my views to this Committee as to why the need for comprehensive reform of the Privacy Act is needed, now more than ever.
The Supreme Court of Canada has repeatedly affirmed the central importance of the informational relationship between the Canadian state and its citizens. The Privacy Act has been accorded quasi-constitutional status in recognition of the fundamental values it is intended to protect. However, the Act remains woefully inadequate to protect such fundamental rights in the face of new technologies, new ways of offering services, new imperatives and new conceptions about privacy.
While other quasi-constitutional laws such as the Canadian Human Rights Act and the Official Languages Act have been progressively modernized to enshrine fundamental and contemporary Canadian values into law, the Privacy Act has remained virtually unchanged ever since it came into effect in 1983. Since then, we have witnessed unprecedented growth in technology and a veritable explosion in the number of services and programs delivered by the federal government, as well as a profound transformation in the way such services and programs are delivered. The Act, however, remains frozen in time, a reflection of a bygone era.
Barring a full revision of the law, I have previously proposed that the government consider quick fixes that might help address some of the more substantial shortcomings of the Act. However, my view remains that a fully modernized Privacy Act would reinforce the pivotal importance of privacy rights and ensure that government institutions remain accountable and transparent with respect to the handling of personal information, and that my Office can fulfill its mandate.
Ensuring a Certain Measure of Uniformity between Public and Private Sector Privacy Laws
I am not suggesting that a modernized Privacy Act should mirror PIPEDA in every respect. However, it makes sense to align the Privacy Act with certain elements of PIPEDA. Expanding the definition of “personal information” to include non-recorded information, giving my Office a clear public education mandate and requiring ongoing five year Parliamentary reviews are examples of changes that would allow a more uniform protection of privacy rights.
The proposal to broaden the grounds for an application for Court review is also meant to provide uniformity with respect to privacy rights. I should add that there is absolutely no discrepancy in providing complainants with the opportunity to apply for a Court hearing following an investigation, and providing me with limited and specified discretion to refuse to entertain certain complaints.
Indeed, the Minister of Industry has recently proposed how I might exercise such discretion. Under Bill C-27, which creates a new Electronic Commerce Protection Act, and amends PIPEDA among other Acts,I would have the discretion to decline to investigate complaints or to discontinue complaints made under PIPEDA in certain specified circumstances. I could, for example, decline to investigate where there is a more appropriate alternative review procedure more suited to deal with the complaint. As well, I would have discretion to discontinue a complaint in certain limited circumstances, for example, where the matter of a complaint has already been investigated by my Office. Bill C-27 would still allow individuals to apply for a Court review even if my investigation has been discontinued, thereby protecting an individual’s right to recourse.
There is no reason why this principled approach could not be adopted under a revised Privacy Act.
I have also asked that my Office be provided with greater discretion to report publicly on the privacy management practices of government institutions. This recommendation is intended to allow my Office to be able to put information regarding audits and specific investigations on our website, on a timely basis and as events occur.
As I mentioned a year ago, security safeguards under the Privacy Act also lag behind those in PIPEDA and mandatory breach notification should be considered for the Privacy Act as it is considered for PIPEDA.
There is no reason to deny Canadians a certain level of consistency with respect to their privacy rights, regardless of the organization or institution in question. Indeed, the principles of accountability and transparency beg a higher degree of protection for personal information in the hands of the government, especially considering the position of trust in which citizens stand vis-à-vis the overwhelming machinery of the State.
Law is Better than Policy
Several of our proposed reforms of the Privacy Act include the necessity of enshrining into law current government policies relating to privacy. I commend the Treasury Board Secretariat for putting into place a policy on privacy impact assessments, for providing guidance to departments on information sharing with foreign states and the outsourcing of personal data processing, and for improving reporting requirements of government departments under section 72 of the Privacy Act. Nevertheless, such practices need to be circumscribed by law as a matter of ensuring the government remains accountable and transparent with respect to its personal information handling practices.
Privacy audits, reviews and investigations carried out by my Office have unfortunately shown that institutions are not consistently meeting their commitments under government policies, and that current standards provide little assurance or information to Canadians, or to Parliamentarians, seeking to understand the privacy implications of government services or programs.
Privacy Impact Assessments (PIAs) are instrumental in addressing privacy risks associated with government programs. For example, my Office worked with the Canada Border Services Agency when the enhanced driver's license was being piloted in British Columbia. As a result of concerns we raised about the custody and control of the information of Canadians travelling to the United States, the Agency agreed to relocate the database containing personal information of travellers from the US to Canada. We would see more of these successes if the requirement for PIAs was enshrined in law so that Canadians and Parliamentarians alike have an opportunity to voice concerns and receive assurances that privacy issues are being addressed.
The truth is that it is far easier to ignore a policy as opposed to a legislated requirement. Indeed, some departments are still collecting excessive personal information even though Treasury Board policy includes a necessity requirement. In a recent audit of Elections Canada, for example, we found that it was receiving personal information on young people under the voting age that was clearly not needed for a voters list.
Parliamentarians need to have better information about how federal departments and agencies are doing managing the personal information they have from each and every one of us. Leaving it to the vagaries of policy and to the good will of public servants is simply not good enough.
Recent Events Confirm the Need for Stronger Privacy Protections
The lessons of the past few years teach us that stronger privacy protections are needed if privacy is to have any meaning at all in the face of contemporary challenges. In a recent Ekos poll commissioned by my Office, 60 per cent of Canadians feel that their information is less protected than it was ten years ago; 71 per cent of Canadians see the issue of having stronger privacy laws as a matter of high importance; and only about one in seven Canadian is confident that Canadian law enforcement and national security authorities respect the laws that protect Canadians’ privacy. These numbers speak volumes about the profound attachment Canadians have to their privacy rights.
The recent events surrounding the O’Connor Inquiry and the Iacobucci Inquiry shed light on the information sharing practices of national security and law enforcement agencies, and highlight the need to hold government institutions to a higher standard of privacy protection, information handling and data protection. Given the enormous trust accorded to the government and its institutions in relation to law enforcement and national security and their global implications, we need a more precise legal framework around information sharing in an international context.
In 1982, Canada took a leading role when it became one of the first countries to adopt stand-alone privacy legislation that applied to its government. However, the inevitable impetus of change has gotten the best of the Privacy Act; it no longer reflects our modern conception of privacy and is out of tune with the realities of contemporary government.
The Committee’s review of the Act is certainly timely; it is joining an international trend in modernizing privacy legislation to meet the realities of the 21st century. For example, Australia’s Law Reform Commission has recognized that its 20 year old Privacy Act needs a host of refinements to help navigate the Information Superhighway, which are currently under consideration by the Australian government.
Thank you once again, Mr. Chairman, for inviting me to speak to you on this issue. I would be pleased to take any questions members of the Committee may have.
Report a problem or mistake on this page
- Date modified: