Privacy Issues on Reserve: Applicable Law and Unique Context
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at the 2011 Canadian Aboriginal Law Conference
November 25, 2011
Address by Chantal Bernier
Assistant Privacy Commissioner of Canada
(Check against delivery)
Thank you for inviting me to this conference.
Having started my career as a lawyer for the Inuit of Northern Quebec, to then move on to the Native Law Section at the Department of Justice, I have had the privilege of pursuing my interest for Aboriginal law as an Assistant Deputy Minister at Indian and Northern Affairs Canada, and then at Public Safety Canada where I was responsible for Aboriginal policing. Given that background, you will easily understand that I am delighted to tackle these relevant issues, once again, under the angle of privacy law.
After saying a few words on the role of the Office of the Privacy Commissioner of Canada, I will discuss how each of the two federal pieces of privacy legislation would apply on First Nations reserves, and end with specific issues related to applying privacy law on reserves.
Who we are and what we do
I will begin now by giving you an overview of the legislation in place to protect privacy in Canada, and of the role of the OPC in this context.
There are two federal acts overseeing personal information in Canada: one aimed at the private sector and the other, at the public sector.
For reasons I will expand upon in a moment, Band Councils come under the private-sector act, while Aboriginal Affairs and Northern Development Canada, of course, comes under the purview of the public-sector legislation.
Canada’s private-sector privacy legislation, namely the Personal Information Protection and Electronic Documents Act, or PIPEDA, regulates the collection, use and disclosure of personal information by federal works, undertakings and businesses, and by private-sector organizations in provinces that do not have substantially similar legislation over the private sector.
At the present time, that means all provinces and territories except Quebec, Alberta and B.C., who have their own private-sector privacy laws.
The other piece of legislation is the Privacy Act, which protects the personal information held by 250 departments and agencies of the Government of Canada.
The mandate of the OPC is to oversee compliance with these two acts. We exercise our mandate through six well-defined functions:
- We respond to information requests — over 11,000 a year;
- We receive and investigate complaints — over 200 a year against the private sector and over 600 against the public sector;
- We review privacy impact assessments (or PIAs) submitted to us by federal organizations about their programs or activities which may entail the collection of personal information;
- We audit the personal information management practices of organizations subjected to either act;
- We support Parliament by commenting on bills and amendments that touch on privacy issues; and
- We perform and support research and public education activities, notably through our Contributions Program. For instance, last year, through the Contributions Program, we financed a project conducted at the University of Victoria on First Nations privacy and electronic health record initiatives. The project touched among other things on the interaction between group interests and individual privacy, which is a significant issue for First Nations.
I will say more about the issue of group rights later on, and also give you some specific examples of our other activities throughout my talk today.
The Privacy Act
The most common interaction with the Privacy Act for First Nations will be on the part of individuals whose personal information is held by a federal government institution—individuals may want to know what information of theirs is being held, seek access to it and request updates or corrections as necessary.
The most significant personal information holdings related to First Nations persons are with Aboriginal Affairs and Northern Development Canada.
If you refer to our latest Annual Report, tabled last week, you will see that we have received only one complaint against Aboriginal Affairs and Northern Development last year. It was an access complaint, from an employee seeking access to their own personal information, and it did not raise specific Aboriginal law issues. You will also note that we received very few complaints against Indian and Northern Affairs Canada, and this is a constant trend over the years.
As I mentioned earlier, most First Nations organizations themselves, including Band councils, are not subject to the Privacy Act.
However, there are a few instances where Aboriginal-run government institutions are subject to the Act, including Land and Water Boards established under particular self-government agreements. These organizations are listed in the Schedule of the Privacy Act.
The Personal Information Protection and Electronic Documents Act
While determining the application of the Privacy Act to First Nations organizations is relatively straightforward, determining the application of PIPEDA is a multi-staged process.
Federal works, undertakings and businesses
The first determination is whether the organization is a federal work, undertaking or business (or FWUB), defined in the Act as “any work, undertaking that is within the legislative authority of Parliament”. These include but are not limited to banks, radio and television stations, airports and airlines, telecommunication service providers, and enterprises engaged in interprovincial transportation of goods and persons.
Band councils, as creatures of the Indian Act, and therefore under federal jurisdiction, are considered FWUBs. Band Councils must therefore protect personal information in accordance with PIPEDA.
Personal information of employees
A vast majority of the complaints we receive against First Nations respondents are complaints from employees against their Band Councils as their employers. Those of you who have been following the Blood Tribe case will remember that the complainant was a former employee of the Blood Tribe Department of Health, who alleged that her information had been improperly collected, used and disclosed by her former employer, and that she had been refused access to her personal information by her former employer.
In a more recent case, the complainant alleged that her personal information as well as that of her family members was improperly disclosed by other employees of the Band Council.
It may be that organizations created by Band Councils are also FWUBs. This assessment must be undertaken on a case-by-case basis. There is considerable case law involving the application of the Canada Labour Code to federal works which is relevant for FWUB determinations under PIPEDA. A key factor is the Aboriginal quintessence, or “Indianness,” of the activity undertaken by the organization.
Other factors, such as ownership and location of the organization, whether a majority of the employees are members of First Nations, and whether Aboriginals comprise the majority of the population they serve are often taken into consideration, while not being determinative.
While determining whether the organization is a FWUB will clarify whether PIPEDA applies to employee information collected, used or disclosed by the organization, First Nations organizations must also assess whether they engage in commercial activity as understood under PIPEDA.
Although most of the complaints we receive against First Nations respondents stem from an employer–employee relationship, we did receive at least one complaint where the Band was engaged in a commercial activity. In this instance, the First Nations respondent was the complainant’s landlord.
The complainant had alleged that the respondent had improperly disclosed his personal information by sharing his lease with a third party without his consent.
While our Office concluded that the complaint was well-founded, the Band was receptive to our recommendations, instituted improvements in its physical handling and storage of personal information, and provided its employees with privacy training.
Indeed, it is clear to us in the overwhelming majority of our dealings with Band Councils that their first concern is their members’ well-being. The issues we encounter are related to knowledge and capacity—not to bad faith.
In relation to all commercial activity on reserves—and as a former Assistant Deputy Minister at Indian and Northern Affairs Canada responsible for economic development, I know it is impressive—PIPEDA applies, as it does to any other business.
The outstanding question is whether provincial private-sector privacy laws apply to First Nations businesses on reserve. We are still conducting our legal analysis on this issue.
PIPEDA complaints against First Nations respondents
In the 10 years since PIPEDA came into force, we have received 39 complaints against First Nations respondents. This is too small a figure to draw sound statistical evidence, yet we are able to observe some very general trends.
The top three types of complaints against First Nations respondents are generally consistent with overall complaint numbers: (1) access and (2) use and disclosure are virtually tied for first place, with (3) collection coming in third.
The findings at which we arrive at the end of our investigations, however, are not consistent with our overall statistics related to PIPEDA.
- In more than one third of complaints against First Nations respondents, we found we had no jurisdiction (in most cases, we found the First Nations respondent was not conducting commercial activities), or the complaint was discontinued. (In 2010, this was the case for only 8% of total closed complaints under PIPEDA.)
- In another third of the cases, we were able to resolve the complaint early, facilitate settlement, or the matter was resolved during the course of the investigation or by the time the final report of findings was issued. (In 2010, this was the case for 59% of total closed complaints under PIPEDA.)
The qualitative observations we can make from the 39 complaints we have received against First Nations respondents in the last 10 years is that knowledge and capacity may be primary obstacles to compliance among First Nations groups or councils. When reading the case files, it is apparent that First Nations care about their members and their members’ rights, including the right to privacy.
Specific issue: Charitable organizations
The application of privacy legislation to not-for-profit organizations is one that is relevant to our discussion today, as a great number of charitable organizations are dedicated to providing services to First Nations communities both on and off reserve.
I have touched on this issue briefly when discussing the application of PIPEDA, and I would like to say a few more words about it now.
As you remember, the Canadian Privacy Act applies to federal departments and agencies, while the trigger for the application of PIPEDA is commercial activity. This puts most of the activities performed by charitable organizations outside the jurisdiction of PIPEDA—and I insist on activities, since not-for-profit status does not automatically exempt an organization from the application of the Act. Rather, it is the nature of the specific activities that is relevant.
Collecting membership fees, organizing club activities, compiling a list of members’ names and addresses, and mailing out newsletters are not considered commercial activities. Similarly, fundraising is not a commercial activity under the Act.
However, our Office has determined that some activities of not-for-profit organizations are indeed commercial activities under PIPEDA, such as providing daycare services for a fee. These activities are evaluated on a case-by-case basis.
Our message remains that all organizations, in all their activities, should take care when collecting, using or disclosing personal information. A policy of providing notice and asking for consent can be helpful in heading off disputes or misunderstandings, and can prevent harms from indiscriminate information handling practices, such as identity theft, fraud, unwanted contact, and spam.
Best privacy practices demonstrate that the organization is respectful of its members’ privacy. Given the sensitivities surrounding the human rights of First Nations persons, as well as the low population numbers in many First Nations communities that render anonymisation difficult, such an approach is all the more important.
Specific issue: Group rights
Although the Canadian Privacy Act focuses on an individual’s right to access his own personal information, it does indirectly deal with broader access issues in its relationship with the Access to Information Act and through some of the consent exceptions it includes.
One of these exceptions is comprised in paragraph 8(2)(k), which governs the ability of a government institution to disclose personal information without consent “to any [A]boriginal government, association of [A]boriginal people, Indian band, government institution or part thereof, or to any person acting on behalf of such government, association, band institution or part thereof, for the purpose of researching or validating the claims, disputes or grievances of any of the [A]boriginal peoples of Canada”.
The Australian Law Reform Commission report on Privacy Law
When considering the issue of protecting privacy—an individual right—in the broader context of group rights, some interesting questions may arise. The Australian Law Reform Commission (or ALRC) devoted a section of its May 2008 report of inquiry on Australian Privacy Law and Practice to the issue of privacy beyond the individual.
Specifically, the ALRC examined whether the Australian Privacy Act 1988 should “extend to groups of people who are unified by a common race, ethnicity, culture or other characteristic,” with a specific focus on the rights of Aboriginals.
The ALRC observed that while there is no direct protection of group rights in foundational instruments that form the basis of international human rights law, group rights are nonetheless recognized in some instruments such as the United Nations Declaration on the Rights of Indigenous Peoples and the International Covenant on Civil and Political Rights.
The ALRC also mentioned in its study that laws that target individuals who share particular characteristics are often necessary to ensure all individuals enjoy substantive equality—for instance, targeted legislation is often used to correct historical discrimination or to address special beliefs or requirements.
In its inquiry, which included extensive consultation with stakeholders, the ALRC considered the interaction between traditional laws and customs of Indigenous groups, and the Anglo-Australian legislative framework. Some matters that are addressed in Indigenous laws and customs—such as information that may only be shared among women, and restrictions on broadcasting names and images of deceased persons—do not fit neatly in a single Anglo-Australian legal category.
Some consider these issues are related to informational privacy, while others argue they relate to intellectual property or cultural heritage.
The legal policy issue that applies to Canada as well as to Australia, is whether the rights of Aboriginals would require holistic protection that overlaps intellectual property, privacy and cultural heritage rights in order to attain a broad range of objectives such as controlling access to Indigenous sacred sites, control over recordings of cultural customs and expressions, and privacy of some sacred knowledge of Indigenous groups.
We keep monitoring such developments in other Commonwealth countries, as part of our analysis in preparation for the second five-year review of PIPEDA, due to commence this year.
Resources for protecting privacy on First Nations reserves
Through its program activities, the OPC hopes to contribute to a deeper understanding of privacy and engagement among First Nations groups in a manner that is sensitive to, and respectful of, their unique cultural, social and political context.
For example, we consider privacy challenges that take a unique dimension in First Nations, such as:
- Genetic research, which may offer medical breakthroughs in homogeneous, tightly-knit First Nations communities, while at the same time, potentially jeopardize the most sensitive personal information;
- Governmental assistance to vulnerable groups, for example, former students of residential schools, which also call for the most sensitive personal information and therefore the highest safeguards to protect it;
- The collection of statistical data, which is essential to govern and provide services: Although it is usually aggregated data, it becomes easily traceable to individuals where the community population is very small;
- The specific challenges of safeguarding personal information held by a Band Council in a small community.
Although we do not provide legal advice, we do meet with stakeholders on a policy basis and always welcome the opportunity to discuss privacy matters with First Nations representatives.
We are currently drafting fact sheets on PIPEDA in the North and PIPEDA on First Nations reserves, which we hope will help small organizations in First Nations communities better understand and meet their responsibilities when handling personal information.
We also encourage all organizations, public and private, that run programs involving the use of personal information to perform a Privacy Impact Assessment, or PIA.
As some of you may know, a PIA is a process that helps determine whether initiatives involving the use of personal information raise privacy risks; it measures, describes and quantifies these risks; and it proposes solutions to eliminate or mitigate these risks to an acceptable level.
The Canadian government has been an international pioneer in the use of PIAs as a tool to ensure privacy is considered in the development of programs and initiatives. Earlier this year, we have published a guide that outlines our process for analyzing the PIAs that are submitted to our Office for review by federal departments and agencies. As we urge all organizations to conduct PIAs, we feel this guide could be used by all organizations.
Our analysis of PIAs is based on two legal references: the four-part necessity and proportionality test used by the Supreme Court of Canada in 1986 in the case of R. v. Oakes; and the Model Code for the Protection of Personal Information, which forms Schedule I of PIPEDA.
PIA review: Secure Certificate of Indian Status Card
One notable example from recent years is relevant today: the preliminary PIA submitted to us under the Privacy Act in 2009 by Indian and Northern Affairs Canada (or INAC) regarding the Secure Certificate of Indian Status card.
A new card was already in the design stage when the U.S. government announced stricter rules for identification documents that would be acceptable for Canadians wishing to cross the land border between the two countries.
Under “America’s Western Hemisphere Travel Initiative”, documents used to enter the U.S. must show citizenship as well as identity. Passports are acceptable, as are enhanced driver’s licences.
Provinces collect information from applicants for enhanced driver’s licences and forward it to the Canada Border Services Agency, where it is held in a database that can be accessed by the U.S. Customs and Border Protection agency when the individual arrives at a border crossing.
The enhanced driver’s licence is a voluntary option for drivers who want to use a licence instead of a passport to cross the border. INAC, however, proposed making all Secure Certificate of Indian Status cards automatically compliant with the U.S. border rules. That meant that all application information for the status cards would have to go to Canadian border authorities, and potentially to U.S. border authorities as well.
A key privacy principle is that personal data should only be disclosed to parties with a justifiable need to access it. Unrestricted sharing of information increases the risk of data breaches. This is particularly significant with Indian status cards, because First Nations citizens require these cards to access a wide range of entitlements under the Indian Act.
We conveyed our concerns to INAC and to the Assembly of First Nations. On the premise that First Nations peoples should have a right to choose whether to use the Secure Certificate of Indian Status card, a passport, or another acceptable document as a border-crossing instrument, we recommended that INAC amend the status card application form to include a specific opt-in provision enabling the card to be used at borders.
We also expressed concerns about other matters, such as the level of security of the related information technology, and the need for better notice and consent on application forms. And we called for detailed information-sharing agreements among all relevant parties.
In its response, INAC said it would no longer require all Secure Certificate of Indian Status cards to be compliant with the U.S. border regulations. New application forms have been developed that detail potential information-sharing arrangements and give applicants the choice to accept or decline the border-crossing features.
As a final example of our activities, we are planning on hosting in the late spring or early summer of 2012 a symposium on privacy and inclusion. We hope to attract a strong representation from First Nations groups at this event.
In closing, I would like to summarize the main trends from our work on privacy in the Aboriginal context in three points:
- First Nation respondents were either unaware of their obligations or lacked the appropriate resources or policies to meet these obligations, but were very receptive to making the necessary improvements.
- The importance of privacy as a human right is fully understood in this context.
- The issues of personal integrity, dignity and safety have their own dimension when considering privacy in the Aboriginal context.
- Date modified: