Reflections on Reform of the Federal Privacy Act
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
June 2008
David H. Flaherty*
*Privacy and Information Policy consultant, Victoria, BC; Professor Emeritus, University of Western Ontario; 1st Information and Privacy Commissioner for British Columbia; author of Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, and the United States (1989).
The Office of the Privacy Commissioner of Canada (OPC) retained the services of David Flaherty in early 2008 to develop a reflective paper on reform of the Privacy Act. The views expressed in this paper are those of Dr. Flaherty only and do not necessarily reflect those of the OPC. For the Office's official position on reform of the Privacy Act, see "Government Accountability for Personal Information: Reforming the Privacy Act," June 2006, and "Addendum to Government Accountability for Personal Information: Reforming the Privacy Act," April 2008.
"Today's commonplace information technologies — the Internet and new surveillance technologies such as digital video, linked networks, global positioning systems, black boxes in cars, genetic testing, biometric identifiers and radio frequency identification devices (RFIDs) — did not exist when the federal Privacy Act came into force in 1983. Characterizing the current Act as dated in coping with today's realities is an understatement — the Act is tantamount to a cart horse struggling to keep up with technologies approaching warp speed."Footnote 1
"The federal Privacy Act is woefully deficient as a vehicle for protecting the privacy rights of Canadians. Time and again, Privacy Commissioners and privacy advocates have called for a thorough review and modernization of the legislation. The Privacy Act contains no effective mechanism to deal strategically with complaints, requiring that every complaint be examined – a potentially overwhelming, but unnecessary, burden. The Act was drafted well before the extensive penetration of computing power and surveillance technology into our lives. It was drafted long before the era of globalization and the extensive sharing of personal information across borders with corporations, with governments, and indirectly through corporations to foreign governments. It was drafted long before the era when the word terrorism began to fall from everyone's lips amid calls for ever greater amounts of personal information in the quest to enhance personal and national security."Footnote 2
"The Privacy Act is at the hub of the informational relationship between state agencies and individuals. If the legislative framework that governs this relationship is weak, the entire edifice of accountability is undermined. Privacy is too important to be left to the vagaries of internal policy and management."Footnote 3
Introduction
In what follows, I am taking advantage of the privileges of older age to write about matters that interest me on the basis of both memory and published material, especially from the years starting around 1974 when I began to take a close, critical interest in the development of data protection legislation in North America and Western Europe.Footnote 4 The purpose of these 'reflections' is not to produce an exhaustive, original piece of research, but rather to attempt to make a compelling and necessary case for immediate reform of an important, but now obsolete, piece of legislation. In so doing, I believe a return to the history of data protection is necessary, even if it is limited to a broad and general overview.
As someone trained as an historian, and with a career as an historian in my past, I am also well aware that there are relatively few original ideas in this world about almost anything, so I have enjoyed the task of revisiting and reconsidering ideas that I was exposed to at the feet of masters in the development of data protection legislation, and/or that I have borrowed from my friends, colleagues, and mentors in the global privacy community. I have also taken advantage of my circle of friendship in privacy matters to read and re-read the writings of many of my friends and also to interview some of them. Those who were willing and able to review earlier drafts are gratefully acknowledged below.Footnote 5
Some readers will be familiar with the annual rankings of Privacy International, a human rights watchdog group based in London, which place Canada near the top of the privacy-league rankings.Footnote 6 Given the global perspective of Privacy International and its driving forces, I am inclined to take such praise with only a wisp of satisfaction, knowing full well that Canada only looks good compared to some truly benighted nations, such as the United Kingdom and the United States, where gross invasion of personal privacy is a daily sport of the business community, politicians, and lawmakers.Footnote 7 Privacy International is blessedly unaware of, and/or turns a blind eye to, some of the least progressive aspects of Canadian privacy law and practice, such as the antiquated federal Privacy Act and the lack of resourcing of privacy functions at federal government institutions.
The collective goal of privacy advocates is robust data protection and security, with meaningful implementation over time, in all democratic societies. The operative words here are 'meaningful implementation over time.' While the Privacy Act was a progressive privacy statement in the early 1980s, it is now an outdated Act that no longer properly regulates how federal institutions collect, use, retain and disclose personal information. Data protection legislation (including the Privacy Act) is one, and only one means, to that end, as this essay will illustrate.
Reform of the Privacy Act should be made to appeal unanimously to the media, public servants, the political elite, the government of the day, and Members of Parliament, because privacy protection is a winning issue in an age of increased awareness and anxiety about identity theft and other forms of invasions of privacy. Widespread loss and misuse of personal information, fraud, privacy breaches, and the overall dissipation of personal privacy and the consequential loss of control over one's personal affairs has resonance with Canadians, notwithstanding innumerable counter forces like the necessity of personal and collective security. While polls show high anxiety about the preservation of privacy, lack of political leadership and commitment has hindered progress to date.Footnote 8 A primary goal of this essay is thinking about how to motivate such necessary change and to advance the cause of reform of the Privacy Act on the ground that such analysis and transformation is long overdue. The Privacy Act is a twenty-five year old house that has had little maintenance and refurbishment. It is now ripe for a major rehab job. Fiddling with the paint, or redecorating one room, will not do the job.Footnote 9
Shaping a revised law and then implementing data protection are complex activities (although the former is much easier than the latter). However, updating the Privacy Act is an act of due diligence and good housekeeping for the federal government on an issue of public policy that is much more manageable than the more intractable problems facing Canada. There are no good reasons for further delays.
The case for immediate reform of the Privacy Act will be based on the following arguments:
(1) Privacy is a fundamental, societal value, and Canadians deserve and expect meaningful privacy/data protection laws;
(2) The Privacy Act is an antiquated piece of legislation, which does not meet the "national privacy standard" set out by Parliament in the Personal Information Protection and Electronic Documents Act (PIPEDA);
(2) An effective data protection law is contingent on adequate statutory powers for a meaningful and efficient oversight role for the Privacy Commissioner of Canada, which means the power to make orders; and
(3) In order to have robust implementation of a data protection law, Parliament has to mandate a structure for privacy risk management in each federal institution, including Chief Privacy Officers, Privacy Impact Assessments, and privacy training.
The Constitutional Bases for Canadian Privacy Rights
It is important to emphasize at the outset the significance of privacy as a human value, as a human right, and, indeed, a constitutional right under the Canadian Charter of Rights and Freedoms.Footnote 10 Why is privacy important in Canada and to Canadians? Privacy is key in Canada because it forms an essential component of our collective social values and our legal landscape. Canadians lobbied hard for privacy protection in the 1970s and early 1980s. Privacy was first recognized as a human right in the Canadian Human Rights Act and was subsequently entrenched in the Canadian Charter of Rights and Freedoms. As a result, Canadians have come to expect and deserve adequate privacy protection as an essential component of our human dignity in Western societies.Footnote 11
Appropriate resourcing of the implementation of data protection may also be problematic and therefore requires an ongoing commitment to the human rights goals of the legislation, which Parliament and legislatures frequently forget. Data protection is part of a legal framework intended to afford reasonable expectations of privacy rights articulated by the courts under the Canadian Charter of Rights and Freedoms; a "privacy" law is supposed to be about protecting human rights, which gives privacy an elevated stature in the pantheon of Canadian values protected by law. Speaking for the entire Supreme Court in a 1997 case, Justice La Forest stated that "[t]he protection of privacy is a fundamental value in modern, democratic states; ?. An expression of an individual's unique personality or personhood, privacy is grounded on physical and moral autonomy — the freedom to engage in one's own thoughts, actions and decisions;?. Privacy is also recognized in Canada as worthy of constitutional protection, at least in so far as it is encompassed by the right to be free from unreasonable searches and seizures under s. 8 of the Canadian Charter of Rights and Freedoms;?."Footnote 12
A recent startling development in the Canadian courts may foreshadow the ultimate constitutional weapons that Canadians will have to use to seek to protect their individual privacy, that is, asserting constitutional claims to privacy against government actions that are perceived to intrude on the privacy rights of individuals. The short version of the story is that the Ontario government, in its wisdom, wanted to enhance access to adoption records. The Ontario Information and Privacy Commissioner, Dr. Ann Cavoukian, despite advancing strong privacy arguments in a vigorous manner, was unable to persuade the Liberal government to make it possible for adult adoptees and adoptive parents to prohibit access to their personal information when they did not want to be discovered. Several adoptees persuaded a talented crew of lawyers led by Clayton C. Ruby to challenge sections of the Adoption Information Disclosure Act in the Ontario Superior Court of Justice.
The result was a strong decision by Justice Edward Belobaba in support of the privacy rights of the litigants on the basis of section 7 of the Charter, resulting in the Ontario government revising the portions of the disputed law.Footnote 13 As the judge stated:
[78] This case, in essence, is about the applicants' right to privacy. The basic issue is whether the applicants have a Charter-protected right to privacy in circumstances such as these where confidential, personal information is about to be released by the government, retroactively, and without their permission, to the persons whom they would least want to have it?.
[83] In this case, ? the disclosure of the birth and adoption records under the new law , in circumstances where a reasonable expectation of privacy has been created, ? constitutes an invasion of the dignity and self-worth of each of the individual applicants, and their right to privacy as an essential aspect of their right to liberty in a free and democratic society has been violated.
The Ontario Liberal government did not appeal this decision and plans to institute a disclosure veto as Dr. Cavoukian and others had initially recommended.
The reality is that the Privacy Act is closely tied to the values and rights acknowledged under the Canadian constitution, which explains its quasi-constitutional status, as acknowledged by the Supreme Court of Canada in Lavigne v. Canada (Office of the Commissioner of Official Languages), [2002] SCC, no 53, para. 24. The Court also stated that the "Privacy Act is a reminder of the extent to which the protection of privacy is necessary to the preservation of a free and democratic society." (para. 25) The Supreme Court has also recognized, on a number of occasions, the quasi-constitutional status of the protection of personal information because of the role of privacy protection in the maintenance of a free and democratic society: H. J. Heinz and Co. Ltd v. Canada (Attorney General), [2006] SCC 13, para. 28. Given the quasi-constitutional character of the protection of personal information, the right to privacy that the law confers on an individual in Canada is qualified as a quasi-constitutional right to privacy. This presupposes a strong Privacy Act.
The History of the Privacy ActFootnote 14
The history of all law reform in English-speaking countries is a discouraging topic, especially that component of it which requires revising an existing piece of major legislation. The enormous amount of creative energy and political will required to enact such a law quickly dissipates once the honeymoon phase is over, and the hard slogging of implementation begins, and continues on interminably, with limited energy and finite human and financial resources for such purposes. That, surely, is the history of data protection in Canada in the case of the federal Privacy Act, which entered into force on July 1, 1983.Footnote 15 Except for the U.S. Privacy Act of 1974, this Canadian law is the oldest piece of unrevised national privacy legislation in the English-speaking world. By the standards of 2008, it is a sorry piece of privacy legislation, especially in comparison to the counterpart law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which now regulates the private sector in Canada (in the absence of substantially-similar provincial legislation).Footnote 16 To give but two examples, the private sector has to comply with a requirement to obtain information consent and to maintain security safeguards for personal information that have no direct counterparts in the Privacy Act.
It is worth celebrating the political sponsorship that brought the 1982 Privacy Act (Bill C-43) into existence. After the fall of the Joe Clark government in December, 1979, Conservative M.P. (and former Cabinet Minister) Perrin Beatty introduced as a private member's bill, Bill C-535, the Privacy Act, 1980, which was in fact the legislation that the Clark government had been working on to create a stand-alone federal privacy regime. The Clark government's greater interest was in introducing an access to government information (freedom of information) law. Public servants from the Department of Justice and the Privy Council Office simply revised Part IV of the Canadian Human Rights Act (enacted in 1977) at the same time on their own initiative. It had been the first piece of federal data protection legislation.Footnote 17
A Cabinet Discussion Paper, June, 1980, prepared by the Department of Justice, outlined the key elements of what became the new Privacy Act. It amended Part IV to ensure consistency with freedom of information legislation and also to improve privacy protection.Footnote 18 Francis Fox, as Minister of Communications, shepherded the Access to Information and Privacy laws through Parliament. Committed Justice specialists like Barry Strayer (now a judge of the Federal Court of Canada), Stephen J. Skelly, Q.C., and Gillian Wallace, Q.C. (subsequently Deputy Attorney General for B.C.) were the brainpower on privacy legislation in the federal public service during this creative period that began in the early 1970s. Similar legislative initiatives in the Federal Republic of Germany, Sweden, and the United States inspired this Canadian leadership, as well s such underlying forces as included the ongoing computerization of society (which appears to be a quaint phrase in the world of the Internet and the World Wide Web).Footnote 19
The key role of these politicians and public servants is a reminder that a committed cadre of subject-matter specialists is instrumental to both the introduction and further revision of any significant piece of privacy legislation. Coupling this commitment with political sponsorship from the government of the day is even more essential as happened again with the introduction of PIPEDA in the late 1990s, when the stimuli for action included protecting the trading interests of Canada in the face of the European Directive on Data Protection).Footnote 20 John Manley and Allan Rock were the key political sponsors of PIPEDA.
The Justice officials identified above were policy entrepreneurs in what privacy advocates would regard as the best sense of that term.Footnote 21 They were also part of a specialized international movement in advanced industrial societies that, for example, produced the highly-influential Organization for Economic Cooperation and Development's Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (1980).Footnote 22 Today's policy entrepreneurs are much more likely trying to impress their political masters by shaping policies that are highly-invasive of the privacy of individuals in the process of trying to promote national security and combat terrorism. In the aftermath of 9/11, achieving a balance of such competing interests is an almost impossible challenge for politicians, not least because there are real terrorists doing more than lurking in the weeds; privacy commissioners in Europe, Australasia, and Canada can do little more than "worry aloud" as such trump cards are waved in their faces. As I wrote elsewhere a decade ago, "the striking of balance within government is so much against the privacy interests of individuals that it is a wonder we have any privacy left once governments get through doing what is good for each and every one of us. What is good for government is always thought by those in government to be good for the public at large."Footnote 23 Governments may make all of the appropriate noises about sensitivity to privacy, but, as in the European Union, the real decisions, negotiations, and fine rule settings take place in legislative and political arenas, as illustrated by the decision to allow U.S. access to passenger air traffic data.Footnote 24
Creating the office of the Privacy Commissioner in 1982 as an independent Officer of Parliament with oversight authority was a major, innovative change. The powers were, and remain, those of an Ombudsman, that is, the incumbent can only give advice and issue recommendations but cannot make binding orders. Subsequent enactments of comparable laws in the larger provinces, starting with Quebec and then Ontario, B.C., and Alberta, have usually equipped the "Privacy Commissioner" with order-making power, at least in certain circumstances and for certain issues. Manitoba now appears to be following this model. As further discussed below, such empowerment should be legislated at the federal level as well, especially given the track record of these provincial commissioners in wielding such order-making power responsibly and intelligently and achieving positive results.Footnote 25 It is arguable that the optics of having regulatory authority is more important than the reality, since complaints about public sector violations of privacy in the provinces are usually dealt with by issuing reports containing non-binding recommendations.
As previously stated, the Privacy Act of 1982 was a piece of timely and progressive legislation.Footnote 26 But it is now a law that has been in force for twenty-five years of momentous changes in the automation of information and electronic data and the spread of the Internet and the World Wide Web. While it is not unusual for seminal pieces of legislation to remain unrevised even in the face of urgent necessity for improvement, the Privacy Act is especially weak in light of contemporary Canadian needs for robust data protection and security in the face of myriad challenges from hostile forces to the vanquished and diminishing valuation of individual privacy.Footnote 27
There have been efforts at reform. From 1984 to 1987, the House of Commons Standing Committee on Justice and Solicitor General reviewed the functioning of the Access to Information Act and the Privacy Act. With T. Murray Rankin, Q.C., then on the Faculty of Law at the University of Victoria, the present writer was a specialist consultant to this committee that led to its 1987 report: Open and Shut: Enhancing the Right to Know and the Right to Privacy.Footnote 28 This exhaustive study "led the Committee to conclude that both Acts have shown major shortcoming and weaknesses. In some cases, the current legislative scheme is inadequate; in others, there are issues not addressed at all by the Acts." From a privacy perspective, the report recommended controls on the collection of the Social Insurance Number and on computer matching. It also wanted civil remedies in damages and criminal penalties for breaches of the Privacy Act and a new provision mandating security of personal information. It is almost quaint to be reminded of some of the "emerging" privacy issues in the mid-1980s that concerned the Committee, including electronic surveillance in the workplace, urinalysis for drug testing, the use of the polygraph, and the oversight of the use of "microcomputers." Other recommendations for extension of privacy obligations to the federally-regulated private sector and to regulate transborder data flows were timely then and now.
The short history of the Mulroney government's response to Open and Shut was to do nothing in practice about revising the legislation, leaving many of the major inadequacies in the Privacy Act to remain to the present day. And, of course, many more weaknesses have emerged over time, as the pages below will discuss. In Open and Shut: the Steps Ahead, the government noted that the "Committee's report and other studies undertaken by the government have demonstrated that information law and government policy must respond to changing circumstances and rapidly developing new technologies. The government is committed to undertaking administrative improvements and legislative amendments to ensure that the Privacy Act is effective in meeting these new challenges for the protection of personal information." The lack of governmental follow-up had the effect of basing any potential reform primarily on administrative policy initiatives rather than on statutory changes. The Treasury Board Secretariat did develop new policies related to limiting uses of the Social Insurance Number, data matching, information management, communications, and security. However, many years later, it was still compensating for the lack of legislative reform with such initiatives as the Privacy Impact Assessment policy.Footnote 29
One of the unappreciated legacies of the second Pierre Trudeau regime to Brian Mulroney was the Access to Information Act.Footnote 30 That may help to explain Mulroney's unwillingness to do anything for privacy. Even today, hostility to reform of the Privacy Act may be based on even greater hostility to the Access to Information Act. Bruce Phillips, Privacy Commissioner of Canada from 1991-2000, believes that the government of the day and public servants cannot think of one without the other.Footnote 31 The Privacy Act was seen as the corollary to the Access to Information Act, whereas the two are relatively separate spheres of activity and governance. The first regulates the collection, use, and disclosure of personal information; the second controls the public's access to general information. It would certainly appear that open, accountable government is a greater threat to government and senior public servants than privacy protection, especially given the evident weakness of the Privacy Act in terms of trying to restrict what the public sector can do with personal information in its custody and/or control. But there is a strong, evident need to separate these Siamese twins for purposes of law reform.Footnote 32
This essay seeks to provide advice about modernizing the assessment of the Privacy Act found in the Open and Shut report by updating the report's analyses in light of the new challenges to privacy governance that have emerged through recent e-government and national security initiatives (among others).Footnote 33 An essential point is that while much has changed in terms of massive challenges to the privacy interests of individuals, there remains only a half-hearted commitment to implementation of the Privacy Act, because of the false fear that meaningful implementation would hamstring government activities involving the collection, use, disclosure, and retention of personal information for all kinds of purposes. The current Privacy Act provides Canadians with only the illusion of data protection. The reality is that the government of the day, and to a lesser extent Parliament, always has the upper hand in shaping or revising legislation impacting on the privacy rights of residents of Canada so as to meet its perception of the public interest. The only recourse is court challenges of the type described above.
The task of official and unofficial privacy advocacy is to articulate the privacy interests that are at stake in situation after situation so that the constitutionally and legislatively-protected privacy rights of individuals are diminished no more than is absolutely essential. This is an almost impossible burden for privacy advocacy in the twenty-first century for reasons explored in various parts of this essay, even if, as is the case with the present writer, one adopts a privacy pragmatist's approach rather than that of a privacy fundamentalist.Footnote 34 Fundamentalists might well adopt positions on Privacy Act reform that would have the effect of shutting down parts of the Canadian government. A fundamentalist might so limit data sharing among government departments, even for authorized purposes and under controlled conditions, that Canadian residents would be asked repetitively for the same personal information. A constitutional balance is essential between the privacy rights of the citizens and the need for government to perform critical functions.
The history of privacy law reform in Canada further raises the critical issue of the central roles of politicians and public servants in setting agendas and priorities for the country, including on such matters as data protection. As noted above, Francis Fox played a key role in the early 1980s after Perrin Beatty had shown the way forward. Justice Minister Allan Rock and Industry Minister John Manley stepped up to the plate in the mid-1990s and accepted the need for data protection for the private sector on an expeditious basis.Footnote 35 These commitments were monumental, one can argue, in giving political direction to the senior mandarins in Ottawa, including Kevin Lynch, the present Clerk of the Privy Council, to invest in the issue, as they wisely did.Footnote 36 Since at least two of the last Privacy Commissioners of Canada, Bruce Phillips and Jennifer Stoddart, have produced coherent and inclusive plans for reform of the Privacy Act, it is now up to the government of the day, especially the Minister of Justice, to make this activity a very high priority.Footnote 37
Current Argument for Reform of the Privacy Act
The Office of the Privacy Commissioner (OPC) has been advocating for a number of years the pressing need to review and update the Privacy Act. New challenges to privacy have emerged, notably with regard to potentially privacy-invasive communications and data processing technologies. The functioning of government has been profoundly transformed through e-government and integrative service delivery structures that span organizational boundaries and jurisdictions (e.g. Service Canada, etc.).Footnote 38 The economic and political environments—in Canada and abroad—have also changed dramatically since the days when the Privacy Act first came into force. Governments worldwide have adopted measures to protect national security, many of which undermine privacy rights. And with the increasingly global economy, more personal data are traveling across borders than ever before, with little or no Canadian framework protecting that data. The OPC's annual reports to Parliament have documented all of these points, and more.Footnote 39
With the adoption of the Personal Information Protection and Electronic Documents Act, the federal government currently holds the private sector to a higher standard than it imposes on its own operations involving the collection, use, disclosure, and retention of personal information. This is highly problematic, particularly in light of the fact that the Canadian government has gained extraordinary powers over the informational privacy of citizens through a series of legislative measures and changes in the machinery of government, particularly in the name of national security.Footnote 40 While such a re-balancing made sense in the immediate (and somewhat hysterical) aftermath of 9/11, all governments have little incentive to restrict their surveillance of the population in the light of multiple bureaucratic imperatives to collect and use more and more personal information to "solve" various problems. In the overall distribution of power in the federal public service, a small cadre of dedicated privacy specialists in the Department of Justice do not have much traction in the face of mighty Departments and crown corporations with massive databases and surveillance plans, each intended, the public is informed, to make Canada a better place. That is one more reason why the Privacy Commissioner of Canada needs order making power.
It is now commonplace in the 21st century for privacy advocates of all stripes, including privacy commissioners, to warn that we are living in surveillance societies. From a comparative perspective, the governments of Paul Martin and Stephen Harper have been relatively modest in their surveillance demands compared to the Labour government of Tony Blair in the United Kingdom with its introduction of national identity cards and massive data compilations ostensibly to help those in need, especially children, but resulting in a full-scale surveillance society. Richard Thomas, the Information Commissioner for the United Kingdom, has been especially articulate on this in the aftermath of the annual meeting of Privacy and Data Commissioners in London in November, 2006, which was devoted to an examination of this central theme.Footnote 41 Canadians require enhanced legislative protections to help foil a full-scale surveillance society in this country.
A related issue is the extent to which the federal government's Privacy Act is no longer comparable to those of provincial and territorial governments. The story is quite simple: for historical reasons of precedence in enactment, each one has improved mightily on the federal law. The latest enactment tends to have the most teeth and the most privacy protective requirements; the 2004 Ontario Personal Health Information Protection Act (PHIPA) is a case in point.Footnote 42 The public and private sector Acts in Quebec, British Columbia, and Alberta have also raised the bar in terms of their scope and allowance for order making power.Footnote 43 Provincial government bodies in Ontario, Alberta, and British Columbia, for example, have to live in mortal fear of their Information and Privacy Commissioners, since they can order them to act in a certain way or to stop doing something. While the Privacy Commissioner of Canada can give advice, government institutions do not have to listen to her.
In addition, the Personal Information Protection and Electronic Documents Act has superseded the Privacy Act as the new federal standard in Canada for privacy promotion and protection. The OPC correctly stated in its June, 2006 comprehensive report on reform of the Privacy Act that "[t]he Privacy Act contains a much attenuated version of the fair information principles, with non-existent or overly-lenient controls on the information management practices of the federal government. The deficiencies in the Privacy Act are readily evident when compared to the comprehensive set of fair information principles embodied in PIPEDA."Footnote 44
The Office of the Privacy Commissioner of Canada holds the view that the current situation is untenable, and that the Privacy Act should be renewed by Parliament, on an urgent basis, to better reflect emerging challenges to privacy and the desire of Canadians to have the federal government better protect personal information in its custody and control and across a much broader field of vision in terms of scope. Such views are irrefutable. There is also need for parity/comparability between the private and public sectors, since Canadians should have relatively uniform privacy rights, whether they are dealing with a bank, Air Miles, their family doctor, Canada Post, or Revenue Canada.
In June 2006, the OPC presented a comprehensive plan for reforming the Privacy Act to the House of Commons' Standing Committee on Access to Information, Privacy and Ethics. It contained a number of sound and insightful recommendations on how to improve the Act to provide stronger privacy safeguards.Footnote 45 A number of them are also reviewed and reflected in this essay. The OPC successfully encouraged the Standing Committee to conduct a review of the Privacy Act in the spring of 2008. The assistance of outside privacy expertise will be essential in this process, because the staff of this Committee, and the Library of Parliament, may not have the time and resources required for such a substantial overhaul. Such drafting work should be left to Justice staff anyway, after the Standing Committee has shown the way forward with specific recommendations.
The Need for Privacy Management for Electronic Government Services
While recognizing its value, the OPC is understandably concerned about privacy issues emanating from the growth of e-government in Canada---both at the federal and provincial levels--- and, in particular, the growth in cross-jurisdictional transfers of personal information for a wide range of government programs. As the OPC has stated, "[n]ew technological initiatives such as government on-line implicate privacy, as the walls that are inherently part of the data structure fade away. If we are to create overarching databases or merge existing databases of personal information, privacy must be built into the design stages of the new technology and systems, as must security."Footnote 46 These are essential points because the growth of electronic government services and of cross-jurisdictional transfers of personal information are powerful and desirable imperatives for serving the public and the public good. There is nothing inherently wrong in either practice so long as they happen under controlled conditions and on the basis of valid express or implied consent from individuals. At present, the Privacy Act does not contain a meaningful consent standard.
Adopting privacy by design, and as many Privacy Enhancing Technologies (PETs) as possible, are essential best practices for achieving robust data protection in these electronic government services, including ensuring identity management, access controls, data masking, encryption, lock-boxes, and real-time auditing as key components of privacy management for Canadian governments.Footnote 47 Such ballyhooed technologies have to be put to protective use as well. Government institutions need to pressure vendors to offer them. The ongoing problem is to persuade the proponents of electronic government initiatives to take privacy and security seriously in the early and ongoing stages of product development and implementation by a proactive approach to privacy advocacy; that is the role of privacy watchdogs at every level, including and illustrating the need for Chief Privacy Officers, with human and financial resources at their disposal, within each government institution.Footnote 48
The use and sharing of personal information across jurisdictions is of particular interest especially as it relates to service delivery. The relevant observation is quite simple. If the various levels of government in Canada have robust privacy laws in place, with independent oversight by a regulator, then such data sharing can be controlled by the application of the general and specific principles of each law (each of which is built around ten core privacy principles) and, more importantly, by entering into data sharing agreements among government entities that are essentially binding contracts.Footnote 49 Bureaucrats do not like having to negotiate such agreements, because they take time and they allow Privacy Commissioners, privacy advocates, and the media to get some sense of what is going on, or what is planned, and to help set the ground rules for data protection. But that is how governments should work to serve the public interest. The federal government simply believes that it can acquire whatever personal information it requires to do its job from other governments and related entities, especially those among the latter that it helps to fund. Data sharing agreements provide clear understanding, rules, accountability, and transparency for privacy protection.Footnote 50
If all relevant privacy laws and related implementation are in fact robust, then one protected enclave can exchange personal information with another protected enclave, under controlled conditions, for legitimate and authorized governmental purposes. Members of the public can then take some satisfaction that Parliament, legislatures, and the privacy watchdogs have a good idea of what is taking place in terms of data exchanges for service delivery (and in the private sector) on the basis of data sharing agreements . Privacy protection is not the enemy, but the friend, of efficient service delivery across all levels of government. Making all of this consensual in nature is but among the many "solutions" that are readily available to sensitive and sensible governments, even in the context of an enhanced security climate. If Canadians want specific services, they will make the pragmatic decision to consent to the collection, use, disclosure, and retention of personal information for such purposes. This is only one of many ways in which privacy can be a manageable issue. Reform of the Privacy Act reflects the need for due diligence and sound information management for federal institutions. They should "say what they do, and then do what they say," which is easier said then done.
The Need for Privacy Management for Transborder Data Flows
The Open and Shut report of 1987 identified the need to provide an effective framework for transborder data flows. Incredible developments in this area associated with the Internet, the World Wide Web, and outsourcing drive the need for further urgent examination, particularly as they pertain to increased personal data exchanges between Canada and the United States for the purposes of national security, public safety programs, and any other public or private sector purposes. As the OPC has already stated about one aspect of these exchanges, "the Act should contain specific wording to define the responsibilities of those who transfer personal information outside the federal public sector into other jurisdictions and to address the issue of adequacy of protection in those jurisdictions."Footnote 51 The OPC's 2005-2006 audit of the personal information management practices of the Canada Border Services Agency (CBSA) is exactly the kind of audit that the Privacy Commissioner of Canada should be doing in this regard.Footnote 52 Although the audit report contains a detailed description and analysis of how the CBSA should manage its data exchanges with the United States, neither the OPC nor the CBSA actually know how the Americans use such information.Footnote 53 This is unacceptable; the CBSA has an obligation to obtain relevant information from the United States in advance of such disclosures. In addition, the Privacy Commissioner herself stated on April 8, 2008: "Overall, the OPC concluded that the CBSA requires a comprehensive privacy-management framework to guide improvements to privacy related policies, systems, procedures and practices, including strengthening the monitoring of the day-to-day information handling practices."Footnote 54 This is not happening fast enough.
Data flows with other national jurisdictions must also be similarly managed for purposes of data protection in the public and private sectors. As the OPC has already stated, "most data protection statutes prohibit the disclosure of government-held information to a foreign state, except in very specific circumstances. This should be the standard for Canada and the Privacy Act should spell out the requirements to be included in any agreement, as well as accountability and reporting requirements concerning those agreements."Footnote 55 In addition, as the OPC has also eloquently stated, "[i]t is completely contrary to the intent of the Privacy Act that a government institution could disclose information to another institution or level of government without being obliged to thoroughly examine why the information is required, how it will be used, on what authority the request is made, and whether there are adequate safeguards to protect the information?. It would be appropriate to have specific wording in the Privacy Act that addresses the requirements to be included in any agreement under which personal information is to be transferred to a foreign jurisdiction."Footnote 56 This language should be included in a redraft of the Act.
One can also readily agree with the OPC conclusion that "Canadians are entitled to know the extent to which their personal information is transferred across borders into the hands of a foreign government."Footnote 57 This is nowhere more important than in Canada's relationship with the United States with respect to cross-border information sharing. The current situation may well strike a layperson as completely out of Canadian control; that should not be, and need not be, the case. But, again, some expert guidance is available and transferable, as in the document from the Treasury Board Secretariat on "Taking Privacy into Account before Making Contracting Decisions."Footnote 58 This wise advice is specifically directed to the approximately 250 federal departments, foundations, agencies of government, and crown corporations that are subject to the Privacy Act.Footnote 59 But unless each of them has someone actually minding their privacy shop and acting as a privacy conscience and as a source of privacy expertise for the organization, they will not even know that such guidance exists.
The Need for Privacy Management for Outsourcing and Public Private Partnerships
The OPC's proposals for reforming the Privacy Act contained several recommendations and proposals for addressing the protection of personal information from unauthorized uses and disclosures (or the risks thereof) that could result from outsourcing and public-private partnerships. The OPC briefly mentioned provincial models for managing such outsourcing (namely B.C.), which seek to ensure that the personal information of citizens is effectively protected when service arrangements involve outsourcing to private sector entities.Footnote 60
The B.C. Ministry of Health's outsourcing of the delivery of the administrative and technical components of the province's Medical Services Plan and the Pharmacare Plan to MAXIMUS Inc., a U.S. company, has been one of the most controversial of such outsourcing initiatives in Canada, producing a brouhaha about the reach of the USA Patriot Act in particular and a complex set of amendments to the B.C. Freedom of Information and Protection of Privacy Act.Footnote 61 While it is helpful to have rules, these were so excessive in the circumstances that 2006 amendments were required to allow B.C. public servants to use their Blackberries and laptops when traveling in the United States.Footnote 62 The business functions transferred to MAXIMUS BC HEALTH Inc. include assisting and processing enrolment and account changes for beneficiary services, processing all automated and manual medical claims and payments for medical practitioners and providers, supporting automated and manual telephone support services for medical providers and the general public, and supporting the various and complex technology services that enable the business services.
The irony is that this regulatory activity, the oversight of the B.C. Information and Privacy Commissioner, and the complex and detailed Master Service Agreement between the Ministry and the contractor mean that MAXIMUS BC HEALTH is subject to much more stringent data protection and security requirements in practice than the B.C. Ministry of Health itself, for example, or any of the health authorities in the province. The goal should be similarly robust data protection and security in place for government departments and outsourcers/private partners with independent oversight, such as now exists for MAXIMUS BC HEALTH and for Sun Microsystems of Canada for its electronic health record work in B.C. MAXIMUS has a Chief Privacy Officer, on-line privacy training, almost instant reporting of privacy breaches to the Ministry, automated auditing of staff access to personal information in systems, and careful monitoring of experience by senior management and the Board of Directors.
As the BC Ministry of Health recently stated, "[e]nsuring the privacy and security of personal information is a fundamental element of the contractual relationship with MAXIMUS BC."Footnote 63 To this end, the Ministry seeks ongoing assurances, through a rigorous, independent, and external auditing process, that "the significantly enhanced privacy and security arrangements required under existing and new legislation as well as rigorous contract parameters are met consistently and reliably by MAXIMUS BC." The outsourcing has also demonstrably resulted in the delivery of far superior service to the appropriate constituencies, especially the general public, than existed prior to outsourcing. Minister of Health George Abbott stated in July, 2006, that "British Columbians continue to receive a record-high level of service from the Province's Medical Services Plan and PharmaCare programs through Health Insurance BC. Our government committed to providing British Columbians with MSP and PharmaCare services through Health Insurance BC that were fast, responsive and accurate. ?We are seeing consistently high quality results from this program – a major change from the 1990s, when phone services were closed one day a week just to deal with the paperwork backlogs."Footnote 64
The Privacy Protection Schedule that the B.C. government imposed on MAXIMUS as a schedule to its contract is an excellent model that is being frequently emulated across the sectors in B. C. and now in the rest of the country.Footnote 65 Sun Microsystems of Canada Ltd., which has won a contract from the B.C. Ministry of Health to build the backbone for the electronic health record in the province, had to agree to similarly strict rules on data protection.Footnote 66 A revised Privacy Act should mandate such requirements.
British Columbia, as a consequence of the USA PATRIOT Act debate, has the leading edge practices and procedures in Canada to protect personal information when governments choose to engage in outsourcing and public-private partnerships. In particular, these provide lessons for enhanced privacy management in the federal public sector, especially since so many such personal information handling activities, or portions thereof, are already outsourced to myriad service providers in ways largely unknown, one suspects, to the Office of the Privacy Commissioner.Footnote 67 As the OPC has wisely recommended, the "Privacy Act should, at a minimum, also make it clear that, when government work is outsourced, the government institution remains accountable for personal information and that the information is considered to be under the control of the institution."Footnote 68 This recommendation is a very good illustration of how easy it is to prescribe for what is required to make outsourcing a positive benefit for all parties; the process does not require the development of ruses worthy of medieval theologians. One of the key privacy defences for MAXIMUS BC Health, for example, is that while it has "custody" of sensitive personal information, "control" remains very much with the BC Ministry of Health. This should always be the case in such outsourcing relationship and public-private partnerships. Government institutions always have to retain control of personal information collected, used, disclosed, or retained for their purposes; they also have to take steps that service providers and outsources are acting in compliance with the Privacy Act.
The Need for Chief Privacy Officers, Privacy Impact Assessments, and Independent Oversight as Privacy Management Tools in an Enhanced Privacy Act
Outside of the minimal accountability and reporting requirements set out for government institutions under the Privacy Act, the Treasury Board of Canada has established much of the accountability regime for personal information management in the federal government by issuing policy and administrative procedures.Footnote 69 But this Secretariat has not done much else, over time, to ensure the implementation of the Privacy Act across the federal government.Footnote 70 As I wrote in 1989, "[t]here is no continuing activist mentality on the implementation of data protection at the Treasury Board, especially outside the specialists in the Administrative Policy Branch. Neither the president of the Treasury Board nor the secretary had, or indeed have, any particular interest in conflicts with their political and public service colleagues about the protection of privacy?. The Treasury Board is not doing much more than it must under the Privacy Act, and it depends on the privacy commissioner to make the law effective."Footnote 71
Although the Open and Shut report gave higher priority to compliance activity at the Board, the results were short lived. In 1994 the Board did issue a helpful policy on "Privacy and Data Protection," which appears to have been largely ignored in practice.Footnote 72 Another positive exception was a burst of energy to guide and encourage the preparation of Privacy Impact Assessments at the turn of the century.Footnote 73 The web site of the Treasury Board states that the "President of the Treasury Board is the Minister responsible for government-wide administration of the legislation," but that has not resulted in meaningful activities for privacy protection beyond the most basic.Footnote 74 The more relevant statement is that "Ministers and Heads of Agencies are responsible for ensuring that their organizations comply with Access to Information and Privacy legislation." Again, this is nothing more than a pious platitude. In practice, it means that no one is minding the privacy shop for the government of Canada at government institutions.
It is time for the Chief Information Officer of Canada (in the absence of a Chief Privacy Officer) to step up to the plate on behalf of the Treasury Board even under the current structure. The CIO and the Treasury Board should not be allowed to take shelter behind the notion that it is up to the OPC, and individual departments, to be alone responsible for making the Privacy Act meaningful in practice, even in its current "privacy light" version.Footnote 75 In particular, the CIO can ensure an ongoing marriage between privacy and security specialists in mutual support of these intimately-related goals. A CPO would be of great benefit in this process. Privacy-intensive government institutions, such as Public Safety Canada, Transport Canada, and Service Canada, do not have Chief Privacy Officers in place.
The Treasury Board Secretariat does maintain a list of "privacy and access coordinators" for government institutions.Footnote 76 It would appear that more than 200 persons hold such a title in entities that range from being huge (Health Canada) to small (a local port authority). The task of a privacy and access coordinator is primarily to process requests for access to information under either the Privacy Act or the Access to Information Act.Footnote 77 That is at least what the positions have become over time, with a few exceptions such as Health Canada, which has a more coherent approach to privacy management. (See appendix 1 below) A senior coordinator wrote that "at this point in the history of our legislation, the title of ATIP Coordinator often conjures up only the image of those who retrieve documents and process access to information and privacy requests. Most Coordinators are primarily in the request processing business. It is a circumstance that occurs by default because of capacity. If there are limited resources and there is a choice of responding to requests or developing policies and guidelines, the former always wins out."Footnote 78 The coordinator role is almost always at a fairly junior level in the bureaucratic hierarchy; incumbents rarely have the clout to make a significant difference in their agency. In fact, even a Chief Privacy Officer would have problems making his or her own voice heard in such hierarchical power structures.
A critically-important improvement would be to amend the Privacy Act to require the appointment of Chief Privacy Officers (CPO) for the government of Canada and in each government institution, or at least in those that are privacy intensive (collecting, using, disclosing, and retaining a great deal of personal information on members of the public and employees). What is being recommended here is much more policy oriented than the current work of an Access to Information and Privacy Coordinator. A CPO should certainly raise the profile of privacy within any government institution and provide a focal point for the solution of ongoing privacy issues in a pragmatic manner.Footnote 79 Of course, they will require a very senior reporting relationship, appropriate human and financial resources to do the job, a Privacy Team/advisory group, general and specific privacy policies and related procedures and processes, the conduct of Privacy Impact Assessments for significant data bases, on-line privacy training for all staff, robust security practices, meaningful confidentiality agreements, Frequently Asked Questions, auditing, and a full range of security controls from identity management to role-based access.Footnote 80 In a number of these instances, the CPO can breathe life into policy work that the Treasury Board has already done, which now requires meaningful implementation.
Emerging experience in North America in the public and private sectors suggests that the CPO model can be the focal point in an organization for achieving systematic solutions to privacy issues.Footnote 81 The Conference Board of Canada, for example, has a Council of Chief Privacy Officers.Footnote 82 The U.S. Department of Commerce, the Department of Homeland Security, and the Internal Revenue Service have appointed CPOs. Major tech firms like IBM, Microsoft, Sun Microsystems, Oracle, and Hewlett-Packard have had CPOs for years. The Canadian Millenium Scholarship Foundation, a federal entity, has a CPO as well.Footnote 83 The Ontario government has a Chief Information and Privacy Officer.Footnote 84 The preferred approach would be to separate such positions because of the enormous responsibilities of both (comparable to the successful argument that Canada should continue to have a Privacy Commissioner and an Information Commissioner).Footnote 85
Although Health Canada decided not to officially appoint an Assistant Deputy Minister as the CPO for the agency, because of the lack of a precedent in federal institutions, it is worthwhile outlining what it has done (and what it wanted to do) to better manage privacy in recent years, because Health Canada has become a federal model in this regard. The Assistant Deputy Minister, Corporate Services Branch (CSB), was to be the Chief Privacy Officer (CPO) for the Department and, even though he does not have the title of CPO, he is accountable to the Deputy Minister for championing privacy initiatives internally and externally. This concept of a privacy champion in every government institution is very important for advancing a culture of sensitivity to privacy. In addition, the Health Portfolio Privacy Committee provides a senior level review of privacy issues and is a key mechanism for ensuring a horizontal and collaborative approach to integrate privacy policies and practices across the business lines of health portfolio institutions. The Committee reports to the Departmental Executive Committee through the ADM. The network of privacy contacts provides advice and support to the Health Portfolio Privacy Committee with regard to operational implications related to privacy.Footnote 86
Health Canada thus has developed a solid capacity for privacy policy work. (See appendix 1) Its Access to Information and Privacy Division (staff of 44) has both a Policy Unit (14 officers) and an Operational Unit (30 analysts). Organizationally, it allows for mobility between the units, particularly at the more junior levels. Both policy and operational personnel operate on a portfolio basis in that they are responsible for assisting and providing advice to specific program and service areas within the Department. One of the main advantages of having a policy unit is that Health Canada can maintain an active privacy training and awareness program in a very large and decentralized Department. The Privacy Commissioner of Canada recently advocated that all federal managers and executives should have privacy information management training, just as they are now required to have financial and human resource management training.Footnote 87
The concept of Chief Privacy Officers, with staff and financial resources, in place across all governmental and private sector concerns in this country is an idea whose time has truly come. The Government of Canada should emulate Ontario and appoint a Chief Privacy Officer to serve as the government's focal point for privacy advice across the entire government; each privacy-intensive federal entity should have similar officials in place for the same purposes. Such officials would be vital counterparts to the existing Chief Information Officers and Chief Security Officers, who are also crucial contributors to the data protection imperative.
Reform of the Privacy Act itself, however desirable, is not a magic bullet or a panacea that will cure all privacy ills in the federal domain. It can only be one component of enhanced privacy management for federal institutions, crown corporations, and other federal entities, such as the Canadian Blood Services, that are largely funded by the federal government and that now escape statutory regulation.Footnote 88 On-line privacy training on a repeat basis for anyone who works with personal information is absolutely essential for enhancing compliance.Footnote 89 The government itself must make its departments do their privacy jobs with commitment and resolution on an ongoing basis.
The OPC has argued that the accountability requirements, namely for privacy impact assessments and controls on data matching, should be mandated in the Privacy Act to ensure that federal departments and agencies adhere to them rigorously.Footnote 90 That makes excellent sense. An argument can be made that full-scale PIAs should only be statutorily mandated for the most intrusive and sensitive personal information systems.Footnote 91
In addition, the standards that have emerged for contemporary accountability regimes for personal information management in Canada and in other English-speaking countries mean that federal departments and agencies should be assuming and ensuring greater openness, accountability, and transparency for privacy management, and the Privacy Act should mandate such an approach. It is in the best interests of federal departments and agencies, especially those that are privacy intensive, i.e. holding large amount of personal information, to adopt sound management techniques for privacy risk management. The components of robust privacy and security management are now well known.Footnote 92 A revised Privacy Act should mandate as many of them as possible in a privacy management framework.
The Need for Order-Making Power for the Privacy Commissioner of Canada
The Privacy Commissioner of Canada needs more power in order to get the attention of the government and government institutions on an ongoing basis. As the OPC itself stated in 2006, "[t]he Privacy Commissioner is an ombudsman, with no order-making powers. The ability to truly fulfill the ombuds-role has frequently been frustrated by limitations in the Privacy Act. The question of order-making power will need to be carefully examined in the context of the Privacy Act reform. The Act should specifically empower the Privacy Commissioner to engage in mediation and conciliation, as is already the case under PIPEDA."Footnote 93 Most of this list makes perfect sense. The Commissioner should also have a statutory mandate to educate and inform Canadians about their privacy rights.
In the author's opinion and experience, the case for order-making power for the Privacy Commissioner of Canada, first in the public sector and later in PIPEDA, is a powerful and persuasive one. The Information and Privacy Commissioners in Ontario, B.C., and Alberta are as successful as they are because they are true regulators, even though they rarely exercise actual order-making power on the privacy side of their mandate.Footnote 94 It is the prospect of their doing so that makes all parts of government pay attention to them. The supposedly-superior merits of the ombudsman approach are the stuff of myth and legend and an unwillingness to learn from Canadian experience outside of Ottawa and the federal realm. It is time to break free of this paradigm. Politicians and public servants will pay more attention to the advice of the Privacy Commissioner of Canada if she has the ability to use order-making power in appropriate circumstances.Footnote 95 Of course, such decisions can be appealed to the courts, as is already the case in provinces with order-making power. Decisions in such appeals will further enhance the jurisprudence of privacy as illustrated by decisions of the Supreme Court of Canada quoted above.
The OPC's June, 2006 report on reform of the Privacy Act discussed the pros and cons of this issue of order-making power in a manner that at least gets away from certain stereotyping that surfaced in such discussions in the past.Footnote 96 The OPC called for further study of the issue and posed some relatively academic questions for consideration. It is time for greater boldness and indeed action. The OPC well stated the main current argument against the ombuds-person model, the argument of actual history. It stated: "The recommendations of an ombuds-person must be respected, given due consideration, and acted upon except in exceptional circumstances, else there is no ability to achieve balance, assist citizens and resolve issues. Governmental disregard of objections and concerns raised by the OPC puts the fundamental informational privacy rights of all Canadians profoundly at risk."Footnote 97 That is in fact what has happened over time; the Privacy Commissioner of Canada has become something of a toothless watchdog. At present, it is much too easy for federal departments and agencies to dismiss the Privacy Commissioner as only being able to give advice (which one does not have to take). They are not always careful listeners. The only real way for the OPC to get appropriate attention for its views from the government and Parliament is for the OPC to have order-making power. Even then, Parliament can always do what it wants in the exercise of parliamentary supremacy, and the courts can overrule a Privacy Commissioner.
Mid-way through my term as the first Information and Privacy Commissioner for British Columbia in the 1990s, I made this comment about my exercise of order-making power, which I think is still valid: "?I use it mainly to win agreement on my recommendations that are normally arrived at by joint deliberations with authorities that keep my colleagues and myself sensitive to the demands of daily bureaucratic life and the reality of service delivery to the public?. My power on any issue is also effectively limited in our democratic society by the fact that the legislature can in fact do almost anything it wants to invade personal privacy by law or regulation, despite my best advice to the contrary. Only an aroused public can seek to mitigate this Achilles heal of data protection."Footnote 98
There are unfounded fears that giving selective order-making power to the Privacy Commissioner of Canada will require an enhanced bureaucracy and substantially-increased expenditures from the public purse.Footnote 99 The evidence from the provinces does not support these fears. Order-making on privacy issues remains the exception rather than the norm, lay persons and lawyers are writing orders on Freedom of Information (FOI) and privacy issues, and staff sizes and budgets for combined FOI and privacy management are less than at the OPC.
Learning to Work With the Privacy Commissioner of Canada
When will federal politicians and public servants learn to inform and consult the Privacy Commissioner of Canada, for example, in advance of their latest scheme that may be highly privacy intrusive and that will likely lead to sensational media treatment, including the fact that the Commissioner had never heard of the system?Footnote 100 When will Privacy International, the premiere international privacy lobby group, be able to stop informing national Commissioners of developments that they should have known more than something about in advance, such as the Society for Worldwide Interbank Financial Telecommunication (SWIFT) debate in 2006?Footnote 101 SWIFT was disclosing significant amounts of personal information on international bank transfers to the U.S. government in response to legal subpoenas without being open and transparent about the practice. Will it always take a major privacy disaster, such as the loss of CDs with massive amounts of personal information on 25 million persons in the United Kingdom in November 2007, to result in enhanced resourcing and empowerment of these official privacy watchdogs?Footnote 102
One does not have to be very cynical to recognize that the federal government and federal institutions want to do what they want to do, when they want to do it, to meet the perceived political exigencies of the moment and to stay in power. Bennett and Raab observe that "[m]any parts of government wish to ensure that privacy considerations do not unduly constrain their intensive use and sharing of databases?."Footnote 103 Watchdogs like Privacy Commissioners can be a major irritant for even well-intentioned Ministers and senior public servants, who may be all too ready, for example, to trample individual rights in the rush to protect national security. Of course, even to write such a sentence may suggest that privacy advocates always want to trump other values. Such is far from the case in Canadian experience going back to the mid-1970s. It is hard to recall a Privacy Commissioner in Canada taking a foolish position or one that did not seek to articulate the privacy interests at stake in a particular situation requiring commentary. Even George Radwanski, whose career as Privacy Commissioner of Canada ended with his resignation on June 23, 2003 for his spending and borrowing habits, took strong and well-informed positions on many of the privacy issues he gave advice on.Footnote 104 It is sad but true that governments perceive a weak Privacy Commissioner as a positive good, thus offering only the illusion of data protection.Footnote 105 That situation has to change in the interests of the public, not least because of the constitutional protection accorded to the right to privacy in the Charter.
The Resourcing of the Privacy Compliance Function at the Office of the Privacy Commissioner and in Government Institutions
Canada could enact the best public-sector privacy law in the world, and it still would not mean much in practice if Parliament does not ensure that resourcing (human and financial) is put in place both for the OPC and for each government institution. Not a single 'Privacy Commissioner' in Canada is properly resourced to perform the full scope of his or her statutory duties. By any kind of civilized and/or comparative standard, the human and financial resources available to them are inadequate.Footnote 106 However hard the current staff of the OPC work, it is humanly impossible for them to do everything that is required, despite recent staffing increases. The plethora of issues requiring attention is literally overwhelming, in addition to all of the routine tasks requiring attention.Footnote 107 The primary work of achieving privacy compliance has to rest with each government institution; the OPC should be monitoring and auditing what they actually do.
Under-resourcing of all Privacy Commissioners across Canada has meant that, with rare exceptions, none of their staff members have really developed ongoing expertise on one kind of major data protection problem or another, such as biometrics, encryption, electronic health records, or almost any security issue.Footnote 108 Staff of these offices also have to be more disciplined so as not to chase every rabbit that surfaces in a daily media report of one sort of another that appears to affect the privacy interests of Canadians. If appropriate staff expertise exists, then those persons can manage the issue of the day and leave the rest of the staff to go about their main tasks. Self-discipline to focus on the essential priority components of meaningful and effective data protection has to be the main preoccupation at the OPC and across the country.Footnote 109 Giving policy advice, conducting investigations, audits, and site visits, and educating the public are more important than the processing of routing complaints.
More specialized policy resources in the OPC, including additional outsourcing to other competent privacy professionals, including at law firms, will also encourage government departments and crown corporations to consult with it more regularly and frequently to build in the data protection and security controls that are requisite in the design of all information systems containing personal information.Footnote 110 Even though there are several hundred thousand persons who are required to comply with the Privacy Act, including 217,000 public servants, the OPC cannot hope to be funded for exponential growth in budget or staff. It has 140 staff at present, who will have to work smart, and with considerable focus, to fulfill public expectations.
"Building in privacy by design" is the name of the data protection game, and privacy specialists at the OPC have to work with the relevant bureaucrats to achieve it.Footnote 111 Even if the latter have thought carefully about appropriate solutions, it is essential to give the OPC a high-level overview of what is being contemplated so that no one will be blindsided in the media or in Parliament further along the route of a specific development.Footnote 112 Unfortunately, government institutions fear that the Privacy Commissioner will try to "stop" an initiative if they are informed too early in the process. If everyone has to be onside in a government institution before making a timid approach to the privacy watchdog, that is a recipe for a privacy disaster in the making.Footnote 113 While the government should get its house in order on a particular issue or approach, consulting with the OPC should be an integral part of the process from almost the beginning so as to reduce the risk of nasty surprises for the government institution. For example, a government institution presenting the OPC with even a competent conceptual Privacy Impact Assessment should be well ahead in achieving privacy risk management.
The Oversight Role of the Standing Committee on Access to Information, Privacy and Ethics
The mere existence of the House of Commons' Standing Committee on Access to Information, Privacy and Ethics should be very important for promoting oversight activities, including the appointment or re-appointment of any Privacy Commissioner of Canada. Members of this Committee, supported by ongoing staff resources, need to develop some privacy expertise of their own to not only promote legal reform, as in the case of revitalizing the Privacy Act, but also to ensure that outstanding individuals are appointed to fill these critically-important posts in Canadian society. Of course, members also have a critical mandate to ensure that the Office of the Privacy Commissioner of Canada is doing its job effectively, pragmatically, and creatively.
Privacy advocates should perceive the new Standing Committee as a positive development. There is finally a committee that has the opportunity to pay ongoing attention to privacy matters and to become educated about them. It will soon learn which expert witnesses are both credible and helpful. Jennifer Stoddart has followed up on her substantial experience in briefing Quebec parliamentarians and government officials on such matters with ongoing appearances before the Standing Committee; this can only be to the good in terms of developing some real privacy expertise.Footnote 114
Each of the "Privacy Commissioners" of Canada dating back to 1978 and the appointment of Inger Hansen has brought his or her own style to the articulation of the job requirements.Footnote 115 Based on close observation of such officials in Canada, Western Europe, and Australasia, dating back to the 1970s, the argument of this writer is that they have to adopt a forceful, aggressive, dynamic, committed, yet pragmatic approach to fulfillment of their job requirements.Footnote 116 These are not jobs for shrinking violets or the insecure. After listing the seven roles of the Privacy Commissioner, Bennett wisely opined that "[t]his flexible and multiple set of powers and quite expansive mandate would give any observer the impression that the privacy commissioner is a person of considerable power within the federal system. Yet, the exercise of the powers of the office is essentially dependent on the style, character, skill and personality of the commissioner himself or herself and on how that person perceives and is perceived by the wider organizational environment."Footnote 117
The Standing Committee also needs at least several ongoing staff and consultants that can develop a strong background on privacy matters, much more than one can expect from clerks of such committees and their supporting researchers because of their general duties in these circumstances.Footnote 118 One remembers fondly the example of the U.S. House Subcommittee on Government Information in the 1970s and 1980s where, for many years, Robert Gellman was a one-man band of privacy expertise for members of the committee. There has never been a Canadian federal equivalent in Parliament over time, and there needs to be. Achieving meaningful and effective data protection requires the development of clear thinking and accompanying expertise on myriad topics. The House Standing Committee needs to play a strong role in pushing for Privacy Act reform as a matter of the highest priority and in the best interests of constituents.
Enhancing the Audit Authority and Audit Capacity of the Privacy Commissioner of Canada and of Government Institutions
I was fortunate in the 1980s to learn about the beneficial effects of auditing for privacy compliance in Germany, and since then I have become a bit of a broken record on the topic.Footnote 119 As Information and Privacy Commissioner in B.C., I pioneered the idea of site visits as an elemental form of both auditing and consciousness-raising. Experience as a consultant since 1999 has reinforced my views of the central importance of audits and site visits to promote and achieve compliance. How else can one really find out what is happening in practice? In an ideal world, government institutions will plan or commission ongoing internal and/or external privacy audits and then present the results to the OPC. There is delicious irony in the resources that the B.C. Ministry of Health is devoting to privacy audits of MAXIMUS BC HEALTH, when such audits are not common in the Ministry itself or in B.C.'s health authorities across the province, especially with the envisioned roll-out of electronic health records. The current Privacy Commissioner of Canada is investing significant resources in the auditing process and conducting some very important audits of key personal information systems.Footnote 120 She also requires authorization to release the results upon completion of the final audit report.
Reform of the Privacy Act should now require that federal departments and agencies use their internal and external auditors to add privacy and security auditing to their routine activities. Even filling out a privacy check list would be a significant eye opener for government institutions that have little idea about the actual state of their data protection compliance with a broad range of statutory requirements, except for the number of requests each year for access to personal information and/or the number of privacy complaints received. Such a checklist can also incorporate best practices to help keep government institutions out of privacy trouble.
The Need for the OPC to Move beyond Complaint Handling
In his report on the proposed merger of the offices of the Information Commissioner and the Privacy Commissioner, Justice Laforest stated that in "keeping with the ombudsman function, the primary duty of both the Information and Privacy Commissioners is to independently and impartially investigate and make recommendations with respect to complaints from persons alleging that a government institution has breached their rights under the Access to Information Act or Privacy Act."Footnote 121
This simple and accurate description in fact highlights a critical deficiency in the current Privacy Act. In the 21st century, as noted above, responding to complaints is only a very small part of what a privacy watchdog needs to do to seek to control bad surveillance, at least compared to the need to give systemic and specific advice, to conduct general and specific investigations, and to carry out audits and site visits.Footnote 122 As Bennett and Charles D. Raab have said of the multiple role of the Privacy Commissioner, she is expected at some point to perform seven interrelated roles: ombudsman for citizen complaints, an auditor of organizational practices, a consultant on new and existing information systems, an educator of the public, policy advisor, a negotiator, and an enforcer.Footnote 123 Bennett and Raab conclude that the more general and proactive powers are the more important ones. Each of these roles requires resourcing, commitment, ongoing leadership, and actual results in the face of multiple demands and competing priorities. Justice La Forest specifically recognized, later in his report, that "[t]he Privacy Commissioner, in contrast [to the Information Commissioner], is more frequently involved in high-level debates about the long-term, systemic, and often transnational effects on privacy of proposed and existing legislation and policy, such as the government's reaction to the threats of organized crime and terrorism and the privacy implications of novel surveillance and information gathering technologies."Footnote 124 This is currently, and has to remain, a key focus for the OPC.
Under-resourcing of the Office of the Privacy Commissioner of Canada has meant almost unbelievable, and certainly unacceptable, delays in conducting investigations and responding to privacy complaints from the general public. These delays for complaints are routinely more than a year in practice.Footnote 125 The solution is to authorize the OPC to focus only on meaningful complaints and to pay less or no attention to what it deems to be less important, or repetitive complaints; the Privacy Act should reflect this right to prioritize, since responding to complaints is only one facet of making data protection meaningful.
In a January 15, 2008 submission to Industry Canada on revision of PIPEDA, the Privacy Commissioner asked for discretion in responding to complaints, because of "the lengthy and increasing delays we face in handling complaints while at the same time [we should] be in a position to take a more pro-active approach in addressing more systemic and pervasive issues through research, public education, Commissioner initiated complaints and audits?. Privacy issues have traditionally arisen in the context of discrete transactions between an individual and an organization and have come to light as a result of individual-driven complaints. Today, major privacy issues arise from more systemic threats resulting from rapidly-advancing information technologies, particularly those enabled by the internet. Such new and emerging threats affect society as a whole, at such a pervasive level, in such complex and obscure fashion, and on such a daily basis, that in most cases, the average person would not even know about them, let alone complain about them. One has only to think of the vast array of surveillance technologies and nanotechnologies which are becoming commercially available, RFIDs, social networking, behavioural on-line marketing etc. Increasingly, data protection authorities around the world are recognizing that this is where our efforts must be directed if we have any chance of curbing these privacy threats as they emerge."Footnote 126
The same forceful arguments should be applied to shaping an approach to complaint management under the Privacy Act. In fact, the latest formulation of the required change from the Privacy Commissioner of Canada wisely reads as follows: "Providing discretion for the OPC to more efficiently and expeditiously deal with complaints which have less systemic and societal significance, enabling the OPC to invest more resources in complaints that will have a significant impact on improving the state of personal information management across the federal government."Footnote 127
The Importance of Requirements for Privacy Breach Notification
Canada has moved quickly into the world of requirements for privacy breach notification to both Privacy Commissioners and to affected individuals. To date, it has largely been an issue under privacy legislation for the private sector. But when the New Brunswick Department of Health and Wellness lost several tapes of patient information in transit between that province and British Columbia in October, 2007, the N.B. Minister of Health determined that over six hundred persons needed to be notified of the loss and of the risk to their identity through identity theft.Footnote 128 MAXIMUS BC HEALTH, the custodian of the Medical Services Plan database, simultaneously flagged the accounts of affected British Columbians to monitor for unusual activity. This embarrassing episode (data tapes were not encrypted while in transit with a local courier firm) required significant amounts of senior executive time to manage in the legislature and in the media. Cabinet members were not pleased with several days of bad publicity. The B.C. Information and Privacy Commissioner immediately announced his own investigation of what had happened (adding to the embarrassment of the government and the Ministry of Health).Footnote 129
The CIBC fax fiasco is another case in point from the private sector, where brand and reputational damage was significant. The connection among these episodes and Privacy Act reform is that federal institutions will not be able to escape similar obligations and costs in the event of such breaches. Few will have breach notification guidelines in place and will have no experience in what to tell frightened clients in the face of another privacy crisis. Fortunately, both the OPC and Treasury Board Secretariat have now provided guidance on these matters.Footnote 130 It will be essential to include statutory requirements for the handling of privacy breaches, including mandatory reporting to the OPC, in a revised Privacy Act, as the Privacy Commissioner has recently recommended.Footnote 131 Mandatory reporting of significant breaches and the resulting costs, embarrassment, bad publicity, and negative media will likely do a great deal to promote enthusiasm for effective privacy management to minimize such breaches, especially among those who do not take privacy risk management seriously. There is also a need to fashion sanctions for negligent breaches.Footnote 132
So What Can and Should Be Done to Improve the Privacy Act? Some Final Reflections.
The following timely words belong to a summary comment from the Privacy Commissioner of Canada in June, 2006: "The urgency of reforming the Privacy Act increases with each passing year. What is needed is legislation that is responsive to the complexities of contemporary governance, provides an effective framework to minimize risks to informational privacy in the face of new technologies, enables public accountability, and allows Parliament to fully assume its role of guardian of our fundamental values, including the right of informational privacy."Footnote 133 That is a full and necessary agenda for the government of Canada and the Minister of Justice in particular.
A series of propositions require articulation to bring this series of reflections on reform of the Privacy Act to a conclusion:
- The current Privacy Act is highly-inadequate for needs of thethe 21st century. Simply in terms of the ten privacy commandments in the national privacy standard, it is weak on eight of them, including lack of accountability;Footnote 134 deficiencies in openness; failures in identifying purposes; absence of meaningful consent standards; not a success in limiting collection; failure to limit use, disclosure, and retention; absence of data quality tests to ensure accuracy; and a complete absence of security safeguards.Footnote 135
- There is a clear lack of political will to revise the Privacy Act; it is not a captivating topic for the government, politicians, or bureaucrats. IT SHOULD BE; the public should demand no less.
- Few politicians in power care about privacy, except if a privacy crisis needs to be urgently managed in the usual manner, i.e. fending off the Opposition, the media, and concerned portions of the public. At best, privacy is a generic concern that does not rise to the level of the need for action. Politicians need education so that they understand what privacy protection is all about. Constituents deserve at least that much from their elected representatives.
- Freedom of Information only appeals to Opposition politicians, not to politicians in power. It has no appeal, and is only a bother, if not a threat, to the government and public servants and their control of access to general information. This is a deplorable state of affairs, given the fact that open, transparent, and accountable government is fundamental to democracy in Canada. FOI and privacy are separate domains when it comes to needed law reforms.
- National security and law enforcement interests can sideline even the most reasoned and pragmatic approaches to revitalizing the Privacy Act, because they are so powerful and so aligned with the U.S. government with a sorry record of national data protection for the public sector that is even worse than Canada's. But there is no reasons that national security and law enforcement concerns cannot coexist in an atmosphere of mutual respect for the rules of the road.
- The government needs to be persuaded that privacy protection is a "conservative" issue, a "liberal" value, and a potential win/win that transcends political ideology and affiliation.
- Public servants were given no new resources to implement the Privacy Act and the Access to Information Act with predictable unhappiness over time. These pieces of legislation have left a bad taste behind. An imperative for a revitalized Privacy Act is appropriate resourcing of its implementation at government institutions.
- Sparring factions in the Department of Justice (the Charter people versus human rights versus access and privacy specialists) will never agree among themselves, because of their competing turfs and their respective technical expertise; their political and bureaucratic masters will have to tell them what to do and how to do it. That is a task for the Minister of Justice and his Deputy Minister.
- If concrete proposals for revision are at hand, it might be possible to hook reform of the Privacy Act to a government reorganization or housekeeping bill that amends several statutes at the same time. The key is preparation for such an eventuality.
- What would the Privacy Commissioner of Canada ask for if she had a meeting with the Minister and/or Deputy-Minister of Justice? Or the Clerk of the Privy Council, who was Deputy-Minister of Industry Canada when PIPEDA made headway? The OPC is prepared for such an eventuality and should be pushing for such meetings, not least because it has nothing to lose in the face of more than a generation of inertia on the part of key stakeholders. The public interest is at stake.
- Emphasizing the need for security safeguards as a core component of privacy protection, and one of the ten privacy principles, might be an easy sell for the government, politicians, and senior public servants, especially since the Privacy Act contains no security standards at all. That position is indefensible.
- While the U.S. has not seen fit to engage in a major overhaul of its 1974 Privacy Act, the U.S. federal government has developed extensive sectoral legislation to regulate specific problems, especially in the private sector. Parliament should try to ensure that major pieces of new or revised legislation include progressive data protection measures that are commensurate with what an improved and enhanced Privacy Act should look like. A precedent is the confidentiality rules in the federal Statistics Act.Footnote 136
- Informed U.S. observers, like Bob Gellman, say that they do not really know how to fix their Privacy Act; the situation in Canada is quite different.Footnote 137 Bruce Phillips produced a plan late in his term for what to do to fix the Act and presented it to the Deputy Minister of Justice.Footnote 138 As noted in several places above, Jennifer Stoddart has suggested the additional broad topics that now need to be addressed and has additionally proposed "quick fixes" for reform.Footnote 139
- Most importantly, Canada and its provinces have excellent recent models of enhanced and improved legislation, starting with PIPEDA for the federal private sector, B.C. and Alberta's Personal Information Protection Act (PIPA) as much more coherent approaches to private sector regulation than PIPEDA (with its clumsy structure), and Ontario PHIPA, which I regard as taking a very intelligent and intelligible approach to data protection for the very complex area of the protection of health information (public and private sectors). See below.
- PIPEDA has the great advantage of being built around, in a sense, the Canadian Standards Association's Model Code for the Protection of Personal Information with its emphasis on the ten privacy commandments (which are almost invisible in the current Privacy Act).Footnote 140 One might also simply propose extending the best elements of PIPEDA to the public sector. The Privacy Act must at least feature such a principled approach.
- If one accepts a commonly-asserted dictum that fashioning data protection is not rocket science, it would take a relatively short time to develop instructions for legislative draft persons in the Department of Justice. The recommendation would be to build on what is in the current Privacy Act and then add on the best parts of PIPEDA, the PIPAs, and especially PHIPA. There is no need to re-invent the wheel.
- It is highly relevant to point out in this context that an act like Ontario PHIPA, addressing the most complex issues of health data protection, does not unduly harness or restrict the Ontario health care industry, led by the Ministry of Health and involving a large number of health regions, individual hospitals, labs, pharmacies, and doctors' offices. While it is a suitably complex piece of legislation, PHIPA has the effect of creating a large sandbox in which these health information custodians can collect, use, disclose, and retain personal information in compliance with a set of detailed rules, which are subject to the independent oversight of the Ontario Information and Privacy Commissioner.Footnote 141 In particular, health information custodians are permitted to share personal health information for legitimate purposes within this protected enclave. In terms of mandatory privacy risk management, such health information custodians are required to publicize their statements of information practices and to have Privacy Officers (contact persons) and privacy training in place for their agents. Requirements of either express or implied consent from individuals inform the entire process.Footnote 142 All of these Ontario ideas, which are reflected in other provincial privacy laws, are worthy of serious consideration for a revitalized Privacy Act. Again, the essential need is for the federal government to learn from the experience of others and to regain its position as the leader in Canadian data protection.
Appendix 1: An Overview of the Privacy Responsibilities of Health Canada's Policy Unit
- Supports Health Canada in adopting a corporate-wide approach to manage privacy and mitigate privacy risks;
- Provides privacy policy advice to Branches and Regions as designated on the Portfolio list on a wide array of initiatives involving personal information, such as secondary uses and de-identification and re-identification of personal information;
- Develops policies and guidelines in collaboration with program officials to assist them in implementing programs and services in a manner consistent with privacy principles;
- Manages the Departmental Privacy Impact Assessment Program;
- Delivers the privacy training program to Departmental audiences and participates in the ongoing development, revision and updating of the program;
- Assists the Operational Unit by developing procedures to streamline the processing of privacy requests;
- Supports the health sector's response to privacy challenges by working with federal/provincial/ territorial stakeholders and national associations to develop pan-Canadian solutions, particularly in resolving issues associated with the deployment of Electronic Health Record Systems;
- Cooperates with other federal departments and agencies to advance national and cross-sector privacy issues, for example works with Industry Canada to ensure that the concerns of health providers are addressed in any revisions to the Personal Information Protection and Electronic Documents Act.
Alternate versions
- PDF (274 KB) Not tested for accessibility
- Date modified: