ARCHIVED - Update on Key Public Sector Issues
Remarks at the Canadian Access and Privacy Association Conference
November 22, 2011
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Good afternoon and thank you for the invitation to be here today.
I would also like to warmly congratulate Frank Work on his well-deserved CAPA National Lifetime Achievement Award. I am also a huge admirer of Frank’s commitment to and passion for privacy and access issues. He has been a tremendous advocate for the rights of Albertans. He will be missed.
I appreciate the opportunity to be here to exchange ideas and information about privacy issues in the public sphere.
When she was at this conference two years ago, Assistant Privacy Commissioner Chantal Bernier spoke about how your day-to-day decisions and actions breathe life and meaning into some of our most fundamental democratic values.
You are defenders of two principles that are essential components of Canadian society – transparency and privacy.
I’m sure it’s easy to occasionally lose sight of the significance of this role in the midst of the daily grind and heavy workloads.
That’s why events such as this one are so valuable. They provide the opportunity to take a step back, reflect on your role – and to recharge a bit.
I’d like to speak with you today about some of the major public sector issues my Office has been working on, and thinking about, in recent months. There are several topics I wanted to touch on, so I’ve structured them into a “Top 10” list.
1. Annual Report to Parliament on the Privacy Act
As some of you will know, last week we released our latest Annual Report to Parliament on the Privacy Act. I’ll share a few of the highlights.
On the investigations side, we are continuing to put a greater focus on early-resolution strategies. The goal is to resolve more complaints without formal investigations in order to provide Canadians with solutions to their privacy concerns in a timely manner.
Roughly 14 percent of the 570 complaints we closed in the last fiscal year were resolved this way. That compares to just 6 percent a year earlier.
The strategy has had a positive impact on our complaint treatment times – the overall average fell to just over seven months from roughly 12 months the previous year.
We had close to 500 Privacy Act complaints proceed to full investigation. It will come as no surprise to those of you working for federal ATIP shops that the vast majority related either to problems people had in gaining access to their personal information or to the time it took for the government to respond to access requests.
2. Privacy Impact Assessments
Our annual report also noted the fact that we reviewed 87 Privacy Impact Assessments in 2010-2011 – 19 of them in greater depth because of the significance of the privacy risk or the broader human rights or societal issues involved.
Those included a plan by the Canadian Air Transport Security Authority to observe passengers in the airport pre-boarding areas for suspicious behaviour. We expressed several concerns, including the potential for inappropriate risk profiling based on characteristics such as race, ethnicity, age or gender.
As well, we reviewed a PIA submitted by Citizenship and Immigration Canada and related to the use of biometrics to identify all non-Canadians entering Canada. We made a number of recommendations to better safeguard the data and ensure it is shared with other nations only under the most stringently controlled circumstances.
I am pleased to say that, over the last several years, we have seen a steady improvement in the quality of PIA submissions – though there have been some glaring exceptions. Departments have become better at including the relevant information such as data flow descriptions and detailed privacy risk analysis in their reports. As well, there is stronger analysis and more attention paid to detail in the description of privacy risks.
3. Audits under the Privacy Act
We also released the results of two audits last week. One looked at the RCMP’s management of operational databases that are widely shared with other police services and government institutions – and I think the results are instructive for other departments.
While the RCMP has policies and procedures in place to safeguard sensitive information, we also found some troubling gaps. For instance, with respect to a database called the Police Reporting and Occurrence System, the RCMP has no process to withhold access to information relating to an offence for which a pardon has been granted or – even worse – that resulted in a wrongful conviction. We were pleased that the RCMP committed to addressing all of our concerns.
In a separate audit, we examined whether the Canadian Air Transport Security Authority – CATSA – and the thousands of airport screeners it hires under contract respect the privacy of the travelling public and are good stewards of their personal information.
We found that, while elements of a privacy management framework are in place, some significant gaps remain in practice.
Of greatest concern is that the agency collects personal information beyond its statutory authority. For example, CATSA officers sometimes alert police when they encounter a traveller on a domestic flight carrying large sums of cash. It is legal to transport money within Canada, and, in any case, the matter is unrelated to aviation safety and therefore lies outside the agency’s mandate.
We also found issues around the safekeeping of sensitive documents. For instance, incident reports turned up on open shelving units, on the floor and even in a room where passengers are taken for further screening. Moreover, the audit discovered a cellphone and a closed-circuit TV camera in rooms where officers view images generated by full-body scanners. Fortunately, these issues were addressed promptly when we raised them.
4. Ongoing need for comprehensive Privacy Act reform
The urgent need to modernize Canada’s public sector privacy legislation is not news to anyone in this room. As you know, this is something that I – and my predecessors before me – have been advocating for many years. Unfortunately, the federal government has so far demonstrated little appetite for taking on this project.
But that doesn’t mean we’ve given up trying!
5. Keeping up with PIPEDA – Discretion
As you may know, recent amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) have provided my Office with the discretion to decline complaints or discontinue investigations in particular circumstances.
Back in 1983, when the Privacy Act became law, the vision of government response under the ombudsman model required my Office to investigate all complaints filed by citizens.
That model is no longer tenable in a world of complex information technology, globalized data sharing and a heightened expectation among Canadians for rapid responses and solutions to the privacy challenges of this new landscape.
Some of the complaints we receive require investigations that can be very resource-intensive, not only for my Office, but for other government departments as well, and yet they may not necessarily turn on questions of personal information.
In my opinion, the personal information rights of Canadians are not well served by conducting full-scale investigations into every complaint we receive.
I would welcome Privacy Act amendments to provide for the discretion provisions I now have under PIPEDA.
This would allow us to focus our attention where it should be – on complaints that raise broad, systemic issues affecting all Canadians.
6. Keeping up with PIPEDA – Mandatory Breach Notification
Along the same lines, I would also like to see an amendment to the Privacy Act to make mandatory the reporting of significant breaches to my Office – as the government has proposed to do under PIPEDA.
I’d like to shift now to look at a few emerging issues…
Outsourcing can create challenges for personal information protection in the federal government.
The recent emphasis on shared government services and cost-savings mechanisms suggests that outsourcing, particularly of data processing types of services, may become more common. As well, the growing emphasis on public-private partnerships could lead to more sharing of personal information outside of traditional government services.
When we discuss this issue with departments, we stress that outsourcing of current government functions, operations and oversight needs to be in line with Treasury Board Secretariat guidelines. This is particularly important for issues such as security requirements, employee access, inspections, audits and breach notification.
I can’t stress enough the importance of accountability and the need for contracts to include provisions for the government institution to audit the contractor for compliance with the personal information protection provisions.
8. Lawful Access
Over the past few months, we’ve seen a growing number of questions being raised – in Parliament, in legal circles and in the media – about potential lawful access legislation.
My Office has commented extensively on various legislative proposals – including the bill introduced during the last Parliamentary session.
Last month I wrote an open letter to the Minister of Public Safety to once more outline my concerns about the potential impact of possible legislation on the privacy of Canadians.
Our Office has always been clear that we will not stand in the way of effective measures that are necessary to address serious crimes such as terrorism and the exploitation of children. We agree that the Internet cannot be a lawless zone.
However, it is essential to ensure that the protection of Canadians’ right to privacy is properly respected. Privacy protection underpins our democratic freedoms. It allows us to exercise these freedoms openly, without fear, mistrust or censorship. This is why caution is so critical.
The provisions of the lawful access bills in the last Parliamentary session would have had a significant impact on privacy rights. They both expanded the legal tools of the state to conduct surveillance and access private information, and they reduced judicial scrutiny of the actions of law enforcement authorities.
When contemplating changes that would have such an important impact on fundamental rights and freedoms, the government needs to demonstrate the necessity, legal proportionality and practical effectiveness of these new powers. The government must also be prepared to demonstrate how the model it is proposing is the least privacy-invasive alternative possible.
No systematic case has yet been made to justify the extent of the new investigative capabilities that would have been created by the bills.
My provincial and territorial privacy colleagues share my concerns and we’ve unanimously called upon the federal government to take a cautious approach to legislative proposals to create an expanded surveillance regime that would have serious repercussions for privacy rights.
9. Improving service to Canadians
When the Prime Minister re-appointed me to last December, I spent a great deal of time thinking about what I felt I needed to accomplish during my last few years as Privacy Commissioner.
The issue that I put at the top of my list was service to Canadians.
For me, that means ensuring that our work meets the needs and expectations of Canadians.
As I mentioned earlier, one of the best pieces of news in our annual report was the fact that our complaint treatment times are significantly shorter than in the past. We will work to ensure that trend continues.
We are also continuing to develop tools to help Canadians and organizations, both private and public, to resolve privacy concerns without the intervention of my Office.
By equipping people with information about their privacy rights, they’re often able to effectively and quickly address issues directly with organizations.
When that fails, my Office – in appropriate cases – will attempt to reach a satisfactory solution through our early resolution process. Again, not every issue requires a time-consuming, expensive investigation.
Because service to Canadians is our priority, we are also working with ATIP coordinators to find ways to speed up the processing of access requests under the Privacy Act.
This is a joint venture. We are looking to you to respond quickly when there is a complaint and we come to you with questions as part of an investigation.
If a department doesn’t grant access to the complainant’s personal documents within a set period of time, we will rule that there is deemed refusal and we will refer the matter for judicial review.
A few months ago, we initiated two Federal Court applications against the Correctional Service of Canada for what we had determined to be deemed denials. The matters were then resolved very quickly and we were able to discontinue the applications. That’s good news for Canadians – although it’s my hope that we won’t have to take this kind of action very often going forward.
10. Supporting the ATIP community
I would also like to mention a few of the ways in which my Office is providing information and practical assistance to the public sector.
We’ve undertaken a number of initiatives to help departments prepare solid Privacy Impact Assessments. For example, we have invested a great deal of effort in helping institutions adapt to a new government Directive on the completion of Privacy Impact Assessments. We’ll be holding another workshop on PIAs in early January. This event will be jointly hosted with Treasury Board.
Earlier this year, we launched a detailed guidance document that sets out what we expect from PIAs – it’s titled Expectations: A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada. If you don’t already have a copy, it’s available on our website or you can pick one up at our booth in the exhibiting area.
I would also like to mention a couple of other guidance documents.
A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century, is a reference document to help policymakers, practitioners and citizens integrate privacy protections with new public safety and national security objectives.
Another area where we have offered guidance relates to the increasing use of biometric information, such as fingerprints and facial images.
Biometric systems can contribute to highly reliable and robust identification systems, but can also raise significant privacy challenges, including the covert collection of biometric characteristics, cross-matching, and the unwanted disclosure of secondary information embedded in an individual’s biometric information.
To help institutions weigh the pros and cons, we have prepared a detailed primer called Data at Your Fingertips: Biometrics and the Challenges to Privacy.
My remarks this afternoon have taken us on a long and winding path, but I very much wanted to use this opportunity to touch on several current topics.
I want to stress to you that our door is always open. We are there to help when you have questions or are looking for advice. We also welcome your thoughts and suggestions on how we can better help you to face the daily challenges of your job.
Thank you very much for your attention. I believe we have time for questions…