Privacy Act Reform
ARCHIVED - Government Accountability for Personal Information
Reforming the Privacy Act
Office of the Privacy Commissioner of Canada
112 Kent Street
Tel. 613-947-1698, 800-282-1376
This publication is also available on our Web site at www.priv.gc.ca.
- B. The need for the Privacy Act to provide the right incentives
- A. Adapted and responsive framework for the appropriate discharge of privacy obligations
- B. Government-to-Government Transborder Data Flows
- C. Outsourcing and public-private partnerships in the delivery of services and programs
- D. Comprehensive accountability framework for National Security Agencies
- A. Expanding Jurisdiction
- B. Protecting Unrecorded Information
- C. Strengthening Court Review
- D. Extending Access Rights
- A. Framework for Collection, Use and Disclosure
- B. Data matching, data aggregation and data mining activities
- C. Strengthening the Right of Access to Personal Information
- D. Addressing Potential Misuse of the Act
- E. Destruction of Documents
- F. Publicly Available Information
The Privacy Act is a first generation privacy law that has not been substantially amended since its passage in 1982.
- Proposals put forward by the Information Commissioner of Canada last September to update the Access to Information Act – expanded coverage, greater government transparency and accountability for its information holdings, and a broader public education and research mandate – will be equally valuable to the Office of the Privacy Commissioner.
The privacy challenges posed today in contemporary government are compounded by increased globalization and heightened concerns over national security, combined with higher public expectations that the federal government will respect the fundamental privacy rights of the public it serves. The challenges are not unique to the federal government – or to the Canadian federation. These issues cut across many jurisdictions and even defy the very notions of national boundaries and the exercise of sovereignty.
Some observers have noted that the federal government holds the private sector to a higher standard than it imposes on its own operations involving the collection, use and disclosure of personal information. This is problematic, particularly in light of the fact that the Canadian government has gained extraordinary powers over the informational privacy of citizens through a series of legislative measures and changes in machinery of government, particularly in national security.
Canadians, elected and non-elected officials, as well as civil society groups representing broad-based societal interests, should be engaged in a thoughtful, deliberate and informed discussion of reforming the Privacy Act.
To be effective, policy cannot be developed in a legal vacuum. The feebleness of the current legislation has created such a vacuum and the Privacy Act must be reformed to close the gap. Personal information privacy management frameworks are an integral part of sound information management practices and protection, but are not currently mandated.
New technological initiatives such as government on-line implicate privacy, as the walls that are inherently part of the data structure fade away. If we are to create overarching databases or merge existing databases of personal information, privacy must be built into the design stages of the new technology and systems, as must security.
The reporting requirements imposed on government institutions should be strengthened in the interests of transparency.
Parliamentary committees should have the appropriate support to review the personal information practices of the federal government.
The Privacy Act is urgently in need of modernization to address trans-border data flows. The Act should contain specific wording to define the responsibilities of those who transfer personal information outside the federal public sector into other jurisdictions and to address the issue of adequacy of protection in those jurisdictions.
The standard for disclosure set by the Privacy Act is very low. Most data protection statutes prohibit the disclosure of government-held information to a foreign state, except in very specific circumstances. This should be the standard for Canada and the Privacy Act should spell out the requirements to be included in any agreement, as well as accountability and reporting requirements concerning those agreements.
The Privacy Act should, at a minimum, also make it clear that, when government work is outsourced, the government institution remains accountable for personal information and that the information is considered to be under the control of the institution.
Guidance on contracts has been issued by the European Commission for several years now and compliance is expected. Now global organizations, inspired by the U.S. Sarbanes-Oxley Act, are moving on to more vigorous audit practices. The Government of Canada needs to meet these norms as well. Canada has just begun this process, with Treasury Board Secretariat guidelines issued in 2005.
The Privacy Act sets out fundamental rights of Canadians in their interaction with the federal state. The Supreme Court of Canada has recognized on numerous occasions that privacy interests are worthy of protection under the Charter, and has further stated that the Privacy Act has quasi-constitutional status. The importance of these rights has been magnified in the wake of the new state powers introduced under the Anti-terrorism Act. It is inappropriate in this day and age that the interests protected under the Privacy Act should be subordinate to other legislation.
The Privacy Act should also ensure greater transparency, accountability and oversight over the activities of national security agencies, including more stringent reporting requirements to Parliament.
The Privacy Commissioner is an ombudsman, with no order-making powers. The ability to truly fulfill the ombuds-role has frequently been frustrated by limitations in the Privacy Act. The question of order-making power will need to be carefully examined in the context of the Privacy Act reform. The Act should specifically empower the Privacy Commissioner to engage in mediation and conciliation, as is already the case under PIPEDA.
While OPC’s central function under both the Privacy Act and PIPEDA is to conduct investigations and audits, OPC also needs to advance privacy rights by other means – through research, communication and public education.
The scope of the Privacy Act needs to be expanded in a number of ways.
- Over the years, the government has created many entities that are not subject to either the Privacy Act or PIPEDA. As a statute with quasi-constitutional status, all bodies or offices through which public funds are expended should be subject to the Privacy Act unless Parliament specifically excludes them.
- The definition of personal information should be expanded to include both recorded and unrecorded information about an identifiable individual.
- The Federal Court should be able to review, not just claims of denial of access to personal information held by government, but also improper collection, use and disclosure of personal information. The Court should also be empowered to assess damages against offending institutions.
- The rights of access, correction and notation with respect to personal information held by a government institution should be extended to any person, not just those present in Canada.
The development of a robust privacy management regime that governs collection, use and disclosure of personal information has been a longstanding concern of this office. The deficiencies in the Privacy Act are readily evident when compared to the comprehensive set of fair information principles embodied in PIPEDA.
- Government institutions should only collect personal information that is reasonable and necessary for the particular purpose. They should specify the authority under which information is being collected, the uses to which it will be put, whether and with whom it may be shared, the consequences of not providing the information, and the right to make a complaint.
- Information collected may only be used for the purpose for which it was obtained or for a use consistent with that purpose. A “reasonable and direct connection” test should be applied in the case of consistent use.
- The Act is inadequate in its treatment of a government institution’s duties when it discloses personal information without the consent of the individual to whom it relates. Wherever possible, there should be a corresponding duty on the institution to inform the individual about the disclosure.
- A detailed review of the provisions allowing disclosure without consent should be conducted to strengthen and clarify wording.
Data matching has long been a concern of this office. Many believe that linkages or aggregation of personal information pose one of the greatest privacy threats we face today. Although there has been a Treasury Board Secretariat policy on data matching since 1989, many program managers asked about it in 2004 had never heard of it. The legislation should provide a framework identifying the principles governing data-matching and the responsibilities of the parties involved.
The framework that should apply under the Privacy Act in granting an individual the right of access to his or her own information should be based on maximizing the transparency of government (consistent with legitimate national security needs for secrecy) and ensuring a maximum amount of accountability of government to Parliament and Canadians.
The Privacy Commissioner, as well as the head of a government institution on the recommendation of the Privacy Commissioner, should be able to disregard any request that is trivial, vexatious, or made in bad faith.
Sanctions should be included in the Privacy Act for destroying, or altering, falsifying or concealing a record, as in the Access to Information Act.
The term “publicly available information” should be defined in the Privacy Act, as it has been in PIPEDA. Personal information should be released from government registries only in ways and for purposes consistent with the purpose for which the register is maintained.
The urgency of reforming the Privacy Act increases with each passing year. What is needed is legislation that is responsive to the complexities of contemporary governance, provides an effective framework to minimize risks to informational privacy in the face of new technologies, enables public accountability, and allows Parliament to fully assume its role of guardian of our fundamental values, including the right of informational privacy.
In an October 20, 2005 appearance by the Privacy Commissioner of Canada on the Annual Reports of her office, the Committee extended an invitation to provide proposals for Privacy Act reform. In response, the Privacy Commissioner is pleased to present this document, which contains commentary on the factors driving the need for reform of the federal Privacy Act, as well as general proposals and recommendations for changes to the Act. The purpose of this paper is to present the broad brush policy rationale and strategic directions to lay the foundation of a much needed — and long overdue — reform of the Privacy Act.
The Privacy ActFootnote 1 is a first generation privacy law that has not been substantially amended since its passage in 1982. The privacy landscape has changed dramatically over the course of the past two decades while the law has stood still. Many countries experience a disconnect between their legislative apparatus and the contemporary challenges posed by privacy management by both private and public organizations. Past a certain point, however, lags will impede on good governance and create significant risks for the state, civil society and the economy. In some respects, the federal government has reached this point with the Privacy Act.
There have been rapid technological changes in all aspects of government and in the activities it regulates. Elaborate and intricate systems are being built by governments and other organizations to collect, aggregate and share information: our consumer habits are registered, our use of government programs and benefits, our patterns as travelers ? virtually all aspects of our lives as citizens, students, workers, heads of family, tax-payers and consumers are being monitored in some way or another. The realities of ubiquitous computing and related phenomena such as the pervasiveness of video surveillance cameras reduces the private sphere and pushes even further the appropriation of personal information for a large range of purposes, some legitimate, some less so. Some of these intrusions are conducive to our democratic ethos and reinforcement of our institutions, many are much less so.
The privacy challenges posed today in contemporary government are compounded by increased globalization and heightened concerns over national security, combined with higher public expectations that the federal government will respect the fundamental privacy rights of the public it serves. Public concern over these issues is well documented in surveys conducted by independent pollsters.Footnote 2 The challenges are not unique to the federal government – or to the Canadian federation. These issues cut across many jurisdictions and even defy the very notions of national boundaries and the exercise of sovereignty.
Since her appointment, the Privacy Commissioner called on the Minister of Justice to introduce a much-needed reform of the Privacy Act. The present submission expands on those issues discussed with the Minister of Justice.
We have reviewed proposals put forward by the Information Commissioner last September to update the Access to Information Act of Canada when he appeared before the Access to Information, Privacy and Ethics Committee on September 29, 2005. Those proposals included a call for expanded coverage, greater government transparency and accountability for its information holdings, and a broader public education and research mandate. These proposals will be equally valuable to the Office of the Privacy Commissioner.
This submission also takes into account the recommendations of the Honorable Gérard V. La Forest in his November 15, 2005 report assessing the merits of merging the Offices of the Information and Privacy Commissioners.Footnote 3
Since the coming into force of the Personal Information Protection and Electronic Documents Act (PIPEDA)Footnote 4 in 2001, there has been growing pressure to provide similar personal information protections across both the public and private sectors. Numerous proposals in this submission are inspired by the higher standards that already exist in PIPEDA. In fact, some experts have noted that the federal government holds the private sector to a higher standard than it imposes on its own operations involving the collection, use and disclosure of personal information. This is problematic, particularly in light of the fact that the Canadian government has gained extraordinary powers over the informational privacy of citizens through a series of legislative measures,Footnote 5 and changes in machinery of government (creation of Public Safety and Emergency Preparedness Canada, Human Resources and Skills Development Canada, Social Development Canada, Service Canada, changes to enabling legislation of Canadian Border Services Agency, etc.). As the OPC has argued on several occasions, these changes in government powers and structures have not always been met by a comparable effort to strengthen oversight and control. Simply put, there is a disconnect between the surveillance infrastructures that have been put in place (many aspects of which are still under construction, for example “lawful access”Footnote 6) and the architecture of oversight and governance that is needed to prevent further erosions to the privacy rights and informational privacy of the citizens and residents of Canada.
The Privacy Act, because of its gaps, offers no effective counter-measures to prevent against the abuse and mismanagement of personal information holdings by either internal management and staff or external interested “parties”. The Act cannot effectively mitigate the inherent risks of the large and complex systems that are being designed and implemented to collect, process, aggregate and share the personal information of Canadians, residents and travelers in Canada. Contrary to the activities of the private sector, citizens and visitors cannot opt out of many federal government services or programs. Because of the government’s unique role and control over the delivery of a vast array of government services and programs, upon which millions of individuals rely without choice or options, the government has a special trust relationship with the citizenry and visitors. It also has special fiduciary and custodial responsibility for the significant personal information holdings it has on us as citizens. This trust makes it imperative that a strong legislative framework be designed and implemented to govern the collection, use and disclosure of personal information. This is not the case currently.
Canada is widely considered a leader in the domain of privacy. The passing of PIPEDA was widely hailed as innovative law by the international community. The unique institutions that Canada (Commissioners and Ombuds offices) has spawned, with their focus on mediation, conciliation and pragmatic problem solving, working with industry and governments, was regarded by many as an effective model, mid-way between the laissez-faire philosophy of some countries and the highly directive and coercive approach of others. This leadership position is at risk if the federal government allows the status quo to be perpetuated. Frustrated citizens, unable to obtain redress under the Privacy Act except for the most basic of rights, denial of access to their own information, may start taking action under PIPEDA wherever the Government of Canada has contracted services through the private sector, because they know the private sector must meet higher standards than the federal government.Footnote 7
Because of the central importance of the Privacy Act in determining the ”informational” relationship between the Canadian state and citizens and the quasi-constitutional nature of this statute, the OPC believes that the Government of Canada, and the Parliament of Canada should engage Canadians, elected and non-elected officials, as well as civil society groups representing broad-based societal interests in a thoughtful discussion on reforming the Privacy Act. Such a review took place in 1987, but the recommendations in the report Open and ShutFootnote 8 and in the testimony heard by the Justice standing committee, were never enacted.
The OPC has repeatedly emphasized the need for informed public debate on privacy laws whether they apply to the operations of government or to the activities of the private sector. Discussion of privacy issues has been spotty and targeted since the review in 1987, with a very limited consultation on electronic commerce issues prior to PIPEDA implementation, and the sole Senate committee hearings on the proposed privacy charter under Senator Sheila Finestone in 1995-96.Footnote 9 No sustained public consultation has taken place, even though drastic changes are being made to the way we treat citizens and their digital personae, through government online, the appropriation of data for various purposes in the electronic health record, and new surveillance of the population for public health and safety purposes. There is a need to talk to citizens about what we now know about them, a need not being addressed by the federal government. In this office, from our daily dealings with citizens, we can testify to how few actually understand the vast informational sea in which they live out their lives. This is not right, in a democracy, and the Government of Canada bears the responsibility for raising public awareness and fostering constructive public debate about the issues.
These issues have not yet been publicly discussed. What kind of privacy management regime do Canadians really want? What protection of their personal information do they expect of their national government? What role should the Parliament of Canada play in ensuring that the principles of personal information protection laws are adhered to by government departments and agencies? What are the current threats to the informational privacy rights of Canadians and residents posed by the development of new legislation, programs and systems that further probe into the daily lives of all of us, often without the slightest notification of intrusion and virtually no recourse for corrective action? These are fundamental questions which shape our future in all aspects of our citizenship. They will also shape our national sovereignty and collective identity.
To promote this debate, the OPC dedicated two full chapters in its 2004-05 Annual Report to the need for Privacy Act reform and the imperatives of developing a robust privacy management framework in the federal government. Law reform and privacy management are complementary; they must evolve together. The directions we propose for Privacy Act reform and for a privacy management framework are mutually reinforcing. To a large extent, we see Privacy Act reform as needing to offer a cogent and comprehensive framework that provides strong incentives for the federal community to:
- set robust and empirically verified standards for the development of procedures and systems that minimize the intrusion of data collection and protect against mismanagement and abuse of personal information by government staff and employees;
- develop performance indicators to report on the effectiveness of these systems to the Executive and Legislative arms of government and to ensure that the Canadian public is adequately informed of these measures and their implications for informational privacy;
- encourage the sharing and implementation of best practices in informational privacy management across the federal government and promote the exercise of management direction, self-correction, prevention and risk mitigation;
- set general process parameters (such as the conduct of Privacy Impact Assessments and Threat and Risk Assessments) to ensure that proper controls and monitoring mechanisms (including the use of internal audit and management oversight) are in place to minimize the risks to informational privacy resulting from the creation of large, interoperable systems that span across jurisdictions and organizations;
- encourage the codification of the practice of privacy professionals that contribute to the development of these systems and procedures through a carefully developed and authenticated certification and accreditation process and the development of codes of ethics that professionals engaged in privacy management need to set for their practice; and
- foster a process of continuous learning in privacy management across the federal government through the incorporation of personal information management skills development in public sector professions that handle highly sensitive information: human resources, the legal community, financial management --grants and contributions and other types of funds transfer, payment management, etc. In other words, the Privacy Act should provide a set of normative principles that would guide the design of a core curriculum for ATIP managers and staff, PIA specialists, etc. The Privacy Act, as it stands, is completely devoid of such a framework.
To be effective, policy cannot be developed in a legal vacuum. The feebleness of the current legislation has created such a vacuum and the Privacy Act must be reformed to close the gap. Personal information privacy management frameworks are an integral part of sound information management practices.
The Government of Canada has undertaken to develop an enterprise-wide system architecture for identity management. The initiative aims to offer a secure communications channel as well as a full suite of applications to ensure
- integrated identity management (including authentication),
- business and service transformation and integration,
- technical and information interoperability that will allow for the transfer of large amounts of personal information,
- common business, technology, rules and processes in key domains (e.g., security, privacy, technology, etc.) that will govern the full spectrum of data-sharing activities,
- identification of the scope of policy, and development of standards and guidelines for regulating data flows, and
- enterprise-wide management requirements for security and privacy for the entire federal government.
The OPC anticipates that, by the time the Privacy Act is modernized, TBS will have administratively built in many privacy protective policies and guidelines “from the bottom up.” This was the basic, inductive and pragmatic approach taken with PIPEDA: a committee made up of industry, government, consumer and labour representatives drafted a code, which was then adopted as a National Standard of Canada, and subsequently incorporated into legislation. This approach of mirroring law and practice worked.
The Office of the Privacy Commissioner observes that the need for the Government of Canada to engage in broad-based consultations on the reform of the Privacy Act is more pressing now than ever before, and that Parliamentarians must also be actively engaged in this debate.
Top of PageTable of ContentsA. Adapted and responsive framework for the appropriate discharge of privacy obligations
Canada has been remarkably successful in progressing towards the goal of government on-line. According to an annual survey of international government performance,Footnote 10 Canada ranked first of 22 countries for the fifth year in a row. Serving Canadians on-line is a government priority that promises less redundancy of information and better service to citizens. We must beware, however; e-government is upon us, but the legal structure to protect the personal information of citizens is a long way behind.
There are privacy implications to government on-line. When agencies and programs within government and across levels of government are separate, there are “walls” between them. Some programs restrict access to information through their enabling legislation and, in those cases, data are not shared. The Privacy Act permits data sharing, reinforced through the data matching policy,Footnote 11 but that policy has long since fallen into disuse and there is no effective audit and control mechanism to enforce it.
Now, however, enabling legislation increasingly is being amended to permit data sharing (e.g., CBSA enabling legislationFootnote 12). Protection for the citizen increasingly exists only in the walls that are inherently part of the data structure. Data held in separate databases created for specific purposes were effectively segregated by the mere fact that it was difficult to navigate across IT structures. Now, however, those walls are coming down as search engines improve, as databases go online, as common formatting becomes the norm. Thus, these walls which provided their own structural privacy protection, reinforcing the weak law and ineffective policy, are tumbling down.
The demands of e-government threaten the end of these protections. Data segregation may be antithetical to the concept of government on-line; certainly there is no doubt that it is less efficient and convenient.
When the walls come down, suddenly someone with a need to know only one piece of information has access to lots more. The people processing an application for CPP disability pension, for example, have a need to know personal health information. Other government officials do not need, nor should they have, access to that information.
In contrast, government on-line may demand interoperable systems that pool personal information and make it available to more users for more purposes. The greater the amount of information, access, and number of users, the greater the vulnerability of individuals to excessive government or bureaucratic surveillance. Information can be combined to reveal new information and create profiles of individuals. Profiling is the hallmark of surveillance societies. Dossiers on individuals, tracking their activities and their interaction with government, have no place in an open, democratic society.
Of course, while separate databases can have built-in protection against unrelated uses of personal information and/or profiling, they are not the only solution. If we are to create overarching databases or merge existing databases, privacy must be built into the design stages of the new technology and systems.
Another concern raised by government on-line is that of the security of the information. We know, for example, that federal institutions are failing to provide the vital IT security needed to protect the personal information of Canadians that circulates in the e-government environment. In February 2005, the Auditor General of Canada released a report on information technology security,Footnote 13 her first since the 2002 audit. She found that progress since then was unsatisfactory, despite encouraging signs of improvement. She concluded that government still does not meet its own minimum standards for IT security. Reviews and assessments of IT security performed in the last two years have indicated serious weaknesses in controls over access to data, programs, and networks. Even with the OPC’s limited scope and resources to do audits in this area, we can confirm that we have observed the same phenomena because so many privacy complaints we investigate stem from poor security and data handling practices.
The Auditor General urged the Government of Canada to pay attention to identifying threats and risks adequately, developing action plans to correct the weaknesses, and become fully compliant with IT policy and standards. The Privacy Act must mirror these obligations, requiring government institutions to appropriately safeguard the personal information they collect, use or disclose.
Finally, government on-line raises concerns about client authentication. Governments often need to identify with whom they are dealing, particularly when people are accessing benefits and programs electronically. As a result, they turn their thinking to e-identities and smart card-type solutions.
Authentication methods are fraught with privacy problems. Smart cards, for example, have the capacity to store or access large amounts of personal information relating to different programs and services. A single card that holds all the information about an individual’s interactions with government would accelerate the centralization and sharing of personal information and raise the problem of combined databases to a new level. Not to mention the identity theft concerns engendered by having such a portable and central identity record.
E-government may provide the critical push needed to make the Privacy Act a much more effective informational privacy framework. The Act must set out more stringent controls on access to the information pool. A better Act would also require greater justification for collecting information in the first place, one that needs to be clearly articulated. And a better Act would also demand a far stricter adherence to the principle that personal information must be used only for the purposes for which it was collected.
The reporting requirements under section 72 of the Privacy Act should be strengthened in the interests of transparency. This provision requires the head of every government institution to prepare for submission to Parliament an annual report on the administration of the Privacy Act within the institution during each financial year. The experience of the OPC is that reports under section 72 lack the necessary level of detail to render them useful to Parliament, to our Office or to Canadians. The reports typically consist of a collage of statistics on the number of personal information requests received and processed in a year. They rarely contain substantive information on privacy practices and policies being implemented or considered by government institutions. Almost never do they raise problems and issues the organization is facing. This is the type of information my Office would consider most useful in ascertaining the privacy sensitivity of government departments and agencies.
The OPC is encouraged by the recent annual privacy reporting guidelines issued by the Treasury Board of Canada,Footnote 14 which require Deputy Heads to report comprehensively on a broader spectrum of privacy management responsibilities, including those under the Treasury Board Policies on Privacy Impact AssessmentFootnote 15 and Data Matching.Footnote 16 To the extent that such policies may one day find a home in the Privacy Act, reporting requirements under section 72 of the Act should extend to all such activities of the government institution.
The OPC observes that the Government of Canada and Parliament, in their consideration of a reformed Privacy Act, should, notwithstanding specific requirements for national security agencies, include provisions to establish a level playing field in reporting on privacy management across the entire federal government. The OPC also observes that standing committees should have the appropriate support and resources to review the personal information practices of the federal government. These requirements would include, but not be limited to, the obligation to carry out Privacy Impact Assessments (PIAs) for new or substantially modified programs or policies (including new legislation), as well as the obligation to report on PIAs in the Annual Reports under s. 72 and, when and where appropriate, through the Departmental Performance Reports and other management representations to central agencies and Parliament.
Over the last two decades there has been a steady increase in the transfer of personal information from the Canadian government to governments of foreign states, particularly since the events of September 11, 2001. The Privacy Act is urgently in need of modernization to address trans-border data flows. The Act should contain specific wording to define the responsibilities of those who transfer personal information outside the federal public sector into other jurisdictions and to address the issue of adequacy of protection in those jurisdictions.
Paragraph 8(2)(f) of the Privacy Act authorizes disclosure of personal information under an agreement or arrangement between the government of Canada and the government of a foreign state.
The provision imposes only two duties on the disclosing institution: first, the disclosure must be made pursuant to an “agreement or arrangement”; second, the disclosure must be for the purposes of “administering or enforcing any law or carrying out a lawful investigation.” On its face, this provision would appear to permit, particularly in reference to the use of the term “arrangement,” the disclosure of personal data to a foreign state with an undertaking from the latter that the data will be used for a purpose authorized by the recipient’s domestic law, and affirmed with nothing more formal than a handshake. The Act imposes no duty on the disclosing institution to identify the precise use of the data, apart from satisfying itself that the data will be used to administer a law. Nor is there any other obligation on the disclosing institution to ensure that personal data shared with a foreign state is treated confidentially. The Act is simply silent on the disclosing institution’s duty to exercise any degree of control over data shared with a foreign state.
It is completely contrary to the intent of the Privacy Act that a government institution could disclose information to another institution or level of government without being obliged to thoroughly examine why the information is required, how it will be used, on what authority the request is made, and whether there are adequate safeguards to protect the information. Most data protection statutes prohibit the disclosure of government-held information to a foreign state, except in very specific circumstances. This should be the standard for Canada, particularly in light of the new threats imposed by the USA PATRIOT ActFootnote 17 to data provided by the Canadian government to US authorities.
This provision lags far behind international standards relating to trans-border flow of personal information. For example, EU Directive 95/46/ECFootnote 18 requires member states not to share personal data with a country outside the EU unless satisfied that the data importer accords the data “an adequate level of protection.” The adequacy of the level of protection afforded by the other country is determined by examination of a number of factors, including the nature of the data; the purpose of the disclosure; the rules of law, both general and sectoral, in force in the other country; professional rules (codes of conduct) and security measures which are complied with in the other country. Member states are also authorized to share personal information with a country the laws of which do not ensure adequate protection where adequate safeguards have been otherwise secured from the data importer by means of contract or some other bilateral legal instrument; in other words, where safeguards with respect to the protection of privacy have been secured through agreement. It would be appropriate to have specific wording in the Privacy Act that addresses the requirements to be included in any agreement under which personal information is to be transferred to a foreign jurisdiction.
Recognizing the generality of the disclosure provision in the Privacy Act, TBS has attempted to bring some clarity as to what government institutions are required to do in order to effect a disclosure under paragraph 8(2)(f). The TBS guidelineFootnote 19 states that the disclosure must be made in accordance with a “formal written agreement or arrangement,” and must contain the following elements:
- a description of the personal information to be shared;
- the purposes for which the information is being shared and is being used;
- a statement of all the administrative, technical and physical safeguards required to protect the confidentiality of the information, especially in regard to its use and disclosure;
- a statement specifying whether information received by the federal government will be subject to the provisions of the Privacy Act ?;
- a statement specifying whether information disclosed by the federal government would be subject to the provisions of the Privacy Act ?;
- a statement that the sharing of the information shall cease if the recipient is discovered to be improperly disclosing the shared personal information; and
- the names, titles and signatures of the appropriate officials in both the supplying and receiving institutions and the date of the agreement.Footnote 20
While this is a good start, an articulated framework is needed in some combination of legislation and/or regulation. In addition to the TBS guidelines, the framework should also address accuracy/reliability of data, retention limitations, limiting the amount of information disclosed to only that which is necessary, informing individuals where possible of the disclosure, notification of the data exporter by the data importer where secondary disclosure occurs (including any accidental or unauthorized disclosure), and compliance audits. In the interests of transparency, the information-sharing agreements should be available to the public. Canadians are entitled to know the extent to which their personal information is transferred across borders into the hands of a foreign government.
Paragraph 8(2)(f) should also be amended to state that personal information may only be disclosed where the information is required for the purpose of administering or enforcing any law which has a reasonable and direct connection to the original purpose for which the information was obtained.
Section 77 of the Act, the regulation-making power, should be amended to include a provision that allows the Governor-in-Council to make regulations prescribing the form and content of information-sharing agreements.
As reported in the 2003-04 Annual Report, the OPC conducted a preliminary scoping review of information-sharing agreements in place between Canada and the US. Of 21 agreements from 18 federal departments and agencies, approximately one-third were reasonably well drafted, covering most of the elements described above. Many of the agreements did not, to varying degrees, comply with privacy and security best practice principles and standards.
The following significant deficiencies were observed:
- Many of the agreements do not list the data elements nor provide a description of the personal information that will be shared.
- The protection clauses contained in the majority of agreements are general in nature, stating simply that exchanges will be subject to controls to ensure that the information is used only in an authorized manner and treated in a confidential manner.
- Only half of the agreements examined contained a third party caveat; that is, a statement indicating that the information received under the agreement will not be disclosed to a third party without the prior written consent of the party that provided the information.
- The majority of the agreements reviewed are silent on the issues of unauthorized use and disclosure, retention and disposal of personal information.
- Only three of the agreements examined contained an audit provision allowing the data provider to periodically assess the level of compliance with the terms and conditions of the agreement.
The OPC has identified transborder data flows, particularly with respect to the sharing of data across the US border, as a strategic priority. The office is currently conducting an audit regarding trans-border flow of personal information between the Canada Border Services Agency (CBSA) and the US. The objective of this work is to assess the extent to which the CBSA is adequately controlling and protecting the flow of personal information to foreign countries, in particular the US. The office will be reviewing the control CBSA exercises over disclosure to the US, including the identification and handling of any possible inappropriate disclosures. When this audit is completed, the OPC will be in an even better position to assess the rights and protections that apply to this information and to identify specific ways in which the Privacy Act could be strengthened.
The Office of the Privacy Commissioner observes that it would be timely and opportune for the Government of Canada and Parliament to consider a set of progressive legislative measures that offer an adequate level of protection for the personal information of Canadians and residents of Canada shared with other governments, including clear accountability and reporting requirements for government agencies and departments.
Top of PageTable of ContentsC. Outsourcing and public-private partnerships in the delivery of services and programs
The OPC approached TBS with its concerns about federal government outsourcing practices in the wake of the inquiry by the British Columbia Information and Privacy Commissioner into the implications of the US PATRIOT Act for outsourcing by that province. The results of the BC Commissioner’s inquiry were published in a report entitled Privacy and the USA PATRIOT Act – Implications for British Columbia Public Sector Outsourcing released in October 2004.Footnote 21
The OPC has been in active consultation with TBS over the past year concerning outsourcing issues at the federal level and is very pleased with the progress made by TBS, resulting in the recent posting of a guidance documentFootnote 22 that includes a practical privacy protection checklist for use by departments.
It is clear that considerable effort has gone into this document, and the OPC supports the work. The standards exceed the requirements of the Privacy Act in most respects, and clearly the Secretariat is continuing along the path of developing a privacy management framework that reflects current privacy and security requirements and the expectations of the public, not the far lower standard of the Privacy Act.
During the past ten years, as global corporations have stepped up to the challenge of complying with the growing data protection legislation that applies to their data holdings, they have tended to map their data flows and solidify their contractual restrictions. Guidance on contracts has been issued by the European Commission for several years now and compliance is expected. Now global organizations, inspired by the U.S. Sarbanes-Oxley Act,Footnote 23 are moving on to more vigorous audit practices. The Government of Canada needs to meet these norms as well, so this initiative on contractual guidance from TBS is welcome and long overdue.
The TBS document contains:
- a detailed risk assessment of contracting to determine if there is choice in the matter of contracting out and whether the data should be sent outside Canada;
- a guide to take the user through the RFP (Request for Proposal) stage, with questions, checklists, and sample documents;
- a user-friendly “invasion of privacy” test that goes through the sensitivity of the information, the expectations of the individual, and the probability and gravity of injury; and
- a brief summary of the provisions of applicable free trade agreements.
At a minimum, the Privacy Act should be amended to make it clear that the government institution remains accountable for personal information where decisions are taken to outsource departmental work and that the information is considered to be under the control of the institution. There are no provisions at present in the Privacy Act that address this.
As does section 30 of the B.C. Freedom of Information and Protection of Privacy Act,Footnote 24 the federal Privacy Act should require public bodies to make reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal of personal information. This obligation on the institution continues when the information is placed in the hands of a third party. A comparable provision exists under PIPEDA.Footnote 25 This proposal reflects Recommendation 7 from the British Columbia Commissioner to the federal government.Footnote 26
Consideration should also be given to introducing prohibitions and penal sanctions in the Privacy Act against disclosure in response to an order by a foreign court or other foreign authority. This reflects Recommendation 8 from the British Columbia Commissioner,Footnote 27 since incorporated into the B.C. statute by Bill 73, which became law on October 21, 2004.Footnote 28 In general terms, Bill 73
- extends the restrictions that already apply to public bodies to service providers and their employees,
- places restrictions on public bodies and service providers storing, accessing or disclosing personal information outside Canada,
- requires public bodies and service providers to report any foreign demand for disclosure of personal information,
- protects “whistle-blowers” who report a foreign demand for information, and
- creates offences for violation of the new privacy protection provisions, including fines.
Clarification should also be made in the law concerning the obligations of private sector entity contractors subject to private sector informational privacy laws. Generally speaking, the approach taken at present is to honour the higher standard. So, for example, where PIPEDA imposes certain obligations on the contractor, these must be included in the contract arrangements with the public sector agency.
The Office of the Privacy Commissioner suggests that the Government of Canada and Parliament consider amending the Privacy Act to make it clear that the information is considered to remain under the control of the government institution and that the institution remains accountable for personal information in the outsourced work.
Top of PageTable of ContentsD. Comprehensive accountability framework for National Security Agencies
In its submissions to the Parliamentary committees conducting the three-year review of the Anti-terrorism Act,Footnote 29 the OPC noted:
Canadians are increasingly aware of informational privacy issues and expect a reasonable and balanced approach to a national strategy to combat terrorism. The trends also suggest that the public demand for greater accountability, transparency, and control over agencies involved in national security is increasing.Footnote 30
The amendments to the Privacy Act proposed in this document are consistent with those objectives of accountability, transparency and oversight.
The Privacy Act sets out fundamental rights of Canadians in their interaction with the federal state. The Supreme Court of Canada has recognized on numerous occasions that privacy interests are worthy of protection under the Charter,Footnote 31 and has further stated that the Privacy Act has quasi-constitutional status.Footnote 32 The importance of these rights has been magnified in the wake of the new state powers introduced under the Anti-terrorism Act. It is inappropriate in this day and age that the interests protected under the Privacy Act should be subordinate to other legislation. PIPEDA takes primacy over other legislation, unless Parliament expressly declares otherwise.Footnote 33 So should the Privacy Act. Such a provision would not only bring the Privacy Act onto the same footing as PIPEDA,but would also affirm the quasi-constitutional nature of the informational privacy rights protected by the Act.
The Privacy Act and PIPEDA were amended by the Anti-terrorism Act, which deprived individuals of their rights where the Attorney General has issued a certificate under section 38.13 of the Canada Evidence Act.Footnote 34 This provision permits the Attorney General to override a decision of the court requiring disclosure of information. In its submission, the Office advocated the repeal of section 38.13, on the basis that some aspects of the section 38 procedures offend the principles of procedural fairness and open courts. With the repeal of section 38.13, the normal processes under the Privacy Act and PIPEDA would and should once again apply.
In the OPC’s submissions on the enabling legislation for the new department of Public Safety and Emergency Preparedness,Footnote 35 the office urged a stronger leadership role to be defined for the Minister relating to management and protection of personal information among the portfolio entities.Footnote 36 While the office’s suggestions were not adopted, we believe it would be appropriate to revisit the concepts within the context of Privacy Act reform. More generally, consideration should be given to amending the Privacy Act to require government departments and agencies, especially those with a national security mandate, to develop and implement a privacy management framework with an internal privacy audit capacity and a defined role and accountability structure to frame the privacy leadership responsibilities of the head of the institution. Security management frameworks, such as the new ISO/IEC 27001 series standards,Footnote 37 all emphasize that, unless someone is explicitly assigned to be accountable, no-one is accountable; it is the same with privacy. Both security and privacy regimes clearly have suffered from this fate.
The OPC recommends that the Government of Canada and Parliament, in their deliberations on a reformed Privacy Act, explore amending relevant Privacy Act provisions to ensure greater transparency, accountability and oversight over the activities of national security agencies including more stringent reporting requirements to Parliament. In other words, the proportionality principle should apply here: with heightened powers to collect, use, disclose, process, share and aggregate personal information about the citizens and residents of Canada, the government of Canada needs to meet higher standards of accountability and answerability of public officials to Parliament. These requirements must also be reflected in mandate letters and performance agreements of Ministers and Deputy Ministers and throughout the entire accountability chain of the Management Accountability Framework. A reformed Privacy Act is needed to provide the impetus for this integration to happen in the accountability framework, akin to changes brought to the Financial Administration ActFootnote 38 to strengthen financial management practices.
Consistent with the logic and practice of modern comptrollership, a reformed Privacy Act could also contain provisions that specifically require national security departments to harness their internal controls functions (including but not limited to internal audit) to reinforce privacy management practices. Because of the wide ranging powers of these agencies and the potential deleterious impacts on the lives of citizens, the Privacy Act could contain specific reporting and accountability provisions for national security agencies. A reformed Privacy Act could also set general parameters for Parliament, through the work of standing committees and the newly formed Committee of Parliamentarians on National Security, to exercise its oversight role over the use, collection and disclosure of personal information. The OPC would bring its privacy expertise and knowledge to the work of Parliament in the exercise of these duties.
A consistent area of critique and concern has been the effectiveness of the model chosen for the Office of the Privacy Commissioner. The Privacy Act establishes the Privacy Commissioner as an ombudsman, with no order-making powers. In the public sector, the ombuds-model serves as a critical mechanism for governments to regulate themselves and be held accountable for their actions.
The role of the ombudsman was described by the Supreme Court of Canada in Lavigne v. Canada (Office of the Commissioner of Official Languages):
An ombudsman is not counsel for the complainant. His or her duty is to examine both sides of the dispute, assess the harm that has been done and recommend ways of remedying it. The ombudsman’s preferred methods are discussion and settlement by mutual agreement.Footnote 39
Like investigative bodies, ombudsmen have substantial powers to interview anyone, to compel evidence and examine any records they need to reach a conclusion. The Federal Court of Appeal has recognized that the Commissioner’s statutory duty of confidentiality owed to the parties is an essential feature of an effective ombuds-model.Footnote 40
Unlike some apparently similar bodies, an ombuds-office does not issue orders or impose penalties. Ombuds-persons resolve disputes through persuasion, relying on their competence, knowledge and impartiality. They are not tribunals or mini-law courts, and their less formal approach makes the process less intimidating for citizens and much less costly for all concerned.
As an independent ombudsman, the Office of the Privacy Commissioner acts as an investigator and auditor, with full powers to conduct follow-up audits on well-founded cases and to monitor compliance.
The Privacy Commissioner’s ability to truly fulfill the ombuds-role has frequently been frustrated by limitations in the Privacy Act, however. For instance, the Privacy Act only authorizes the Privacy Commissioner to ask the Court to review a complaint that access has been improperly denied. The law is silent on Court review of improper government collection, use, disclosure or disposal of Canadians’ personal information.
The potential problems with the ombuds-model are as evident as its benefits. Its success depends on persuasion and cooperative discussion. The recommendations of an ombuds-person must be respected, given due consideration, and acted upon except in exceptional circumstances, else there is no ability to achieve balance, assist citizens and resolve issues. Governmental disregard of objections and concerns raised by the OPC puts the fundamental informational privacy rights of all Canadians profoundly at risk.
However, there are also problems with an order-making model. In his report, Mr. La Forest concluded:
There is a danger that a quasi-judicial, order making-model [sic] could become too formalized, resulting in a process that is nearly as expensive and time-consuming as court proceedings. It is also arguable that the absence of an order-making power allows the conventional ombudsman to adopt a stronger posture in relation to government than a quasi-judicial decision-maker. There is also some virtue in having contentious issues settled by the courts where proceedings are generally open to the public.Footnote 41
Mr. La Forest notes that it is, however, possible that the order-making model could prove to be a more effective way of vindicating the principles underlying the Privacy Act (and PIPEDA); the model has been successfully used in several provinces, without becoming overly formalized. Privacy Commissioners in Canada, whether empowered to issue orders or not, attempt first to resolve complaints informally through conciliation, mediation and other types of dispute resolution.
Mr. La Forest concludes, and the OPC agrees, that the option of granting order- making powers to the Privacy Commissioner should be studied in further depth. He also recommends, and again the OPC agrees, that the Act should be amended to specifically empower the Privacy Commissioner to engage in mediation and conciliation, as is already the case under PIPEDA.
The question of order-making power will need to be carefully examined in the context of the Privacy Act reform. To what extent would order-making power increase our ability to induce positive change and reinforcement in the personal information management practices of the federal government across the entire spectrum of personal data activities?
Daunting and complex problems are posed by trans-border data flows, by e-government initiatives that imply the construction of massive databanks, by outsourcing of services that involve access to the personal information of program recipients and citizens, and by the practices of data matching and linkages that allow government agencies to compile profiles on people and their activities. To what extent would order-making powers allow the OPC, as an institution advising Parliament and serving society, to be more effective in promoting better personal information management practices in the federal government? What would the general parameters of these powers be? How would they be executed? What would they involve? What would the resource implications of such powers be? What competencies and capabilities would we need to develop? There is a long and complex list of questions that would need to be addressed about the shape and form of these powers.
These powers would also need to be assessed in relation to their impacts on other roles currently performed by the OPC as an ombuds-office. Are there inherent role contradictions between the capacity to issue binding decisions and our ability to carry out our role as an ombudsman, in its many multifaceted dimensions (educators, reviewers and auditors, investigator, etc.)?
This examination should also draw from the experience of other Canadian jurisdictions. To what extent would the concept of a multi-functional tribunal along the lines of Alberta's and BC's models be applicable in the federal purview, especially in the critical domains of national security and public safety? What would the challenges of such a model be in areas of shared jurisdiction, health policy being a good example?
Also, the broader systemic and relational implications of order-making powers should be examined. What would the implications be of a new model for the powers of the Federal Court?
The body of scholarly knowledge on the concept and practices of administrative tribunals should be analyzed with a view to gauging, both conceptually and in practice, the effectiveness of alternative models (e.g., multi-functional tribunals) on informational privacy protection in the federal government and assessing the relative merits of these models in comparison with the current model.
While our central function under both the Privacy Act and PIPEDA is the investigation and resolution of complaints, we also need to advance privacy rights by other means – through research, communication and public education. The Commissioner lacks the legislative mandate under the Privacy Act to educate the public about their informational privacy rights with respect to information held by federal government institutions. PIPEDA, on the other hand, does grant her the express mandate to educate the public about their rights concerning personal information held by private sector businesses. The Commissioner should be equally empowered to sensitize business, government and the public under both laws.
Accordingly, the Privacy Act needs to be amended to expressly mandate the Privacy Commissioner to undertake research and prepare reports on informational privacy issues, educate the public about their informational privacy rights, and/or evaluate the informational privacy implications of proposed legislation.
The Act could be amended to expressly allow the Commissioner to:
- conduct or commission research that would further the purposes of the Act;
- develop and conduct public education and information programs to foster public awareness, understanding and recognition of the purposes of the Act and informed public debate over privacy issues;
- promote the purposes of the Act by any means the Commissioner considers appropriate;
- comment on the privacy implications of proposed legislative schemes or programs of public bodies; and
- disclose information pertaining to the activities of government institutions outside of the vehicle of the Annual Report.
In his report, Mr. La Forest notes that the Privacy Commissioner is
frequently involved in high-level debates about the long-term, systemic, and often transnational effects on privacy of proposed and existing legislation and policy, such as the government’s reaction to the threats of organized crime and terrorism and the privacy implications of novel surveillance and information gathering technologies.Footnote 42
It is also the role of the Commissioner “to educate the public about their access and privacy rights and inform them of the threats posed to these rights by various technological, social and legislative developments.”Footnote 43
Mr. La Forest specifically recommended, and the OPC agrees, that:
- The Access to Information Act and the Privacy Act should be amended to specifically empower the commissioners to comment on government programs affecting [the] sphere of jurisdiction. Ideally, there should be a corresponding duty imposed on government to solicit the views of the Commissioner on such programs at the earliest possible stage.
- The Access to Information Act and the Privacy Act should be amended to recognize the role of the commissioners in educating the public and conducting research relevant to their mandates.Footnote 44
When they were introduced, the Privacy Act and the Access to Information Act were intended to work together to make government more transparent, and thus more accountable, to the citizenry. As enacted, however, the legislation only applied to those government departments and other government bodies or offices identified in a Schedule to the Act. There has been continual confusion and discussion as to which entities should be included in the Schedule.
Over the years, the government has created many entities that are not subject to either the Privacy Act or PIPEDA.Footnote 45 And as government creates new institutions, a debate ensues on whether to add the new body to the Schedule. Such entities take the form of boards, tribunals, commissions, foundations etc. They may operate as partnerships or joint ventures receiving funds from both the federal government and provincial governments. The office is in the process of attempting to confirm the full extent of the gap in more detail.
This issue of incomplete coverage of government institutions has also been addressed by the Information Commissioner. In his September 2005 submission, he proposed that all entities through which public funds are expended be subject to the Act, unless Parliament specifically excludes them. He identified these entities as
- all departments and ministries of state of the Government of Canada
- all bodies or offices funded in whole or in part from Parliamentary appropriations,
- all bodies or offices wholly or majority-owned by the Government of Canada
- all bodies or offices listed in Schedules I, I.1, II and III of the Financial Administration Act; and
- all bodies or offices performing functions or providing services in an area of federal jurisdiction that are essential to the public interest as it relates to health, safety or protection of the environment.
As the Committee agreed with that proposal and recognized the interconnected nature of the two pieces of legislation, the OPC anticipates that the Committee would also agree that the Privacy Act should reflect this “all in, unless specifically excluded” approach.
Technology has effectively demonstrated that the Privacy Act’s definition of personal informationFootnote 46 as being “recorded in any form” is outdated. Unrecorded information, such as from real-time electronic monitoring (live surveillance cameras) or from biological samples, is beyond the scope of the Act. Yet the technologies can yield intelligible information about identifiable individuals. As such, it should benefit from legal protection. In our view, the definition of personal information should be expanded to include both recorded and unrecorded information about an identifiable individual.
The proposal is, in our view, pragmatic. Some provincial privacy laws and PIPEDA apply to unrecorded information. For example, a security company in the Northwest Territories mounted four security cameras on the roof of its building aimed at a main intersection in Yellowknife. For several days, 24 hours a day, staff monitored a live feed and reported a number of incidents to local police. The monitoring was intended to demonstrate the service and generate business for the company.
Although a public outcry quickly ended the demonstration, the Commissioner had the power to investigate under PIPEDA and issue findings that provide helpful guidance for other organizations. The Commissioner concluded that, while monitoring public places may be appropriate for public safety reasons, there must be a demonstrable need, the monitoring must be done by lawful public authorities and it must be carried out in ways that incorporate all legal privacy safeguards.
The Privacy Act would not have permitted an investigation in this situation, since no video recordings were made. Accordingly, the OPC has been engaged in discussion with law enforcers to define a set of governance principles to regulate the use of video-surveillance in public spaces. These discussions have been protracted in part because the Privacy Act offers no help in setting utilization and notification standards. A reformed Privacy Act needs to be responsive to the digital imagery and biometric applications of contemporary law enforcement surveillance and monitoring activities. In its current shape, it isn’t.
The Privacy Commissioner can receive complaints concerning the full array of rights and protections under the Privacy Act, including complaints of inappropriate collection, use or disclosure, failure to maintain up-to-date and accurate data, improper retention or disposal, and complaints relating to denial of access or correction. The Commissioner can make recommendations to the government institution and request notification of the actions they intend to take and report the institution’s response to the complainant.
If the response of the institution is not satisfactory, the Privacy Commissioner has no authority (other than to publicize this conclusion in an Annual Report) to require the government institution to remedy its deficiencies. The Act only allows for Court review of a government institution’s refusal to provide access to an individual’s personal information. Even when the Commissioner agrees that a complaint about inappropriate collection, use or disclosure has merit, neither the Court nor the Privacy Commissioner has any powers to provide a remedy. This was confirmed recently in a decision by the Federal Court.Footnote 47 This limitation also means the Federal Court is precluded from providing needed guidance, applicable to all government institutions, on what constitutes inappropriate collection, use or disclosure of personal information.
Inappropriate use or disclosure of personal information in particular has the potential to cause embarrassment or other harms to the person. However, the Privacy Act, unlike PIPEDA, does not allow for remedies for any damages caused by government actions.
Individuals, or the Commissioner acting on their behalf, should be able to ask the Court to review government collection, use and disclosure of personal information following completion of an investigation. In addition, the Court should be empowered to assess damages against offending institutions.
The Privacy Act provides individuals with the rights of access, correction and notation with respect to personal information held by a government institution. The Act currently requires that an individual be present in Canada to have these rights. This means that airline passengers, immigration applicants, foreign student applicants, and countless other foreign nationals have no legal right to examine or correct erroneous information in Canadian government files, or to know how the information is used or disclosed.
As the OPC noted in its 2004-2005 Annual Report, this is not consistent with international practice. For example, European Directive 95/46/EC requires that access rights be granted to every data subject, regardless of citizenship or place of residence.
It is becoming increasingly difficult to justify limiting access rights in the face of international mobility and the ensuing exchange of personal data. In January of 2005, the EU Article 29 Working Party issued an opinion that Canada provides an adequate level of protection for the transmission of Passenger Name Record and Advanced Passenger Information from airlines to the Canada Border Services Agency. This opinion was based on a consideration of Canadian law (the Privacy Act) supplemented with numerous commitments made by the CBSA. One such commitment was to administratively extend rights of access, correction and notification under the Privacy Act to persons not present in Canada.
The opinion went on to encourage examination as to whether this commitment could be legally recognized in the Privacy Act. The Working Party underlined the importance of non-discriminatory treatment of EU citizens in this respect and requested that the Privacy Act be amended as soon as possible.
The development of a robust privacy management regime that governs collection, use and disclosure of personal information has been a longstanding concern of this office.
The Privacy Act contains a much attenuated version of the fair information principles, with non-existent or overly-lenient controls on the information management practices of the federal government. The deficiencies in the Privacy Act are readily evident when compared to the comprehensive set of fair information principles embodied in PIPEDA.
Mr. La Forest refers in his report to jurisprudence of the Supreme Court of Canada that makes it clear that information collected by the government remains in a fundamental way that of the individual and must remain confidential and restricted to the purposes for which it was divulged.Footnote 48 He urges government to commit to openness and transparency in the service of democratic accountability and to further commit to the principle that information collected about an individual is private and should, with a minimal number of overriding reasons, be used only for the purpose for which it is collected.
Section 4 of the Privacy Act limits a government institution to collecting information only if it “relates directly to an operating program or activity of the institution.” A far more effective expression of privacy rights, typical of more modern data protection laws, is to require that the collection of information be reasonable and necessary for these programs or activities. This approach has been adopted in PIPEDAFootnote 49 and in a number of other jurisdictions both inside and outside Canada. While Treasury Board policyFootnote 50 has been to interpret the Privacy Act in this manner, fundamental rights should be set out in legislation, not left to the vagaries of policy statements.
Subsection 5(1) imposes on an institution an obligation to collect the information to be used for “an administrative purpose” directly from the data subject “wherever possible.”Footnote 51 Administrative purpose is defined as a decision-making process that directly affects the individual.
This obligation to collect directly does not similarly apply to governmental collections of personal information for non-administrative purposes — even though they may affect individuals. Information collected indirectly and without knowledge of the individual may be used to develop policies, practices and procedures which may ultimately impact on that individual or on groups to which government determines he or she belongs (e.g., income categories, training profiles, etc.). A framework is required in the Act to address collection of information for non-administrative purposes, including provisions for notification and consent of the individual.
Moreover, this section permits the head of a government institution to exercise discretion in deciding whether to collect directly or indirectly by selective application of the threshold test of “wherever possible.” Permissible collection of personal information from sources other than the data subject must remain a clear exception. For this reason, we suggest that subsection 5(1) be amended to make it clear that an institution must collect the information to be used for an administrative purpose directly from the data subject unless otherwise authorized under clear and specific exceptions set out in the Privacy Act.
Under subsection 5(2), a government institution is obliged to inform an individual from whom that institution is collecting personal information of the purpose for which the information is being collected. This is a much attenuated version of a basic privacy right. It should be expanded to require that government institutions specify the authority under which information is being collected, the uses to which it may be put, the institutions with which it may be shared, the consequences of not providing the information, and the individual’s right to complain under the Privacy Act.
Finally, some direction about how information is collected directly from an individual may be of assistance. As technology develops and changes, hitherto unforeseen intrusions become increasingly possible and contemplated. It should be made clear that, where a government institution is authorized to collect information, it must do so in the least intrusive, yet most transparent manner possible, and it must limit the information collected to that which is necessary.
Section 7 imposes on a government institution the obligation to use personal information only for the purpose for which it was obtained or for a use consistent with that purpose. While the notion of “consistent use” is central to the Privacy Act, it is also perhaps one of the most problematic concepts within the Act. Although this issue was identified almost 20 years ago in the review of 1987,Footnote 52 we have made no progress, except to ensure that the mistake was not repeated in the drafting of PIPEDA.
If “consistent use” is to be retained in the Privacy Act at all, it must be defined in a clear and limiting way. Consistency with the general mandate of a government institution should not be sufficient justification, nor should data-matching be able to take place under the guise of consistent usage.
Government institutions must be reminded that a proposed use must be consistent with the purpose for which the information was collected, and that the purpose must be related to a specific operating program or activity of the institution. It is, therefore, the particular program or activity which serves as the point of reference for determining consistent use, not the general mandate of the institution.
In sum, we recommend that section 4 be amended to require that personal information collection be subject to a requirement that it be reasonable and necessary for an operating program or activity of the government institution. A similar “reasonable and direct connection” test should be applied in the case of consistent use.
Section 8(2) of the Privacy Act sets out specific circumstances in which government institutions may disclose personal information without the individual’s consent. The Act is inadequate in its treatment of a government institution’s duties when it discloses personal information without the consent of the individual to whom it relates. Wherever possible, when information is disclosed without consent, there should be a corresponding duty on the institution to inform the individual about the disclosure.
The notification requirement would not supplant the ability of a government institution to disclose personal information without consent where necessary. In situations where it was appropriate to provide notice before the disclosure, prior notification might empower individuals to challenge a disclosure before it is made. As then-Commissioner Bruce Phillips noted in his 1991-92 Annual Report,
the Access to Information Act provides a mechanism for alerting third parties, such as corporations, whose sensitive commercial information may be shared. Yet, the Privacy Act provides no similar rights to individuals whose sensitive personal information may be disclosed. Does not personal information deserve protection from abuse that is at least the equal of that afforded to corporate information?Footnote 53
To date, the question has remained unanswered.
Where appropriate, government institutions should be prevented – unless failure to disclose immediately would result in some identifiable harm — from disclosing personal information when notification is required until the individual has been given a reasonable opportunity to either consent or object. The institution would retain the right to disclose the information over the individual’s objections, subject to court review at the request of the individual.
In some cases, prior notification of the disclosure of personal information might not be feasible, but notification without delay of the fact that a disclosure took place may be appropriate. In a situation where failure to disclose immediately could result in identifiable harm, for instance, an organization could inform the individual in writing of the disclosure after the fact. While this would not provide individuals with the ability to challenge the disclosure with a view to preventing it, it would add a necessary degree of transparency and accountability to the information management practices of an institution.
A disclosure without consent or notification would, therefore, be the exception under s. 8(2) rather than the default position.
We recommend that a full review of the provisions of s. 8(2) be undertaken to determine which disclosures could accommodate a prior notification requirement, which would be amenable to a post-disclosure notification, and the few circumstances in which notification would not be appropriate.
b) Authorized Disclosures
A detailed review of the permissible disclosure provisions in section 8(2) should be conducted to strengthen and clarify wording. The language in these provisions generally lacks precision; the following examples illustrate this concern.
- Section 8(2)(a) allows the disclosure without consent of personal information for the purpose for which the information was obtained by the institution or for a use consistent with that purpose. In keeping with our suggestions for narrowing and clarifying the collection and use provisions, this provision should be amended to adopt a “reasonable and direct connection” test for disclosure of information.
- Section 8(2)(b) permits a government institution to disclose personal information for any purpose in accordance with any Act of Parliament or federal regulation that authorizes its disclosure. Perhaps one of the most evident demonstrations of the weakness of this provision was provided by the Federal Court of Appeal in 2000 in the E-311 case.Footnote 54 The Court concluded that the disclosure provision in s. 8(2)(b) of the Privacy Act enabled Parliament to confer on any Minister, through a given statute, wide discretion to disclose information collected by the Minister’s department. The Privacy Commissioner had unsuccessfully argued for a more limited interpretation of the provision that would require the specifics of the permissible disclosures to be set out in the statute, rather than merely an open-ended discretion. The OPC suggests that section 8(2)(b) be amended to build in a requirement that the relevant statute must set out the specifics of the situations in which information may be disclosed.
- Section 8(2)(f) authorizes disclosures under an agreement or arrangement between the Government of Canada and the government of a province or a foreign state. As discussed in detail under Part II of this document, this provision needs to be much more specific as to the parameters of any such sharing and provide guidance on the kinds of contract provisions that are needed to safeguard privacy.
There have also been numerous issues of interpretation related to the other disclosure provisions in section 8(2), many, if not most, of which could be resolved through more precisely crafted language.
Data matching has long been a concern of this office. Many believe that linkages or aggregation of personal information pose one of the greatest privacy threats we face today. Privacy concerns regarding the practice were raised as far back as the 1987 Parliamentary review of the Privacy ActFootnote 55 which resulted in a recommendation that the Government establish ground-rules for data matching. Those rules found expression in a TBS policy published in 1989.
Under the TBS Policy on Data Matching,federal departments and agencies are required to notify the OPC of any data matching proposal. As reported in the office’s 2004-2005 Annual Report, few of these matches are actually reported, likely due to confusion among departments as to which activities attract a reporting requirement.
In the template on Privacy Impact Assessment developed by TBS,Footnote 56 there is a question that asks departments to identify whether any data-matching is involved. Interviews with users of the tools indicated in 2004 that many program managers had never heard of the data-matching policy. There has also been long-standing confusion as to whether data-matching includes not just traditional data matching but also data-linking, -mining and -profiling, and there are no clear distinctions between data matching for administrative as opposed to non-administrative purposes. The term itself conjures up images of reel-to-reel tapes being processed against each other, with a limited number of set terms to look for. That may have been the way data were mined in 1985, but it does not describe data management and exploitation in 2005. It is time the Act caught up with reality.
TBS is now conducting a review of the data-matching policy. The OPC has been consulted and the response from TBS to our concerns has been positive. We look forward to the results of the work of TBS, which we anticipate will bring significant changes to the Policy and which will be instrumental in informing the drafting of any legislative provisions pertaining to data matching.
Even with the anticipated improvements to the policy, there is still a place to set out in legislation a framework identifying the principles governing data- matching and the responsibilities of the parties involved. The legislation should include basic elements, such as definitions, a requirement for advance notification to OPC, and powers of the Commissioner to stop the proposed data matching from taking place if it is not up to standards.
These measures are warranted, given the absence of effective controls in the Privacy Act. In 2000, the Federal Court of Appeal issued an important decisionFootnote 57 that showed the very limited utility of the federal Privacy Act in controlling the onward disclosure of information collected for one purpose so that it can be matched with other data for a completely unrelated purpose. The Court found that the Privacy Act permitted the disclosure of customs information for use in an investigative data-match program for completely unrelated purposes – to determine if persons were fraudulently receiving Employment Insurance benefits while outside of Canada. The following year, the Supreme Court of Canada affirmed the decision of the Federal Court of Appeal.Footnote 58
In the case of data-matching for research and statistical purposes, a good example of a framework can be found in the departmental legislation for the Department of Social Development and the Department of Human Resources and Skills Development.Footnote 59 This framework was responsive to earlier concerns raised by the OPC pertaining to data-linkage activities of the former Department of Human Resources Development Canada.
Guiding principles under the framework include a consideration of such matters as the object of the analysis or research, whether it is possible to conduct the work without the information, and whether the analysis or research is in the public interest. The framework also prohibits departmental staff from using information that would allow an individual to be identified, unless authorized by the Minister. Further, any information used for policy analysis, research or evaluation purposes cannot be used for any administrative purpose. The OPC is very pleased to see the development of these kinds of models, but nevertheless believes that the requirements for setting adequate protection from and notification of data-matching, as well as the obligation for a public accounting of these activities, should be reflected in legislation.
The OPC recommends that the Government of Canada and Parliament define, in a reformed Privacy Act, the principles governing data-matching and the responsibilities of the parties involved. The legislation should include basic principles such as definitions, a requirement for advance notification to OPC, and powers of the Commissioner to stop a match if it is not up to standards. The OPC further suggests that the definition of data-matching be comprehensive to include the activities of data-mining and data aggregation, whether carried out directly by federal agencies or purchased from private vendors. The phenomenon of data aggregators selling profiles to government agencies as part of routine reliability and security checks is intensifying in many countries. While we are not aware of any specific instances at the federal, provincial/territorial or municipal levels, it would be surprising if Canada were an exception to this trend.
On September 29, 2005, the Information Commissioner of Canada presented his recommendations for reform of the Access to Information Act. The Privacy Act and ATI Act contain numerous parallel exemptions to the right of access to information.
The Office of the Information Commissioner stated that it was guided by the goals of maximizing the transparency of government consistent with legitimate national security needs for secrecy in running a country like Canada, and ensuring that there is, in future, a maximum amount of accountability of government to Parliament and Canadians.
The same goals are equally applicable to the framework that should apply under the Privacy Act in granting an individual the right of access to his or her own information. In addition to the goals of transparency and accountability, there are significant fairness issues that come into play under the Privacy Act, supporting the need to maximize disclosure where possible.
The Information Commissioner made proposals to strengthen the right of access by making exemptions discretionary instead of mandatory and by introducing the concept of an injury test where this does not already exist. Another proposal calls for making Cabinet confidences an exemption, rather than an exclusion, subject to the normal review by the Information Commissioner and the Federal Court. The OPC looks forward to future discussions with the Information Commissioner with a view to determining the appropriateness of parallel amendments to the Privacy Act. The OPC further suggests that, as Parliamentarians examine a reformed Access to Information Act, due consideration be given to the right of access to personal information afforded in the Privacy Act.
The Information Commissioner has proposed an amendment to the Access to Information Act to permit the head of a government institution to disregard an access request that is frivolous, vexatious or contrary to the purposes of the Act, on recommendation of the Information Commissioner.
The OPC has also encountered numerous situations where the right of access under the Privacy Act is clearly being used, not in a genuine desire to get access to information, but rather to further a personal interest or to target certain individuals or institutions for completely unrelated purposes. The amendment proposed to the Access to Information ActFootnote 60 is also appropriate for the Privacy Act.
Similarly, the right of complaint to the Privacy Commissioner is potentially open to abuse. Discretion should be granted to the Privacy Commissioner to deal in an appropriate manner with complaints that are trivial, frivolous or vexatious or are made in bad faith. Such a provision already exists in PIPEDA.Footnote 61 Consideration also needs to be given to the principles of due diligence and procedural fairness in the determination of what constitutes such complaints.
In addition, it would be important to grant the Privacy Commissioner greater discretion to deal in a more summary fashion with some complaints or some categories of complaints. This is a common feature of many newer regulatory frameworks and would allow for more strategic use of limited resources.
The Access to Information Act provides sanctions for any person who deliberately destroys, alters, falsifies or conceals a record, or directs anyone to do so, with the intent of obstructing the right of access provided by the Act. The same provision should be included in the Privacy Act and it should also include the intent of obscuring any action in contravention of the Act.
One exception to the Privacy Act’s use and disclosure provisions concerns material that is “publicly available.”Footnote 62 This provision has been the source of much debate over the years. It is clear that material held in such places as public archives and public libraries would typically be considered publicly available; however, it is less clear in other situations where the material, while technically available to the public, is not readily accessible or visible. The OPC has generally taken the position that information should be considered in the public domain only if it is reasonably accessible to anyone. The exception in the Act should not be interpreted so broadly as to throw all privacy considerations out the window merely because someone somewhere might be able to access the material.
The term “publicly available information” should be defined in the Act.
PIPEDA uses regulations to specify what is meant by “publicly available,”Footnote 63 thus limiting the extent to which an organization may collect, use or disclose such information without consent. Information contained in professional or business directories, public registries, and in records of judicial or quasi-judicial bodies may only be collected, used and disclosed where the collection, use or disclosure of the personal information relates directly to the original purpose for which the information was made public. Such restrictions would be equally appropriate to the practices of the federal government.
A related issue involves the practice of government institutions required by law to make certain information available to the public. Registries such as the Bankruptcy Registry or the Lobbyist Registry must, for reasons of transparency and accountability, remain open to public inspection.
Few if any government registries control what details they disclose or the uses that others can make of the information once disclosed. To avoid abuses such as bulk disclosures for marketing purposes, the Act should allow personal information should be released from government registries only in ways and for purposes consistent with the purpose for which the register is maintained. Institutions should not be permitted to disclose the registry’s entire population or even make it available for inspection without specific controls. These concerns have escalated with the ease of accessibility provided by the Internet.
Over the years, Privacy Commissioners have eloquently argued many of the causes identified in this submission. The urgency to reform the Privacy Act increases with each passing year. Much time and effort has been devoted by many public officials towards this goal. The questions that are raised in this document point to a need to examine OPC’s institutional role. To a large extent, the powers and authorities that are vested in the OPC will pre-determine its efficacy in the years to come. What is needed is
- progressive legislation that recognizes and is responsive to the complexities of contemporary governance in Canada, where the public sector increasingly interacts with the private sector in protecting the common good;
- a Privacy Act that will be effective as a framework to minimize the risks to informational privacy from government adopting new technologies and applications;
- a Privacy Act that provides a solid footing for public accountability; and
- a Privacy Act that will allow Parliament to fully assume its role of guardian of our fundamental values, including the right of informational privacy.
It is hoped that the general themes set out in this paper will assist in defining the issues and will further the public debate and interest around the need to reform the Privacy Act.