Appearance before the the House of Commons Standing Committee on Access to Information, Privacy and Ethics regarding 2008-2009 Privacy Act Annual Report and Privacy Act Reform
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
November 19, 2009
Statement by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Mr. Chair, on Tuesday, I had the privilege of presenting to Parliament our latest annual report on the Privacy Act. I believe it is an important document for all Canadians, because it highlights some vital developments and future trends in public-sector privacy.
Through the lens of the audit and review, and complaints-investigation work of my Office during the 2008-2009 fiscal year, the report explores the privacy challenges posed by two broad societal influences: National security initiatives, and technology.
I will touch on key highlights of the report in a moment, and then I propose to share a few thoughts on the unresolved matter of Privacy Act reforms. But first I would like to underscore the principal message that emerged from our annual report.
And that is that privacy rights need not be at odds, either with public security or with the use of information technology. On the contrary: We contend that measures to respect privacy must be integral to all these new developments.
In this annual report, my Office reports on what we discovered in privacy audits of two major national security initiatives – the Passenger Protect Program, better known to Canadians as the “no-fly list,” and FINTRAC, the Financial Transactions and Reports Analysis Centre of Canada.
Our FINTRAC audit found that the agency generally has a robust and comprehensive approach to securing the personal information of Canadians.
However, our examination of a sample of files in FINTRAC’s database turned up personal information that the Centre did not need, use or have the legislative authority to receive. In some cases, in fact, reports existed absent even a shred of evidence of money laundering and terrorist financing.
Clearly, excess personal information should not be making its way into the FINTRAC database, and one of our key recommendations was that FINTRAC do more work with reporting organizations to ensure it does not acquire personal data beyond its mandate.
After all, it is a bedrock privacy principle that you collect only the personal information you need for a specific purpose.
Aside from the recommendation on data collection, we also called on FINTRAC to permanently delete from its holdings all information that it did not have the statutory authority to receive.
And we recommended that FINTRAC analyze all Proceeds of Crime (Money Laundering) and Terrorist Financing Act guidance issued by its federal and provincial regulatory partners to ensure that such guidance does not promote client identification, record-keeping or reporting obligations that extend beyond the requirements of the Act.
We were pleased that the agency accepted 10 of our 11 recommendations. We had recommended that FINTRAC strengthen its information-sharing agreements with foreign financial intelligence partners by including mandatory breach notification and audit provisions, but the Centre maintained that its efforts in this area are sufficient.
Passenger Protect Program audit
A second audit summarized in the annual report relates to our examination of the Passenger Protect Program.
In general we found that Transport Canada collects, uses and discloses personal information related to the program in a way that safeguards privacy. We did, however, identify a few gaps.
One related to the information that officials supply to the Deputy Minister, who is ultimately responsible for adding to or removing people’s names from the no-fly list (or Specified Persons List).
In light of the serious consequences flowing from every one of these decisions, we found that officials had not always provided the DM with all the relevant information upon which to base a sound decision.
Our audit also revealed that Transport Canada had not verified that airlines were complying with federal regulations related to the handling of the Specified Persons List. The risk of a breach was especially high for the handful of air carriers that relied on paper copies of the list.
Further, we found that air carriers were not obliged to report to Transport Canada security breaches involving personal information related to the no-fly list.
The audit also found that the computer application used to provide air carriers with information on the no-fly list was not subjected to a formal certification and accreditation process designed to ensure the security of sensitive personal information.
We were, however, pleased that Transport Canada responded positively to all our recommendations.
Investigations and Inquiries
The annual report we presented to you this week also includes details of our engagement with Canadians through our public inquiries and complaints work.
Over the 2008-2009 fiscal year, my Office received more than 12,000 calls and letters from Canadians concerned about privacy issues.
With respect to concerns focussed on the public sector, we received 748 formal complaints in 2008-2009, down slightly from the previous year.
The most common complaints related to problems people encountered in accessing their personal information in the hands of the federal government, and to the length of time it was taking departments and agencies to respond to access requests.
In analyzing our caseload, we noted that technological glitches can have an extraordinary impact on the privacy of Canadians. For instance, we found that a hacker, using amateurish, off-the-shelf software, was able to penetrate a computer at Agriculture and Agri-Food Canada, exposing about 60,000 personal data records of farmers using a federal loan guarantee program.
But we were equally disturbed to discover that, 26 years after the passage of the Privacy Act, too many data breaches could still be traced back to decidedly low-tech origins, from a briefcase left on an airplane, to the careless mishandling of sensitive documents.
That said, I want to underline that the vast majority of public servants we have worked with across the government do take privacy issues very seriously.
In all, our Office was able to close 990 complaints files related to the Privacy Act during the fiscal year, up almost 13 percent from the previous year.
You’ll notice that we closed more files than we opened. That is due to a concerted effort to tackle a significant backlog of cases, which had driven up our treatment times from an average of about 14 months in 2007-2008 to 19.5 months in 2008-2009.
Our backlog challenge was exacerbated over the past fiscal year when we decided to redefine when a file is deemed to be in backlog, to more accurately reflect how long Canadians actually have to wait for service. As a result of the redefinition, 575 files were backlogged in April 2008.
Fortunately, through a significant re-engineering of our systems and processes, we managed by the end of the fiscal year to cut that number down by 42 percent, to 333 cases.
We are on track to eliminate it altogether by next March.
Privacy Act reform
Over the past year, my Office and this Committee have also continued to work toward the modernization of the Privacy Act, to ensure it properly protects the fundamental right to privacy in the digital age. Reform of this statute is essential to meet the modern privacy needs of Canadians.
And yet, despite our efforts and those of this Committee, I confess to a measure of disappointment when it comes to the government’s response to this Committee’s report of last June.
As we all know, Mr. Chair, updating antiquated privacy legislation and ensuring that privacy principles apply uniformly to the public and private sectors is becoming increasingly urgent in this globally interconnected era.
Indeed, other industrialized democracies have already recognized this imperative. Australia, for instance, is rewriting its federal privacy laws so as to create a single set of principles covering government agencies and businesses alike, address emerging technologies, and introduce consistent new provisions on cross-border data flows.
The European Commission has announced that it will be re-examining its 1995 directive to see whether it is still capable of fostering the level of data protection required for the modern technological era. In light of the fact that our own Privacy Act is 12 years older, we can no longer ignore the need to make significant updates to our own law in order not to be left behind.
Mr. Chair, I would like to end with a few words about the work of my Office as we continue to move through 2009-2010.
I can tell you that we are already deeply engaged in several key files, all of them with significant impact on the privacy of Canadians.
Notably, with the 2010 Winter Olympic and Paralympic Games just around the corner, the challenge of integrating privacy and security will come to a head in an unprecedented way. We have already engaged security officials in a constructive dialogue to build privacy considerations into their security measures.
At the same time, we are taking a close look at Citizenship and Immigration Canada’s plans to roll out initiatives using biometric information. For example, CIC is collecting fingerprint data from refugee claimants and is sharing it with certain other countries.
And we will continue to make known our views about Bills C-46 and C-47, legislation to oblige wireless, Internet and other telecommunications companies to make subscriber data available to authorities, even without a warrant.
Since the terrorist attacks of 9/11, Canada has seen a proliferation of new national security programs, many involving the collection, analysis and storage of personal information.
We fully appreciate that the underlying aim of many security programs is to protect Canadians.
But, as we will continue to remind Parliament and Canadians at every opportunity, it is critical that privacy protections be integrated into all such initiatives at the outset.
Thank you for your attention, Mr. Chair, and I welcome your questions.
- Date modified: