Information Law and Privacy
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Office of the Privacy Commissioner of Canada to the 10th Annual Seminar
November 6, 1998
(Check Against Delivery)
Ladies and gentlemen, madame, monsieur, chers collègues;
Thank you for agreeing to my substituting for the Commissioner who cannot be here. Bruce was very keen to come, especially because, as he put it, "who would ever turn down the chance to lecture a whole room full of lawyers who had to sit and listen, knowing full well they could not send the speaker a bill".
He sends his apologies and his warmest wishes for a successful day. Of course, the message will be the same; the advantage for me is that if you don't like it, I'm a smaller target for the buns.
When Bruce and Andrea first talked about his speaking to you, we had just begun our own 15th anniversary project; an exhaustive (and exhausting) clause by clause review of the Privacy Act. I think we're at 100 pages and counting. We agreed that we would give you some of the high, and lowlights so far. After 15 years, boredom has not set in; the Act still has the power to prompt fierce debates.
And now of course there is Bill C-54 to add to the mix. It's early days yet, so I don't propose to give you a detailed response. But I do have a few observations. The bill is the most significant advance in protecting Canadians' personal information since the Privacy Act was passed.
It is also long overdue. Canada lags far behind most Western nations, not to mention Quebec, in protecting personal data in the private sector. Even if the primary motivation for playing catch up was electronic, commerce, we're not going to stare this gift horse in the mouth. If the technology can motivate a solution, we're in favour.
The bill is the product of years of effort by public servants (including some in this audience), by individual Members of Parliament and committees, by business and non-governmental organizations. And I think Bruce Phillips has had a significant role to play. The efforts to achieve a consensus were extraordinary and demonstrate the best of the Parliamentary and democratic consultation process.
Perhaps the greatest danger now is the pursuit of perfection. Compromises have had to be made. It's also evident that witnesses will urge amendments on the committee. Some will be useful, some largely motivated by self-interest. Our challenge is to remain focussed on the goal; ensuring protection for our personal data in the private sector. Overall there is much that we can support, and there is much that needs our attention. But, the bottom line is we can work with Bill C-54.
One of its most encouraging features is the adoption of the ombudsman model for oversight. I know this view is not universally shared. But, think of it as one of the earliest examples of alternative dispute resolution. The power of the ombudsman role lies in its non-confrontational approach, in its reliance on mutual trust, problem solving, negotiation and with apologies to this audience, avoidance of legalistic procedures. And, if the good will is missing, I think you can argue that the power of adverse publicity carries much more weight in the private sector than in government.
I think one inevitable impact of the bill will be the need to revisit the current Privacy Act to harmonize its provisions with C-54. The bill enhances individuals' rights and expands the Commissioner's powers in the private sector. For example, it's hard to see why he should have specific audit and education powers in the private sector but none on his existing turf. We look forward to seeing both in the Privacy Act.
Now, let's turn to the current Privacy Act. The act has served us pretty well but, like many of us flirting with middle age, it's getting a little wonky at the knees. The three-year review and committee's report and recommendations, were comprehensive and helpful. But, the government responded to only a handful of the recommendations, and to those only with policy and administrative changes. One of these controlled the use of the social insurance number, and another for datamatches. Undertakings to cover Crown corporations and to give the Privacy Commissioner an education mandate evaporated. There has been no review since then and one is long overdue. The Act remains virtually as it was, 16 years ago.
I am not going to drag you through the Act clause by clause. I want to focus on a handful of concerns, some of which I think are hampering the intent of the law.
But, to begin with, it is time to formally recognize in the Act what the Supreme Court has affirmed; that privacy is a fundamental human right which warrants constitutional protection. As the Court observed in the Dyment case, "grounded in man's physical and moral autonomy, privacy is essential to the well,being of the individual. For this reason alone it is worthy of constitutional protection".
Such language would then set the tone and guide the interpretation of everything that followed.
Our concerns focus specifically on the Act's definition of "personal information". It is often in this area that we have difficulty in defending the privacy of Canadians, with a data protection act as our only weapon. The current definition was flexible enough to enable us to move from word processors and the central computers of 1982 to present-day information storage and CD-ROMs. But because it concentrates on recorded information, this act-like some provincial and international legislation-leaves the way open to much more intrusive practices, such as ongoing surveillance. As long as cameras monitor without filming or recorders listen without recording, this practice-undoubtedly the most repugnant and threatening to our individual liberty-does not come under the authority of the Act.
With the advance of technology, many jurisdictions are trying to cope with the problem. A possible approach is that taken by the Ontario act, which applies to the gathering of information, including non-recorded information. It authorizes the Ontario commissioner to review whether the information gathering serves the general purpose of the act. That puts some distance between the Privacy Act and the mere protection of data. This step is entirely consistent with the general purpose of the Act and must be taken if we expect the Act to provide us with genuine protection against the excesses of the surveillance technologies.
Another possible omission is the fact that the definition does not deal with biological samples, such as tissue and blood. This question has never been put to the test under our act. It could be claimed that such samples constitute personal information. Naturally, analyses of such samples would be covered by the Act, but the issue is less clear with regard to the right of access to a person's sample and the protection of the sample itself. As long as the sample remains in the hands of the government, it can be a source of information. This is the most important aspect that must be covered by the definition-the possibility of extracting personal information. The medium is not the crucial point but, rather, its potential to provide personal information, independently of the process or technology used.
We would prefer a more flexible definition that would apply to all information, regardless of the medium in which it is stored or the form in which the information is accessible.
Those of you who have followed the saga of data matching between Customs and Employment Insurance will not be surprised to see us tackle this question. It is time to examine the policy of matching data and to incorporate it in the Privacy Act. Data matching and data sharing agreements are a threat to the Privacy Act. The policy is more useful in breaches of the law than in its observance. We are rarely notified of data matches, despite the fact that departments have an obligation to do so; in fact, since the policy came into effect, only 15 have given us such notification.
In addition to being incorporated in the Act, the provisions on data matching should require assessments of their impact on privacy. When the purpose of matching is to detect fraud, institutions should be required to show that there are reasonable grounds for suspecting the persons concerned. In other words, data matches should not merely be fishing expeditions.
The Customs/Employment Insurance data match provides a good illustration for our concerns. Under this program, customs declarations filled in by travellers returning to Canada are matched with the employment insurance claimant data base in order to identify those who appear on both lists. There is no common link between these two activities. Moreover, there are no reasonable grounds to suspect one or more individuals in particular. Nor has anybody been identified as being in debt to the Crown. The purpose of the matching is simply to target a category of individuals who could have a debt. In our view, this is equivalent to carrying out a search without a valid reason. And that is why we have taken this case to the courts.
Also needed is a much tighter concept of the notion of "control" of personal records. This would prevent government institutions from circumventing the Act by contracting out such products and services as investigations and surveys, or distancing themselves from personal records like board members notes.
Another serious weakness in the Act lies in information-sharing agreements and arrangements between the federal government and other levels of government (including governments of other nations), and the private sector. While many of these agreements are essential for government operations, the scope of sharing permitted by the Act's broad language is an open barn door for even the slowest horse. There are hundreds of such agreements in existence, of which we can identify only a few. But, what we do know is not comforting. Much of the sharing is virtually invisible to citizens, and often to the departments themselves.
Also, given the routine and detailed exchanges underway, it is essential that federal departments be required to ensure that any personal information they disclose enjoys proper privacy protection in the hands of the recipients. At a minimum, the Act should require departments to obtain a contractual commitment to provide privacy protection equivalent to that offered by the federal Privacy Act, coupled with a right to take those measures necessary to ensure that the commitments are honoured. Similar legal requirements should be placed on any private enterprise taking over any program or activity previously conducted by the government of Canada.
You can also expect us to continue repeating that all exemptions should be subject to an injury test. Withholding information simply because the law allows, not because you have valid reasons, gives both the law and, I would argue, the institution, a bad name. It is also an abuse of the individual's right of access.
Section 22(1)(a) of the Act, for instance, authorizes federal investigative bodies to refuse to disclose information "pertaining to the enforcement of any law of Canada or a province". This is sufficiently sweeping as to permit nine investigative bodies to refuse to release virtually all personal information even when there is no demonstrable harm in disclosure. And there are already generous exemptions for genuine law enforcement investigations. This section should simply be repealed.
Another area ripe for overhaul is disclosing information without the individual's consent. The principle of consent is so fundamental to protecting privacy that the exceptions should be more narrowly drawn. I would suggest restricting disclosures to those that serve a demonstrable public interest. For example, for law enforcement, national security or to meet a legal obligation. The current list seems to serve administrative convenience more than public interest. If you argue that administrative convenience is in the public interest, then we are on a very slippery slope indeed.
One provision of section 8, public interest disclosures, has always been problematic. The Commissioner is advised (not necessarily before the fact) but can neither prevent nor delay the disclosure. The individual may be advised but has no means of challenging the government's contention that there is a public interest. Third parties are far better treated under the Access to Information Act. The Privacy Act needs a similar provision to allow individuals to delay disclosure at least while their objections are heard. Disclosure could be equally damaging or embarrassing for an individual.
As well, given the fundamental importance of Sections 4 to 8, Parliament should expand individuals' rights to appeal to the Courts about government collection, use and disclosure of personal data. The Court should be given the power to order remedies, including monetary damages, where appropriate.
While all of the amendments we propose have been vigorously debated, the broadest consensus among our staff forms, not surprisingly, around the Commissioner's structure and mandate. I can best summarize it this way, as we are independent, sort of, funded, hardly, effective, maybe, and if so, despite, rather than because of current arrangements.
With all due respect to Information Commissioner John Reid, the Privacy Commissioner seeks a speedy and humane end to section 55, the provision allowing the Information Commissioner to be Privacy Commissioner. The section seems to owe its existence more to history rather than logic. But, if nothing else, the coming of Bill C-54 should consign it to the dustbin.
The next round of review should establish the Privacy Commissioner apart from any other body. Privacy has always been a sufficiently important right to warrant its own clear voice. But if the growing threats from technology have not made the case, Bill C-54 makes it pressing. Passage of the bill will make our jurisdiction far broader. It will give us consultation, audit and education responsibilities beyond those of the Information Commissioner. And it will make business leery of any ties between the Privacy Commissioner and access to information.
And now, more than ever, the Commissioner needs to be, and be seen to be, Parliament's officer and independent of government. Being funded through the Department of Justice's envelope has always made the Commissioner profoundly uncomfortable. The structure opens the door to suspicions of conflict of interest or improper influence. More than once we have urged that a common structure be devised for funding all Parliamentary officers.
The office's recent experience with the Customs/EI data match underlined how vital it is that the Commissioner's power to seek Court review be expanded to include cases of improper collection, use, and disclosure. This is the core of the Privacy Act. These are the government practices that can have the most far,reaching impact on the greatest number. Finding a means to have this case heard consumed valuable time and hinged essentially on the consent of the Attorney General. Putting everyone through these hoops served no purpose other than, perhaps, testing the Commissioner's resolve. They should never have doubted that.
Well, the list goes on, but not your patience or my allotted time. We expect to share our findings with the Department of Justice, once the detailed review is completed. Like the list I have already given you, there will probably be few surprises. And I suppose it will be just one view, albeit one from the front lines. But there should be no hesitating, fifteen years has been long enough to test this law. It has served us well, but it is time to get it ready for the next millennium.
- Date modified: