Annual Report to Parliament 1996-1997
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
The Privacy Commissioner of Canada
112 Kent Street
(613) 995-2410, 1-800-267-0441
Fax (613) 947-6850
TDD (613) 992-9190
Canada Communications Group
Cat. No. IP 30-1/1997
This publication is available on audio cassette, computer diskette and on the Office's Internet home page at http://infoweb.magi.com/~privcan/
Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada
The Honourable Gildas L. Molgat
Dear Mr. Molgat:
I have the honour to submit to Parliament my annual report which covers the period from April 1, 1996 to March 31, 1997.
(Original signed by)
Privacy Commissioner of Canada
Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada
The Honourable Gilbert Parent
The House of Commons
Dear Mr. Parent:
I have the honour to submit to Parliament my annual report which covers the period from April 1, 1996 to March 31, 1997.
(Original signed by)
Privacy Commissioner of Canada
The Year at a Glance
- Appearance before House of Commons Transport Committee on Bill C-20, privatization of Air Navigation System (page 33)
- Canada Post photocopying competing courier mail (page 45)
- Commissioner responds to Solicitor General's DNA databanking paper (page 24)
- Canadian Privacy Commissioners meeting, Victoria, B.C.
- Health Canada files found in Winnipeg dumpster (page 46)
- Information Highway Advisory Council report calls for framework privacy legislation by the year 2000
- CDMA endorses government plan for private sector law
- Census Day
- House of Commons Committee on Human Rights and Status of Persons with Disabilities Roundtable on privacy and new technologies (page 29)
- Appearance before Senate Committee on Transportation & Communications on privatization of Air Navigation System
- Cabinet orders local telephone companies to make customer databases available to competing directory publishers (page 37)
- Appearance before House of Commons Justice and Legal Affairs Committee on operations
- Pilot match begins of all returning air travellers' customs declarations with employment insurance database (page 7)
- CRTC licences first Personal Communications Systems (page 38)
- Uniform Law Advisory Group on Protection of Personal Information considers comprehensive data protection law
- Federal Court rules against access to Canada Labour Relations Board members' notes (page 40)
- Justice Minister commits Canada to private sector privacy law at 18th International Privacy and Data Protection Commissioners Conference, Ottawa (page 76)
- Appearance before House of Commons Finance Committee on review of financial institutions White Paper
- Ontario Human Rights Board of Inquiry rules major corporation's substance testing program unlawful
- Appearance before Standing Committee on Procedure and House Affairs on permanent voters list (page 19)
- First complaints against Customs-HRDC match
- Tax audit documents found in cabinet bought at government surplus store (page 44)
- Appearance before Select Committee on Law Amendments, New Brunswick Legislature on proposed privacy bill
- Canada Post debiting credit cards for unordered merchandise (page 45)
- CRTC announces hearings on costs of unlisted phone numbers (page 38)
- HRDC asks Office to review Labour Market Initiatives with Indian Bands
- Appearance before Special Joint Committee on a Code of Conduct for MPs
- National Forum on Health final report calls for national health information database (see page 14)
- Appearance before Sub-committee on Firearms Act regulations (page 21)
- Human Rights Committee holds cross-country hearings on privacy and technology
- Reported to Transport Canada on Air Navigation System files (page 49)
On the One Hand...
Paradox. (n.) person or thing having contradictory qualities.
- The Oxford Dictionary.
The 'thing' in this case is the Government of Canada. Paradox perfectly describes the contradictory and confusing behaviour demonstrated in the last year in the field of privacy rights. Some of the most hopeful and encouraging developments in a decade have run parallel with some of the most disturbing and dangerous.
We have seen both a growing recognition of the pressing need for stronger and more comprehensive laws to protect Canadians' privacy rights - and we have witnessed actions which threaten to make a shambles of those rights. Which will triumph?
On the positive side, nothing equals in importance Justice Minister Allan Rock's pledge that, by the year 2000, there will be federal law to provide "effective, enforceable protection of privacy rights in the private sector". The government recognizes that technology has made it all but impossible to maintain effective privacy protection without covering both the public and privates sectors.
This Office has long advocated such a step. And it has the endorsement of the government's own Information Highway Advisory Council, the Canadian Direct Marketing Association, the Information and Privacy Commissioners of Quebec, Ontario and British Columbia, to mention only a few. Let us hope that some vestiges of our privacy remain to be protected by the millennium.
Similarly overlooked was a landmark study by the House of Commons Standing Committee on Human Rights chaired by the Hon. Sheila Finestone. This committee devoted the better part of a year to the study of privacy rights and new technologies, visiting several cities and hearing from scores of witnesses representing every shade of opinion.
In April, as the House was rising for the election, the committee released its report, Privacy: Where do we Draw the Line? The report is nothing less than breathtaking both in its scope and depth. What distinguishes it from earlier reports is its recognition of privacy's fundamental value to Canadian society and not a "token to be bartered for social and economic benefits". One committee member describes privacy as an "associative" right 'one that is essential to free association, free speech, and to our very autonomy. The report offers a guide for grappling with one social and ethical impact of the new technologies.
Mr. Rock could do no better than to merge this committee's work with that of the Information Highway Advisory Council (which focuses on the consumer and business case for privacy on-line) and the Canadian Standards Association's model privacy code as the outline for his promised new privacy law.
The document deserves far more than the scant public attention it received. As the movie critics say, Two Thumbs Up!
Another important Parliamentary development was the Commons' unanimous endorsement of a private member's motion (Mr. Paul Crête, Kamouraska, Rivière-du-Loup) to extend the existing Privacy Act to cover all Crown corporations, a step advocated both by this Office on more than one occasion, and by the Commons Justice Committee in its 1987 review of the Privacy Act. Here was a clear expression by all parties in the House which, although not law, is both a strong direction to the government and clear indication of Members' growing awareness of the rising public concern over privacy intrusions.
The government also has responded at last to our repeated pleas to stop the erosion of privacy rights as it prunes its bottom line. Transforming government operations into an array of not-for-profit bodies, commercialized monopolies and competitive companies was depriving their clients and employees of legally established privacy rights.
After some hesitation, during which air traffic control operations were transferred to a private company (NAV CANADA) absent those rights, a new policy is promised which will continue Privacy Act protection for newly privatized agencies. We applaud the promise and anticipate its arrival.
Finally, we welcome the growing practice among government departments to seek our comment and advice on specific proposals or plans which have privacy implications. Our last report drew attention to a successful collaboration with the Chief Electoral Officer to ensure protection and respect for Canadians' privacy rights in the new permanent electronic voters register.
Other major information users too, Statistics Canada and Human Resources Development Canada (HRDC) among them, have sought our input in major undertakings. HRDC, in particular, is examining several projects, one of which-a the common client identifier akin to a universal identification number - literally bristles with privacy implications. Some of these proposals represent a major test of the theory that technology and privacy can co-exist. We will follow them with care and concern.
Government departments are not obliged to consult the Privacy Commissioner. But it is hard to conceive of a more useful application of staff expertise and insights than helping government departments achieve their policy and management objectives in ways that respect the rights of Canadians. Mrs. Finestone's committee recognized the value of this consultative function and recommended making it part of the Office's official mandate.
If the tale could end here, the year would have been one marked by steady progress. But life seldom proceeds so smoothly.
…On the Other
Attention now turns to a practice which poses a deadly threat to privacy and to its corollary - autonomy and personal freedom. It has led us into a head-on collision with two great departments of government, HRDC and Revenue Canada, precipitating a legal challenge which may ultimately determine whether privacy is a fundamental value of this society or merely an irritant quickly to be consigned to the scrap heap of unfulfilled good intentions when the going gets tough.
That issue is data matching, an innocent-sounding activity with the capacity to demolish any real right to privacy and certainly to destroy the basis of trust which must exist between citizens who provide, and governments which collect, personal information.
Given the intense pressure on government departments to be leaner (and, if necessary, meaner) coupled with the alluring ease of tracking citizens with computers, a confrontation was probably inevitable.
At issue is HRDC's practice of collecting data from the Customs declarations of every returning air traveller to identify employment insurance claimants who were out of the country while receiving benefits. EI claimants must report any extended absence from their normal residence for the good reason that they are expected to be looking, and available, for work. HRDC officials (and many taxpayers) have long been troubled by anecdotal evidence - approaching an urban legend - that many claimants were enjoying holidays at taxpayers' expense. The department's administration and enforcement methods were allegedly proving ineffective.
HRDC conceived the notion of matching the EI data base with that of returning travellers customs declarations. The match would quickly show whether any of those millions were receiving employment insurance payments. It would then be a simple matter to find whether they had reported their absences.
Doubtless such a match will catch some who may be cheating EI. But the price it exacts is far too high. It systematically searches millions of innocent travellers, without their knowledge or consent, who filed customs returns on the assumption - and on Revenue Canada's word - that they would be used for customs purposes only.
The match offends the most fundamental principle of any privacy law; that government tell its citizens why it is collecting personal information, then use it only for that-and not a wholly unrelated-purpose (unless the individual consents). The reason for the principle is clear: to prevent the government from conducting unwarranted surveillance on its citizens by prowling through its immense personal databanks on what amounts to nothing more than high-tech fishing expeditions.
Let us try a pre-computer age analogy. Assume there are some criminals at large in your community. Assume that the police therefore embark on a search of every single household, without warrant, without notice, without permission, and without any cause to suspect any particular household. The police just show up, barge through the door, and look around. How long would any community accept such arbitrary behaviour ?
Yet, in an information context, that is precisely what data matching makes possible - a systematic search of everyone. Governments which match data this way have turned the presumption of innocence on its head; everyone is suspect until the computer proves them innocent. It is akin to what an earlier privacy commissioner described as "high technology search and seizure". If we allow government to carry on in this fashion, they will routinely scrutinize every record of every citizen until they unearth some evidence of guilt.
A privacy commissioner cannot accept a data search that ignores the presumption of innocence, the need to identify some reasonable grounds for suspicion, and the absence of independent authorization. If such matches become standard practice, we face virtually open season on any personal information we entrust, or are forced to deliver, to government.
Unable to convince bureaucrats, or their ministers, to modify the match, we sought legal advice from one of Canada's leading constitutional experts. His advice buttressed our position that the data match violates the search and seizure provisions of the Canadian Charter of Rights and Freedoms. We are currently exploring with the government the most expeditious manner of getting the matter before the Courts for resolution.
No more crucial issue has arisen in my six years in this Office. I have no more interest in protecting UI cheats from detection than the next taxpayer. I have every interest in preventing government from putting millions of law-abiding Canadians under "dataveillance". As a people and a society, we enjoy Charter protection against having to prove our innocence. One's Charter rights should not be compromised simply because technology makes it possible.
The premise of this match is boundless - once entrenched, we are on the slippery slope to a general surveillance system in which personal data from all levels of government are routinely shared and matched.
A recent letter from Mr. Whyte of Toronto, argues that the practice "opens the door to abuse of information power of government" and urges citizens to resist. While this match may seem "reasonable and popular", he argues that it could establish a precedent for government to use customs information "to determine which citizens have travelled to a country whose policies they may oppose, whose trade they may wish to restrict, or for any other purpose.... Travel information is routinely used by autocratic regimes to restrict and control their citizens. We must not allow this precedent to be established in Canada. This match must be resisted as a routine protection of our liberty. I urge you to stop this misuse of customs information."
The Information "Panopticon"
In effect, such a match is an electronic version of late 18th century philosopher Jeremy Bentham's Panopticon. Bentham proposed a design for a prison which would allow guards to observe prisoners from a central tower from which they could see out but no-one could see in. The tower might, or might not, be occupied but the effect of his design was to create "a state of conscious and permanent visibility that assures the automatic functioning of power". Effective but chilling.
Technology now furnishes government with the power to create an information Panopticon. Why should it not seize the advantage? Perhaps we would all behave impeccably-or, at least, differently-if we thought someone might observe our every transaction. There is no underestimating the power of fear and embarrassment for social control-hence the loss of our autonomy. But we must not concede to the bureaucrats that our society is so manifestly corrupt that we must subordinate our rights of individual autonomy and privacy to their interests in efficiency.
Well, you say, I have nothing to hide so what does it matter? Sometimes an individual's right has to give way to the interests of society as a whole.
Perhaps that is where we are losing our way. It's time to consider the damage that the unfettered exercise of power can inflict on our society. By concentrating on privacy as an individual right, we then are forced to play the game of "this right trumps that one-my right as a taxpayer not to be ripped off trumps your right not to be under surveillance".
It may be time to consider the view, espoused by Priscilla Regan in her book Legislating Privacy, that considering privacy as an individual right does not serve a strong basis on which to develop public policy. We should consider privacy's social importance; its inherent place as a bedrock value in a democratic society and understand how it influences our relationships with one another, with social, political and economic organizations, and what powers we are prepared to grant these organizations.
Protecting our privacy is not simply a matter of debating the value of an individual's self-interest versus a competing interest. Privacy also serves a common, public and collective interest. The value strengthens our society by reinforcing our sense of connection through mutual respect.
Whatever we do to protect privacy, we must recognize the import of the value and the consequences to our liberty if we are lazy enough - and short-sighted enough - to consider it an administrative nuisance that gets in the way of efficiency and the bottom line. This is the path to the Surveillance Society. I urge the government not to take it.
Nothing to Hide-and Nothing to Prove
Characterizing the options governments are now considering as the path to a surveillance society is far from overstatement. Granted Canadians view governments generally as benign - part of our fortunate heritage. Geography and climate require our governments to have a social conscience, reflected in our social safety net. But funding and benefitting from that safety net do not mean abdicating our civic responsibilities, one of which is to ensure that we do not sacrifice individual choice and personal liberty at the altar of efficient government.
Governments now have the means for tracking virtually all their residents' contacts with the state, assembling comprehensive data bases from that data and sharing it widely. And with the means come the pressures-downsize, rationalize and deliver service more efficiently. Some of this information collection is a legitimate activity of a government program-a "consistent use" of the data. Some, we find disturbing. And one, we argue-matching returning travellers customs declarations with the employment insurance database-is so broad as to be an unreasonable search and seizure under the Charter.
This year's report examines just a handful of the past year's developments: the Revenue Canada Customs/Employment Insurance match, proposals for a single cards, single numbers and comprehensive personal social program data to be shared among governments, a national electronic health database, and several population registries; the permanent voters list, the firearms registry and the DNA databank.
And there is also a hopeful note-the comprehensive and forceful report by the Parliamentary human rights committee on dealing with the impact of new technologies on privacy.
The Customs - Employment Insurance Data Match
Data matching links personal data from a variety of unrelated sources, virtually always in electronic form, to make administrative decisions about those using government programs and services. Since matching is an indirect-and usually invisible collection of data, the government has established a process to control the practice.
One of the steps is providing the Privacy Commissioner with a "preliminary feasibility study" 60 days before the match is to begin. This allows the Commissioner, as an Officer of Parliament, to act as an advocate for the individuals whose records are to be matched. The Office reviews the proposal and makes any recommendations to the head of the department who is free to accept or ignore the comments. The Commissioner has no power to stop or alter the match.
This lack of power has caused little difficulty until now; departments have been sensitive to the issue and generally accepted the Office's recommendations. But the times, they are a-changing. The advent of bottom-line management has prompted a get-tough attitude in departments which provide substantial benefit payments. All to the good, most taxpayers would say. Not so good, we say, when a match is so broad it risks more than offending the Privacy Act; it threatens fundamental rights. Such a case, we argue, is the match of travellers' Customs declarations with employment insurance benefit files.
The practice at issue in this case is Human Resources Development Canada's (HRDC) match of data from Revenue Canada's Travellers Declaration Card, or Form E311, with records of Employment Insurance claimants to determine whether they had been out of the country while drawing benefits.
The Customs declaration All travellers entering Canada by common carriers (air, train and bus) must complete the card and give it to the customs and immigration official at the entry point. Travellers supply their name, address, date of birth, the airline and flight number, whether arriving from the U.S. or elsewhere, the last three countries visited on the trip, whether the travel was business or personal, the type of goods they are bringing into Canada, whether they will visit a farm in the next 14 days, the date of departure from Canada, the date of return, the value of the goods they purchased and the personal exemption claimed. A customs stamp identifies the airport.
Both departments approached the Office informally in June 1995 to discuss the proposed match. Given that the evidence of abuse was largely anecdotal, privacy staff asked the departments to provide some factual substantiation for the match, including a cost-benefit analysis.
There are four phases to the match: a feasibility study to gather data for a cost benefit analysis, a reprocessing of the feasibility study, a proposed six-month pilot project and, finally, a projected full implementation in late 1997.
The feasibility study In order to gather the data for a formal matching proposal, Revenue Canada and HRDC signed an agreement in June 1995 in which Revenue Canada would disclose traveller information to HRDC in order to conduct a feasibility study to detect potentially fraudulent EI claims.
The agreement provided for the disclosure of traveller cards to begin July 4, 1995. Revenue Canada would gather a sampling of traveller cards from nine airports for the months of June, September and November 1994 and February and March 1995. HRDC agreed not to take any enforcement measures against individuals identified through the matching process.
Since Revenue Canada stores traveller declarations on microfiche, HRDC agreed to pay staff, working on site at Revenue Canada, to convert the information from the 16,861 samples into electronic format and load it onto diskettes. The data included name, date of birth, postal code, periods of travel and the microfiche roll and frame numbers on which the E311 is stored.
The electronic match identified 257 individuals who were out of the country while receiving EI benefits, or 1.5 per cent of the sample. HRDC returned the diskettes to Revenue Canada and obtained a photocopy of the E311 cards of the 257 individuals identified to validate the results of the match.
The data matching proposal HRDC analyzed the results of the feasibility study and submitted a formal data matching proposal to the Office in January 1996. In a meeting to discuss the proposed pilot project, Privacy staff underlined the Office's concern about using retroactive data, the lack of notice to travellers about the unrelated use of Customs data during the pilot project, and the lack of a written agreement to cover the terms of the exchange. It was understood that all would be taken care of before the project was implemented. HRDC completed its data matching proposal at the end of February and the Office notified the department on March 19, 1996 that it would not object to its conducting the pilot project.
HRDC obtained again from Revenue Canada the data it had used during the feasibility study and simply reprocessed it to firm up the figures. In early July 1996, HRDC gave copies of each matched individual's EI claim record and E311 to the claimant's regional insurance representative. The regional office forwarded the information to the appropriate CEC which wrote to each claimant seeking an explanation for their travel while collecting EI benefits. Revenue Canada did not remove any of the irrelevant travel information from the E311 cards it gave HRDC.
The pilot project HRDC considered its reprocessing of the feasibility study hits as the first phase of the pilot project. The departments did not sign a memorandum of understanding for the pilot project until April 1997. At the conclusion of the pilot, HRDC is to decide whether it will make the match an ongoing practice. HRDC continues to pay the costs of equipment and 30 employees at Revenue Canada to create the electronic database. Revenue Canada now also discloses the purpose for the individual's travel.
Since then, Revenue Canada has provided HRDC with computer tapes each month containing traveller declarations of Canadian residents during the months of December 1992, January to June 1993, December 1994 and January to March 1995. Although the approved retention schedule for E-311 microfiche cards is two years, Revenue Canada has kept them since 1992 for no apparent customs purpose. Revenue Canada estimates that approximately 18 million visitors and returning residents enter Canada by air alone each year.
The resulting hits and claim files are sent to the Miramichi Investigations Centre for verification and follow up. HRDC has taken action on the hits from December 1994 onwards. Individuals are contacted and those unable to justify their absence must repay the benefits for the period of absence, plus a penalty.
The E311 cards used in the match included no public notice of the disclosure and use of customs information for detection of possible EI fraud. Nor has either HRDC or Revenue Canada "accounted publicly for the use and disclosure of personal information", as government matching policy requires. Revenue Canada has begun removing irrelevant travel details on the cards that are disclosed to HRDC in case where the claimant contests the recovery of EI benefits
The Commissioner concluded that the breadth of the match and its implementation were excessive. When repeated correspondence and meetings, including with both ministers, could not resolve the disagreement, he sought legal advice.
The Commissioner is seeking the Federal Court's guidance on the question of whether searching every returning traveller on suspicion of defrauding EI offends the "unreasonable search and seizure" provisions (section 8) of the Charter.
One Stop Shopping-The Common Client Identifier
The past year has seen all levels of government examine new ways to improve their delivery of income security programs and to share their clients' personal information. The government believes, with some justification, that Canadians do not much care what level of government delivers the service as long as it is delivered.
However, the most immediate impact of different governments and agencies sharing clients' personal information and program delivery is that the information will be linked and shared among many users inside and among governments. Individuals will have even less control over their personal information and greater accessibility will almost inevitably increase the chances that the information will be used or shared inappropriately-for purposes other than those for which it was collected.
A second privacy concern is the need for a common method for all levels of government to identify or "authenticate" the client; thus a "common client identifier". Dependable personal identity is required at every step of the process, from applying for and delivery of financial benefits, linking to other programs and services, maintaining case files, controlling fraud and errors, and terminating benefits. Thus a common client identifier is considered critical. So too is a central database accessible to all income security programs and levels of government.
In effect, the proposals amount to comprehensive and systematic data matching on a scale never done before.
A group of information technology managers from the income security departments of the federal, provincial and territorial governments have been studying the issues. The group's recently-released report, Enhanced Service Delivery Through a Common Client Identifier: Options and Opportunities, suggests that using a common identifier (and its supporting database) could produce significant gains. It would properly identify legitimate claimants before the benefits are paid, rather than matching data after the fact to detect fraud, then attempting to recover improper payments.
The report identifies several important features of an effective common identifier. These include the need for it to be used in all jurisdictions, unique to the individual, applicable to all benefit programs, and secure against forgery or tampering. The common client identifier must also protect privacy and result in minimal intrusion into clients' lives. Among the options the group considered for a common client identifier were:
- the status quo (name/birth date)
- the current Social Insurance Number (SIN)
- a "modernized" SIN (including positive client identification, such as a PIN) and establishing the SIN Register as a central database which would identify every individual in all income security programs)
- a "new" number to act as a common identifer for all federal/provincial/ territorial income security programs
- the provincial health care number.
The working group seems to favour either a modernized SIN (with the existing SIN acting as a transitional Common Client Identifier) or a new number created specifically as the common identifier. The notion of using provincial health cards and any "biometric" features (such as digitized fingerprints) seems to have been rejected for now.
Although we are prepared to keep an open mind on many aspects of the group's work, any proposal that builds on the existing SIN is in for heavy weather. Never was a personal identifier so compromised. While the federal government has a restrictive policy on its own uses (since 1989) SINs are everywhere- landlords, credit bureaus, libraries, video stores, supermarkets-the shorter list is who does not have them. Constructing a common client identifier on the SIN is building on sand.
The working group acknowledges that among the barriers to success are public concerns about individual privacy and confidentiality, restrictions against sharing and disclosure in both privacy and program legislation and legislative restrictions on the use of the SIN. In fact the report identifies the perceived impact on privacy as the single greatest barrier to the development of a common identifier.
In this respect, the report is right. While more efficient delivery of government services is a noble goal, in its pursuit we may well demolish the walls so carefully constructed around personal data files. These walls prevent governments from assembling comprehensive personal profiles of their citizens and from using information collected for one purpose for a totally unrelated purpose. Protecting privacy in this context requires, to paraphrase an American Supreme Court decision, "[protecting] the fragile values of a vulnerable citizenry from the overbearing concern for efficiency that may characterize praise-worthy government officials no less, and perhaps more, than mediocre ones."
Government must address several matters before accepting the concept of a common client identifier. First, there must be sound, proven justifications for pursuing such an identifier. To date, there has been a noticeable lack of empirical evidence supporting its introduction. There is no lack of desire to find a quick fix by applying technology to social and economic problems, but the search for such solutions must not replace a hard-nosed analysis of their merits.
Second, if governments can demonstrate the need, then legislation must precede any development of a common client identifier. As Alberta Privacy Commissioner Robert Clark remarked, we cannot have the "technocrats stepping on the democrats". The uses of the identifier and privacy protection mechanisms must be specifically set out in legislation, and there must be stringent penalties for misuse of the system.
Finally, the impact of introducing a common client identifier must be fully understood before any implementation. Both a privacy impact assessment and a broader societal impact assessment should be completed. While the report has no official endorsement, it will likely form the basis for Human Resources Development Canada to develop a business case for a common identifier in income security programs.
The Privacy Commissioner has agreed to comment on the substantial privacy impact of the project with the usual caveat; he cannot give seals of approval. The Commissioner must guard his independence in order to be a credible and unbiased investigator of any complaints.
The federal Privacy Commissioner is not the only one concerned about this issue. Provincial and territorial commissioners too are watching warily. The Office has agreed to gather and share information and co-ordinate the response of privacy commissioners.
A National Health Database
The National Forum on Health, a panel of health experts, was established by the Prime Minister in 1994 to "involve and inform" Canadians about health care issues. The Forum was also to advise the federal government on ways to improve Canadians' health and the health care system. Among the Forum's recommendations in its 1997 final report, Canada Health Action: Building on the Legacy, are several on the need for better information or "appropriate, balanced and high-quality evidence" to improve health care decisions. In the terminology of the profession, this is "evidence-based" medicine.
Specifically, the Forum recommends exploring the role information technology could play in setting up a national health data network. The 1997 federal budget set aside $50 million for a Canadian Health Information System to include a national health surveillance network, a population health clearinghouse and a First Nations health information system.
The Forum also proposes that provincial and territorial agencies develop and maintain a standardized set of longitudinal data to chart changes in individuals' health status over time.
And, finally, the Forum suggests that collecting and integrating all Canadians' health data is not enough; a person's health is influenced by a number of factors, many of them non-medical. Thus, the forum is interested in studying the relationship between health and social status, and how social and economic factors such as poverty, unemployment and cuts in social support affect individual's health. The Forum advocates linking clinical and administrative health data with such non-medical information as income, employment and educational status. However, it wishes to exempt health research from the normal obligations of privacy laws-such as obtaining the patients' consent for use of their personal information, destruction of the data on approved schedules, and obtaining the patient's authorization for further disclosures.
In summary, the Forum's recommendations foster an accelerated government drive for access to patient information in the hope of better controlling and managing the delivery of health care services. The recommendations also advance the notion that the research community should have access to the records of the entire Canadian population, yet should be exempt from privacy laws governing access to, and use of, that data. And, finally, in the interests of efficient care and research, it further proposes to computerize all these files to improve the flow of information across all jurisdictions.
While we cannot assess the claimed superiority of evidence-based medicine, we can say that adopting an evidence-based system is potentially one of the most significant privacy issues of the decade for Canadians. It represents a revolution in the way health information is collected, disseminated and used because it relies on state-of-the-art information technology to integrate information from all health sectors-for example, doctors, hospitals and pharmacists. It also envisages amalgamating health information with socio-economic data such as education and income. And it recommends that not just health care providers, but all health administrators and policy makers, have access to the information to make decisions about health care. Information about specific individuals, not aggregate data, is one of the key requirements for developing such a system.
It is hard to argue with any proposal to make better-informed health care decisions. Privacy advocates want effective health care as much the next Canadian. We also recognize that broader research may enhance our understanding of the factors affecting our health and improve delivery of health services.
However, using personal health information to foster an improved health care system is not a purely a win-win scenario. The Forum's proposals pose significant challenges to the privacy of Canadians' medical records - the right to protect the confidentiality of that personal information, and the right to be informed of, and consent to, all other uses of that information. The prospect of greatly expanded collection and sharing of personal medical information sets privacy alarms ringing.
Traditionally privacy laws and medical ethics have allowed only those directly involved in patient care to have access to patient medical records. Medical ethics and legal prohibitions exact a high standard of care and protection for the confidentiality of medical records. With few exceptions, the right to control the flow of one's personal medical information rests with the patient, not the physician, nor the hospital, nor the state.
An information network to support evidence-based health care would turn that important centuries-old rule on its head. Medical records, currently accessible to patients and a limited number of others, could no longer be said to be confidential when hundreds of strangers can access them electronically.
The experience south of our border merits mention. American law professors Paul Schwartz and Joel Reidenberg cite an observation in a U.S. medical journal that "medicine is increasingly a spectator sport." Say Schwartz and Reidenberg, "A widening audience of outside observers now watch the performance of doctors, nurses and patients, and personal data plays a critical role in the evaluation of their behaviour."
Canadians may argue that our health care system is different - that the strong government component in our health care system makes the information in the system less vulnerable to abuse. We argue that it is precisely because the state has such an important role in delivering health care that there must be mechanisms for the individual to counter that power and exert some control. While Canadians tend to view government as largely benign, that should not mean abdicating individual consent and responsibility.
As well, our system is becoming increasingly privatized; services such as home care, speech pathology and various types of testing are now performed by private companies. And now with the advent of drug plans, pharmacies (which have always been private) deal frequently with private insurance companies and do so increasingly on-line. We will see the same pressures that now exist in the U.S. to use medical information for purposes that have nothing to do with the health of the patient or even the good of society. Personal health information will become an ever more valuable commodity in the data marketplace.
Canada must not seize upon evidence-based health as a medical nirvana without sober reflection on the impact this massive assembly of personal information-health and other-may have on our privacy and autonomy.
Some Canadians may not object to substantially diminishing the confidentiality of their medical records. But the freedom to decide whether to participate in such a wide-ranging scheme is an essential component of privacy protection and democracy, and must be preserved. To protect those who object, any health network must allow individuals to prevent their medical information from being stored and accessible on this network. And people who choose not to participate should not be penalized by receiving a lesser standard of health care.
It is essential to get a grip on the issues involved in preserving the privacy of health care information. Among the measures we propose are the following:
- Enact complementary federal and provincial legislation to protect the privacy of the full range of personally identifiable health care information. The legislation would incorporate the fair information principles of international data protection agreements. This must be done before the health network develops further.
- Establish clear requirements for obtaining the informed consent of patients to disclosures of personal information. In the absence of informed consent, an individual's right to control the disclosure of personal medical information should be paramount. That right should be overruled only in the face of an overwhelming and compelling public interest (or to provide the patient emergency care). Conducting research does not always constitute an overwhelming or compelling public interest.
- Establish strict limits and controls on the circumstances under which access to personally-identifiable information is granted to secondary users for research purposes and encourage the conduct of research through the use of aggregate, de-personalized data.
- Establish strong remedies in law for disclosing information without a patient's consent.
- Educate patients about how their records are used and the privacy implications of having their medical records computerized and placed on a national network.
- Develop guidelines to address the privacy and security issues raised by the computerization of patient data, including provisions for full audit and control.
- Establish an independent review mechanism to oversee the privacy of health care information.
If medical records are linked to employment, educational and other socioeconomic databases, they would reveal not just medical information but whole life histories. For the medical community, this may be the point. But, easy as it is to rationalize data gathering as beneficial for the individual and society, the information might not be used for benevolent purposes. The collection of medical data can slide imperceptibly from health care to medical supervision to lifestyle surveillance and, ultimately, to a more generalized form of surveillance by the state.
For this reason, it is critically important that we examine how to prevent further secondary uses of this information, such as by law enforcement agencies, employers and private individuals (such widespread uses are almost the norm in the United States). The purpose of those databases must be limited to advancing health care, and nothing else. They must not be allowed to become a convenient means for government agencies and private businesses to conduct non-medical surveillance of citizens who are simply making use of an essential service.
Of course, there is a balance of interests to be weighed between the two poles of better personal and societal health, and individual autonomy. And we acknowledge the potential beneficial uses of health information and the importance of research. There are important differences between using personal data and aggregate data, stripped of personal identifiers. But we insist that protecting the privacy and confidentiality of individual health information is also critical to open communication between medical personnel and patient, and patients' trust in the system. Protecting privacy deserves as high a priority as improving health systems.
The Final Report of the National Forum on Health recognizes the importance of privacy in developing a national health information system. And the federal health department intends to address privacy in its planning of such a system and we hope to assist this critical work. But a Canadian health information system could either stand or fall on the extent to which it incorporates privacy, patient autonomy and informed consent. How well privacy fares in the development of this system may well determine whether the public will be willing participants - or will mount the barricades to protest against the extraordinary level of surveillance it makes possible.
We look forward to legislative guarantees that the system will protect rather than jeopardize individual health information.
Correction: Last year's annual report expressed concern about the lack of legal protection for data in a national longitudinal health survey being conducted by the Canadian Institute for Health Information. In fact, the survey is being conducted by Statistics Canada under the authority (and protection) of the Statistics Act. We apologize for the error.
The perennial challenge of population registers for a privacy ombudsman is where to draw the line between pragmatic acceptance of lists assembled for administrative purposes (but with solid privacy protection) and a healthy sense of unease at the growing pressures to identify and quantify citizens in various electronic databases. Once in a database it is but a small step to comprehensive profiles, all in the name of greater efficiency.
The Office followed the creation of several registers this year with varying degrees of concern; the permanent voters register, the firearms registry and the proposed DNA data bank.
The Permanent Voters Register
On April 10, 1997, federal enumerators began going door-to-door for the last time. Information collected from this final, in-person enumeration will form a permanent electronic register of electors. The register is the culmination of several years of work for Elections Canada. From now on, lists for federal elections - and, potentially, for provincial and municipal elections - will be drawn from the register which will be updated from other federal databases (with the voter's consent) and, eventually, from specified provincial data bases.
Although the idea of a permanent electronic voters register had been floated before, work began seriously at Elections Canada in 1994. Knowing the Commissioner's concern about building such a comprehensive electronic register of citizens, Elections Canada approached him to provide systematic input to the project as it progressed. The Commissioner agreed and assigned a staff member to contribute. The Office's emphasis during the exercise was on what information Canadians need to surrender in order to exercise their right to vote, and how best to protect that information in an electronic data base.
In October 1996, amendments to the Elections Act were tabled in the House of Commons and the Commissioner was asked to appear to comment on the privacy implications. The amendments responded to most of his recommendations appearing in the 1995-96 annual report (A Vote for Privacy? page 14).
Other uses of the register The greatest worry with this type of register is that government will be tempted to use it for unrelated purposes. With growing budget pressures, and the electronic means at their disposal, bureaucrats increasingly view any personal data as fair game for any purpose-the "why should you care if you have nothing to hide?" school of administration. The Commissioner sought legislative guarantees that the register would not be available for uses other than to permit Canadians to vote. The law now forbids any uses of the register other than for electoral purposes.
Updating by datamatching A second important reservation was the proposal to update the list by collecting voters' personal data electronically from other federal data bases such as income tax returns. This type of data match is invisible and violates a fundamental principle of privacy protection-informed consent.
The Commissioner recommended, and Elections Canada agreed, to match data only with the voter's active consent. A box will appear on next year's income tax return offering voters the option of having Revenue Canada transfer only current names, addresses and dates of birth to Elections Canada. Revenue Canada will not disclose any other details. New citizens can also ask Citizenship & Immigration Canada to send their information automatically to Elections Canada for inclusion in the voters register. Matches with provincial data bases, such as drivers' licences or provincial and municipal voters' lists, will have to comply with any provincial privacy laws.
Annual disclosure of lists to political parties Until this latest round of amendments, political parties and candidates received copies of the lists only when writs were issued for an election. These amendments allow for annual disclosures of lists to all parties running a candidate in a riding and to the current member, presumably because they will now be updated more or less constantly. The Commissioner considers annual disclosures excessive, not needed for the electoral process and potentially an inducement to more frequent canvassing. Nevertheless, Parliament approved annual disclosures.
No telephone numbers The Commissioner also recommended against collecting telephone numbers and including these on the lists provided to political parties and candidates, arguing that furnishing this information would make the electoral process the agent for telephone canvassing. Of course, political parties can buy software to blend the election lists with electronic telephone directories but they can do so at their own cost. Elections Canada dropped the telephone number from the data to be collected for federal elections (some provinces require the number for provincial elections).
Power to collect more data defined The provision allowing the Chief Electoral Officer to collect other personal data, once open-ended, is now more narrowly defined as that needed to "implement agreements with provincial bodies". The effect is to allow Elections Canada to collect additional details (such as occupation) if they are required to vote in a province. Any additional information will not appear on lists compiled for federal elections.
The right to opt out The right not to be in the register was certainly the most fundamental privacy question and one which met no opposition from Elections Canada. Not being in the register will not deprive anyone of their right to vote but it will mean taking an active step to put one's name on the voters list, once an election is called.
Unfortunately, despite the best intentions, this aspect of the new process may have broken down. Based on admittedly anecdotal evidence from staff and callers at this and other commissioners' offices, enumerators seemed not to have understood the optional nature of the register. In fact, some told Canadians that if they were not in the register, they could not vote. However, enumerators cannot be faulted for misleading voters; they may not have been told. Privacy staff confirmed that the training materials did not mention the option; apparently the matter was to be dealt with verbally during the two-hour training sessions.
Admittedly, training 96,000 enumerators across the country is a communications challenge, and teething troubles are hardly unexpected in an undertaking of this magnitude. Given the interest and the commitment of the Chief Electoral Officer and his staff to reinforce privacy in the electronic register, we hope and expect that the glitches will be remedied.
Anyone who was not properly informed and does not wish to be in the register can remove his/her name by writing to the Chief Electoral Officer at 257 Slater Street, Ottawa, K1A 0M6.
The Firearms Registry
The Firearms Act (Bill C-68) passed Parliament in June 1995 with no specific privacy language in place and, given its hybrid nature, without the registry being made subject to the federal Privacy Act. The Commissioner was assured that privacy obligations would be spelled out in the regulations to follow and was encouraged to give his input then. The Senate Committee on Legal and Constitutional Affairs did not wait. Recognizing the privacy issues at stake, they called the Commissioner to appear.
In short, the Commissioner observed that the bill anticipated collection of substantial and potentially sensitive personal information which needed protection in the law or, failing that, in the regulations. Firearms registrars will maintain records of every licence and certificate issued and revoked, application refused, every loss, finding, theft or destruction of a firearm, as well as both exports and imports. In addition, local firearms officers, who may be provincial or municipal officials, will gather highly personal medical and domestic details on firearms applications. The Commissioner commended the Privacy Act's fair information code as a model for appropriate collection, use and disclosure of any personal data needed for the register and recommended making those principles clear in the law.
In April 1996, regulations were submitted, then withdrawn and a new set submitted in November 1996. They provided very little detail. Nevertheless, the accompanying regulatory impact analysis stated firmly that "matters of access to the information kept, and the privacy of that information will be found in the relevant provincial and federal law" and that the "law is comprehensive and deals adequately with all the issues...".
The Commissioner begged to disagree. In a February 1997 appearance before the House of Commons Subcommittee examining the regulations, he pointed out first, that not all jurisdictions have privacy law. Second, some provincial privacy laws deal only with access to personal records and establish no rules on appropriate collection, use and disclosure of personal information. Third, some provincial laws do not cover the municipal police forces who often will gather and control the records. In short, there are gaping holes in the legal protection.
Since the regulations themselves provide little detail, it now appears that only the forms and schematic of the process will provide the answers - far too late to provide legal protection. Nevertheless, two regulations warrant particular mention. The first concerns procedures to obtain a licence which include the police notifying current and former spouses, and broad powers and discretion to gather "additional" information about applicants.
While the intent of the provisions are clearly to protect public and individual safety, the process needs some accountability to ensure the information is credible and relevant. Anyone providing information which is used to determine the applicant's suitability for a licence should be prepared to have their comments given to the applicant. Being able to face one's accusers is a fundamental principle of both privacy law and natural justice. Any deviations should be exceptional, not the rule. Having a comprehensive privacy scheme in place would enhance the accuracy and currency of the information by allowing applicants to correct factual errors and annotate disputed information. And some attempt should be made to define what types of "additional" information may be relevant to granting a licence so as to prevent "fishing expeditions".
The second omission is an interim review process for those denied a licence. The current scheme requires the unsuccessful applicant to go directly to court. Apart from the burden this places on both the applicant and, one would argue, the courts, it also risks disclosures of potentially sensitive personal details in an open process, some or all of which may be disputed. It seems a heavy-handed approach to challenging an administrative decision where an independent third party or panel would serve as well at lower cost.
The Subcommittee passed the regulations but made two recommendations to deal with the privacy issues. The first recommended that the government negotiate a memorandum of understanding with each province and territory, establishing that the Firearms Act is a federal statute, subject to the Privacy Act where no comparable provincial privacy law exists, and setting out rules of application in those jurisdictions. The government accepted the recommendation.
However, the government rejected the second recommendation for a mediation mechanism to allow applicants "to challenge allegedly false or inaccurate information without resort to court action". It argued that investigative techniques already ensure that the decisions are not based on inaccurate information and the investigations will normally give an applicant an opportunity to be heard. While it undertook to see whether the investigative process could be improved to deal with privacy concerns, the Department of Justice rejected mediation as "incompatible with the overriding safety objectives of the legislation".
The Commissioner is unconvinced.
On April 10, 1997, the government introduced Bill C-94, the DNA Identification Act, in Parliament. The purpose of the bill was to establish a DNA databank of samples taken from convicted offenders to help police identify those responsible for other unsolved crimes. The bill was the second phase of the government's scheme to regulate DNA testing as a tool to identify individuals responsible for certain crimes. Although it died on the order paper with the election call, several aspects of the Bill give cause for concern. There is now an opportunity to get it right.
But first, to backtrack. The first phase of the government's DNA testing plan was passed in 1995, allowing police to take samples without consent from individuals suspected of criminal offenses, generally those involving serious violence. The sample taken from the suspect would be matched with samples from the crime scene to determine whether the suspect had committed the specific offence being investigated. The legislation did not deal with the storage of the information - or samples - derived from the testing. This was one of a number of issues left for the second phase.
We cautiously supported the 1995 legislation. DNA evidence can help convict the guilty and absolve the innocent, and the 1995 legislation provided a reasonable scheme to ensure that DNA samples were not taken from suspects unnecessarily. Then, early in 1996, the Solicitor General issued a discussion paper (Establishing a National DNA Databank) which examined several other issues, including the storage questions, and asked for comment.
Our response to the discussion paper made several suggestions for the government to consider before introducing legislation. Among them were three major conditions that needed to be met to satisfy privacy concerns:
- reviewing the legislation within three to five years of its enactment, including a privacy audit to determine to what extent the intrusion involved in creating a database was justified by an increased number of violent crimes solved through DNA evidence;
- taking DNA samples only from those convicted of a violent offence for which there is a high risk of re-offending and a high likelihood that genetic material would be left at the crime scene, and
- destroying the DNA samples after extracting the identification information, leaving only the analysis on police files.
Bill C-94 did propose a general review of the legislation within five years of its enactment. However, its treatment of the other issues is problematic.
The "designated offenses" First, the range of offenses for which samples could be taken from convicted offenders appears unnecessarily broad. It may seem trivial to quibble over the criminal offenses for which the state could compel offenders to provide a DNA sample. It is not. This technology empowers the state to intrude into our very bodies - a power it should exercise only in the most compelling circumstances. Casting the net too wide results in privacy intrusions on a massive scale.
The Bill contained a list of "primary designated offenses"; generally serious, and frequently violent, crimes such as manslaughter, sexual assault and kidnapping. Taking a DNA sample is automatic on conviction for these offenses. However, a list of "secondary designated offenses" for which police may seek a warrant for a DNA sample includes (among others) common assault, breaking and entering, setting fire to "other substances" and failing to stop at the scene of an accident.
Storing the DNA samples Among our most serious reservations about Bill C-94 is the plan to store the DNA samples themselves, rather than just the analysis-the information drawn from the samples. This is not too fine a distinction to make. This legislation seeks to use DNA to link specific offenders with specific crimes. Keeping the DNA sample itself will inevitably invite further uses of the DNA that have little to do with identifying offenders; for example, allowing researchers to use the material to study genetic links to criminal behaviour. This century has already seen one misapplication of genetic research to criminal behaviour (the XYY chromosome theory which purported to identify violent males).
We remain strongly opposed to retaining DNA samples. Analysis of the DNA is sufficient to help police solve crimes, without the need to preserve the actual sample.
The policy makers behind Bill C-94 had a choice. They could choose the least intrusive measure; retaining the information they needed for forensic DNA identification, or the most intrusive measure; keeping the DNA samples themselves. They chose the latter.
The seriousness of the privacy invasion-allowing the state access to our bodies-warrants the least intrusive means. That means storing identifying information only. Should keeping only the analysis prove an unworkable limitation on investigations, the subsequent review would allow Parliament to address the issue. By adopting the most intrusive measure first, we will have no way of knowing whether the lesser intrusion would have been sufficient. And few of us would expect the state to surrender a power once it is acquired.
We also continue to be concerned about authorizing police officers to take DNA samples. There is something chilling about a police officer, not medical personnel, performing what is essentially a forced medical procedure, no matter how minor or painless.
Destroying "volunteered" samples The bill is silent on another source of concern-the treatment of DNA samples from "volunteers". A recent sexual assault case in Vermilion, Alberta illustrates the problem. Police asked male residents to volunteer DNA samples to help eliminate them as suspects in an investigation (in other words, to prove their innocence, an odd twist to one of the fundamental presumptions of our criminal justice system).
Having given the police a DNA sample for that investigation, the volunteer should have a right to have that sample and any analysis destroyed immediately after it has proven that they were not implicated. DNA samples taken from volunteers should never be retained, and the analysis of those samples should never be kept for a database. Nor should they be used to investigate any crimes other than the one for which they were gathered, unless the person gives a fully-informed consent to further uses.
Unfortunately, Bill C-94 offered no provision to ensure that volunteered samples and any information relating to them would be destroyed as soon as they proved the donor's innocence.
Reopening the DNA issue on another front
On April 14, 1997, shortly after Bill C-94 was introduced, the Canadian Police Association (CPA) placed full-page advertisements in The Hill Times calling for extending the current law on identification of criminals to DNA technology:
[T]he current law, pursuant to the Identification of Criminals Act, which permits the taking of offender information (fingerprints) at time of arrest for indictable offenses, [is] exactly the process which must be followed with the technological upgrade which DNA samples represent.
The Association appears to advocate taking DNA samples, like fingerprints, as a matter of course from anyone arrested for an indictable offence. It is clear that the Association wants to use the DNA databank bill to obtain expanded powers to take DNA samples from suspects-the issue that was the focus of the DNA legislation passed by Parliament in June 1995.
CPA's attempt to expand the taking of DNA samples from suspects is extremely troubling. DNA samples cannot be equated with fingerprints. True, both offer information that can identify an individual. Fingerprints do no more. However, human DNA contains a storehouse of highly personal information that has nothing to do with linking a person with a crime, and that can be seriously damaging to an individual if allowed to fall into the wrong hands.
The office has spent considerable energy ensuring that DNA samples could be collected from suspects where warranted, while respecting the legitimate privacy rights of Canadians. Apparently the points we made in our first (1995) submission on the issue of forensic DNA analysis bear repeating:
DNA evidence should not be collected from suspects as a matter of routine. To do so causes an unnecessary privacy intrusion; in the vast majority of criminal cases DNA evidence will contribute nothing to the investigation. Thus, it would not be appropriate for Parliament to give blanket authority to collect DNA samples from all persons suspected of indictable offenses. DNA should also not be collected from a suspect if investigators have no DNA evidence with which to compare the suspect's sample.
Nor would a DNA sample from the suspect be necessary if the suspect admitted guilt. However, as a practical matter, the DNA evidence might be critically important in getting the suspect to admit guilt in the first place.
In short, we recommend the following conditions on the collection of DNA samples from suspects:
- the crime must involve violence or the likelihood of violence
- there must be reasonable grounds for suspecting that the person committed the offence
- a DNA sample must be relevant to proving the offence; investigators must have DNA related to the crime with which the suspect's sample can be compared, and
- the collection from the suspect must be authorized by a judge.
Our position was largely reflected in the DNA legislation passed in 1995. Now, however, the CPA wants to remove three of these four privacy safeguards: the requirement of a violent crime, the relevance of the DNA sample to proving the offence, and the requirement of a judicial warrant.
The CPA's proposal would also lift the restriction, accepted in the 1995 law, that a sample taken under warrant be used only to investigate the offence in question.
The thirst for ever greater police "efficiency" by using intrusive technologies - technologies that may not live up to their promise - must not be allowed to override this fundamental right of privacy without a clear and compelling justification. The CPA has offered no such justification.
Position papers on both issues, compulsory collection of DNA samples from suspects in a specific crime and establishment of a DNA database, are available from our office and at our Internet web site: http://infoweb.magi.com/~privcan/.
Where Should Parliament Draw the Line
In April 1997, shortly before Parliament was dissolved for the federal election, the House of Commons Standing Committee on Human Rights and the Status of Persons with Disabilities issued its report, Privacy: Where do we Draw the Line? The committee, chaired by the Hon. Sheila Finestone, examined a range of privacy issues flowing from new technologies. The report is a must-read for anyone interested in preserving some vestige of their privacy.
Mrs. Finestone referred to the stunning impact of reports from the Privacy Commissioner of Canada and subsequently from specialists, on the wide-ranging capabilities of new technologies and their implications upon the right to privacy.
To the committee's great credit, it did not merely listen politely to those concerns, then walk away-as some Parliamentary committees have done. Instead, the human rights committee concluded that it was time to "explore the role of privacy as a human right and social value". The committee soon realized the importance of its mission: "As we struggled with the impact of new technologies on our understanding of privacy, we realized that, ultimately, we were talking about what kind of society we want for our future".
To make its task even remotely manageable, the committee focused its examination on the privacy impact of three technologies on peoples' lives-advanced video surveillance, genetic testing and smart cards. These, the committee report argued, were examples of technologies on the cutting-edge where real choices will soon have to be made.
The committee's work had two phases. First, members heard from a range of international privacy experts (many of them, we are proud to say, Canadian). Second, it conducted a series of "town hall" meetings across Canada to learn how Canadians felt about their privacy and the government's role in protecting that right.
The committee's task was truly daunting. Our office is often overwhelmed by the growing number of instances where technologies threaten the fundamental human right of privacy. For a Parliamentary committee, whose members all had multiple other responsibilities, addressing even a handful of these important issues would not be easy.
Despite the magnitude of its task, what emerged from the committee's ten months of consultations and research was an intelligent and thoughtful program for government to begin addressing the privacy threats Canadians face at the end of this century.
Most important, the committee reinforced the importance of privacy as a fundamental human right. The committee's proposed Canadian Charter of Privacy Rights, a kind of "quasi-constitutional" document that would take precedence over other federal legislation, would guarantee the expectation and enjoyment of
- physical, bodily and psychological integrity and privacy;
- privacy of personal information;
- freedom from surveillance;
- privacy of personal communications, and
- privacy of personal space.
These rights could be infringed only if the interference were reasonable and could be demonstrably justified in a free and democratic society. In other words, privacy should be the natural state of affairs; a right of Canadians that should not require justification. Instead, the onus would rest with government (or the federally regulated private sector, such as banks, to which the Charter would also apply) to justify privacy intrusions.
The report also calls on the government to introduce legislation to "deal specifically with the privacy and antidiscrimination issues related to genetic testing", as well as amendments to the Criminal Code to extend current prohibitions against interception of private communications to surreptitious video surveillance.
Some of the committee's recommendations would have significant impact on the Office of the Privacy Commissioner.
The first calls for replacing the current Privacy Act with a Data Protection Act which would extend privacy protection to personal information held by Parliament, all federal government departments, agencies, Crown corporations, boards and commissions, and the federally-regulated private sector. (The current act applies only to approximately 105 federal bodies named in the schedule-government departments for the most part.) An important part of the new law would be stricter rules on data matching within the federal government and data sharing between the federal and provincial and territorial governments.
The committee also recommends new legislation to broaden and strengthen the mandate and powers of the Privacy Commissioner to deal with privacy issues in the federal sector. In addition to the Commissioner's current obligations to both receive and initiate privacy complaints, the committee recommended empowering the Commissioner to conduct audits, technology impact assessments and studies on privacy and emerging technologies. It also advocated that the Commissioner review legislation, regulations, policies and practices that may have an impact on privacy rights and, when appropriate, table a privacy impact statement before the House of Commons.
The legislation would be preceded by a broad and open public consultation process and also provide for a comprehensive public review of its provisions and operations within five years (and at regular intervals thereafter).
Among the committee's many other recommendations:
- an explicit constitutional right to privacy in the long term;
- framework data protection legislation governing the federally-regulated private sector;
- efforts to build generally uniform privacy laws across the country;
- access to and use of privacy enhancing technologies, and support for the creation and availability of such technologies;
- greater public education about privacy issues, and a formal education mandate for the Office of the Privacy Commissioner of Canada.
The committee's report is a voice of salvation for the too-often besieged right to privacy of Canadians. The report calls for much of what this Office has long advocated, and proposes much else that we can comfortably support. The challenge now is to translate the committee's concerns into action. A new government may have new priorities - we will do our utmost to ensure that acting on the committee's report becomes one of them.
The discussion in last year's annual report about the privacy implications of government privatization met with some puzzled responses. Why was privacy a concern? The case most immediately at issue was Transport Canada's transfer of the air traffic control system to NAV CANADA, a not-for-profit corporation.
However, NAV CANADA was simply the first of a number of federal agencies undergoing metamorphoses; some simply into new government agencies, some into private but not-for-profit organizations, and others into private companies. The common thread was that no provisions were being made to continue the privacy rights acquired by clients and employees of the organizations.
Early in 1995, the Privacy Commissioner alerted government and the public to the apparently unanticipated consequence of contracting out services and handing off federal operations to the private sector. In his report to the Standing Committee on Government Operations, the Commissioner recommended that the government
- issue a broad policy directive that all personal information handled by the private sector for, or in lieu of, government remain the property of the Crown and subject to its control for purposes of the Privacy Act;
- require all government institutions subject to the Act to insert comprehensive data protection provisions in contracts with the private sector;
- prohibit federal institutions from reducing the scope of privacy rights as a consequence of dealing with the private sector, and
- in the interim, extend the Privacy Act to cover all federal institutions and all federally-regulated private sector enterprises.
Soon after the creation of NAV CANADA, the government offered for outright sale the printing operation of the Canada Communication Group (CCG), formerly the Queen's Printer. The Privacy Commissioner wrote to the deputy heads of both Transport Canada and Public Works and Government Services (PWGS) asking that they commit to maintaining privacy protection. Neither deputy agreed.
In his mid-1996 appearance before the Commons Transport Committee, the Commissioner recommended making NAV CANADA subject to the Privacy Act to ensure continuing privacy protection. He also alerted members to the perils of privatizing a substantial government operation without the benefit of a cogent information management plan. The Committee agreed and recommended the government include the provision in the enabling legislation. NAV CANADA resisted, the government ignored the recommendation and the legislation passed unchanged.
Staff also approached CCG to offer input on reviewing the personal records it anticipated transferring to St. Joseph Corporation, the new owners. CCG accepted and over the ensuing months it prepared its personal files for the sale. The transferred files now include only those concerning corporate clients, and employee files containing only essential information-name, business unit, position title, salary, preferred language and seniority. All affected employees signed an undertaking that they had no confidential government or personal information except their own. All personal information contained in filing cabinets and work stations was removed to a central repository under the control of PWGS where it will be properly maintained or destroyed. And all computer memories were erased before being released to St. Joseph Corporation.
Paying the piper When Bill-C20 cleared both houses of Parliament with no privacy protection clauses, the Commissioner initiated a review (under section 37) to satisfy himself that the transfer of personal data to NAV CANADA complied with the Privacy Act.
As anticipated, the audit team discovered that most personal records could not easily be transferred because they contained an abundance of personal data that did not fall within the scope of the transfer protocol. Nor had any attempt been made to seek the consent of the individuals concerned. At the 11th hour, Transport Canada was required to hire staff and review masses of personal documents. (See page * for detail).
While the Office's attention was focused on CCG and NAV CANADA, government announcements to privatize or devolve other government programs arrived at a steady pace-manpower training programs transferred to the provinces and to Indian Bands; airport and port authorities devolved to other levels of government or converted to Crown corporations; the St. Lawrence Seaway to join ranks with NAV CANADA as a private sector "not-for-profit" corporation. And - just passed or on the drafting tables - new agencies to inspect our food, collect our taxes, and monitor our health.
The Commissioner sought the help of the Clerk of the Privy Council and the Deputy Attorney General to stem the haemorrhage. He asked for a commitment that privacy rules would apply to all new privatization and devolution initiatives. He also asked to be informed of any new initiatives at the earliest possible date.
A March 17, 1997 letter, signed jointly by the Deputy Attorney General and the Secretary of the Treasury Board, advised the Commissioner that:
"... in principle, when programs or services of the federal government are privatized or commercialized, continuing protection of personal information equivalent to that contained in the Privacy Act should be made part of the agreement between the government institution and the private sector entity taking over the responsibility. We are working to develop a clear government policy statement to that effect.
In addition, as the government has already committed itself to the introduction of legislation in the federally-regulated private sector, it makes sense that any newly created federal government institution should be added to the schedule of the Privacy Act".
As we go to press, we have not yet seen a clear government policy on the subject, but we can report that Human Resources Development Canada has made considerable efforts to ensure privacy protection is addressed in its negotiations to devolve responsibility for manpower training. The Canada/Alberta Service Centres agreement serves as an example.
Bill C-60 creating the new Canadian Food Inspection Agency recently passed into law. It binds the new agency to the Privacy Act. Bill C-44, the Canadian Marine Act, died on the order paper, however, it also contained a provision to make all of Canada's major ports subject to the Privacy Act. And the first draft of plans to create the new tax collection agency include a provision making the agency subject to the Privacy Act.
It is difficult to understand why ports and a crown corporation like Canada Post are subject to the Privacy Act, but not airports, or not-for-profit monopolies like NAV CANADA and the St. Lawrence Seaway Authority. Perhaps it's just timing-little consideration was given to privacy protection in the early rush to privatize-or perhaps the NAV CANADA audit illustrated our point. Whatever the reason, the federal government now has in place a more systematic approach to privacy protection and privatization.
Publicizing the Identity of High-Risk Offenders' an update
Last year's annual report discussed at some length the challenges of finding a balance between society's need to protect itself from violent criminals, and the need of individuals who have served their sentences to re-enter society. While publicizing some offenders' identity may help the community adapt to the person's presence, publicity could increase the risk of harm to, rather than protecting, the community.
Since last report, there have been three developments of note.
First, Parliament amended the Criminal Code, the Corrections and Conditional Release Act and other federal statutes concerning offenders who pose a high risk of committing further violent offenses. A court may now designate a person convicted of certain sex offenses as a long-term offender, providing certain conditions are met. The court must then order the offender to be supervised in the community for up to ten years.
Identifying individuals as long-term offenders gives police and correctional authorities the right - and duty - to supervise them in the community after their release from custody. Effective supervision by police and correctional authorities may reduce the need to notify the community about the presence of an offender in their midst.
The same set of amendments introduced a new provision to the Criminal Code allowing Crown prosecutors to ask a court to require a person to enter into a recognizance to keep the peace, "be of good behaviour", and comply with any other conditions the judge sets out. Prosecutors can use this provision in cases where they have reasonable grounds to fear that the person will commit a serious personal injury offence. This provision allows some control over violent offenders who are released into the community at the end of their sentences.
Since last year, several provinces have developed protocols, either by law or policy statements, establishing when it is appropriate to notify communities about the presence of certain released offenders.
In November 1996, Saskatchewan proclaimed in force The Public Disclosures Act. The Act sets in place a means for a police service to ask a "public disclosure committee" appointed under the Act to decide whether information about an individual should be released to the public, and the extent of the release. The police force would make the final decision whether to release the information.
In April 1997, Alberta introduced a protocol on the release of information that would apply to any convicted person judged to pose a risk to others. Newfoundland (1996) and Yukon (1997) also introduced protocols. Ontario's Community Safety Act, also a vehicle for the release of information about high risk offenders, was introduced in the Legislature in 1996, but has not yet been enacted.
Also in April 1997, the Nova Scotia Department of Justice released for discussion a draft protocol on disclosure of information about high risk offenders. The Nova Scotia protocol proposes to establish a community notification advisory committee to which police forces could refer cases. However, the police agencies themselves, not the committee, would make the final decision about any release of information.
The difficulty of finding the right balance in the debate over notification is illustrated in a recent Ottawa case. A convicted paedophile was released at the end of his sentence. Media reports suggested that he was at considerable risk of re-offending. His identity was discovered by the community and a newspaper published his photograph on the front page. Shortly afterwards, the offender moved. His new location was unknown. In fact, he had simply moved from the centre of town to a suburb where, despite the media publicity, his criminal history remained unknown for months.
This underlines one of the flaws in publicizing offenders' identity in the community. Despite the extensive coverage of his photograph, the offender was able to reestablish himself - for several months, at least - in another community in the same metropolitan area. Publicity in this case appeared to do little good and may have driven the person underground.
The same case illustrates yet another potential harm from publicity. Eventually, the offender's identity was discovered, and he was severely beaten by a local resident - a vigilante action that will succeed only in driving the offender to yet another community, where he will have an even greater incentive to keep his past secret.
Just before this report went to press, the Commissioner spoke at a national conference on community notification in Winnipeg. Conference participants discussed the competing interests and examined several notification schemes, as well as other legal mechanisms for protecting public safety. We will continue to follow the issue closely.
This Year's Telecommunications News
Directory listings: The saga continues
Last year, we reported on efforts by independent telephone directory publishers to buy the electronic subscriber lists of full-service telephone companies. The Canadian Radio-television and Telecommunications Commission (CRTC) agreed but asked the telephone companies to give their subscribers an opportunity to remove their names from the lists before sale to independent publishers.
White Directories, one such publisher, argued that allowing telephone subscribers to opt out of the sale would mean independent directories would be less complete than those of affiliated publishers (such as Tele-Direct, Bell Canada's directory publisher). White appealed to the Cabinet that it would be at a competitive disadvantage. In June 1996, the Cabinet agreed, overturned the CRTC decision and asked it to report on two issues: the appropriate level of protection to be given to subscriber listings, and the mechanisms for unlisting one's name and number from any directory. The CRTC called for submissions from interested parties.
In his September 1996 submission, the Privacy Commissioner observed that most telephone subscribers understand that their listings will be used for directory assistance and to publish the local telephone directory. However, they are not told that the lists are rented and sold to competing publishers and marketers, or that their listing is available through call-display and call back options. Those wanting an unlisted number are further discouraged by the cost which ranges from $1.55 to $5.75 a month.
The Commissioner recommended that:
- the telephone companies spell out all the listing options for subscribers;
- not charge for unlisted service, and
- provide unlisted subscribers with free per-line blocking and ensure the blocked listings are only available for emergency and lawful call tracing purposes.
He also urged the CRTC to prohibit other directory publishers from contacting unlisted subscribers (using other information sources) to promote listing in their directories, and to require them to establish a means for individuals to de-list should they choose to at a later date.
Of course, suppliers of all telecommunications services assemble lists of their clients; companies selling cellular telephones, pagers, PCS, and Internet services all assemble customer lists and commercial Web sites maintain lists of site visitors. Some of these companies publish or sell their lists. For example, America On-Line recently sold its subscriber lists to a list broker - a company which specializes in the sale of mailing lists targeted for commercial interests.
Providers of these services should be required to spell out the primary and secondary uses of subscriber listings and seek consent for such secondary uses as sale to third parties.
In its December 1996 report, the CRTC agreed subscribers needed to be better informed of their listing options, observed that the privacy of fax and cellular subscribers was well protected by existing listing mechanisms, and acknowledged that existing costs deterred subscribers from choosing to be unlisted. The CRTC will hold public hearings on unlisted charges and the Privacy Commissioner will participate.
Going digital: No miracle privacy solution
Many readers remember media stories about intercepting conversations on cellular telephones. Most existing cellular phones transmit in analog format (conventional radio waves) and are easily intercepted using cheap off-the-shelf scanners.
One way to avoid interception of cellular calls is encrypting the signals to make them incomprehensible to the interceptor. However, encrypted analog signals are easily unscrambled. Another method of protecting one's calls is to transmit signals in digital format (the 0-1 binary code used by computers). Digital signals cannot be intercepted by analog scanners. But neither is "being digital" the ultimate solution.
Digital signals can be intercepted: Digital scanners, now rare and expensive, will gradually become more widely available and cheaper. In October 1996, Industry Canada acted on an earlier undertaking and issued Standard RSS-135-1 obliging digital scanner users to obtain a license. However, the licensing requirement will not apply to users of manually-tunable digital scanners, the bulk of the digital scanner market.
Encrypted digital signals can be unscrambled: Although digital encryption is far better than analog encryption, it can still be decoded, as proven in March 1997 by researchers from the University of California at Berkeley and a private U.S. systems company.
Digital signals do not always remain digital: Digital signals are automatically converted back to analog format if any point on the transmission path cannot support digital signals; for example, when the receiver is using an analog cellular phone or a conventional analog home telephone. The moment the signals become analog, they can be intercepted more easily. (Of course, once the conversation is carried on conventional wires, it is protected by the wiretapping provisions of the Criminal Code
These cautions apply equally to all digital wireless services such as Business Communications Systems (BCS), Enhanced Specialized Mobile Radio, Local Multi-point Communications Systems (CellularVision Canada, MaxLink Communications and Regional Vision Canada), pagers, Personal Communications Systems (PCS), and wireless telephones.
In the Courts
Privacy Commissioner of Canada v. Canada Labour Relations Board et al- Court File A-865-96
In this case, the Privacy Commissioner supports an individual seeking access under the Privacy Act to his personal information recorded in hearing notes by two members of the Canada Labour Relations Board. The Trial court judge rejected the application in June 1996 and the Privacy Commissioner has appealed that decision to the Federal Court of Appeal. At issue is the definition of personal information, the notion of agency control of that information and the nature of the exemptions under the Act. Also at issue is the extent to which Board members may claim judicial independence in the same manner as judges of the courts.
Intervenors are the Public Service Staff Relations Board, the Human Rights Tribunal, the Canadian International Trade Tribunal, the National Transportation Agency of Canada and the Attorney General of Canada. The appeal is expected to be heard in the Fall.
Michael A. Dagg v. the Minister of Finance and Privacy Commissioner of Canada and Public Service Alliance of Canada-Court file S.C.C. 24786
In this case, Mr. Dagg requested access under the Access to Information Act to logs signed by employees entering and leaving the Department of Finance, after hours. The Minister provided access to the logs but deleted employees' names, identification numbers and signatures, considering this information personal. Mr. Dagg complained to the Information Commissioner who supported the Minister's decision to withhold the information.
Mr. Dagg applied for a review of the Minister's decision and succeeded at Trial. He lost subsequently at the Federal Court of Appeal and has now succeeded in this first case to come before the Supreme Court of Canada dealing with personal information under the Privacy Act. In a split 5/4 decision, the Court held that the information Mr. Dagg sought relates to the individual's position and not to the individual. Therefore it falls within an exception to the definition of personal information in the Privacy Act and thus may be accessible under the Access to Information Act.
However, the decision is fundamental for the guidance it provides for reconciling two apparently competing legislative policies - access to information held by the federal government, and protecting the privacy of individuals' personal information in those records. The Court stated that both statutes recognize that, once information meets the definition of "personal" in s. 3 of the Privacy Act, privacy is paramount over access. Further, the Court held that the general opening words of the definition - "...information about an identifiable individual..." - are intended to be the primary source of interpretation for what constitutes personal information. Justice La Forest continues, "Consequently, if a government record is captured by those opening words, it does not matter that it does not fall within any of the specific examples"
Finally, the Court endorsed a deliberately broad definition as consistent with the great pains which Parliament has taken to safeguard individual liberty. "Its intent seems to be to capture any information about a specific person, subject only to specific exceptions...". The Court continues, "Such an interpretation accords with the plain language of the statute, its legislative history and the privileged, foundational position of privacy interests in our social and legal culture."
Tax audit documents found in surplus file cabinet
A broadcast journalist alerted the office to several taxpayers files found in an old filing cabinet. The journalist made two copies of the documents, gave one set to the radio station's legal counsel and sent the second to the Commissioner. The originals were returned to the finder who subsequently turned them over to his MP.
Once the Commissioner examined the papers, it was evident that they were tax audit files which also contained banking and real estate documents about nine taxpayers. The investigator returned the files to Revenue Canada and began an inquiry.
The cabinet appeared to be one of more than 275 sent by Toronto North Tax Services to a Crown Assets Distribution Centre between March and June 1996 for resale. The cabinets were declared surplus following a major refit of offices to maximize space and accommodate GST staff being moved from another building. Employees affected by the move were temporarily shifted to other floors and the surplus cabinets assembled for eventual sale. The buyer purchased the cabinet at the Mississauga disposal centre and, on opening it, found documents in the first drawer. He then found more documents behind a divider in another drawer. Disturbed by the carelessness, he called the journalist.
Although the investigator could not establish conclusively that the cabinet was from Toronto North, it is highly likely. During that move, employees were reminded to check their cabinets thoroughly and other staff conducted a spot check but did not search every one. Although clearly a human error, Revenue Canada has reviewed its operating practices and taken extra steps to prevent a recurrence.
The Commissioner asked Revenue Canada to notify the taxpayers whose files were disclosed, apologize and explain the circumstances. He also pointed out that the files themselves contained old working papers which do not form part of the official audit file. Revenue Canada appeared not to have a retention and disposal schedule for these documents and some were kept indefinitely. The Commissioner recommended Revenue Canada consult National Archives on an appropriate schedule and describe the material in Info Source, the government directory of information holdings.
Canada Post copies courier competitors' client addresses
Another journalist alerted the office to a sales blitz going on at the Longeuil postal station near Montreal. Apparently keen sales staff were encouraging postal sorters and carriers to photocopy the envelopes, or note the addresses, of mail from nine competing courier companies. With the clients' addresses, the sales staff planned to approach the competitors' clients and try to sell them Canada Post services.
To encourage staff to participate, $1 per prospective client would be paid into the appropriate unit's social fund and, ultimately, names of participating staff would be entered in a $50 draw.
The portfolio officer called Canada Post which immediately acknowledged that the promotion was wrong and senior management was taking it very seriously. The specific question of whether it was also a violation of the Privacy Act hung on whether the addresses were individuals' homes, rather than business addresses and titles.
While staff pursued this avenue, the Minister was questioned on the incident in the House of Commons. She replied that the promotion was an error, an isolated incident, it would stop and it would not happen again. The Canada Post president obtained written assurances from all vice presidents that this was not general practice. The manager and three sales staff were disciplined. And, finally, all sales staff will be required to take an ethics course and sign a written statement acknowledging that they have taken and understood the course.
Given Canada Post's vigorous and speedy action, the Commissioner considered the incident resolved. Any individual complaints would be investigated in the usual way.
Stamp collector's credit card billed for unordered products
Another Canada Post business practice offended a stamp collector who found himself billed for stamps he had not ordered. Although an occasional purchaser of Canada Post products, paid for by credit card, he had not ordered the "Winnie the Pooh" series. The stamps arrived, billed to his credit card, with an explanation that if he did not want them, they could be returned for a credit.
A journalist called to ask whether this was a violation of the Privacy Act-misuse of the credit card number which had been provided for specific purchases. Although the office did not receive a direct complaint, Canada Post did-150 of them.
Privacy staff undertook to resolve the matter informally. The first hurdle was for Canada Post Marketing staff to recognize that misuse of a credit card number was a privacy issue. Although they acknowledged the marketing mistake, they needed convincing that taking information provided for one purpose, then using it for another without the client's consent, is a violation of the collection principles in the Privacy Act. Canada Post's privacy coordinator undertook to explain the principles to marketing staff.
The second hurdle for Canada Post was to sort out the permutations and combinations in client lists. Many stamp collectors have a standing order for all new stamps to be billed automatically to their credit cards. Some collectors have standing orders but for specific interests-first day covers, special issues, those displaying the crown-and may, or may not, want to be alerted to other products. Others want to decide on each issue. The standing order lists were not always clear. They needed cleaning up, and the options clarified.
As a result of the incident, Canada Post Marketing is surveying all standing order customers, explaining the product ranges, and asking them to identify the range to which they want to subscribe. This should help prevent customers being shipped and billed for products they do not want.
Health Files in Winnipeg trash bins
A journalist's call about a discovery of immigration medical files and X-rays in a Winnipeg trash bin sent an investigator on site.
According to the article, the originals of at least 300 preliminary medical examinations for individuals seeking entry into Canada were found overflowing trash bins in a Winnipeg alley. The documents, dating back to the 1970s and early 1980s, were found intact in Health and Welfare Canada envelopes and included applicants' photos, X-rays and personal medical information.
The medical documents had been placed in two bins behind a townhouse. The plastic bags had ripped, spilling some of the contents onto the ground. A resident collected the loose material, put it back in the bin and called Immigration Canada officials at the Winnipeg Airport, hoping they would retrieve it. Not satisfied with their response, she telephoned the Winnipeg Free Press and, finally, the police.
The investigator interviewed several parties and pieced together the story. A Citizenship officer received a call from an Immigration Officer at the Winnipeg Airport who reported being called about a large amount of immigration medical documents in garbage bins. The Citizenship officer went to investigate.
He discovered two garbage bins filled with many X-ray envelopes and other medical documents, some with photos attached. All appeared to concern persons seeking immigration to Canada. Some of the documents bore Health and Welfare identification. Unable to find a Health & Welfare contact, he called the Winnipeg manager of Citizenship and Immigration Canada, advised him of the discovery and later called to advise him that the bins would be emptied the following morning.
The following morning, two Health Canada employees learned of the discovery from the newspaper article. Their search for the records lead them through garbage bins over a three block area at the site, an attempt to locate the truck which had already emptied one bin, and ultimately to the Brady Road landfill site. They and two other employees searched the area where the truck had dumped but found nothing. Finally, city tractors buried and compacted the area so that any records were unlikely to be accessible to anyone.
Apparently the medical records had been stored at National Archives records centre in Winnipeg. The material was due for disposal and after a cursory inspection indicated that they contained only X-ray films, they were sold through Crown Assets to a local contractor for silver extraction. However, instead of providing just the X-rays, Archives turned over envelopes containing individual medical files of more than 2,600 potential immigrants to Canada.
The contractor who purchased the materials for silver extraction got a lot more work than he bargained for. He had sorted through approximately 300 paper files to extract the X-rays and put the paper in the garbage bins when journalists from the Winnipeg Free Press arrived to take photographs. He realized the material should not have been put there and went back immediately to retrieve the files.
While the newspaper stories and calls from various government officials unnerved the man, he returned all the documents and X-rays to Archives.
Health Canada had approved the disposal of the outdated records, as had Archives which agreed that X-rays of prospective immigrants have no historical value. Understanding the records contained only the X-rays, the Records Centre manager sent what was described as "1200 lbs of X-rays - silver content recoverable" to Crown Assets where the contractor's bid was accepted.
An Archives staff member told the investigator that he examined more than ten envelopes and they contained only X-ray films, not medical reports. He removed any identifying details, marked the material to be disposed of as unclassified waste and it was moved to the shredding area. Other staff saw the material with medical documents and photographs stapled to the outside of envelopes standing in the area and assumed they were to be shredded. The supervisor of the shredding company who was on site also confirmed that the skids had been placed in the shredding area and he was told that someone would pick the material up. He also confirmed that when the contractor arrived, he opened one or two envelopes and was surprised to see medical records in the envelopes, saying he thought that he had bought X-ray films.
The contractor also confirmed that all but two of about 300 X-ray envelopes he processed contained medical reports, the majority stapled to the outside. When the material was returned to the Records Centre it was found to consist of hundreds of loose X-ray films, envelopes and medical reports, as well as more than 60 bundles containing an average of 40 to 45 X-ray envelopes each. The centre compared the material against the accession shelf lists to verify that all the records have been returned.
The investigator confirmed that, in addition to X-ray films, they contain sensitive medical information about prospective immigrants to Canada, including applicants' photos, preliminary medical examination report, radiological reports and laboratory test results indicating whether the applicant had such conditions as a sexually transmitted or contagious disease. The review also confirmed that personal information, such as the individual's name, passport number, month/year of birth or age, address, etc., was also contained on the X-ray films.
The Commissioner found the officials of the Manitoba Region Federal Records Centre negligent in their handling of the records and sale of the X-rays. The disclosure of this material to the contractor was a direct violation of the disclosure provisions of the Privacy Act. The Commissioner made several recommendations to the Chief Archivist including
- suspending all sales of X-rays until new procedures are in place;
- removing film from the envelopes and destroying any identifying material;
- requiring contractors and staff having access to X-rays to sign undertakings of confidentiality;
- improving record centre staff awareness of what constitutes "personal information"and their obligations to protect it, and
- notifying the Commissioner's office without delay in similar cases in future.
The Archivist accepted all the Commissioner's recommendations and also suspended further sales of X-rays until the cost of silver recovery made the operation cost-effective. In the meantime, the film will be destroyed in RCMP-approved equipment.
The Office has substantially reduced its dependence on audits as a method of assessing compliance with the Privacy Act. Systematic auditing has proved unsustainable with the Office's dwindling resources. Staff undertook two routine audits this year; the Canada Student Loan Program of Human Resources Development Canada and the RCMP Public Complaints Commission. A third, the Air Navigation System files of Transport Canada, were audited prior to their transfer to NAV CANADA.
Transport Canada - Nav Canada
Transferring the Air Navigation System (ANS) is one of the federal government's largest commercialization projects. The ANS includes seven Area Control Centres, 44 control towers, 88 Flight Service Stations and a network of navigation aids. It manages all Canadian airspace and designated International Civil Aviation Organization airspace in the North Atlantic Region, providing air traffic control for approximately 6.8 million aircraft movements annually. Under the agreement, NAV CANADA bought all relevant physical assets and assumed responsibility for approximately 6,400 employees.
In mid-1996 the Privacy Commissioner appeared before the Commons Transport Committee and urged that NAV CANADA be made subject to the Privacy Act to ensure continuing privacy protection for clients and employees. The Committee agreed and recommended the government include the provision in the enabling legislation. NAV CANADA resisted, the government ignored the recommendation and the legislation passed unchanged.
Given the size of the system and the potential disclosure of vast quantities of personal information, the Commissioner launched an audit of the transfer to NAV CANADA. In August 1996, staff began examining files in the National Capital and Quebec Regional Offices, Ottawa and Dorval air traffic control towers and the Training Institute in Cornwall. They identified several problems, including substantial amounts of personal information that was outdated, information that NAV CANADA did not need and, in some cases, sensitive information from managers' working files that should not have been collected at all.
However, the most immediate problem was the November 1, 1996 deadline for handing over the system to NAV CANADA-not enough time to complete what clearly was a necessary review. The Privacy Commissioner wrote to Transport Canada's deputy minister setting out the preliminary findings. Transport Canada agreed to extend by 60 days the proposed transfer date for personnel files and hired 35 temporary clerks to review files and cull extraneous information.
In their preliminary search, staff found virtually all personnel records contained information about other individuals-names, Social Insurance Numbers and other personal details-often in the form of lists, but also overtime sheets, payroll deduction lists and other memos and forms. Much of it concerned people no longer employees or who were not being transferred and, therefore, was irrelevant to NAV CANADA. And, of course, the individuals had not consented to the disclosure. Transport Canada agreed to remove the irrelevant material.
It also agreed to destroy many documents kept in personnel files and managers' working files long after they served any administrative purpose and well past the normal retention schedule. These included old disciplinary actions, resolved grievances, pay and tax forms, information about family-related leave and physicians' certificates to support employee sick leave.
Rating files in the Quebec region also included the employees' conflict of interest declarations and post-employment code attestations, neither of which apply to NAV CANADA. And the Cornwall Training Institute files held information on both successful candidates and others who failed or abandoned courses (many of them not ANS employees), some of it dating back to 1959. All this information has been removed and given to Transport's information management directorate for proper storage or destruction.
The result: Transport staff removed almost one million pages of outdated or irrelevant personal information from the files being transferred. That's 330 standard file boxes that, stacked one on top of the other, would reach 32 stories high. If nothing else, NAV CANADA records managers should be grateful.
The audit also identified personal data on ANS desktop computers, 3,500 of which will be transferred to NAV CANADA. Managers who maintain employment records in these computers were asked to remove the data of those not transferring. Transport Canada will define limits for access to mainframe computers and networks while NAV CANADA and Transport employees temporarily share offices and computer systems.
NAV CANADA has now received the personal information it needs on employees who accepted its offers of employment. Transport Canada will retain all other personnel files of employees who refused consent to the transfer, as well as outdated and other personal information that was removed from the files.
The good news: a sizeable chunk of Transport Canada files (and virtually all NAV CANADA personnel files) have had a thorough housecleaning. Perhaps the results will encourage the department to review the rest. Some of the problems Transport Canada encountered could have been minimized or avoided had NAV CANADA been made subject to the Privacy Act. Waiting until the privatization process was well under way before dealing with the privacy issues further exacerbated the problem. Involving the Commissioner's Office in the process from the outset is one solution but, ultimately, binding these new entities to the Privacy Act is a far better one.
Canada Student Loan Program
The program is one of those administered by Human Resources Development Canada. It now provides interest rate subsidies to financial institutions for loans to qualifying students but does not guarantee repayment of loans approved since the new Canada Student Assistance Plan took effect. Loans made under the previous Canada Student Loan Act will still be guaranteed by the federal government. In both cases, defaulted loans may eventually be given to collection agencies for recovery.
The audit reviewed the public listings in Info Source, information sharing, staff awareness of privacy protection, contracting out, security, use of telecommunications to transmit personal information and computers to process and store the data.
The Privacy Commissioner's staff suggested some minor adjustments (which they will follow up) but identified no substantive privacy weaknesses. They concluded that an intensive audit was not warranted, particularly given the government's diminishing role in loans written under the new program.
RCMP Public Complaints Commission
The Commission is an independent agency which reviews the RCMP's investigation of complaints against its members. It may also receive complaints directly from the public, although these too are referred to the RCMP for investigation. The Commission has regional offices in Vancouver and Edmonton but all complaint reviews are conducted at the Ottawa Head Office.
Privacy staff found the Commission generally in compliance with the Privacy Act but recommended it:
- seek consent to disclose in its reports personal information that is more than required to properly report the investigation;
- amend the personal information bank description to better describe the holdings and the retention and disposal schedules;
- destroy employment files of former employees held past the approved retention schedule, and evaluations of current employees held past the five-year period, and
- retain Members' notes as part of the Commission's information holdings.
The recommendation to retain members' notes could be affected by the Federal Court of Appeal decision in the case concerning access to notes of Canada Labour Relations Board members (see page 40).
Notifying the Commissioner
Designating a new "investigative body"
The Justice Department sought the Commissioner's views on designating Fisheries and Oceans' Conservation and Protection Directorate as an "investigative body" under paragraphs 8(2)(e) and 22(1)(a) of the Privacy Act.
The effect of this designation is to allow the body to withhold personal information from the individual for up to 20 years if it has been collected during "a lawful investigation", regardless how trivial, or whether disclosure would harm the investigation. In the legal jargon, this is a "class" exemption which-for the organization, at least-has the advantage of not obliging staff to review the files in response to an access request. Nothing need be released.
The Commissioner's response minced no words. Acknowledging that an individual's right of access had to be balanced against the state's need for secrecy, nevertheless he found it "unacceptable for this principle to find expression in any statutory provision that does not contain an injury test". He described section 22(1(a) as "repugnant".
Despite the favourable findings of a 1996 Justice Department study into departments' use of 22(1)(a), the Commissioner observed that discretion in applying the blanket exemption is too rarely used. He cited examples of exempted files containing newspaper clippings, and correspondence between the department and the subject. While it may be simpler to apply 22(1)(a), "I do not believe that administrative convenience should be a consideration...".
The specific case was "particularly troubling" because the department's request had focused on making the case for similar exemption under the Access to Information Act. While there may be good reason for a class exemption from a general right of access under the Access Act (a matter for the Information Commissioner to consider), the application had failed to demonstrate the need to withhold an individual's own personal information under the Privacy Act-one would argue, a more onerous test. Certainly exemptions should not be invoked without considering the individual records and assessing what, if any, harm their disclosure might cause.
The department is reported to be pursuing the application which the Commissioner will continue to oppose.
"Public interest" disclosures
Although the Privacy Act generally prevents government departments and agencies from releasing clients&' and employees' personal information, it lists several circumstances which may warrant disclosure. One of these, subsection 8(2)(m), permits the head of an organization to release information if he or she judges the public interest to outweigh any invasion of privacy. The head must then notify the Privacy Commissioner who may notify the individual(s) concerned, if he considers it appropriate.
Traditionally the heaviest users of this provision have been Correctional Services Canada, National Parole Board, and the RCMP-Correctional Services and the Parole Board to release reports on incidents involving inmates and parolees, and the RCMP to notify communities about impending release of a dangerous offender.
The number of notifications dropped slightly this year to 63 from 69, due mostly to fewer CSC notices. However, RCMP notifications increased to 12 from three last year, an increase due in part to delegating authority for these disclosures from headquarters to divisional commanders, and in part to a growing public outcry about public safety.
Nine of the notices concerned release of violent offenders in Manitoba communities following review by the new Manitoba Community Notification Advisory Committee. The RCMP has established its own policy on notifying communities about the arrival of violent or dangerous offenders, and several provinces have, or are about to establish committees to examine these notifications more systematically. For more information on these disclosures, (see page 35).
Office staff also reviewed two other data matching proposals, one of which-the HRDC student loan match-is ongoing.
Human Resources seeks student loan defaulters In another attempt to ferret out those who owe money to the government, Human Resources Development Canada (HRDC) asked Public Works and Government Services to match its list of student loan defaulters against the federal government employee database. Public Works approached the Office about the request.
Privacy staff pointed out that although Public Works administers the lists to provide pay and benefits services, it does so on behalf of Treasury Board which is the public service employer. The Board is the real owner of the data and would have to agree with HRDC in order to submit a matching proposal. Despite its repeated verbal assurances that the Board agreed, HRDC was unable to produce written authorization. The Commissioner's Office would not consider the proposal without the Board's agreement and there the matter hung at the end of the reporting year.
Agriculture Canada sets off farmers' debts against benefits
Agriculture Canada proposed to match landowners' applications for benefits from two programs-the Arable Acres Supplementary Payments Program and the Freight Costs Pooling Assistance Program-against lists of farmers owing money to other Agriculture and Agri-Food Canada and Canadian Wheat Board programs. The cost-benefit analysis identified approximately $900,000 as the amount to be recovered and the costs to be negligible as the computer software is already configured to run the match.
The match is not described specifically to Arable Acres Program applicants, however, Agriculture staff argued that "set-offs" are described as conditions of the program in both the application form and letter setting out the outstanding balance owing.
At one point it appeared that Agriculture was contemplating extending the match to other departments to which moneys are owed - apparently including Revenue Canada and Veterans Affairs. The Office could accept the specific match within the department as a consistent use of the information, but not an extension to other unrelated departments. Agriculture staff understood and the data matching proposal they eventually submitted was limited to the specific proposal.
Complaint intake surged ahead this year setting yet another record - 2,235 received compared to 1,625 last year and the 1700 forecast. Investigators also completed 2,717, made possible by a combination of factors; a fast track process, a one-time infusion of funds from Treasury Board to hire contract staff (the money, and staff, are now gone) and internal re-alignment of staff. As well, one complainant withdrew 248 complaints, effectively freeing up two investigators.
The huge intake hampers the Office's efforts to substantially reduce its open caseload, investigators habitually carry an average of 90 open complaints at any given time - an excessive case burden. Too much investigator time is spent managing files and placating complainants. Caseload, inadequate resources, and government cuts in ATIP units, continue to seriously slow the entire process.
Delays In fact, delays have become endemic in some departments, due to the volume and increasing complexity of applications, and staff cuts. The seed of the problem was sown in 1983 when departments were told that there would be no new resources to handle requests under the then-new Privacy and Access to Information Acts.
Since then, federal agencies have responded to more than 650,000 applications as resources have been steadily cut. Unless technology-driven, there are no funds available and this work is people-intensive. Managers can only increase efficiency to a point - after that functions must be delayed, cut back or cut entirely. The ATIP program, not the core function of a department, is often high on the cut list. The result; service suffers, so too do the legitimacy and the credibility of the program.
Identifying Access Requesters Once again, the Office has grappled with the vexed question of whether identifying those who make Access to Information requests to other staff within the department or agency is a privacy violation. There is an understandable fear of chill - an apprehension that identifying the applicant could colour the department's response. Those looking for a simple answer will be disappointed.
Investigators have found some instances of departments routinely sending copies of the access request (which identifies the applicant) to program staff for a response. In some cases these staff had been delegated responsibility to approve the response, or to deal directly with the applicant to clarify points or simply to speed up the process. When this was not the case, the Commissioner has found the disclosure offends the Privacy Act.
As a general rule, the applicant's identity should not be revealed to other staff who do not need it in order to handle the access request. There may be other circumstances in which the disclosure of the applicant's name is justified. However, the Office recommended that departmental coordinators consider the circumstances of each application carefully to reduce the suspicion that the department is manipulating its response.
Streamlining the Investigation Process The Office continues reviewing and streamlining its own processes. During the year it re-grouped the branch into two units; one investigates complaints about government collection, use and disclosure of personal information, the other, all access-related complaints. It also implemented a "fast-track" system to reduce both the administrative and paper burden and elapsed time; established quality service standards to reduce the resources and turnaround time, improve the quality of the investigations and ensure more consistent findings; conducted in-house training to ensure consistency and enhance investigative skills, and transferred the Inquiries function to the Public Affairs unit to allow Branch management to concentrate strictly on complaint investigations.
Reducing the Backlog In an effort to reduce the backlog of cases - 1629 carried over from the previous year, the Office has identified all files more than twelve months old (578 complaints or 35 per cent of ongoing cases), established a Backlog Unit which completed 375 investigations or 65 per cent of total backlog by the end of 1996, deployed other professional staff to finalize investigations - completing 38 complaints or 18 per cent of the 578 total; assigned virtually all time limits complaints to one junior privacy officer - closing 426 cases, thus freeing up senior investigators for more complex cases.
While these measures substantially reduced the number of cases open between six months and two years, the record intake of new complaints has simply shifted the indigestible chunk into the six to 12-month age bracket.
Covering Commissions of Inquiry
One complaint about disclosures of personal details during the Somalia Inquiry revisits a matter about which the Commissioner made recommendations in earlier annual reports - that commissions be added to the schedule to the Privacy Act. In this case, the inquiry ordered National Defence to turn over virtually all information considered relevant to the public inquiry including, obviously, large amounts of personal information.
DND was legally obliged to provide the material and the Privacy Act permits disclosures to comply with warrants or subpoenas. The Commissioner concluded that DND had not improperly disclosed personal details. But he and National Defence staff were concerned that an individual's control over the information is lost once in the hands of the commission of inquiry.
The Somalia commission assembled more than 100 Document books for legal counsel and the parties to the inquiry. Once filed as exhibits, the books are available to the media. The inquiry staff were conscious of the privacy implications of releasing the material and attempted to remove what it considered any irrelevant details. However, they are under no legal obligation to do so, thus privacy protection will vary from inquiry to inquiry, depending on the knowledge, time and inclination of staff.
Making commissions of inquiry subject to the Privacy Act would not impede their work; the act permits disclosures when the public interest "clearly outweighs any invasion of privacy that could result". But it would require commissions to consider carefully what disclosures clearly serve that public interest, and it would provide framework for access, disclosure and retention of inquiry material once the inquiry completes its work.
Canada Post spells out opt-out of Change of Address notices
This year the office concluded lengthy negotiations to attempt to resolve two complaints about Canada Post's change of address service.
The service redirects mail from clients' old to new addresses when they move (for a fee). Canada Post operates on cost recovery so it offers an address correction service to commercial and government mass mailers which (also for a fee) updates their clients' addresses, unless the client actively objects.
The complainants objected to the feature on the Change of Address Notification form telling clients that by signing the form "you consent to the information being provided, for address correction purposes, to mailers having your name and old address". More detail was provided in some accompanying material which the complainants argued was likely to be missed or thrown away in the pressure of moving. Assuming clients have given their permission if they are not heard from is a common commercial practice known as "opting-out".
Although technically speaking, there had been no improper disclosures (the complainants had opted out) the investigator took up the procedure with Canada Post. As part of its modifications to the Change of Address program, Canada Post agreed to provide more detail on the form itself and a toll-free line for clients to call if they have questions.
The Commissioner has made no secret of his dislike of opt-outs as a means of obtaining permission. Canada Post argues that the form is already too full to allow for a consent box and they are under some pressure from clients who frequently complain if they do not receive all their mail at their new addresses.
Anyone planning a move who objects to their new address being given to mass mailers should read the form carefully. Anyone who wants to reduce the amount of marketing mail can also use the Canadian Direct Marketing Association's Do Not Call/Do Not Mail service at
1 Concorde Gate, Suite 607
Don Mills, Ontario
Guidelines on using program files for employee supervision
Some government managers have to wear two hats when dealing with employees; one as employer and the second as program administrator. Distinguishing between the two functions and dealing with the person appropriately can pose a challenge. Following a complaint in 1993, Revenue Canada issued guidelines on using taxpayer information for monitoring or disciplining its employees; this year a similar complaint led Human Resources Development Canada (HRDC) to agree to do the same.
At issue was the employer's investigation of a woman's employment insurance (EI) claim file which was then used to discipline her as an employee. The woman, an insurance agent with the former Employment & Immigration Department (now HRDC) developed severe health problems and eventually used up her sick leave. Once her leave was gone, she applied for and received EI benefits.
To speed up her payments, she hand delivered her claims, and those of her son, directly to co-workers for manual input to the system. Although caught, suspended for eight days and counselled for the conflict of interest, she repeated the behaviour. Departmental managers became concerned about her pressure on co-workers in general, particularly on one in a trusted position, and examined her EI file. Her employment was terminated with an out-of-court settlement.
The woman complained that HRDC's use of her EI benefits file for employment purposes violated the Privacy Act because it meant using information gathered for one purpose-to pay her EI claim, for an unrelated use-disciplining her as an employee.
The department argued that the Privacy Act allows disclosures specified in other acts of Parliament and that it gathered the information to administer and enforce the EI Act, an essential component of which is to ensure the professionalism and personal integrity of the staff responsible for administering the program. Officials also maintained that the use was "consistent with" the original purpose for collection-to administer the EI act. The Privacy Act allows consistent uses.
The Commissioner rejected the proposition that the section of the EI act on which the department was relying (section 96) was anything other than a confidentiality provision to ensure that EI information was not disclosed outside the department. During a subsequent meeting to resolve the disagreement, privacy staff suggested HRDC examine the guidelines put in place by Revenue Canada to deal with similar extraordinary situations; examining an employee's income tax return.
At issue is not whether a department can discipline its employees for conflict of interest or other infractions, but ensuring that program files do not become a routine part of employee supervision. The circumstances which justify this use of non-employment information should be serious, the access restricted and the authority clear.
Office staff offered their advice and support in drafting appropriate controls. The department agreed and the Commissioner looks forward to seeing the results.
RCMP's disclosures during investigation "excessive"
A complaint from a lawyer challenged the information the RCMP revealed to several organizations about his client whom it was investigating. He argued the disclosure was excessive and in violation of the Privacy Act.
In an attempt to gather evidence for an investigation into alleged fraud and misappropriation of federal funds, the RCMP wrote to nine organizations seeking copies of any contracts they entered into with the individual and details of any disbursements they made. The letters disclosed information about the investigation, in particular that "evidence uncovered to date is overwhelming and prosecution will be unavoidable". The individual also complained to the RCMP Public Complaints Commission.
The RCMP should be able to demonstrate that its disclosures of personal information during investigations are required to fulfil its law enforcement and investigation mandate. During the Public Complaints Commission investigation, the RCMP acknowledged that the reference to the prosecution was unnecessary and apologized to the complainant for any discomfort this may have caused. Thus, by its own admission, the disclosure was excessive.
The privacy investigator reviewed the files, located the letter but could not find the same or similar statement in any of the preceding volumes. The comment first appears in the letter and seems to be the opinion of the writer. The RCMP agreed that the statement was unnecessary, improper and "lacking in tact". The RCMP Commissioner undertook to ensure that proper training is available to all members who must secure evidence from outside bodies during economic crime investigations.
The Privacy Commissioner concluded that the complaint was well-founded but regretted that nothing further could be done to remedy the situation.
HRDC disclosures to private training companies tightened
One of the most immediate and visible signs of contracting out government services is the training courses offered employment insurance claimants. The courses, once given by Human Resources Development Canada, are now contracted out to private training organizations. This often comes as a surprise to the claimants who wonder where the company got their information.
A case in point was an Alberta woman who left her job to accompany her husband who was attending university in another city. She applied for employment insurance two weeks before the move and gave her new address. Shortly after moving she received a call from a company offering her a three week course, paid for by the department, on "employment issues". Taken aback, she asked how they got her information and whether they were a private company. The company explained its status and role but the woman was "astounded" at the disclosure of the information outside the department.
The Employment Insurance Act allows the department to disclose information to "persons as the Minister deems advisable". The investigator confirmed that the then-minister had signed an authorization to release information to contractors for purposes specified in the contract. The department had entered into a contract with the company which had called the complainant to provide training.
In an attempt to increase participation in the training, the department gave the names and telephone numbers of targeted EI applicants to the company which would market the course directly to applicants. The department did not tell the applicants or ask their consent for the disclosure and there was no mention of it in the supporting materials. The course was voluntary and the woman was not interested in its content, the focus of which was to help EI recipients deal with the personal changes, brought on by job loss that "negatively impact on their ability to become re-employed". Since the training was not mandatory and the contract did not permit disclosure of personal information for marketing the course, the Commissioner concluded that the woman's complaint was well-founded. The investigator also found that the contracts contained no clauses protecting the personal information once in the hands of the company.
As a result of the woman's complaint, the Canada Employment Centre now consults clients before giving their names to private contractors for training. The description of the information and its uses in Info Source will be amended, and the EI application form has been changed to describe the potential use of claimant's information for training purposes. And, most important, Employment Centres have been instructed to ensure that contracts now contain clauses to protect clients personal information. With these steps, the Commissioner considered the complaint resolved.
Lost file prompts new tracking system
A Second World War veteran's request for his medical file to support a disability pension application revealed that the file was apparently lost. When neither National Archives (which stores all old government personnel and military records) or Veterans Affairs could find the file, he complained to the Commissioner.
The veteran's original request went to Veterans Affairs. Since the file was more than two years old, the request was transferred to National Archives. Archives found the file was missing but did have a copy of a form indicating that it had been loaned to Veterans Affairs in 1987. Apart from keeping the form, Archives had no process to follow up and ensure that the file had been returned.
Veterans Affairs normally photocopies original files in Ottawa, returns the original to Archives, and forwards the copies to the appropriate regional office. It too found no trace of the file and believed it had been returned. Although a computerized system now tracks files borrowed from and returned to Archives, it was started in 1991. Any paper records from 1987 would have been destroyed as part of normal record review and destruction.
When the complainant produced a letter from the Royal Canadian Legion stating that staff had reviewed his file in 1988 to help him with his pension application, the investigator contacted the Legion. The Legion was happy to try to help but it was apparent that its staff only review original documents on site in government offices and take copies of the needed documents; they do not receive originals. Fortunately the copies they had taken were helpful. The investigator followed another possible lead to the Surgeon General's office at National Defence but it too was cold.
The investigator had to conclude that the file was gone or misfiled in Archives' huge inventory and too much time had elapsed for there to be any hope of finding it. Had Archives file loan controls been better, the loss would have been noted much earlier and the chances of recovery far greater. Although little could be done to solve the immediate problem, the Commissioner wanted some assurance that the incident would not be repeated.
The investigation led Archives to initiate a file recall system for loans to other departments. The departments will now receive a formal recall notice at 90 days, and at 120 and 180 days if there are valid reasons for keeping the file longer than 90 days. The Commissioner concluded that the complaint against Archives was well-founded but, with the file recall system, now resolved. He dismissed the complaint against Veterans Affairs.
Complainant was source of personal details
It is evident that people often don't understand the implications of borrowing money and the collection and disclosure of personal information that is an integral part of the process. A man complained that a letter to him from a law firm about his unpaid Canada Student Loan contained information about his defective heart condition and his Social Insurance Number. He wanted to know how they got the information.
The man had defaulted on the loan and Human Resources Development Canada (HRDC) turned the matter over to a collection agency-the law firm. The firm obtained a credit report from Equifax (a major credit bureau) which contained the medical information, the name of his doctor, and the notation that the information was provided by the man himself during an interview.
Student loans are like commercial loans. The student borrows the money from a financial institution and authorizes the lender to exchange with credit bureaus, credit granters and credit reporting agencies information about the loan. This is part of the bargain between borrower and lender. The student loan program acts as guarantor for the bank. If a student defaults, the bank is paid by the government which then attempts to recover the money owing.
The law firm was acting as the department's agent in its attempt to get the loan repaid and had a legitimate reason to obtain the credit report from Equifax. In fact, the law firm acted in the complainant's interest when it explained to him that HRDC might defer its collection if he could provide information to confirm that his disability prevented his working and therefore repaying the loan.
The department also demonstrated that the Canada Student Loan Program is one of the federal activities legally mandated to use the SIN and, as its agent, the law firm had a right to it. The SIN was also in the man's Equifax file. Use of SINs by credit agencies is the single biggest motivator for private sector requests for the number and is outside of the federal government's jurisdiction. The Commissioner dismissed the complaint.
Should employees expect privacy for their e-mail?
An employee of a Correctional Service Canada (CSC) treatment centre alleged that the secretary of the division had obtained her computer password and accessed her e-mail without consent during her absence. She complained that the access breached her privacy and that of inmates whose personal information was in her data base.
The investigator established that CSC headquarters had called for a copy of a document the complainant had prepared but it had not received. The request was urgent, the complainant was absent but her secretary knew it had been sent and could be found in her e-mail. She asked the divisional secretary for help. Informatics staff suggested re-setting the complainant's access code to allow the secretary to obtain the document. The Assistant Warden gave the secretary permission to re-set the code in order to access the e-mail.
The complainant argued that a copy could have been obtained from another office. She suspected that her supervisor wanted access to her communications with a union representative and another employee concerning her harassment complaint against him. In fact, only her secretary entered her computer and she insisted that she did not browse through the e-mail or any personal files. She knew approximately when the e-mail had been sent and found it quickly.
The investigator found no evidence that there had been any improper disclosure of personal information. Computer passwords are the equivalent of locks and access lists for conventional paper records; they are to prevent unauthorized access by individuals who have no need to examine information in employees' working files. However, no matter the medium, information employees prepare for government business and stored on government premises should be available to an individual's supervisor if there is a demonstrated need during an employee's absence.
The Commissioner agreed with the complainant that access should always be controlled and authorized by the employee's supervisor. As a result of the complaint, CSC informatics staff now require a written authorization from a supervisor before re-setting passwords.
Managers and employees alike should remember that e-mail is not secure and even deleted e-mail messages can sometimes be retrieved. In short, these systems should not be used to send or store anything they don't want others to read. The complaint was not well-founded.
Tax reassessment of travel allowances no "fishing expedition"
Several RCMP members complained to the Commissioner that by giving Revenue Canada a list of those receiving transfer allowances from 1991 to 1993, the RCMP had improperly disclosed personal information. (They also complained about Revenue Canada's collection of the information.) The complainants argued that the request was akin to a "fishing expedition" and that Revenue Canada was obligated by the Income Tax Act to obtain a judge's order to obtain information about unnamed individuals, and the RCMP should not have relinquished the list without one.
At issue is the allowance paid to RCMP members when transferred to a new location. The allowance, equal to 1/12 the annual salary, is to be taxed at source by the RCMP and reported by members as a taxable benefit on that year's income tax return. Members are told this when paid the allowance. In contrast, actual moving expenses are fully deductible with receipts.
A Revenue Canada audit of Regina District RCMP members revealed that many were simply deducting the full amount of the allowance as a moving expense. Auditors also discovered that the RCMP had not properly reported the taxable allowance on members T4 slips. If it had, Revenue Canada could have found any discrepancies from its own computer system and not needed the RCMP's list. Once Revenue Canada discovered the omission, it asked the RCMP for the lists to conduct a random sampling to determine the extent of the problem. Following a telephone conversation between the RCMP Commissioner and the Revenue Canada Deputy Minister, the RCMP agreed to turn over the necessary records to ensure that transfer allowances were being properly reported.
Revenue Canada reviewed the computer tape and examined the returns of all members who received the transfer allowance during the three years at issue. Of the 1400 returns, 633 were reassessed and $1,227,000 in unpaid taxes was recovered. The remaining returns were processed with no changes, either because the member did not claim the allowance or the return had already been re-assessed by a field office in the post-review process.
It was clear to the Commissioner that both departments were cognizant of the restrictions in both the Privacy Act and the Income Tax Act, had sought legal advice and proceeded carefully. The RCMP is required to report properly to Revenue Canada any benefits paid its employees. Rather than ask the RCMP to re-issue T4 slips to all its members for the relevant years (which would have triggered a review of every member's file) Revenue Canada focused its request on a list of only those who had received the transfer allowance. The Commissioner concluded that Revenue Canada is entitled to collect the information under the Income Tax Act and therefore there was no violation of the Privacy Act.
Air crew remarks to safety inspectors given to airline
The disclosure of an employee's critical comments to the employer can have predictable consequences and require a careful assessment of whether the remarks are simply letting off steam, or information to which the employer is entitled. This was evident when the flight service director of an Air Canada cabin crew allegedly told a Transport Canada inspector that a number of the shortcomings she noted on the trans-Atlantic flight were due to the airline emphasizing service over safety. The inspector paraphrased all the crew members remarks and relayed them to the airline in her report. The report led the airline to correct the deficiencies and to take disciplinary action against the flight director. He, in turn, complained that the inspector's disclosure was improper.
The investigator found that the inspector had noted numerous violations of the Aeronautics Act, Air Regulations and related Air Navigation Orders. Normally inspection reports are sent monthly to appropriate airline personnel. Only when inspectors note "extensive non-conformities" do they issue separate letters of finding. The inspector's letter noted both the specific violations and her interpretation of the flight director's remarks that the company should be blamed for the non-conformities, not him, since cabin crew had been complaining for some time about service considerations overriding safety procedures. The flight director said his comments had been misinterpreted.
Airline inspection personnel find interviews with flight crew a valuable source of information since crew often voice concerns to inspectors they would be reluctant to express to their employer. Open communication between inspectors and crew is essential. However, safety comes first. When inspectors find cabin crew not complying with safety requirements, they must report this to airline management. Management, in turn, must respond in writing to Transport Canada on its corrective action. As well, the flight director has overall responsibility for service, safety and cabin crew and is subject to disciplinary action when there are extensive violations. Although airlines usually determine the disciplinary action, Transport Canada can make specific suggestions and recommendations.
It was evident from the legislation, regulations and procedures manuals that Transport Canada has authority to inspect flight safety and communicate its findings, including relevant crew comments, to the airlines. The inspector considered the crew's comments were relevant to flight safety and required by the airline to correct the shortcomings. The Commissioner concluded that Transport Canada has clear legislative authority for safety inspections and that the inspector disclosed the crew's remarks for the very purpose for which they were gathered-to deal with safety violations. Thus there had been no violation of the Privacy Act.
Nevertheless, the Commissioner agreed that paraphrasing the crew's remarks risks misinterpretation, particularly when the crew does not see the written report and thus has no opportunity to correct misunderstandings. The comments are often gathered while flight crew are busy on descent which may prompt less than careful remarks. The Commissioner recommended inspectors have an opportunity to share written findings with aircrew before submitting them to the airline. He also recommended inspectors make a greater effort to record the crew's comments verbatim to avoid misinterpretation.
Instructor circulates students' information
A student on a course at a private training centre under contract to Human Resources Development Canada (HRDC) complained that the instructor had circulated a list of the students' names, addresses, telephone numbers and Social Insurance Numbers for each student to verify the information. Circulating one list effectively disclosed her personal details to each of the other students. She thought there should be some penalty against the centre.
There was no doubt that the private training centre was under contract to HRDC and thus bound to respect the Privacy Act. Nor was there any dispute that the information had been disclosed. The investigator interviewed the instructor who confirmed that HRDC had advised her that she was responsible for protecting her students' personal information. She confirmed that the centre would use individual sheets in future.
The investigator explained to the complainant that there are no penalties against the training centre-HRDC is held responsible for the actions of its contractors. The complaint was well-founded.
Request for Archives investigation not "personal"
A letter asking the National Archivist to investigate allegations of improper document destruction at National Defence prompted a complaint from the writer that the letter should not have been disclosed to DND.
The letter set out the writer's allegations, named DND sources who could provide information, and asked the Archivist to investigate. Since National Archives does not have the power to enter a department and investigate on its own right, the Archivist wrote to the Deputy Minister of National Defence enclosing a copy of the letter, and asking him to investigate the allegations.
The complainant argued that the letter contained confidential and personal information, including the name of his sources, which should not have been disclosed, and that his own privacy had been violated by Archives' release of his letter to DND.
The Archives argued that the letter was on company letterhead and therefore did not appear to be personal, the writer had not asked for confidentiality (a request made - and respected - in an earlier letter), the Archivist could not investigate without the full cooperation of DND, and the department could not investigate without knowing the allegations against it.
The Commissioner concluded that the writer clearly wanted Archives to investigate and had provided the information in order for it to do so. Archives has no investigative power of its own and, therefore, it was reasonable that it should provide the allegations to DND for it to investigate. In effect, Archives used the information for the purpose for which it was provided.
It is also a fundamental principle of natural justice that an accused be able to face the accuser and know the charges being made. This is true even of complaints under the Privacy Act-the complainant's name and allegations are given to the department cited. The Commissioner considered the complaint not well-founded.
This year's inquiries exceeded 9600 for the first time. Inquiries range from straightforward questions about the Privacy Act, to how to get a pardon, remove names from mass mailing lists, or find natural parents. And each time the federal government launches a new program or begins another collection of personal information - the last census, the Consumer Price Index survey, or matching Customs and EI data - the telephones start to ring.
A substantial segment of the work deals with referring callers to organizations which may be better placed to help. Clearly a number of callers are frustrated to discover the limit of the Commissioner's mandate and angry that, in fact, there is no legal protection for their privacy. We encourage them to support the government's initiative to have national privacy legislation in place by the year 2000.
About 40 per cents of the inquiries are in the Commissioner's jurisdiction and focus on using and interpreting the Privacy Act. The next largest group, requests for Office publications and calls from the media, makes up 18 per cent. Referrals to our provincial counterparts count for eight per cent and complaints about uses of the Social Insurance Number seven per cent (see below). The remaining 27 per cent concern such issues as telemarketing and direct mail, adoption, geneology, credit reporting, financial institutions, and medical records.
Hydro Québec asks new customers for SIN
Many Canadians view the federal government as the custodian and supervisor of the Social Insurance Number, and the federal Privacy Commissioner as its national guardian. In fact, neither is true. The federal government has a strict policy on its own uses of the ubiquitous SIN but no power to control how others use it. A case in point is Hydro-Québec's request for SINs from new customers which prompted a deluge of calls demanding that the federal Commissioner intervene because it is a "federal number".
The Québec Information and Privacy Commissioner and Hydro-Québec (which is subject to the provincial privacy law) debated the issue at some length and appeared headed for court. By mutual consent both parties agreed to step back and find a solution with which both could live. Hydro-Québec convinced the provincial commissioner that using SIN was the only way to track down customers who move without paying their bills. The commissioner, in turn, got Hydro's agreement to create a new unique ID number from the SIN, remove some gratuitous personal details from its files and allow only its collection staff access to the actual SIN. In May 1996, the Quebec National Assembly passed Section 8 of Hydro-Québec By-Law 634 giving the corporation the right to request SIN from customers "opening an account". Once Hydro began advising its customers that it might ask for their SINs, the phones began to ring.
The federal Privacy Commissioner continues to object to compelling people to provide their SIN for uses completely unrelated to their original purpose. However, given that Hydro-Quebec's by-laws now require the SIN, its customers have no legal grounds for refusing.
New Permanent Register for Electors
The office also received several calls from individuals upset with Elections Canada's request for their date of birth on the enumeration form for the new permanent voters register (see page 19 for more detail). Elections Canada collects the birth date and gender to help it distinguish between individuals with the same or similar names. The information does not appear on the lists given to political parties each year. Inquiries officers explain that the register is protected under both the Privacy Act and the Elections Act and voters do not need to be in the register to vote. Voters also have the right to withdraw their names or to prevent their transfer to the provinces or territories by writing to the Chief Electoral Officer.
Errors on credit files
We continue to receive many calls from individuals who are concerned about errors on their credit files. Credit bureaus in Canada are private businesses and therefore are not covered under the Privacy Act. They are regulated by provincial consumer protection laws so the details of the parties' rights and responsibilities vary from province to province. Individuals who have not been able to have errors corrected by their local credit bureau should contact their provincial agency which administers consumer protection law.
Top Ten Departments by Complaints Received
|Correctional Service Canada||602||134||422||46|
|Human Resources Development||141||53||38||50|
|Immigration and Refugee Board||115||65||38||12|
|Citizenship and Immigration Canada||110||66||38||6|
|Royal Canadian Mounted Police||86||57||2||27|
|Canada Post Corporation||69||37||7||25|
|Canadian Security Intelligence Service||45||44||1||0|
Completed Complaints by Grounds and Results
|Grounds||Well-founded||Well-founded; Resolved||Not Well-founded||Discon-tinued||Resolved||Settled||TOTAL|
|Retention & Disposal||11||12||20||8||2||6||59|
|Use & Disclosure||32||27||109||71||5||52||296|
Completed Complaints by Department and Result
|Department||Total||Well-founded||Well-founded; Resolved||Not well-founded||Discon-tinued||Resolved||Settled|
|Agriculture and Agri-Food Canada||16||1||0||2||10||1||2|
|Auditor General of Canada||2||0||0||0||2||0||0|
|Bank of Canada||1||0||0||1||0||0||0|
|Business Development Bank of Canada||5||4||0||0||0||0||1|
|Canada Mortgage and Housing Corporation||5||1||0||1||2||0||1|
|Canada Ports Corporation||1||0||0||1||0||0||0|
|Canada Post Corporation||112||5||5||71||9||10||12|
|Canadian Environmental Assessment Agency||1||0||0||1||0||0||0|
|Canadian Heritage, Department of||8||0||1||1||5||1||0|
|Canadian Human Rights Commission||18||1||3||11||0||1||2|
|Canadian International Dev. Agency||1||0||0||0||0||1||0|
|Canadian Radio-Television and Telecommunication Commission||3||0||0||3||0||0||0|
|Canadian Security Intelligence Service||73||0||3||52||4||1||13|
|Canadian Space Agency||22||0||0||18||0||4||0|
|Citizenship and Immigration Canada||122||39||8||37||11||4||23|
|Correctional Service Canada||731||293||24||269||50||19||76|
|Farm Credit Corporation Canada||6||0||2||2||0||0||2|
|Fisheries and Oceans||11||1||1||1||0||0||8|
|Foreign Affairs and Int. Trade Canada||10||6||0||4||0||0||0|
|Human Resources Development Canada||176||35||24||45||25||8||39|
|Immigration and Refugee Board||93||54||1||15||21||0||2|
|Indian and Northern Affairs Canada||22||1||1||13||6||0||1|
|Jacques-Cartier & Champlain Bridges Inc.||4||0||3||0||0||0||1|
|Justice Canada, Department of||209||2||1||20||179||5||2|
|National Archives of Canada||55||9||0||29||6||0||11|
|National Arts Centre||1||0||0||0||0||0||1|
|National Library of Canada||1||0||0||0||1||0||0|
|National Parole Board||27||4||2||11||7||2||1|
|National Research Council Canada||1||0||0||1||0||0||0|
|Natural Resources Canada||4||0||2||1||0||1||0|
|Natural Sciences and Engineering Research Council of Canada||1||0||0||1||0||0||0|
|Privy Council Office||5||1||0||3||0||1||0|
|Public Service Commission of Canada||24||5||1||13||3||1||1|
|Public Works and Govt. Services Canada||11||1||0||6||2||0||2|
|RCMP Public Complaints Commission||15||0||0||5||0||1||9|
|Royal Canadian Mint||1||0||1||0||0||0||0|
|Royal Canadian Mounted Police||162||3||4||103||10||7||35|
|Social Sciences and Humanities Research Council of Canada||1||0||0||0||0||0||1|
|Solicitor General Canada||2||0||0||0||0||0||2|
|Treasury Board of Canada Secretariat||6||0||1||3||0||0||2|
|Veterans Affairs Canada||4||0||0||3||0||1||0|
|Western Economic Diversification Canada||1||0||0||0||0||0||1|
Origin of Completed Investigations
|Prince Edward Island||
|National Capital Region - Québec||
|National Capital Region - Ontario||
Complaints Completed by Grounds
International Privacy Commissioners Meet in Ottawa
Last September, the Office hosted the 18th International Data Protection Commissioners Conference in Ottawa. The conference, which began as an informal annual meeting of Western European data protection and privacy commissioners, has evolved into an event to exchange information and examine the privacy implications of new trends, techniques and technologies.
The 1996 conference attracted 300 provincial, territorial and foreign commissioners and for the first time a large contingent of government and industry representatives and privacy protection advocates from around the world. The commissioners represented 23 countries and 17 sub-national jurisdictions (for example, Canadian provinces and German states).
The 1996 Ottawa conference theme, Privacy Beyond Borders, focused on the privacy impact of growing international trade in personal information. The Ottawa conference offered the first opportunity to attract a sizeable North American contingent, as well as participants from other countries interested in the North American approach to data protection.
The first two days of the three day conference were open to all participants and consisted of presentations and panel discussions. The last day was a business meeting for privacy commissioners and their staffs to exchange views on administrative, legal and policy issues common to their operations. Among the topics debated at the public meetings were:
- the new European Union Directive on the protection of data and privacy, and its impact on North American businesses;
- increasing surveillance of individuals, including workplace monitoring and the use of information relating to a person's whereabouts;
- international developments in data protection and privacy legislation; and
- privacy and selected Canadian private sector industries.
These annual conferences serve many purposes, most important of which is sharing experiences with privacy issues that increasingly respect no national boundaries. Canada can learn much from other countries' privacy initiatives, and our own privacy bodies have much to share with other jurisdictions. In an environment in which increasingly scarce public resources are being shifted to programs and systems that threaten to erode privacy, few are available for its protection. The data protection commissioners conference offers the prospect of some synergy.
Many of the papers presented at the conference are available on our Internet web site at http://infoweb.magi.com/~privcan/. The office also has available a limited number of bound copies of the papers.
Privacy Protection In Canada… an update
British Columbia will begin reviewing its Freedom of Information and Protection of Privacy Act later this year. The Legislature is expected to appoint a Special Committee that will report back to the Legislative Assembly within one year on the results of its review, including any recommended amendments.
There was some concern that the government might amend the act before the committee completed its review. The government now appears to have postponed any such plans and will allow the committee to hear representations before considering any changes.
Alberta introduced Bill 1 to extend the Freedom of Information and Protection of Privacy Act to schools, health authorities, post-secondary institutions and municipalities. The bill allows local public bodies to be phased into the act, sector by sector, as they are ready. The education sector is expected to be the first new group brought under the legislation, followed by the health sectors and the municipalities.
The government also released a discussion paper entitled Striking the Right Balance as part of the process of preparing new health legislation. At issue is the balance between sharing information to improve health and health care while protecting the privacy of an individual's personal health information. Results of the consultations will lead to draft legislation to be introduced later in 1997.
Manitoba is planning to table a new freedom of information and protection of privacy bill to replace the 1988 Freedom of Information Law which deals only with access to personal records. The new bill would include a fair information code-rules for government collection, use and disclosure of residents' personal information. It would also address the impact of growing application of electronic technology on information rights.
In addition, the province is considering a separate medical privacy protection bill to strengthen health privacy provisions across many different statutes, and to respond to growing concerns over protecting personal health information with the advent of new health information-sharing technologies.
In July 1996, the New Brunswick Ministry of Justice released a discussion paper seeking comments on a proposed Privacy Act. This new law, somewhat similar to the federal law, would replace the December 1994 voluntary Privacy Code and apply to provincial government records. Like the code, the law would be overseen by the province's Ombudsman.
The Northwest Territories' Access to Information and Privacy Act came into force in January 1997. In anticipation of the April 1999 splitting of the Territories to create Nunavut, however, minor changes were made to the law before it came into force. The Information and Privacy Commissioner will be a private sector specialist instead of a government employee, and his/her term will end in March 1999.
In March 1996, the Nova Scotia advisory committee reported on its review of the province's 1993 Freedom of Information and Protection of Privacy Act. The committee made 65 recommendations including extending the act to private businesses under contract to the provincial government, to academic institutions, and to municipal and regional agencies, and appointing a commissioner to replace the existing part-time Review Officer.
Ontario's February 1996 omnibus bill brought changes to its Freedom of Information and Protection of Privacy Act. Applicants must now pay a $5 fee to examine their own information, and a further $10 if they wish to lodge a privacy complaint with the province's Information and Privacy Commissioner. The Bill also allows an institution to refuse to respond to requests which the head has reasonable grounds to believe are "frivolous or vexatious".
Another bill amended the provincial law to remove from its application any records an institution collects, maintains or uses concerning communications, consultations, discussions, meetings, negotiations or proceedings about labour relations or employment-related matters in which the institution has an interest. These changes could deprive provincial employees of much of their right of access to, and correction of, their personal information.
Quebec's Bill 32, enacted in June 1996, somewhat weakened that province's privacy law by furnishing the provincial Ministry of Revenue unprecedented powers to obtain personal information from other provincial and municipal agencies to catch "tax cheats". The Ministry must notify the provincial Privacy Commissioner who will monitor but may not stop the collection. As well, Québec set up a province-wide prescription drug network which became operational in January 1997, stirring some privacy concerns. The province also announced that, beginning in 1998, it would replace existing health care cards with smart cards, although these would not contain a person's medical record but act as a key to centralized computer files. Lastly, Quebec's National Assembly held a series of public consultations in March 1997 on the need for a provincial identity or multi-purpose card. No recommendations have been made to the government to date.
Yukon has enacted a revised access to information law which now includes provisions for protecting territorial residents' personal information and privacy. The new law is overseen by the territorial Ombudsman, who doubles as Information and Privacy Commissioner.
The Offices of the Information and Privacy Commissioners share premises and administrative support services while operating separately under their statutory authorities. These shared services-finance, personnel, information technology advice and support, and general administration - are centralized in Corporate Management Branch to avoid duplication of effort and to save money for both government and the programs. The Branch has just 15 staff and a budget of approximately 15 per cent of total program expenditures.
The Offices' combined budget for the 1996-97 fiscal year was $6,657,000. Actual expenditures for 1996-97 were $6,669,015 of which personnel costs - $5,452,166, and professional and special services expenditures (contractors and outside legal counsel) $721,248 - accounted for more than 93 per cent of all expenditures.
The remaining $495,601 covered all other costs including postage, telecommunications services, supplies, equipment, travel and printing for both programs, the 84 employees and two Commissioners.
Actual expenditure details are reflected in Figure 1 (Resources by Organization/Activity) and Figure 2 (Details by Object of Expenditure).
Figure 1: 1996-97 Resource Use by Organization/Activity
Figure 2: Details by Object of Expenditure
|Employee Benefit Plan Contributions||
|Transportation and Communication||
|Professional and Special Services||
|Purchased Repair and Maintenance||
|Utilities, Materials And Supplies||
|Acquisition of Machinery and Equipment||
|* Expenditure Figures do not incorporate final year-end adjustments reflected in the Offices' 1996-97 Public Accounts.|
- Date modified: