Appearance before the Standing Committee on Access to Information, Privacy and Ethics on Reform of the Privacy Act

March 10, 2016
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

Thank you for the invitation to appear and provide my views on the critical need to overhaul the Privacy Act. Given my responsibility for oversight of the Act, I would also like to express my appreciation to Committee members for having determined that this is an area deserving of careful study.

With me today are Patricia Kosseim, Senior General Counsel, and Sue Lajoie, Director General, Privacy Act Investigations.

My Office will also be providing this Committee with a written submission for your consideration the week of March 21^st.

Need for reform

When the Privacy Act was proclaimed on Canada Day back in 1983, it was a development Canadians could celebrate as Canada became a world leader in privacy law.

Unfortunately, more than three decades have since passed without any substantive change to a law designed for a world where federal public servants still largely worked with paper files.

Technology, on the other hand, has not stood still. In the digital world, it is infinitely easier to collect, store, analyze and share huge amounts of personal information — making it far more challenging to safeguard all of that data and raising new risks for privacy.

Largely in response to those changes, many other jurisdictions in Canada and around the world have moved to modernize their laws.

It is also important that we move to reform the antiquated Privacy Act to provide Canadians with a law that protects their rights in an increasingly complex environment.

Our recommendations fall under three broad themes: Responding to technological change; legislative modernization and the need for transparency.

Technological change

Technological change has allowed government information sharing to increase exponentially. Existing legal rules are not sufficient to regulate this kind of massive data sharing.

We would therefore recommend that the Privacy Act be amended to require that all information sharing be governed by written agreements and that these agreements include specified elements.

The fact that government departments collect and use ever-greater amounts of personal information has also increased the stakes when it comes to privacy breaches. Over the years, we have seen massive government breaches affecting tens, even hundreds, of thousands of citizens.

We recommend creating an explicit requirement for institutions to safeguard personal information under their control as well as a legal requirement to report breaches to my Office.

Legislative modernization

The Privacy Act needs to be aligned with the legal reality of 2016.

Among other things, the law should be amended so that Federal Court review under the Privacy Act is broadened to cover all rights.

Currently, the only cases that may be pursued in Federal Court under the Privacy Act are those involving denials of access to personal information. We cannot pursue cases involving collection, use and disclosure. Since there can be no right without a remedy, there is a risk that the rights of individuals will go unheeded.

While we are pleased that in the vast majority of cases, government departments do eventually agree to implement our recommendations, the process to reach that point is often prolonged and arduous.  So how do we speed up the process?

I am not seeking order making powers at this time.  In my view, increasing the scope of court intervention would offer an adequate protection of rights.  I would suggest that adopting a new approach recently enacted in Newfoundland and Labrador’s access and privacy law should help bring more rigour and speed to the process, while maintaining the informality of the ombudsman model.

In Newfoundland and Labrador, on receipt of the Commissioner’s recommendations, a public body in the province must either comply or apply to court for a declaration that they do not need to take the recommended action. This creates an incentive for government to respond to complaints in a more timely and disciplined manner, without creating the costs of a more formal adjudicative system.  Such a system could reduce the risk that some may perceive a conflict between the Commissioner's roles as impartial tribunal and privacy champion.

Another key recommendation to ensure adequate regulation, in an environment where technology makes possible the collection of massive amounts of personal information, is an explicit necessity requirement for the collection of personal information.

This change would protect against excessive collection and align the Privacy Act with other privacy legislation in Canada and abroad.

We also recommend the creation of a legal requirement for institutions to conduct Privacy Impact Assessments and to submit them to my Office for review. New information sharing agreements should be similarly submitted. The use of PIAs by institutions, as well as their timeliness and quality have sometimes been uneven.  A legal requirement would ensure PIAs are conducted in a thorough manner and completed before new programs are launched, or when information management rules of existing programs are substantially modified.

Additionally, there should be an obligation on government to consult my Office on bills that will affect privacy before they are tabled in Parliament.

And finally, to ensure we do not again have a badly out-of-date law in the future, it would be useful to add a requirement for ongoing Parliamentary review of the Privacy Act every five years.

Enhancing transparency

An important component of transparency is providing individuals with access to their own personal information.

As the Supreme Court of Canada has affirmed several times, the Access to Information Act and the Privacy Act should be seen as a "seamless code."

Privacy is an important enabler of transparency and open government by providing individuals with access to their own personal information held by federal institutions. At the same time, privacy is also a legitimate limit to openness if personal information risks being revealed inappropriately. For these reasons, I commend the Committee for its decision to consider the two statutes together.

One important transparency measure would be to allow my Office to report proactively on privacy practices of government.  Reporting to Parliamentarians and Canadians only once or twice a year on how the government is managing privacy issues through annual or special reports to Parliament is inadequate. We would like to be in a position to share this information in a more timely way.

I would also suggest extending the application of the Privacy Act to all government institutions, including Ministers’ Offices and the Prime Minister’s Office. While the Privacy Act is probably not the best instrument to do this, Parliament should also consider regulating the collection, use and disclosure of personal information by political parties.

As well, I support extending the right to access personal information held by federal institutions to all persons, rather than only to Canadians and those present in Canada. We favour maximizing disclosure to those whose information is at stake, subject to exemptions that are generally injury-based and discretionary.

Canadian courts have been clear that where privacy and access rights conflict, privacy will take precedence, although it is not absolute. 

The Privacy Act already permits for the disclosure of personal information where, in the opinion of the head of the institution, the public interest clearly outweighs any invasion of privacy. This form of public interest override strikes the right balance between privacy and access.

Conclusion

Again, I wish to thank the Committee for undertaking this critical work, which I hope will lead to a modernized law that protects the privacy rights of all Canadians.

I look forward to these deliberations and discussions and would be happy to take your questions.