Appearance before the House of Commons Standing Committee on Public Safety and National Security on Bill C-19, An Act to amend the Criminal Code and the Firearms Act
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
November 22, 2011
Ottawa, Ontario
Statement by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Introduction
Thank you Mr. Chair and Members of the Committee for inviting me to appear before you to discuss the Act to amend the Criminal Code and the Firearms Act, commonly referred to as Bill C-19. I am accompanied by our General Counsel, Patricia Kosseim.
As Privacy Commissioner, it’s my role to comment on the privacy implications of the Bill as they relate, in this case, to retention, accuracy, and disposal of personal information.
I’ll also be pleased to answer your questions from the perspective of our mandate.
Before that, I’ll start by providing a brief overview of my Office’s involvement with the firearms registry program.
Historical Context
As many of you may know, my predecessors took interest in the Canadian Firearms Program because it involved the collection and use of significant amounts of sensitive personal information.
We looked at the firearms program in detail when it was first introduced and for about five years afterward. For example, we issued a Review of the Personal Information Handling Practices of the Canadian Firearms ProgramFootnote 1 in 2001.
We also received a number of complaints related to the registry over the years. More recently, in 2009, we carried out investigations concerning a survey of firearms licensees where we concluded that the information disclosed by the RCMP to the survey research company was properly safeguarded.
My Office has reviewed Bill C-19, and I’ll now present some specific observations related to the personal information implications for Canadians whose personal information is collected under the Firearms Act.
Clause 29 and Lawful Authority to Dispose of Personal Information
Personal information is collected by federal government institutions in relation to operating programs and activities, typically to make decisions about individuals. There are a handful of guiding principles – known as fair information practices – in personal information protection that are contained in the Privacy Act. Some of these are relevant to our discussion today.
One of these is retention. It is important to retain personal information for as long as it is needed to fulfill the purpose or purposes for which the information was collected. Also fundamental to personal information protection is the need to ensure the accuracy of the information. Retaining information allows people enough time to seek access to their personal information and to challenge the accuracy of it. This is very important when decisions are being made about individuals.
I note that Clause 29 of the Bill introduces the obligation to dispose of all relevant records pertaining to firearms that are neither prohibited nor restricted and that are found in the Firearms Registry. This requirement would also apply to related records held by chief firearms officers in the provinces and territories.
Under Clause 29, relevant information is to be disposed of “as soon as feasible”. This is in keeping with another fundamental tenet of personal information protection, namely that when personal information is no longer being used for the purpose for which it was collected it should be destroyed.
Specifically, Clause 29 exempts the destruction of records from the application of the Privacy Act and Regulations. The Privacy Act Regulations require institutions to retain personal information for at least two years after it has been used by a government institution for an administrative purpose. That is, it should be kept for a minimum of two years unless the individual gives consent for it to be destroyed.
I acknowledge the government’s authority to enact an exemption to the retention provision under the Privacy Act.
However, if Clause 29 of the present Bill considers “as soon as feasible” to be much shorter than the two year-requirement under the Privacy Act Regulations, then there may be some situations where certain information that might still be relevant – for instance in a possible court action – is destroyed.
Challenges in personal information disposal
Finally, with respect to disposal, I would simply like to underscore that – whatever schedule the government decides to follow – it should allow enough time for properly and securely disposing of personal information in the main, secondary and related registry databases.
In 2010, my office published an audit Report about the Personal Information Disposal Practices in Selected Federal Institutions. The Report found that the selected departments overall did do a good job when it came to disposing of personal information. However, we also uncovered inadequate control mechanisms and inconsistent practices. My office made recommendations and improvement measures were implemented.
Disposing of data is indeed a complex process.
Let me conclude by underlining that appropriate safeguards and secure disposal are paramount in ensuring that information no longer required for government use is not misused or exposed to potential data breaches.
And with that, I look forward to your questions.
- Date modified: