Letter to the Standing Committee on Access to Information, Privacy and Ethics on study of RCMP use of spyware

August 22, 2022

BY EMAIL

Mr. Pat Kelly, M.P.
Chair
Standing Committee on Access to Information, Privacy and Ethics
House of Commons
Sixth Floor, 131 Queen Street
Ottawa, Ontario, K1A 0A6

Dear Mr. Chair:

Subject: Follow-up to Appearance on ETHI study of RCMP use of device investigation tools

I am writing further to my appearance before the Standing Committee on Access to Information, Privacy and Ethics on August 8, 2022, in order to provide the Committee with some additional information, as requested.

I was asked to elaborate on two issues:

1. my Office’s capacity to assess new and emerging technologies, and
2. my recommendations for legislative change with respect to the provision of Privacy Impact Assessments.

With respect to the first issue, in response to the growing intersections of privacy and technology, in 2011 my Office established an in-house Technology Analysis Directorate, specifically dedicated to the analysis of technology, with a mandate to:

• Identify and analyze technological trends and developments in electronic platforms and digital media;
• Conduct research to assess the impact of technology on the protection of personal information in the digital world; and
• Provide strategic analysis and guidance on complex, varied and sensitive technological issues involving government and commercial systems that store personal information.

The Directorate is staffed by highly skilled information technology research analysts with capabilities and expertise in different areas of technology, including reverse engineering and digital forensics, malware analysis, artificial intelligence and machine learning, dark web research and monitoring, among others.

To further support its work, the Directorate is also equipped with an on-site technology analysis lab with advanced IT infrastructure and state-of-the-art tools, which is housed within a secure room and provides secure computing facilities separate from my Office’s corporate network, to enable us to conduct hands-on testing and analysis of malware, hardware components, mobile applications, Internet of Things devices and digital forensic analysis of new and emerging technologies. The Directorate would be pleased to provide members of the Committee with a tour of the lab to demonstrate its capabilities.

On the question of legislative change, I would recommend that the obligation for government institutions to conduct timely privacy impact assessments and submit them to my office be codified in the Privacy Act with clear and binding statutory provisions to that effect. In this way, not only would government institutions benefit from our privacy expertise, but Canadians would be reassured that privacy risks are being appropriately identified and adequately mitigated. I would further recommend a modernized Privacy Act require that my Office be informed of programs or activities that have an impact on privacy prior to roll-out, so that we could proactively engage with institutions where we identify potential privacy risks.

I would also bring to the Committee’s attention the consultation paper prepared by the Department of Justice in November 2020, and my Office’s comments and recommendations with respect to this consultation.^{Footnote 1} Lastly, and as you know, this Committee conducted a study on the modernization of the Privacy Act and made important recommendations, one of which dealt with the mandatory preparation of Privacy Impact Assessments.

I hope that this information is of assistance to the Committee and I look forward to reviewing the Committee’s report. Please do not hesitate to contact me should you have any questions or require further information.

Sincerely,