Privacy Act Reform in an Era of Change and Transparency

The letter on this page was sent by Privacy Commissioner of Canada Daniel Therrien to the Chair of the Standing Committee on Access to Information, Privacy and Ethics on March 22, 2016. It outlines the Commissioner’s recommendations for amending the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies. This letter elaborates on his comments made during his appearance before the Committee on March 10, 2016, where he provided an overview of his views on modernizing the Privacy Act. For further reading, see: The Commissioner’s opening statement before the Standing Committee on Access to Information, Privacy and Ethics on Reform of the Privacy Act and the news release outlining the Commissioner’s recommendations for modernizing the Privacy Act.

---

Letter to the Standing Committee on Access to Information, Privacy and Ethics

March 22, 2016

Mr. Blaine Calkins, M.P.
Chair, Standing Committee on Access to Information, Privacy and Ethics
Sixth Floor, 131 Queen Street
House of Commons
Ottawa, Ontario K1A 0A6

Dear Mr. Chair:

Please find attached to the attention of the members of the Standing Committee on Access to Information, Privacy and Ethics a letter in which I recommend amendments to the Privacy Act around three main themes (technological changes; legislative modernization; and enhanced transparency) in order to actively address today’s existing and emerging privacy risks.

I welcome the opportunity to further support the Committee in undertaking this important study. Please do not hesitate to contact me through my Parliamentary Affairs Officer, Pierre-Luc Simard, at 819-994-6015, to make any arrangements necessary.

Sincerely,

Encl.

c.c. Michel Marcotte
Clerk of the Committee

Summary of recommendations

In order to actively address today’s existing and emerging privacy risks, amendments to the Privacy Act are needed.  Briefly, these are as follows:

Theme One: Technological Changes

1. Clarify requirements for information-sharing agreements: Require that all information sharing under paragraphs 8(2)(a) and (f) of the Privacy Act  be governed by written agreements  and that these agreements include specified elements.  Further, all new or amended agreements should be submitted to the Office of the Privacy Commissioner of Canada (OPC) for review, and existing agreements should be reviewable upon request.  Finally, departments should be required to be transparent about the existence of these agreements;

2. Create a legal obligation for government institutions to safeguard personal information: Create an explicit requirement for institutions to safeguard personal information with appropriate physical, organizational and technological measures commensurate with the level of sensitivity of the data;

3. Make breach reporting mandatory: Create an explicit requirement for government institutions to report material breaches of personal information to the OPC in a timely manner and to notify affected individuals in appropriate cases;

Theme Two: Legislative Modernization

4. Create an explicit necessity requirement for collection:  Amend section 4 of the Privacy Act to create a more explicit necessity requirement for the collection of personal information, consistent with other privacy laws in Canada and abroad;

5. Expand judicial recourse and remedies under section 41 of the Act:  Amend section 41 of the Act so that individuals have statutory recourse to Federal Court for review of all complaints under the Privacy Act , including collection, use and disclosure matters, and provide the Court with the power to order a full array of remedies, including damages;

6. Improve the ombudsman model for the investigation of complaints:  Create a hybrid enforcement model patterned after Newfoundland and Labrador’s Access to Information and Privacy Act;

7. Require government institutions to conduct privacy impact assessments (PIAs) for new or significantly amended programs and submit them to OPC prior to implementation;

8. Require government institutions to consult with OPC on draft legislation and regulations with privacy implications before they are tabled;

9. Provide OPC with an explicit public education and research mandate:  Add a provision to the Privacy Act explicitly conferring the Privacy Commissioner with a mandate to undertake public education and research activities in respect of public sector privacy issues;

10. Require an ongoing five year review of the Act;

Theme 3: Enhancing Transparency

11. Grant the Privacy Commissioner discretion to publicly report on government privacy issues when in the public interest: Amend section 64 of the Act to create an exemption from confidentiality requirements to allow the Privacy Commissioner to report publicly on government privacy issues where he considers it in the public interest to do so;

12. Expand the Commissioner’s ability to share information with counterparts domestically and internationally to facilitate enforcement collaboration;

13. Provide the Privacy Commissioner with discretion to discontinue or decline complaints in specified circumstances: Amend section 32 of the Act to grant the Commissioner with discretion to decline complaints or discontinue investigations on specified grounds, including when the complaint is frivolous, vexatious or made in bad faith;

14. Strengthen transparency reporting requirements for government institutions: Strengthen reporting requirements on broader privacy issues dealt with by federal organizations as well as specific transparency requirements for lawful access requests made by agencies involved in law enforcement;
 
15. Extend coverage of the Act: Amend the Act to extend coverage to all government institutions, including Ministers’ Offices and the Prime Minister’s Office, and extend rights of access to foreign nationals;

16. Limit exemptions to access to personal information requests under the Act: Exemptions to personal information access requests should be limited.  They should generally be injury-based and discretionary to maximize disclosure.

Introduction

Canadian society and its federal institutions have experienced profound technological advances since 1983 when the Privacy Act was first enacted by Parliament.  In accelerating fashion, especially with the explosive growth in the use of online services and communications over the past three decades, it is now much easier and cheaper for governments to collect and retain personal information about their citizens.  Massive volumes of digital records can be assembled, searched and shared in near real-time, at marginal cost.  Information sharing — both domestically and internationally — has increased dramatically as governments at all levels have sought to improve services, coordinate the movement of people and goods, investigate transnational crimes and gather intelligence in the interest of national security.

Back in 1983, these explosive technological developments were never considered, let alone anticipated.  The whole premise of the Act was to govern institutional holdings of paper records as they existed at the time. While technologically archaic now, the Privacy Act then was considered an exciting and progressive law.  It followed closely on the heels of the Canadian Charter of Rights and Freedoms and, together with the Access to Information Act (ATIA), heralded a new era of legal protections of Canadians.  Chief Justice McLachlin describes the then legal context as follows:

The Access to Information and Privacy Acts came into force together on Canada Day 1983, almost twenty-six years ago, not long after Canada adopted its Charter of Rights and Freedoms. It was a heady time for Canadian constitutional development. The country had just, after long travail and discussion, repatriated its constitution to make it truly independent and at the same time, enshrined in its constitution a powerful affirmation of rights. The capstone of this new constitutional edifice — less well known but nevertheless important — was the adoption of twin laws of quasi-constitutional status, aimed at protecting Canadians’ right to access to information and privacy.^{Footnote 1}

However, three decades have now passed — without modernization of the Privacy Act or the protections it offers.  Canada is a markedly different society now, and Canadians have very different expectations of their government.  Laws and jurisprudence around the world have evolved in recognition of the new social and technological world we live in.  We have seen second- and third-generation privacy laws passed at the provincial level and internationally since 1983 while the Privacy Act has stayed dormant throughout.  

Citizens of today have grown to expect greater transparency on the part of the governments they elect to represent them, and rightfully so.  They are increasingly concerned about what governments do with their personal information enabled by digital technologies — why do they need so much of it? What do they do with it? Who do they share it with? And why?  As engaged citizens who participate in a free and democratic society, they have every right to seek access to their personal information and challenge its accuracy as the basis on which daily decisions are made about their rights.

A commitment to transparency also means ensuring a well-informed public, one knowledgeable enough to be able to challenge the collection and sharing of their personal information, through open government practices tied to new technologies, programs and agreements for sharing. In addition, moves toward greater transparency need to be balanced against other legitimate limits — such as the value we place upon protection of privacy as both an individual right and a social good. 

In this context, as the Committee undertakes a review of both the Access to Information and the Privacy Act, long considered by the Supreme Court to be a “seamless code” of informational rights, we would recommend amendments to the Privacy Act around three main themes: 1) Technological Changes; 2) Legislative Modernization; and 3) Enhanced Transparency.

Technological Changes

1. Clarify requirements for information-sharing agreements

Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed under paragraph 8(2)(f) pursuant to an agreement or arrangement between the Government of Canada and a provincial government, foreign state or international organization for the purpose of administering or enforcing any law or carrying out a lawful investigation.  Paragraph 8(2)(a) allows for disclosures for a use consistent with the purpose for which the information was collected.  These may or may not involve sharing agreements and arrangements between institutions. However, in the experience of our Office, organizations have historically argued for a very broad and encompassing interpretation of what are consistent uses.

As it stands now, the Act does not require that the agreement or arrangement be in writing, or impose any duty on the disclosing institution to identify therein the precise purpose for which the data will be disclosed. There are no limits on subsequent uses or disclosures by partnering agencies within Canada or with foreign governments.  In contrast with other data protection laws both provincially and internationally, federal government institutions are not obliged to keep records or notify the Privacy Commissioner.  Prior review by the OPC can provide an important preventative check before sharing takes place.  Further, in terms of transparency, it is worth noting most of these agreements and arrangements are not made publicly available or indexed, effectively limiting oversight by either regulators or Parliament.

Consistent with these views, we recommend the Privacy Act be amended as follows:

• Amend paragraph 8(2)(a) to require that any sharing of personal information under the consistent use provision between institutions be subject to information-sharing agreements in writing;
• Amend paragraph 8(2)(f) to require that any sharing of personal information between the Government of Canada and the government of a province, territory or municipality, a foreign government or any institution or organisation be in writing;
• Require federal organizations developing written agreements pursuant to the Act to:
• Define the specific elements of personal information being shared;
• Define the specific purposes for the sharing;
• Limit secondary use and onward transfer, and;
• Outline other measures to be prescribed by regulations, such as specific safeguards, retention periods and accountability measures.
• Require government institutions to notify my Office of all new  or amended agreements to share personal information and that my Office be given explicit authority to review and comment;
• Allow for review of existing agreements on request by OPC to assess compliance, and;
• Require publication of the existence and nature of information-sharing agreements between departments or with other governments.

2. Create a legal obligation for government institutions to safeguard personal information

In the context of public sector institutions and the services they administer, individuals provide highly sensitive information with no effective choice on their part.  Tax filings, employment insurance reporting, passport and student loan applications — all these programs involve collection of large amounts of personal information.  Currently there is no explicit requirement under the Privacy Act for federal government institutions to safeguard personal information. 

While safeguards are not mentioned in the Act, Treasury Board Secretariat (TBS) policy does set requirements to protect federal government assets, including personal information.^{Footnote 2}  We assert it is now time to elevate these protections from the realm of administrative internal policy to the level of law.

Introducing explicit requirements for safeguards into the Privacy Act would ensure better protections for government information holdings.  In recent years, extensive privacy breaches have occurred across the federal public sector, and have affected hundreds of thousands of Canadians.  Subsequent audits and investigations by our Office have shown that current safeguards are insufficient.  We would also note the incongruity of imposing safeguards as a baseline legal obligation on private sector organizations but not on government institutions. 

We recommend incorporating safeguards requirements into the Privacy Act to bring the statutory obligations in line with other laws both domestically and internationally that require organizations to adopt physical, organizational and technical safeguards commensurate with the level of sensitivity of the data. 

3. Make breach reporting mandatory

Privacy breaches currently reported to our Office point to a lack of adequate safeguards.  While breach reporting is currently required through TBS policy instruments, not all government institutions report privacy breaches to the OPC.  Placing a specific legal obligation on federal government institutions to report “material” privacy breaches to our Office ensures that we have a better picture of the current scope of the problem, and that we are consulted in the process of responding to the breach and mitigating its impact on individuals.   

Mandatory privacy breach notification is a feature of many modern laws and was included as part of the revised Organization for Economic Development and Cooperation (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Privacy Guidelines) in 2013.  Given heightened awareness and concerns about identity theft and online snooping, these types of privacy breaches have become very important to Canadians and are deserving of our attention.  We would recommend that existing TBS policy on privacy breaches be made an explicit requirement in the Act.

Legislative modernization

4. Create an explicit necessity requirement for collection

Currently, section 4 of the Act reads “no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.” This has been interpreted by the OPC to mean that the collection of information must be necessary for the operating program or activity.  This interpretation is entirely consistent with the TBS Directive on Privacy Practices and laws around the world.

Yet this interpretation is not always applied by government. In a recent court submission, the Attorney General of Canada has explicitly rejected necessity as a standard for the collection of personal information under the Privacy Act. A literal interpretation of “relates directly” would allow a department to collect any information related to a program or activity, even if it was not truly required. Information that would merely be helpful would likely meet this literal interpretation, whereas provincial jurisprudence has found that a necessity test requires the information to be more than helpful, although not absolutely necessary.

In practice, the shift from paper-based to digital format records has actually led to a dynamic of over-collection.  In recent years, our Office has reported upon this trend in connection with numerous programs.  It would be more in keeping with the quasi-constitutional status of the Act if personal information collection by government was explicitly limited to those elements demonstrably necessary for operation of a program or activity.  Almost all of the Provinces and Territories have set necessity as a threshold as have many OECD countries, including the United States. The explicit legal standard for collection in the Act should be elevated to reflect modern reality and expectations. We therefore recommend that section 4 be amended to explicitly require that the collection of information be necessary for the operating program or activity.

Recognizing that the judicial interpretation of “necessary” has not been entirely consistent internationally and in the interest of greater clarity and certainty of outcome in the application of the Privacy Act, we recommend that necessity be defined in the Act itself.  In doing so, the Committee should consider the four factors reflected in the OPC's Privacy Impact Assessment "Expectations" document that was inspired by the Supreme Court of Canada's (SCC) seminal decision in R v. Oakes [1986] 1 S.C.R. 103. Thus, personal information would be collected under the necessity test if: the information is rationally connected and demonstrably necessary to an operating program or activity; the information is likely to be effective in meeting the objectives of the program or activity; there are no other less privacy-invasive way to effectively achieve the objectives of the program or activity; and the loss of privacy is proportional to the importance of the objectives of the program or activity.

5. Expand judicial recourse and remedies under section 41 of the Act

Currently there is little court redress for a violation of the majority of rights enshrined in the Act. Every right needs a remedy in order to have meaning.  This is especially so with respect to a fundamental right such as privacy.  We therefore recommend that section 41 of the Act be broadened to allow complainants, or the Privacy Commissioner, to apply for review by the Federal Court concerning all matters that may be the subject of a complaint, including collection, use and disclosure matters.  We further recommend that the Court be able to award a full array of remedies including damages as currently exists under the Personal Information Protection and Electronic Documents Act (PIPEDA).

6. Improve the ombudsman model for the investigation of complaints

Currently, the Privacy Commissioner can only make non-binding recommendations and has no power to make orders.  Though the Commissioner can investigate complaints concerning the full array of rights and protections under the Privacy Act - and make recommendations to the government - he cannot compel the department to take or cease any action.  While most institutions eventually agree to the OPC’s recommendations, there can be lengthy delays in reaching a satisfactory conclusion.  This is inconsistent with the objective of the ombudsman model, which is to provide a quick and low-cost recourse to ensure that the privacy rights of individuals are respected.

As the Committee examines this issue, it is important to acknowledge that there are various alternatives for improving the system of recourse and redress in question.  At present, the Information and Privacy Commissioners of Alberta, British Columbia, Ontario, Prince Edward Island and Quebec have order-making powers under their legislation.  Eight provinces and territories do not. On this question, the Province of Newfoundland and Labrador has recently examined the issue in depth and has proposed a hybrid model, which we believe would best advance the purposes of the Privacy Act.^{Footnote 3} 

In 2005, former SCC Justice La Forest provided a report (as a Special Advisor to the Minister of Justice) entitled The Offices of the Information and Privacy Commissioners: The Merger and Related Issues in which he stated:

There is a danger that a quasi-judicial, order making-model could become too formalized, resulting in a process that is nearly as expensive and time-consuming as court proceedings. It is also arguable that the absence of an order-making power allows the conventional ombudsman to adopt a stronger posture in relation to government than a quasi-judicial decision-maker. There is also some virtue in having contentious access and privacy issues settled by the courts, where proceedings are generally open to the public. The ability of both the commissioners and complainants to resort to the courts may well be seen to be a sufficient sanction for non-compliance, particularly in relation to some of the more sensitive issues arising at the federal level.^{Footnote 4}

In Newfoundland and Labrador, within 10 days after receipt of the Commissioner’s recommendations, public bodies must either decide to comply or apply to court for a declaration that they do not need to take the recommended action. Shifting the onus on public bodies to justify non-compliance with recommendations, as well as the shorter timelines imposed during the access request and complaint investigation stage, creates an incentive for them to respond to complaints in a more timely and comprehensive manner, while maintaining the advantages of the ombudsman model.

It may be that the risks of an order-making model mentioned by Justice La Forest can be mitigated through various procedures, such as separating the adjudicative and promotional functions within the OPC, but these solutions may bring other disadvantages. We will be researching and analyzing these issues in the weeks ahead as the Committee continues its review of the Act. However, at this time, we believe that the hybrid model - along with our previous recommendation to strengthen judicial recourse - would both address the issue of delays faced under the current process and ultimately improve respect for the privacy rights of all Canadians. Moving to an order-making model may not be necessary, nor the most prudent course of action.

7. Require government institutions to conduct privacy impact assessments (PIAs) for new or significantly amended programs and submit them to OPC prior to implementation

Existing TBS Directive requires institutions planning on undertaking projects which involve personal information to conduct a Privacy Impact Assessment and submit a copy to our Office.  We have found, and institutions have told us, that this process is invaluable in identifying and mitigating privacy risks prior to project implementation.  However, application of this policy requirement does not have force of law.  As a result, the practice, quality and timeliness of PIA’s have been very uneven across institutions.  Some departments even take the view that they are not required to do so at all.

In jurisdictions such as Hong Kong, Australia and New Zealand, PIAs must be conducted for any government activity that involves sensitive information such as communications data or biometric information.  The new European Union (EU) General Data Protection Regulation puts in place a requirement for a specific data protection assessment to be conducted.^{Footnote 5}  Similarly, the provinces of Alberta, New Brunswick, Newfoundland, Nova Scotia and the Northwest Territories requires by law privacy impact assessments before establishing new public health information systems.  We recommend that this obligation be enshrined in law in order to ensure that all departments be compelled to identify and mitigate privacy risks of their activities. Consistent with the preventative object of this obligation, assessments would generally be done prior to the adoption of new or substantially modified programs, in all but exceptional cases.  

8. Require government institutions to consult with OPC on draft legislation and regulations with privacy implications before they are tabled

Several provincial and international laws now set out an explicit requirement for government institutions to consult their data protection authority as they prepare new legislation. In Newfoundland, the Access to Information and Protection of Privacy Act states that a Minister shall consult with the Commissioner on a proposed bill that could have implications for access to information or protection of privacy, as soon as possible before, and not later than, the date on which notice to introduce the bill in the House of Assembly is given.  The Commissioner must advise the Minister as to whether the proposed bill has implications for access to information or protection of privacy, and can comment publically on a draft bill any time after it has been made public. 

The new EU General Data Protection Regulation require that “Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament or of a regulatory measure based on such a legislative measure, which relates to the processing of personal data” (Article 34, Recital 7).  In that vein, given developing expectations at both the sub-national and international level in data protection, we would recommend that the OPC receive advance notice and be consulted on of any proposed legislation or regulation which may have privacy implications prior to tabling. 

9. Provide OPC with an explicit public education and research mandate

The Commissioner’s authority to undertake public education and research under the Privacy Act is undefined.   As a consequence, the Office lacks an explicit legislative authority to work proactively on outreach and education efforts tied to public sector issues.  This is in comparison to PIPEDA where we have done extensive work for over a decade.  We believe the OPC should be equally empowered under both laws in tandem with our responsibilities over both the government and commercial sectors. This would allow the OPC to conduct and commission research, for example, as well as allowing us to undertake important case study work and lessons learned from our investigations.

Specifically, we would recommend to the Committee that the Commissioner be given express authority under the Privacy Act to conduct, on his own initiative, research and studies on issues of public importance.  Likewise, the Privacy Act should expressly authorise the Commissioner to engage in public education and awareness activities.  This would align his mandate with respect to research and education with his current mandate under PIPEDA and otherwise advance the purposes of the Privacy Act.

10. Require an ongoing five year review of the Act

While a statutory review of the Privacy Act took place in 1987 in accordance with the requirement for a one-time review, the recommendations by Parliament in the report Open and Shut were never enacted.^{Footnote 6}  The next major study of the Act took place in 2008-2009 when the Access to Information, Privacy and Ethics Committee conducted a review of the Act.  Again, the recommendations of that report did not produce legislative amendments. 

New technical, policy and legislative developments can greatly impact privacy issues.  Currently, there is no requirement to periodically review the Privacy Act to ensure the law remains current and relevant to modern realities and challenges.  Ongoing efforts to harmonize data protection laws wherever possible ensure a consistent privacy regime across Canada.  Regular review also affords Parliament the occasion to examine practices and regulatory developments occurring internationally.  Committing government officials to a regular review of the legislation would greatly assist in that regard, as developments at various levels of government and internationally could be more easily taken into account.  Therefore, we would recommend that the Privacy Act be amended to require a mandatory Parliamentary review every five years.  

Enhancing transparency

11. Grant the Privacy Commissioner discretion to publicly report on government privacy issues when in the public interest

Sections 63 through 65 of the Act currently impose strict confidentiality obligations prohibiting the Commissioner from publicly disclosing information related to investigations and reviews, other than in our annual or special reports to Parliament. We recognize that these confidentiality provisions are important to facilitate our role as an ombudsman and to encourage parties to be more open in their representations to our office. However, there are some cases where it would be in the public interest for the Commissioner to make his findings public.

While we recognize that the confidentiality provisions in the Act are reasonable in most cases, there should be some allowance made for limited exceptions, on grounds of public interest, as in PIPEDA.  The primary goal of this discretion should be to inform parliamentary debate and public discussions in a timely way. In the past, the OPC has been hampered in its ability to raise awareness, due to the existing confidentiality constraints in the Privacy Act.  A provision for discretion to disclose in the public interest - while respecting legitimate access exemptions -would allow for more timely and relevant disclosure rather than having to wait until the end of the reporting year when the information may have become moot, stale or largely irrelevant. 

We would recommend that section 64 be amended to create an exemption from confidentiality requirements to provide the Privacy Commissioner with the discretionary authority to report proactively on government privacy issues where he considers it in the public interest to do so. 

12. Expand the Commissioner’s ability to share information with counterparts domestically and internationally to facilitate enforcement collaboration

The OPC was recently given this authority in connection with investigations and public education work under our PIPEDA mandate.  Our enforcement actions abroad have become much more timely and effective owing to this new ability to work cooperatively with other authorities.  We have also asked that Parliament consider our ability to exchange information with other review bodies in the context of relevant national security matters — as this would enhance oversight which is of significant concern to Canadians.

In this vein, we recommend expanding the ability of the OPC to collaborate with other data protection authorities and review bodies on audits and investigations of shared concern in connection with Privacy Act issues. 

13. Provide the Privacy Commissioner with discretion to discontinue or decline complaints in specified circumstances

Currently, the Commissioner does not have the power or authority to refuse or discontinue complaints. Subsection 29(1) of the Act requires the Privacy Commissioner to investigate every complaint received. In recent years, an increasing number of frivolous and vexatious complaints are lodged with our Office, which we have no choice but to investigate under the Act as it stands.  The Privacy Act is now incongruous with PIPEDA as well as several provincial laws (e.g. Alberta) that have given their Information and Privacy Commissioners discretion to refuse to investigate or conduct an inquiry on legitimate grounds. 

In February 2012, the Canadian Bar Association passed a National Resolution calling for the Privacy Act to be similarly amended, recognizing this as an important access to justice issue. Also as a public sector organization with a broad mandate, we would like to be able to manage our caseload more strategically. 

In a context of finite resources, and where Canadians deserve efficient and effective oversight that is seized with issues of systemic interest and of the greatest significance to them, we recommend amending section 32 of the Act to permit the Commissioner to exercise discretion in discontinuing or refusing complaints on specific grounds, including where a complaint is frivolous, vexatious or made in bad faith. 

14. Strengthen transparency reporting requirements for government institutions

At present, government departments publish annual reports pursuant to section 72 of the Privacy Act, and typically provide an account on the sorts of personal information they collect, release under request, or withhold under certain exemptions. 

Unfortunately, for the lay reader, these annual transparency measures typically comprise an elaborate collage of statistics on the number of personal information requests received and processed in a year — with little or no explanation what the figures mean.  Past OPC reviews of these reports have highlighted they lack a descriptive element to render them accessible to Parliament, to our Office or to Canadians. We have argued that in order for these reports to be meaningful and useful to the public, they need to be rendered intelligible.

On the more specific issue of transparency reporting in the context of law enforcement, our Office has recently called upon federal organizations to be open about the number, frequency and type of lawful access requests they make to internet service providers and other private sector organizations entrusted with customer communications data.  The public, Parliamentarians and the privacy community in Canada have been advocating for more openness on this front for several years.  While some progress has been made on this issue in the commercial sector in Canada — we have noted that government institutions too need to step up as a model and demonstrate a commitment to accountability and transparency. 

To this end, we would recommend strengthening reporting requirements on broader privacy issues dealt with by federal organizations as well as specific transparency requirements for lawful access requests made by agencies involved in law enforcement. 

15. Extend coverage of the Act

Providing for a core right of access to ensure the basic accuracy of one’s own personal information held by government was a primary policy rationale in drafting the federal Privacy Act in the early 1980s.  Currently the Privacy Act applies exclusively to those government institutions listed in Schedule 1 of the Act or those added in the definitions section (e.g. Crown corporations).

We believe, as a matter of principle, individuals should be able to access their personal information and challenge its accuracy regardless of where it is within government.  To that end, we recommend in the course of this review that the Committee consider extending application of the Act to all federal government institutions, including Ministers’ offices and the Prime Minister’s Office.  Extending coverage of the Privacy Act  in that way would be consistent with one of the fundamental purposes for which Agents of Parliament were created: as a window into the activities for the executive branch of government.

Furthermore, the Act currently only affords access rights to Canadian citizens, permanent residents or persons physically present in Canada. Federal government departments hold vast amounts of personal information about non-citizens, owing both to global travel, migration and commercial activities.  Foreign nationals, such as those seeking to immigrate to Canada, who want access to their personal information, often have to do so by having an agent make an Access to Information Act request, and consenting to the release of their personal information.  As noted by the Information Commissioner in her Special Report to Parliament on the issue,

Among the provinces and territories, Commonwealth countries, the U.S., in model laws, and those jurisdictions with access legislation ranked in the top 10 on the Global Right to Information Rating, only Canada, New Zealand and India limit who may have access to government information. All of the other jurisdictions reviewed provide a universal right of access and none have indicated that the universal right has resulted in an unmanageable amount of requests.^{Footnote 7}

From a policy perspective, we recommend this gap be remedied so individuals can obtain their personal information directly via the Privacy Act.

16. Limit exemptions to access to personal information requests under the Act

We favour maximizing disclosure where an individual seeks access to their personal information. This involves limiting exemptions to access to personal information requests, severing protected information wherever possible, and ensuring such exemptions are generally injury-based and discretionary, where appropriate.

However, we do not recommend that the exemption from access concerning the personal information about another individual be narrowed as the Information Commissioner has suggested. The exemption currently applies to all personal information regardless of whether disclosure would constitute an unjustified invasion of privacy. This protects the privacy rights of third party individuals, in keeping with Canadian jurisprudence that has stressed the importance of privacy, even over access.^{Footnote 8}  Moreover, the Privacy Act already permits the disclosure of personal information where, in the opinion of the head of the institution, the public interest clearly outweighs any invasion of privacy. This public interest override strikes the right balance between privacy and access.

Parliament drafted the Privacy Act and the Access to Information Act together, as twin statues, and intended their provisions to be read together as a ‘seamless code’. This has been confirmed by the Supreme Court of Canada. As such, we recommend maintaining the current exemption for personal information, with the Access to Information Act incorporating the Privacy Act’s definition by reference.

Conclusion

When the Privacy Act came into force in 1983, it was a progressive and comprehensive data protection statute.  At that time, Canada was a leader in privacy law as the provisions set out an administrative framework and legal obligations across the federal government.  Technology in the intervening years has clearly been a shaping force in our society — with the net result that our Privacy Act appears increasingly antiquated.   Domestic and international privacy laws have moved the yardstick considerably since 1983.

Without renewal, the protections of the Act are proving to be increasingly out of touch with Canadians and their engagement with a digital world.  Government operates in a radically transformed environment when compared with 1983.  Canadians have come to expect more openness and transparency about how their personal information will be used by government, with whom it will be shared, and how it will be protected. 

Canadians deserve the benefit of protections and privacy rights that reflect current thinking and experience — both within Canada as well as internationally.  We hope this submission will help inform the Committee’s review and that this will prove to be a first step in bringing public-sector privacy protections in Canada up to global standards that citizens expect.