Privacy

Commissioner

ANNUAL REPORT

1994-1995

The Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3

(613) 995-2410, 1-800-267-0441
Fax (613) 947-1501
TDD (613) 992-9190

© Canada Communications Group
Cat. No. IP 30-1/1995
ISBN 0-662-61956-0

This publication is available on audio cassette, computer diskette and on
the Office's Internet home page at http://www.privcom.gc.ca

Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada

July 1995

The Honourable Gildas L. Molgat
The Speaker
The Senate
Ottawa

Dear Mr. Molgat:

I have the honour to submit to Parliament my annual report which covers the period from April 1, 1994 to March 31, 1995.

Yours sincerely,

Bruce Phillips
Privacy Commissioner

Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada

July 1995

The Honourable Gilbert Parent
The Speaker
The House of Commons
Ottawa

Dear Mr. Parent:

I have the honour to submit to Parliament my annual report which covers the period from April 1, 1994 to March 31, 1995.

Yours sincerely,

 
Bruce Phillips
Privacy Commissioner

Gerard J. C. van Berkel

Gerry van Berkel died on January 5, 1995, barely six months after retiring as general counsel to the Privacy Commissioner, a position he held since the Office was created in 1983.

He was both an extraordinary human being and an unusual lawyer. The poet Marvell's words are apt: "He nothing common did or mean, upon that memorable scene". He had an expansive view of the law, seeing it as an instrument for human betterment, rather than a code of strictures for human regimentation. He was often heard to say that "the law should not stand in the way of helping people", and this attitude, animated by his common sense and compassion, made him an ideal counsel for an ombudsman's office.

Gerry van Berkel had been a government lawyer for three decades, having served as well in the Department of Labour and the Canadian Human Rights Commission. Wherever he went, he left behind a legion of friends and admirers. The staff of this Office were the particular beneficiaries of his mature wisdom, his wit and his patience; not to mention his good humoured tolerance of their gratuitous and unschooled legal opinions.

But they also knew him as a raconteur of note, chef extraordinaire, mean pop pianist, gifted cabinetmaker, but above all, devoted family man and loyal friend. All in all, a formidable work of the Creator in whom he had an abiding faith.

To him, in love and respect, this report is dedicated.

Mandate

The Privacy Commissioner is a specialist ombudsman appointed by and accountable to Parliament who monitors the federal government's collection, use and disclosure of its clients' and employees' personal information, and its handling of individuals' requests to see their records.

The Privacy Act gives the Commissioner broad powers to investigate individuals' complaints, to launch his own complaint, and to audit 110-odd federal agencies' compliance with the Act. He also conducts research on his own behalf or at the request of the minister of justice.

Mission

The Privacy Commissioner's mission is

• to be an effective ombudsman's office, providing thorough and timely complaint investigations to ensure Canadians enjoy the rights set out in the Privacy Act;
• to be an effective privacy guardian on Parliament's behalf, performing professional assessments of the quality of the government's adherence to the Privacy Act;
• to be Parliament's window on privacy issues, arming it with the facts needed to make informed judgements through research and communications;
• to be the primary national resource centre for research, education and information on privacy.

Highlights

• Federal government leadership needed now to protect Canadians' privacy in the private sector— starting with the banking, telecommunications and interprovincial transportation sectors where it has jurisdiction (page 6)
• Changes to the census to better protect Canadians' privacy— and an outstanding issue (page 33)
• End to random drug testing of Forces' members (page 16)
• How to devise an electronic privacy system— Public Key Infrastructure (page 8)
• Safeguards for the public's and employee's tax files during internal Revenue Canada investigations (page 22)
• Removal of gratuitous personal details from public bankruptcy files (page 70)
• Improved controls on disposal of surplus assets— computers, diskettes and file cabinets (page 60)
• 1307 complaint investigations and almost 10,000 inquiries handled; a record 1,783 new complaints (page 31)

Table of contents

There is a tide...

There is a tide in the affairs of men,
Which, taken at the flood, leads on to fortune;
Omitted, all the voyage of their life
Is bound in shallows and in miseries.

--Julius Caesar, Act IV, Scene III

Right on, Mr. Shakespeare! Nowadays we're not so elegant of speech. Translated into 1995-ese, we'd probably say "Let's move it", or something even more blunt. But the meaning is the same: the time for action is now.

Events have moved swiftly in the past year. We are now at that critical point at which decisions must be made which either will "lead on to fortune" or to "shallows and miseries".

Those decisions in the main are in the hands of our governments, so this is a plea to them to meet this opportunity with courage and foresight, resisting along the way the inevitable pressure from special interests for weak-kneed half-measures. Timidity in defence of human rights is no virtue.

But first let's step back for a moment and scan the landscape across which we are travelling. Most people now are aware of the immensity of the changes which technology is working on society. Information technology in particular is throwing dazzling lights of knowledge across the worlds of commerce, academia, science, medicine and government, in fact every aspect of human life. But we must take care that the light does not blind us to our duty to ensure that we reap those benefits without sacrificing older values essential to the protection of human rights which are the foundation of civilized society.

Over centuries of evolution of Western thought, one constant has been the acceptance of the individual's right to defend that uniqueness by exercising some control over the ability of others to intrude or impose. The technology revolution is making a shambles of that right.

"Information" is not a single substance or entity. It is not just data. It is not a product or a commodity. Whether conveyed by voice, recording, printed word, picture, digitized code, sign language or sight, information is the expression of all that we know and are. Personal information expresses the substance of individual lives; in short, all the things which distinguish one human being from another, which certify the uniqueness of each individual.

"Privacy", in fact, is not a word adequate to describe the problem. In the technological context, some experts describe it as "the right to informational self-determination", or the right "to control what others know about you". These are good descriptions, but they only reflect a more profound underlying issue— the degree to which, in the new information age, we will respect each other as individual human beings.

Brave new words

Previous reports have attempted to alert Parliament and public to the lethal threat to the preservation of some reasonable degree of personal privacy posed by the indiscriminate or unthinking application of information technology. Now, it must be said, there has been a significant change in the level of public awareness. Poll after public opinion poll has demonstrated rising public uneasiness. Routinely they show 80 or 90 per cent of those interviewed are concerned about the assault on their privacy. They suspect, rightly, that much is going on which is not explained adequately to them, and that worse may be to come.

These polls frequently also show that such fears are coupled with a strong appetite for government action. The public knows the world is changing swiftly, and is anxious not to be left naked in an environment more threatening to personal autonomy than anything we have known before. From a state of general indifference, privacy protection has forced its way, if not onto centre stage, at least to reasonable prominence on the agenda of issues worthy of attention.

Doubtless this is less the result of any individual effort than the accumulation of evidence obvious to almost everyone— this is not simply an abstract philosophical problem but one that affects everyday life. Whatever the reason, we have attained the necessary pre-condition to effective action. However, we must not confuse recognition with solutions. There is much talk but few results. But compared with a few years ago, even that is real progress.

One thing is abundantly clear. The next year or two will tell the tale, whether as a society we care enough about our personal autonomy and individuality to defend it against the clamant pressures of the economic bottom-line, or are content to see ourselves digitized into data subjection.

There is nervous optimism. Optimism because there is strong support in important quarters for enhanced privacy protection in the age of information technology. One such notable support is the committee work of the government's Advisory Council on the Information Highway (of which more later). The nervousness stems from the power of private interests to resist change, coupled with a prevailing climate which militates against government action in the commercial sphere. Even times such as these, however, offer no justification for failing to protect those defining values. Easy times and not-so-easy times come and go. Respect for human rights must remain the bedrock of society, immune alike to breeze of prosperity and blast of hardship.

The issue is clear: the preservation of a private life in the information age depends upon our retaining some control over what the world knows about us. This control has all but disappeared except in the limited areas where privacy laws exist; principally in the public sector. Only stronger legal defences can restore control.

There is now almost universal agreement with these two propositions. The Canadian private sector, which generally operates free of any legislated privacy rules (except in Quebec) now recognizes the rising tide of public concern. Many businesses have attempted to meet this concern by drafting their own privacy codes. And there's the rub. While conceding a problem, there is still much opposition to the idea of anything more than "voluntary" or "self-regulated" observance of privacy rights. That's to say, we know there's a traffic problem but please, no traffic cop.

Optional privacy rights?

Reluctantly, and by stages, this writer has come to the view that "voluntarism" is inadequate. The reasons are several. The first; collection of personal information, much of it without our knowledge or consent, is now a huge business and getting more huge all the time. As individuals, we have a right to exercise some control over this traffic, but all the jawboning of recent years has had little impact.

The second reason; technology is accelerating this process, and the longer it proceeds devoid of enforceable standards, the worse the problem will become.

Third, such protections as now exist are in danger of erosion, because of impending interconnectivity between public sector data bases, which are covered by privacy laws, and private sector data bases and transmission systems, which are not.

Fourth, Canadians are entitled to uniform standards of respect for their privacy rights no matter where they live or in what business they are engaged, a situation which can never be achieved if left to the whims of the marketplace.

Fifth, public confidence in any system is unattainable without provision of just rules equally and fairly applied to all segments of society, public and private sector alike, and fortified by a mechanism for independent oversight and complaint resolution— in short, a traffic cop.

Holding the system accountable

Lest we be deflected by uninformed arguments about creating "massive bureaucracies" and "armies of government snoops", let's examine some recent experience. Less than two years ago, the Quebec legislature amended its privacy laws to extend their reach to cover private businesses in the province. The Quebec Commissioner reports that the transition has taken place smoothly, business continues to be done, the sky has not fallen, no-one has complained about excessive or unwarranted intrusions by government snoops. And the bureaucratic explosion? The Commissioner, although he has received about 300 complaints involving the private sector, has added fewer than half a dozen persons to his staff.

For that matter, this Office in its twelve-year lifetime has investigated about 10,000 complaints covering more than 110 government departments, agencies and tribunals, yet has never had a staff of much more than about three dozen persons. In addition to those investigations, this small staff has audited the information management practices of roughly a third of the government's operations, and conducted active research, policy and public affairs programs. So much for bureaucratic bloat.

Another argument gaining some currency is that each sector of the commercial world should have its own privacy watchdog, e.g., the Canadian Radio-Telecommunications and Television Commission for the communications sector, the Canadian Transportation Commission for transportation, the Office of the Superintendent of Financial Institutions for the banks, and so forth. Unless people are willing to discard all their concerns about bureaucratic growth, level playing fields and uniform standards, these arguments should get the quick dismissal they deserve. Not a single jurisdiction in the world where business is governed by privacy laws (and that includes most of Western Europe, Britain, New Zealand and Australia) has ventured down that thicket-strewn path.

The danger of having various industry privacy agencies is the tendency to develop cultures highly reflective and sympathetic to the industries they regulate. There must be genuine independence of thought from those whose interest, first and foremost, is privacy. We do not have separate police departments for each offence but one department with several specialties. The police act on behalf of the whole community and are expected to apply a common standard equally across the whole of that community.

Charting the course

Therefore I put the simple proposition: if the world is changing in ways which threatened established and accepted rights, then so must change the laws which are needed to fortify and defend those rights.

The conclusions are inescapable:

• privacy protection cannot be left to the whim of the marketplace, but deserves and needs to be re-enforced by legislated standards;
• legislation must cover both the public and private sectors;
• action is needed at both federal and provincial levels, and steps must be taken to seek the maximum attainable harmonization of law and enforcement;
• legislated standards must be supported by an independent oversight and compliance mechanism, without which the standards would be merely ineffectual statements of good intent;
• the social and technical impact of information technologies needs systematic assessment by an independent, expert body similar to the U.S. Office of Technology Assessment.

Both provincial and federal governments occupy important jurisdictional positions in the information world. Ideally, both levels would implement complementary legislation more or less simultaneously, supported by similar oversight methods, resulting in uniform and complete coverage of the Canadian information spectrum. Realistically, such an outcome is likely to demand far more time than the urgency of the situation demands. Technology continues its onward rush; if none acts until all act, much that could be saved will be lost.

No time to take our time

Given the national nature of the problem, the responsibility naturally falls upon the national government to exercise leadership. It is a fortunate happenstance that some of the major sectors of commerce fall within federal jurisdiction. These include telecommunications, transportation and banking, three of the most important sectors to collect and use personal information. The federal government thus has the opportunity to seize the initiative and, acting within its own jurisdiction, make the federally-regulated private sector subject to the federal Privacy Act— as it is subject to federal human rights, official languages and labour laws.

This action could be supplemented by adding to the Privacy Act provisions specifically tailored to the private sector, such as the model privacy code developed by the Canadian Standards Association.

This second option has some appealing advantages. It would embody in law a set of rules devised by a committee representing a broad cross-section of Canadian private enterprise. The major improvement between the situation today and the one this approach proposes is that observance of the CSA standards would become a legal obligation and would be supported by a system of independent oversight. A further advantage is the potential for provincial acceptance, since the enterprises represented on the CSA committee operate in both jurisdictions. In addition, the code has won the endorsement of several provincial privacy commissioners as an excellent basis for legislation. Thus we have at hand a set of privacy rules which, given the necessary teeth, already enjoy substantial acceptance at both federal and provincial levels.

In summary then, the federal government should strengthen Canadians' privacy protection by

• extending the Privacy Act to those areas of the private sector which fall within its jurisdiction, and
• convening a federal provincial working group to seek harmonization of privacy laws in the private sector under provincial jurisdiction.

To end at the beginning, the tide is at the flood. Let's not miss it.

On such a full sea are we now afloat,
And we must take the current when it serves,
Or lose our ventures.

--Julius Caesar, Act IV, Scene III

Update: Privacy, Security and the Information Highway

Few subjects have spilled more ink or prompted more sound bites during the past year than the information highway. Lost in the hype was the Information Highway Advisory Council's call on the federal government "to act to ensure privacy protection on the information highway".

The council is a joint industry/consumer/academic group appointed by the federal government to develop a strategy for Canada's information highway. Among the issues it examined were protecting privacy, and a related concern— protecting security of interactive systems and the data they carry.

Privacy and security are not the same, of course. The distinctions are important— a secure data network may protect against intrusions by unauthorized users but it offers the subjects no protection against overzealous collection and misuse of their personal information, nor against inappropriate disclosures by the controllers and authorized users.

Protecting privacy

The council's discussion paper, Privacy and the Canadian Information Highway, set out the privacy threats and asked Canadians to comment on the balance between freedom of information and the threat to personal privacy posed by the information highway.

Public responses (including one from this Office) convinced the council that Canadians are worried that their personal, medical and financial records are at risk on the information highway and they want effective privacy protection. The council concluded that the federal government had to take the leadership in protecting personal information.

Although its final report is not expected until this fall, the council has already acknowledged publicly the need for a national standard— covering all the public and private sectors— to protect Canadians' privacy in an electronic environment. To accomplish this, the council recommended

• establishing a level playing field by developing national, flexible privacy framework legislation to set a minimum fair information standard, and citing the Canadian Standards Association draft "Model Code for the Protection of Personal Information" as that standard;
• establishing a federal-provincial-territorial working group to implement the principles across Canada;
• updating and harmonizing the government's own privacy protection policies, legislation and guidelines;
• setting up a working group to coordinate the development and application of privacy enhancing technologies for delivery of government services and information.

Particularly heartening is the council's recognition that while voluntary standards are useful for engaging business in privacy protection, government must pursue development of effective oversight and enforcement mechanisms, otherwise what becomes of clients of companies that decline to "volunteer"?

Ensuring security

Security is a critical issue in interactive networks, to protect both stored data as well as personal and business communications.

Nevertheless, the council recognizes that no security measure or technology can offer absolute protection for information. It recommends a basic level of security that "provides a reasonable expectation that private communications and personal information will be protected". The market would be left to devise and sell enhanced security protection for more sensitive data.

Striking the right balance between privacy, civil and human rights, law enforcement and national security on the information highway will require extensive study and public consultation. One method of securing communications and data on the highway is to build a public key infrastructure.

In the interests of starting the debate, some definitions are in order.

From post box to E-mail to public key infrastructure--a primer

Security of the mail has long been critical to public trust in the postal service. We expect our mail to be delivered to the addressee in a way which ensures the confidentiality of the message. We seal it in an envelope and entrust it to a postal system which collects, routes and delivers the communication.

Essential to the process is our knowledge that the system is confidential and protected by law. No matter how many truck drivers, sorters and letter carriers handle a letter, we rely on the system to deliver it to its destination unread, unaltered and intact.

Electronic Mail or E-mail is simply a communication sent electronically by connected computer systems rather than by letter mail. But electronic mail offers no sealed envelopes to protect confidentiality or trusted system to ensure safe delivery. Neither the sender nor the recipient has any control over (or knowledge of) who reads their E-mail while in transit. A message sent in the open over a computer system means anyone with access to the system can read, record, monitor, tamper with or destroy the communications before it arrives at its destination.

One solution to protecting E-mail is encryption, and, to confirming the source of messages, authentication by digital signatures.

Encryption

Encryption renders a plain text message unintelligible to all but the intended recipient who has the key to decipher the code. The message is encrypted using mathematical processes, called algorithms, to transform plain text into cipher text and vice versa. Algorithms are simply coding systems for concealing the meaning of a text— analogous to conventional locks.

Along with algorithms, encryption also uses keys. Keys can be numbers, characters, or phrases (in the form of digital bits) used by an encryption algorithm to lock or unlock the transformed message. The encryption key fits with the algorithm to lock or unlock it.

Secret key v public key encryption

Two encryption methods are popular today: the secret, shared single-key type and the public/private two-key type.

In a single, shared key system, both the sender and the recipient must share the same, secret key to either encrypt or decrypt the message. The drawback of this traditional system is that the sender and recipient must share the key with each other. When there are many correspondents, the sender must share a different key with each of the intended recipients and all must be kept securely.

The second method, known as public key cryptography is based on having an associated pair of keys: a public key (known to many) to encrypt the data; and a private key (known only to one party) to decrypt the data. While the keys make a matched pair, one cannot derive the private key from knowing the public key.

In this system, someone wanting to receive confidential information can distribute their public key widely; for example, in a directory. Anyone wanting to send a protected message to that person could look up his or her public key and use it to encrypt their message. The message could only be decrypted by the person holding the corresponding private key. No one else, not even the person who encrypted the message, could decrypt it.

Digital signature--identifying the sender

Electronic communication systems must also be able to authenticate both the sender and the message. A handwritten signature serves as tangible proof of the origin of a conventional letter (a signature can also differentiate an original document from a copy) but one cannot physically sign an electronic document— merely indicate who it is from.

Electronic messages can be altered, or the sender simply masquerade as someone else. Several politicians have recently had electronic words put in their mouths on electronic chat groups and bulletin boards. Electronic communications require that trusted digital equivalent of a handwritten signature.

Public key encryption can provide that trusted signature by reversing the roles of the public and private key. The sender simply encrypts the message with the recipient's public key and attaches a signature block encrypted with his or her own private key.

The recipient can open the message in the normal way with his or her own private key and also verify the sender's identity by decrypting the signature block with the sender's public key.

Appending a signature block that has been encrypted with the sender's private key is like signing and sealing the document. Only one person is associated with that particular private key; the identity can be verified by the corresponding public key and cannot be denied.

Authenticating the message--the "hash" code

Along with the signature block, the sender's encryption program also creates a unique mathematical summary or picture of the message being sent. This is called a "hash code". The recipient's encryption program reads the message, creates the hash code of the message received (a "rehash") and compares it with the hash code in the sender's signature block. If the two codes match, the message has not been altered.

Building a public key infrastructure

Encryption protects the confidentiality of E-mail and digital signatures prove the origin and authenticity of the message. Used together, they can provide electronic privacy.

But one question remains: Who will be the trusted delivery and address system— the equivalent of the traditional postal service? How do we obtain our public/private key pair, how can we be assured that a certain public key is linked with a certain individual, and how do we get each other's public key?

The answer lies in creating a trusted authority to generate the key pairs, to certify the validity of those keys, and to manage the secure distribution of the keys. In short, this means a central administrator to vouch for the identity and validity of the public/private key users and to maintain system security. The authority must also provide key management, such as producing a directory of public keys to ensure that users have access to one another's public keys, and issuing public notices of compromised or revoked keys.

The federal government has recognized the need to develop an infrastructure and has taken preliminary steps to assess departmental needs, propose a concept of operation and work with the private sector to develop a model and uniform standard.

However, vigorous public debate is needed before the government hands any agency the keys to the kingdom.

Update: A Model Privacy Code for the Private Sector

The most ambitious attempt to protect privacy in the private sector has been the Canadian Standards Association's work to produce a model code for Canadian business. The CSA initiative brought together a working group of disparate private and public sector representatives to devise a privacy standard to which all could subscribe.

The members include representatives of public and private sector users of data, organizations representing the data subjects (employees and consumers), the technology industry, and the federal and Ontario privacy commissioners.

The work has been hard but there has been considerable success. The group circulated its first draft for public comment on December 31, 1994 and the verdict is in. The code's statement of fundamental principles is at least as good as— and arguably better than those contained in the Privacy Act.

The first principle makes each organization responsible for the personal data under its control and requires it to designate an individual to be accountable for its compliance with the fair information principles. These are identifying the purposes for collecting information, ensuring the individual is informed and consents, limiting collection and gathering by fair and lawful means, limiting collection, use and disclosure, ensuring accuracy, protecting the data, making its personal information handling policies and practices "readily available", providing individuals access to their personal data and establishing their right to challenge its accuracy and completeness, and providing individuals with the means to challenge the organization's compliance with the principles.

The code is thorough and complete, and it was conceived by the private sector to be relevant to the private sector. This is a hopeful beginning.

The Office embarked on the CSA project four years ago, committed to support any scheme that would meaningfully advance Canadians' privacy rights. A model voluntary code was in keeping with the times. But as the threats from technology evolve, so must the solutions. It is evident that a self-regulatory and entirely voluntary code is out of step with both the enormous social implications of technological change, not to mention rising public concern. Depending on an entirely voluntary privacy scheme in an era of Internet, Pharmanet, electronic wallets and smart cards requires a suspension of belief.

Statements of good intent are no longer good enough. Canadians need and deserve better. Anything less than enforceable privacy rights and independent oversight will be ineffectual. Stacking an individual's privacy rights against the potential economic returns of, for example, database marketing is, at best, an uneven fight. Voluntary codes not only deprive the public of legal protection, but may well deceive us into relying on a chimera.

The greatest significance of the CSA Code may lie, not in its proposed form as a voluntary code for business, but in its embodiment into national framework legislation— a national standard of privacy protection against which all sectors can be held accountable. The Information Highway Advisory Council has recognized the code's place as the basis for legislation, coupled with an effective oversight mechanism. The Commissioner can only applaud.

However, the bottom line is that the rules must be clear, everyone must play by them, and they must be enforceable. Optional privacy protection is simply not good enough.

Update: Biomedical Privacy

The watch on drug testing

The watch on federal government drug testing schemes continues. Mandatory drug testing, lauded as the quick fix to employee drug abuse, is a serious privacy intrusion--surrendering a bodily substance to allow others to ascertain one's past behaviour.

The invasiveness of the procedure and its overtones of surveillance demand that advocates of testing (and there are many) justify the intrusions by demonstrating that drug abuse is a problem in the workplace, that drug testing achieves some valuable objective such as increased safety, and that other, less intrusive, measures would not.

Some have read the position as somehow supporting use of illicit drugs. Hardly. The message is clear--dealing effectively with drug abuse requires education, support, treatment and, in some cases removing workplace conditions that may well cause or exacerbate employees' problems. Massive mistrust of employees and finger-pointing are not the answer.

National Defence drops random tests

One of the first tests of the Office's position came in a May 1992 Order-in-Council authorizing the Department of National Defence (DND) to conduct a broad range of testing programs on members of the Canadian Forces. The program included random testing for deterrence, post accident, suspected cause and as part of a drug-related probation or treatment program. The program targeted illegal drugs, not alcohol, the most widely used and, one might argue, the most frequently "abused" drug in the Canadian Forces.

A thorough analysis of members' drug and alcohol use, using DND figures collected from its 1989 Canadian Forces lifestyle survey, showed that, like their civilian counterparts, Forces members rarely report using illegal drugs. About six per cent of Forces' Members used marijuana within the last year, slightly less than the public at large. However, members drink more frequently; 84 per cent of members reported having a drink in the past year, compared with 78 per cent of the Canadian public.

Since DND's own survey failed to demonstrate that its members had a serious problem, the Commissioner wrote to the Chief of the Defence Staff early in 1994 opposing widespread random testing of Forces' members.

In February 1995, current Chief, General A.J.G.D. de Chastelain, wrote to advise that he had indefinitely suspended the random testing component of the program--one of its most objectionable features. He reserved the right to "reopen the issue if future circumstances dictate".

This is an important event in the annals of Canadian drug testing. General de Chastelain's decision to suspend random drug testing is a blow for common sense and sets an example for public and private sector organizations contemplating drug testing as the "fix" for perceived workplace problems.

DND will rely on education and counselling but will continue testing following an accident to determine whether alcohol or illicit drugs were a factor. DND's own reports found that drugs were not a factor in any of the nine accidents investigated over a two year period.

Dusting for dope

The news is less promising in the private sector. In late March, an American company launched a home drug testing kit--"Drug Alert"--targeted at worried parents and suspicious employers.

The kit contains a piece of pre-moistened cloth that can be wiped across doorknobs, desk-tops and clothing to pick up traces of illicit drugs. The cloth is then placed in a sealed envelope and returned for analysis. The company promises to detect the presence of about 30 illegal drugs.

Assuming the testing process is accurate, the information it produces is ambiguous. The test does not confirm that the person used drugs; it merely shows contact with traces of a drug which could be completely innocent. Contact with other drug users could leave a residue sufficient to generate positive test results. Anyone who handles American (and likely Canadian) paper money may pick up traces of cocaine, given the bills' frequent use as straws for inhaling the powder.

The most disturbing aspect of the kit is its marketing to capitalize on parents' understandable fears of childrens' use of drugs. American "war on drugs" rhetoric spills over the border, misleading parents into believing there is an epidemic of drug abuse among Canadian students. Some students are indeed using illicit drugs but recent statistics demonstrate that while the levels of use fluctuate, all are down from the rates in the 1970s.

The kit is a device for spying on children and a surreptitious invasion of privacy. The consequences of error for parent-child relationships could be fatal. We once feared invasions of privacy by the state, then by the private sector. Must we now fear our own family?

There appears to be no federal law preventing such surveillance. Several provinces have statutory privacy torts and Quebec's Civil Code and human rights charter protects citizens against spying. Parents who choose to invade their children's privacy and betray their trust this way could find themselves facing a civil lawsuit. They could also find the tables turned. Having had their own trust betrayed, children could try the tests on their parents. Is this the course we want our society to follow?

There is also evident appeal to employers. Unlike urinalysis, this type of test does not require the knowledge or consent of the employee and need never attract the attention of human rights bodies. The Commissioner's strong objections to urinalysis pale beside those about secret drug testing. Although he has no legislative authority to prevent such testing, he is not afraid to lead the chorus for laws against its use.

DNA testing in criminal investigations

There has also been significant progress on the DNA testing front, specifically legal controls on forensic DNA tests.

If nothing else, the O.J. Simpson trial has brought this once-arcane technology into the living rooms of the nation. Forensic DNA analysis is a valuable identification tool which can help convict or exonerate individuals suspected— or even convicted of a crime. The most recent Canadian example of its use is the case of Guy Paul Morin. Mr. Morin had been accused and convicted of the sex-related murder of a child. Late in January 1995, advanced DNA testing proved conclusively — ten years after his arrest— that he had been wrongly convicted.

However, the intrusiveness of this technique warrants careful regulation of the circumstances in which a criminal suspect should be required to supply DNA.

The federal government recognizes the power of this evidence and need for its regulation. With this report in the final throes of preparation, the House of Commons passed Bill C104 amending the Criminal Code and the Young Offenders Act to allow forensic DNA testing. The Bill is before a Senate Committee. Once passed, it will provide a legislative framework for taking and using DNA in criminal investigations. (Still to come are amendments governing establishment of DNA databases.)

Although the legislation appeared— at least to the public— to have been thrown together in a hurry, in fact the Department of Justice issued a consultation paper in September 1994 on obtaining and banking DNA forensic evidence. The paper paid considerable attention to the privacy implications of DNA analysis, capturing many of the recommendations in the Office's 1992 report, Genetic Testing and Privacy.

In January 1995, the Office responded to the Justice consultation paper, acknowledging the utility of forensic DNA analysis but entering several caveats. Bill C104 deals with, or undertakes to deal with most of these in a final round of amendments, promised for later this year. The amendments will address the storage and use of the samples (or their analysis).

Many of Bill C104's rules on collecting and using DNA samples mirror the Office's recommendations. For example,

• a judge must authorize the collection from the suspect;
• testing is limited to a series of "designated offences", primarily sexual and/or crimes of violence;
• a DNA sample must be relevant to proving the offence, investigators must have DNA from the crime to compare with the suspect's sample;
• analysis of the samples are to be used only to confirm or negate a match between samples from the crime scene and the suspect;
• DNA samples (and any analysis of that sample) must be destroyed immediately if the accused is acquitted, or within a year if the Crown does not proceed with a charge, withdraws the charge or enters a stay.
• Some of the Office's recommendations were not specifically incorporated in the current bill. The most important of these is rules establishing whether, how and for how long authorities keep the actual sample or only the analysis of the sample. The Minister has undertaken to deal with the important and sensitive issue of banking the samples or the analysis in subsequent amendments to be introduced later this year. Also needed is a provision establishing defendants' rights to get access to samples from the crime scene to allow for independent testing.

One of the remaining issues concerns police matching the analysis of a sample obtained under a warrant for one crime, with samples gathered at other crime scenes. We look forward to discussing rules for storage and subsequent uses of the data at the second round of amendments. This issue is simply too important for any misunderstanding.

A model genetic Privacy Act

Bill C104 is cause for cautious optimism. But controlling forensic uses of DNA is just the first step. We are less optimistic about the prospect for protecting genetic privacy in other areas— among them employment, insurance and human reproduction. The time may be right for other federal departments and indeed, all governments, to turn their minds to regulating these other collections and uses of DNA analysis.

The publication by Boston University School of Public Health early this year of a model "Genetic Privacy Act" may kick start the process in Canada.

The drafters of the model legislation offered this summary of its philosophy:

[T]he overarching premise of the Act is that no stranger should have or control identifiable DNA samples or genetic information about an individual unless that individual specifically authorizes the collection of DNA samples for the purpose of genetic analysis, authorizes the creation of that private information, and has access to and control over the dissemination of that information.

The rules protecting genetic privacy must be clear and known to the medical, scientific, business and law enforcement communities and the public. The purpose of the Genetic Privacy Act is to codify these rules.

The Genetic Privacy Act, though drafted for an American audience, contains much that could be carried into Canadian law. Armed with this legislative template, Parliament has even less excuse for delay in addressing the increasing threat to our genetic privacy.

Update: Safeguarding Tax Files

There are now stringent safeguards on using taxpayer information for monitoring Taxation employees, thanks to the efforts of Revenue Canada, the Union of Taxation Employees and the Office.

A union representative wrote to the Commissioner setting out members' misgivings about proposed amendments to the Income Tax Act and the Excise Tax Act (see 1992-93 report). Their concern centred on broad proposals allowing Revenue Canada to use taxpayer information to supervise, evaluate or discipline its employees. This would subject Taxation employees to harsher monitoring than other federal employees and diminish taxpayers' confidentiality by allowing Revenue Canada to use their tax files for purposes unrelated to filing a tax return.

Taxations' need to ensure the integrity of the tax system was not in question. But the proposals were drafted so broadly that there was potential for abuse. Setting out these uses in the Income Tax Act overrides a provision in the Privacy Act which prohibits using information obtained for one purpose (filing tax returns) for another purpose (supervising employees). The Commissioner wrote to Revenue Canada and the House of Commons Finance Committee recommending stringent safeguards.

Revenue Canada offered to prepare draft guidelines establishing criteria and setting out controls for managers wanting to examine taxpayer and employee tax files during an investigation. They also offered to have the Office review the draft. Staff made several suggestions and the guidelines are now final. They include:

• not examining an employee's tax return as part of the annual performance review;
• protecting the confidentiality of taxpayers' returns used as evidence during grievance or arbitration procedures;
• requiring an assistant deputy minister's authorization to use a tax return in an investigation of suspected serious breaches of either act (such as using insider information for personal benefit or altering a return to benefit or hurt someone else);
• establishing an audit trail by keeping records of requests and supporting reasons in the security division;
• protecting the confidentiality of taxpayers whose tax returns are used as evidence in legal proceedings against employees (for example, by banning publication of those records, concealing the taxpayers' identities, or hearing selected evidence in camera).

The deputy minister also agreed to have employees notified each time a director requests access to their tax returns.

The Office will audit compliance with the guidelines.

Update: The Privacy Patchwork

In Canada.

In June 1994, Alberta passed its long-awaited access to information and privacy law. Beginning October 1995, the Freedom of Information and Protection of Privacy Act will provide Albertans with access to general government records, as well as to their personal information held by the government, municipal agencies, universities, school boards and health care agencies. The Act will also protect Albertans' privacy by establishing controls on provincial ministries' collection, use and disclosure of their personal information. The commissioner (who is also the provincial ethics commissioner) is responsible for investigating complaints and monitoring compliance and has the power to make binding orders.

By September 1994, the government of the Northwest Territories had also passed its Access to Information and Protection of Privacy Act to open its agencies' records to public access and give territorial residents the right to access and request correction of their personal information held by these agencies. The Act will come into force in December 1996. Its controls on the collection, use and disclosure of personal information by territorial agencies brings the Northwest Territories in line with the rest of the country's privacy protection regime. Complaints will be investigated by an ombudsman.

The revised Nova Scotia Freedom of Information and Protection of Privacy Act came into force in July 1994. The Act, the fourth version of the Freedom of Information Act since 1977, is the first to include specific provisions protecting the privacy of provincial residents by controlling provincial government collection, use and disclosure of their personal information. Nova Scotians also have the right to access and request correction of their personal information held by ministries, municipal agencies, school boards and universities. Complaints are handled by a government-appointed Review Officer.

Prince Edward Island is now the only province or territory without any form of access to information, privacy or data protection law. However, following the March 1994 provincial throne speech, a legislative committee looked into the need for a freedom of information and privacy law. The committee recommended adopting such a law and its report includes suggested wording, apparently inspired by the Alberta legislation. If the government adopts the committee's recommendations, Prince Edward Island could fill the last hole in the public sector patchwork as early as 1996.

Of course, the private sector remains unregulated, except in Quebec.

...And Abroad

The European Union Council of Ministers adopted its Directive on Data Protection on February 20, 1995 and has referred it to the European Parliament for ratification. The directive, first proposed in September 1990, spells out rules to protect Europeans' privacy and to control the processing and flow of their personal information. Clause 25 of the directive may pose some difficulties for Canadian companies doing business with Europe because it prohibits member countries from exchanging personal information with non-member countries lacking adequate data protection laws. With the exception of Quebec, Canada has no privacy legislation protecting personal information held by the private sector, and proposed voluntary codes do not meet the directive's adequacy test.

In the Courts

Privacy and Access of equal weight

The Federal Court of Appeal, in its recent decision in Minister of Finance v. Michael A. Dagg (A-675-93), confirmed that the Privacy Act and the Access to Information Act have equal status and that disclosure of personal information under the Access Act is subject to the provisions of the Privacy Act. Given the implications of the trial judgment— second class status for the Privacy Act— the Privacy Commissioner intervened.

Mr. Dagg, a private consultant, asked the Minister of Finance to provide him with employees' after-hours sign-in sheets for specific days between September 1 and 30, 1990. He wanted to determine how many members of the Economists, Sociologists and Statisticians Association (ESSA) worked overtime on a regular basis. Dagg intended to calculate the total number of hours worked and sell this information to ESSA for use during the next round of collective bargaining. The Minister provided him with a copy of the sheets requested, but deleted the names, identification numbers and signatures of the employees.

Mr. Dagg complained to the Information Commissioner, who agreed that the details were personal information. Dissatisfied, Mr. Dagg appealed the department's decision to the Federal Court. Mr. Justice Cullen concluded that the information was not personal but of a "predominantly" professional nature. He stated that government institutions were only bound to protect information whose predominant characteristic is of a personal nature. He added that "when there is any doubt as to whether information constitutes "personal information" which should or should not be released to members of the public, the benefit of the doubt is to be given to the interpretation which favours disclosure...".

The Minister of Finance appealed the decision to the Federal Court of Appeal.

The Chief Justice, writing for the Court of Appeal, overturned Mr. Justice Cullen's decision. The Court stated clearly that both statutes should be construed on the same footing. Both must be read together since section 19 of the Access to Information Act incorporates by reference certain provisions of the Privacy Act. Nothing in the language of either statute suggests that one is subordinate to the other. They are complementary and must be construed harmoniously in order to attain Parliament's objectives.

As for the "predominant characteristic" test, the Court held that it is clearly wrong, since it amounts to an unwarranted attempt to amend the definition of personal information in section 3 of the Privacy Act. The Chief Justice pointed out that the definition is broad, enlarged by nine classes of information or illustrations and four classes of exceptions. Information is either personal or it is not— there is no class of predominantly personal or predominantly non-personal information. Whether an employee is at a particular place at a particular time is information personal to that employee.

Denied adjudicators' notes--case goes to court

The Privacy Commissioner has taken a second case to the Federal Court (the first case was settled on the courthouse steps). He has asked the Court to review a Canada Labour Relations Board (CLRB) decision to deny a complainant access to Board members' notes.

The complainant had taken a complaint against his union to the CLRB which hears industrial relations disputes from organizations under federal jurisdiction.

Dissatisfied with the Board's decision, he asked to see the panel members' notes. (Although Board hearings are public, the proceedings often are not recorded— and were not in this case.) The Board refused to process the notes under the Privacy Act, considering they belong to panel members. The notes are not kept in CLRB files and, therefore, the Board argues that they are not under its "control".

The Commissioner considers the notes are taken as part of an administrative process. They are not the personal property of board members but are prepared to fulfil their duties and so are under the control of the CLRB. The Act gives individuals the right to know what information is held about them in organizations subject to the Privacy Act.

The Commissioner's application asks the Court to order the CLRB to review the notes under the Privacy Act and to provide the complainant with access to his personal information, subject to any exemptions.

The hearing is expected to be held in the fall.

Consulting the Commissioner--MPs' pensions

Departmental staff often call the Office to discuss balancing the public's right to know and an individual's privacy. A recent case illustrates the murky depths beneath what appears to be a placid surface.

"Letting the facts get in the way of a good editorial

A political debate continues to swirl around the alleged profligacy of federal MPs' pensions and the Federal Court is now reviewing a department's denial of access to related information. This is a minefield for comment. Nevertheless, some gaps need filling.

In order to pursue the Great MP Pension Debate, an individual asked Public Works and Government Services (PW&GS) to provide "Under the Member of Parliament Retiring Allowances Act (MPRAA) as of September 1, 1993, name of current recipients, identity of survivors, total amount paid for each and breakdown of member/government contributions".

The department refused the request, arguing that the information was personal and therefore exempt under the Access to Information Act (subject to some specific exceptions). The applicant complained to the Information Commissioner who supported PW&GS' position, with one exception— the names. Since former MPs and their terms of office are listed in public documents, the Information Commissioner recommended the department disclose the names of MPs receiving pensions. Public Works sought this Office's advice.

The Privacy Commissioner's role is not to advise departments when to release personal information. The Act clearly makes that the responsibility of the head of the agency who has both an intimate knowledge of the records and is answerable for their care. The Commissioner simply sets out the factors the department should consider before releasing personal information. Departments have the option of

• seeking the individuals' consent to the disclosure;
• determining whether there is a "public interest" sufficient to outweigh any invasion of privacy, or
• concluding that the information is "publicly available".

The department asked pension recipients for consent to release but many refused. The head did not consider the public interest sufficiently outweighed the individuals' privacy interests and so did not use his discretion to release the information.

"Publicly available"

The argument in favour of disclosure in this case then focuses on the contention that the information is publicly available because names of former MPs could be assembled from the public record— for example, the Canadian Parliamentary Guide and the Canadian Parliamentary Handbook. Indeed the handbook lists serving MPs for every riding in every election between Confederation (or creation of the riding) and 1988. The reader could determine who has accumulated six or more years service and therefore qualified for a pension.

However, this merely establishes MPs' eligibility, not their actual receipt of a pension. There are sufficient variables— buy-back options or return of contributions for breaks in service and the inclusion of hundreds of MPs who have since died— to make the public data incomplete.

The case begs several questions. If the information is already publicly available, why is a Court action — or, indeed, any action — necessary? How will releasing only the names respond to the applicants request? Why are there apparently several versions of the "correct" list? Why would the department be compelled to release a specific list of pension recipients because a general list or former MPs is publicly available? When the names of other surviving beneficiaries (spouses and dependents) are removed, will the list be accurate and complete?

Finally, how does knowing which MPs are collecting a pension help the public judge the appropriateness of the pension plan when all the information needed to assess the plan itself— the breakdown of MPs' and government contributions, interest, disbursements, withdrawal allowances and account balances are already open to public scrutiny?

The department rejected the Information Commissioner's recommendations and the matter is before the Court.

Investigating Complaints

Intake of new complaints recovered from last year's breather and hit an all-time high of 1783. This is an increase of 493 or 38 per cent over the 1290 received in 1993-94. Staff completed 1307 investigations, of which 595 were well-founded, 645 not well-founded and 26 were resolved. The remaining 41 were abandoned or discontinued at the complainants' request.

The increase in complaints can be attributed at least in part to a 78 per cent increase in time limit complaints; in many instances the direct result of staff cutbacks and government re-organization. As well, a quarter of the 729 time limits cases were lodged by four individuals against the departments of National Defence, Revenue Canada and Correctional Services Canada.

Time limits and denial of access complaints continue to make up the majority. However, complaints about improper collection, retention, use and disclosure of personal information ("privacy" complaints) climbed 22 per cent to 348 in 1994-95. Of these, 66 per cent concerned improper use and disclosure, 20 per cent improper collection and 14 per cent improper retention. Use and retention complaints are more complicated to investigate, often require travel (thus demanding more days to complete) and extend overall turnaround time.

Contracting out--an update

Last year's report discussed the Commissioner's concern that individual's privacy rights were being denied when departments contracted out services— the case in point was harassment investigations.

At issue was individuals' access to documents gathered by an individual or company not subject to the Privacy Act but performing services under contract for a government institution that is. Some of these contracts specify that consultants are not to provide witness statements or other personal details but to deliver only the investigation report. In other cases, consultants have simply refused to disclose the information to the department, maintaining that they have promised the witnesses confidentiality. The legal question is, who has "control" of the records?

There has been progress. In a case this year against Public Works and Government Services, the deputy minister agreed that contractor's notes are under the department's control and to have them reviewed to respond to the complainant's application under the Privacy Act.

Informal v formal access

One issue discussed with Correctional Service Canada this year is the method it has established for giving inmates access to their personal information.

Inmates have rights under the Privacy Act, including rights of access and correction, and the right to complain to the Privacy Commissioner— and ultimately to the Federal Court, if they believe they have been improperly denied access. However, to benefit from independent oversight, inmates must apply under the Privacy Act. CSC processes Privacy Act requests formally at ATIP Directorate at Headquarters.

But inmates have another option. The Corrections and Conditional Release Act also gives them rights of access and correction to information held by CSC. Generally, CSC encourages informal requests because they are processed in the institution and so speed up the process. Each institution designates a staff member to help inmates phrase their requests. However, there is no recourse to an independent investigator.

Although informal access is praiseworthy, the inmate should have the choice. Institutions should not establish processes that force an individual to forego rights under the Act for the sake of expediency. Some inmates will choose the formal process under the Act, either because they do not trust the institution or because they want to retain their right of recourse to an independent body.

The "resolved" category

Regular readers will notice a new category of complaint finding this year— the Commissioner considered several cases "resolved". The Office has struggled with past complaints for which "well-founded" appeared too harsh to fit what essentially had been miscommunication or misunderstandings. The power of an ombudsman's role is the flexibility to solve problems— resolution is an ombudsman's stock-in-trade. Resolved cases are those in which

• there was a misunderstanding or miscommunication between the complainant and department about what information was being sought. Both parties agreed to a mutually satisfactory solution;
• the individual claimed specific information was missing, the department maintained that it had disclosed the records but readily agreed to send it again;
• the department had the right to exempt the information, but was persuaded by the investigator to exercise its discretion to release it; or
• the investigation identified inconsistent processing of large volumes of information for an applicant, and the department was persuaded to release more information to make the disclosure consistent.

The following are selected from the 1307 cases completed this past year.

Counting privacy in--the census

This year saw the Office complete its longest and most labour-intensive investigation— 33 complaints about the last census. The results more than justify the time— they led to significant changes planned for Statistics Canada's next census in 1996.

The census is the federal government's most extensive, expensive and potentially most invasive collection of personal information. Many would also argue that it is also the most valuable to society and the economy.

The challenge is to seek a reasonable balance between the value of a census to the nation, and the inherent intrusiveness of any questionnaire. Where does a democracy draw the line between its need for reliable data and a healthy reluctance to compel citizens to provide detailed information about their race, religion, lifestyle and health for a data collection that is never destroyed?

This debate is broader than the mandate of a privacy commissioner and perhaps one that needs airing. In the meantime, investigators concentrated on the collection, use, retention and disclosure of Canadians' personal data. To prepare, staff examined the history of the census, its justification and uses of the data, and comparable collections in other countries. With information in hand, staff attempted to resolve the 26 outstanding complaints. (The other seven were either not well-founded or discontinued.)

The complaints fell into two broad categories; those concerning the "intrusiveness" of some of the questions, and those alleging that Statistics Canada's confidentiality guarantees were undermined by its collection procedures. First, the questions.

The "intrusive" questions

Most complainants objected to questions about their race, religion, fertility, housing, physical and mental health, or the number of "person(s) living elsewhere who stayed overnight". One woman, under a psychiatrist's care, was so upset by the question about mental and physical health that her husband tore up the form. Other complainants argued that any questions other than to determine the number of persons in the household were outside the definition of a census, and they were under no obligation to answer.

The research revealed that for almost a century the census has been more than a simple head-count. Census data is used to calculate transfer payments to provinces, chart economic and social change, and forecast Canadian society's needs for schools, medical services and highways. Statistics Canada also sells aggregate data (stripped of personal identifiers and combined with the information of at least 100 other individuals) in various electronic formats including CD-ROM, diskettes and magnetic tape. It is also testing making aggregate data available on Internet.

Nevertheless, some perceive the questions as intrusive, particularly for the one in five who receive the long form. Given the personal nature of the data, the ability to link it to individuals, and its permanent storage, there were serious privacy issues.

The Office began a lengthy consultation with Statistics Canada; both parties were determined to deal with the privacy issues without bringing the census to a grinding halt. In an effort to reduce the intrusions, the 1996 census will omit the question about "person(s) living elsewhere who stayed overnight" from both short and long questionnaires. Questions about religion and fertility will be dropped from the long form and two questions about the respondent's dwelling will be eliminated from the short form which will now be limited to basic demographic information.

To respond to the Commissioner's concern that the justification for many of the questions was unclear, Statistics Canada will also redesign the accompanying Guide, making it easier to read and explaining why the information is needed and how it will be used. It will also establish a Census Help Line during the census collection to answer the public's questions about confidentiality and privacy, as well as help callers complete the questionnaires.

Security of the collection process

To deal with complaints that Statistics Canada's collection procedure threatened respondents' privacy, investigators examined census representatives' oath of office, their hiring and training, as well as the procedures for collecting and handling census information.

The 1991 census procedures did seem to pose risks to the security of the information. Statistics Canada's training of census representatives put inadequate emphasis on privacy protection principles or the public's growing privacy concerns. The agency agreed to expand these issues in training for the next census.

Many complainants worried that neighbours serving as census representatives reviewed the completed questionnaires. The complainants had assumed that their answers would be reviewed by a faceless bureaucrat at Statistics Canada headquarters in Ottawa, not someone they knew.

Statistics Canada will try to reduce the chances of census representatives collecting information from someone they know by assigning them to enumeration areas outside their neighbourhood. This can be difficult in rural areas where the best way of ensuring all households are enumerated is assigning someone thoroughly familiar with the area.

Although Statistics Canada will continue this process, it agreed to explain the role of census representatives clearly on both drop-off and mail-back envelopes. Respondents who do not want their information seen by the local representative can have someone else collect the completed return or mail it to the nearest regional office.

Allowing census commissioners and representatives to work out of their homes also worried a number of complainants who thought the prospect of their completed forms on the family dining table seriously undermined the security of the collection. Statistics Canada provides specific instructions to census representatives on protecting the information they collect, and the agency is confident that the representatives are well aware of security responsibilities.

The centralized edit test project

An important project which could eliminate many of the collection irritants is Statistics Canada's test of a centralized edit collection for the 1996 census. In the test area (10 Ottawa-area electoral districts— 400,000 individuals) all census questionnaires will be mailed directly to respondents who will then mail their completed forms to district offices for editing and follow up, rather than to the area census representative.

This will eliminate door-to-door drop-off of the questionnaires, the need for census representatives and, therefore, the likelihood of neighbours reviewing completed questionnaires, as well as worries about security in representatives' homes.

Problems with missing or incomplete questionnaires which district office staff cannot resolve by telephone will be assigned to field representatives who are not local. This should reduce substantially the possibilities of having forms processed by a representative whom the respondent knows.

If this pilot project is successful, Statistics Canada intends to use it nationally in the 2001 census.

Other complainants objected to having to share a single questionnaire with other household members. They argued that this effectively forced them to disclose information to others to whom they may not be related. Statistics Canada delivers only one form to keep collection and processing costs to a minimum. While most households do not need— and would probably protest— receiving separate questionnaires, Statistics Canada will offer individual questionnaires to anyone not wishing to share a form.

In summary, the Office has persuaded Statistics Canada to make several significant changes to census collection to reduce the intrusion into Canadians' personal lives. Those changes include:

• eliminating some of the questions from both short and long questionnaires;
• simplifying the questionnaire and guide so respondents better understand the questions and why they are being asked;
• employing, wherever possible, census representatives in areas where they are not likely to be known;
• offering respondents the option to mail their completed questionnaire to a regional office so that local enumerators do not see their information;
• explaining clearly in the accompanying information the role of the local census representatives;
• training and sensitizing census employees to maintain the strictest principles of confidentiality and privacy in all phases of the census;
• modifying the edit and follow-up procedures to minimize the burden placed on respondents;
• establishing a Census Help Line; and
• testing the Centralized Edit System.

The best privacy solution--destruction

One issue that is vital to Canadians' long term privacy is the current procedure of keeping microfilm copies of completed census questionnaires and all other documents that link the responses with identifiable individuals.

The Statistics Act absolutely prohibits Statistics Canada from disclosing personal census information to anyone for any reason. Records for censuses before and including 1901 are kept at the National Archives and are available for public research. But documents from all subsequent censuses remain under Statistics Canada control and no one outside that agency— not even the National Archivist— has access.

The best privacy protection would be destruction of all personalized records from the 1991 census (as well as all other census records not already in the public domain) once Statistics Canada has processed the data to ensure its accuracy and quality. This solution would require Statistics Canada to seek an amendment to the census retention and disposal schedule approved by the National Archivist under the National Archives of Canada Act.

While Statistics Canada is prepared to destroy the 1991 records, National Archives officials are very reluctant. This issue will take time to resolve.

However, should National Archives prevent Statistics Canada from destroying personalized census data, the Chief Statistician must notify Canadians that their personal data will be kept for indefinite storage, and eventually transferred to the National Archives. Canadians must know why the information is collected, how it will be used, how long it will be retained and to whom it will be disclosed. These are the principles at the heart of the Privacy Act, ones the government's most important personal data bank must live by.

De-personalizing census data is the critical element in achieving citizens' full cooperation, as well as a permanent solution to recurring privacy concerns about the census.

Private detectives and "shadow" files--privacy at Canada Post

A letter carrier's allegations about Canada Post's improper collection and disclosure of medical information and denial of access to health and employment records were serious enough. However, they were merely the tip of the iceberg.

While searching the records, the investigator found evidence that Huron Division managers hired a private detective and put the employee under surveillance. The investigator also found a cabinet full of "shadow" files the manager maintained on employees which he considered his own property and not to be reviewed under the Privacy Act.

The woman had fallen and hurt her back while delivering mail and made a Workers' Compensation claim. Despite having undergone back surgery, facing a second operation, and a consensus among her own surgeon and Canada Post-appointed doctors about the cause and extent of her injuries, managers doubted her compensation claim. They believed her injuries were caused by earlier car accidents and not the fall. They asked Corporate Security for authority to put her under surveillance outside working hours. They were refused.

Frustrated, they hired a former postal inspector to conduct the surveillance, not only on the complainant but on two other employees who were also under management scrutiny. Although security officials denied any involvement, the investigator established that one of the staff knew the former postal inspector and recommended him to management to conduct the surveillance.

The managers hired the detective (under the guise of other postal duties) to follow and photograph the complainant during her Compensation leave, hoping to prove her back injury was fabricated. When they were unsuccessful, they shredded what they thought was most of the evidence. However, the investigator found photocopies of the surveillance photographs in the Workers' Compensation component of her Occupational Health, Safety and Environment (OHS&E) files.

OHS&E staff denied any knowledge of the surveillance and could not say how the photographs got there. Certainly, they were not there six months earlier when the woman was given access to what she thought was all her personal information.

In fact, the investigator also discovered that she had not been given the entire 165-page Health Care component of the OHS&E files. Canada Post claimed the omission was inadvertent. However, this file contained most of the references to the surveillance.

Canada Post attempted to continue withholding information about the surveillance from this file, claiming that releasing it would jeopardize a lawful investigation (section 22(1)(b)). The Commissioner rejected the exemption.

The investigator also discovered that the complainant's manager in Huron Division had three large volumes--over 750 pages--of personal information concerning her employment, payroll, attendance, grievance, OHS&E and the requests for surveillance. Canada Post had not reviewed the material to respond to the woman's privacy request because the manager maintained that the files were his own personal property. Ultimately the manager was compelled to turn over the files which Canada Post processed and sent to the complainant.

Other complaints about Canada Post's information handling were also justified, including OHS&E collecting medical information directly from the complainant's orthopaedic surgeon without her consent, and departmental officials failing to remove disciplinary documents from the complainant's employment files despite specific instructions in arbitration and grievance decisions.

Canada Post headquarters' officials acknowledged that managers kept their own personnel files for convenience but were unaware that Huron Division was conducting surveillance. They have stopped the abuse. The staff involved were either disciplined or removed, or have resigned. Canada Post wrote to the complainant to apologize for the surveillance and she has gained access to all the available material.

Although there is only one "official" set of personnel files at Canada Post, many managers keep personnel records in their offices for administrative purposes. Canada Post's failure to review these records to respond to employees' access requests is a source of repeated complaints to— and repeated reminders from— the Commissioner's Office. While these files should mirror official files, employees wanting access should specify that they want all material searched— including any managers' files— just to be certain.

The Privacy Commissioner considered all but two of the 15 complaints well-founded.

Three individuals complained that the RCMP improperly disclosed their arrests to their employers.

In the first case, an RCMP officer disclosed details about the complainant's arrest to the Matsqui penitentiary where he worked. In the other case, a constable notified a bank manager that two of his employees had been arrested for shoplifting.

The RCMP defended the officers' actions, claiming it was in the public interest to ensure employers knew of employees' arrests and pending charges. The RCMP believed that the correctional employee's security clearance might be affected, and that the bank employees may have held positions of trust.

Nevertheless, the Privacy Commissioner considered the complaints well-founded for several reasons.

First, the RCMP failed to follow the procedure for public interest disclosures set out in the Privacy Act. Only the most senior officials in an agency should make the decision to release personal information "in the public interest", and then only after carefully weighing whether the public interest "clearly outweighs" any invasion of the individual's privacy. The government is also required to notify the Privacy Commissioner prior to the disclosure, giving him an opportunity, if appropriate, to alert the person to the impending disclosure of their information.

Second, the RCMP has its own procedures for informing employers that employees' actions may have undermined their reliability. They were not followed. Rather, staff in the local detachment made the determination without first obtaining approval from senior headquarters staff who are authorized to make such decisions.

Third, in both instances, the information was not yet a matter of public record. Had detachment staff waited until charges were laid, the disclosure may have been allowed.

Recent annual reports have reminded departments not to contract out their privacy responsibilities when contracting out work. The contractor is simply an agent of the department. Any personal information it obtains or prepares belongs to the department and is protected by the Privacy Act. That means making it accessible to the person it concerns, protecting it from unauthorized disclosure, making it available to the department to audit contract compliance, and respecting retention and disposal criteria at the end of the contract.

Despite repeated cautions, applicants continue to have difficulty getting access to personal information collected under contract.

For example, a woman recently sought the Office's help to obtain supporting documents collected by a contractor hired by National Defence (DND) to investigate her complaint of sexual harassment. Although DND gave her a copy of the final report, it did not contain a list of witnesses interviewed, the questions asked, and their responses.

The investigator found DND had no supporting documents. He asked DND to have the contractor turn over the documents in order to meet its obligation to provide the complainant access to her information. The contractor refused in order to protect the witnesses' identities.

The Commissioner was willing to pursue the matter but the complainant wanted no further action. Nevertheless, the Commissioner intends following up several similar outstanding complaints against DND (among others) and to obtain the contractors' documents for the complainants. The complaint was well-founded.

Two Canadian Armed Forces' members complained that their military service numbers had been included on mailing lists used by political candidates during the 1993 federal election campaign. Both noticed that the mailing label on campaign literature from their local candidate included their service number.

The investigator established that DND provided Elections Canada with the name, military number and postal address of all eligible CAF members under authority of the Canada Elections Act. Military members may select a permanent place of residence (often where they enlisted) or their current posting address. The Chief Electoral Officer must then provide this information to the returning officer of the selected riding, who makes it available to district candidates, on request.

Since there is clear legislative authority for DND to disclose the military service numbers to Elections Canada, and for Elections Canada to disclose the numbers to political candidates, the complaint was not well-founded. Nevertheless, the Commissioner was concerned that providing military service numbers seemed an unnecessary invasion of privacy since Elections Canada acknowledged they were not absolutely required. Elections Canada agreed to seek an amendment to the Canada Elections Act to eliminate the need for DND to provide the number. This will be one of a number of amendments expected to be introduced during this session of Parliament.

Two complainants questioned why their housing cooperatives collected and then gave CMHC detailed information about their income in order to demonstrate that tenants were entitled to rent subsidies.

The co-ops provide accommodation for low and moderate income families and individuals. Tenants who qualify for subsidy pay a percentage of their income as rent; CMHC pays the remainder. CMHC also helps finance a project's mortgage.

In one case, members of a Vancouver cooperative challenged the project's right to request copies of tenants' income tax assessments. The project manager argued that the co-op needs sufficient proof of income to justify CMHC subsidizing tenants. Since there was some suspicion that some tenants were not reporting their true income, he argued that income tax assessments were the most prudent and reasonable means of verifying income.

The second person complained that during an audit of a Scarborough, Ontario co-op, CMHC auditors took away a complete list of all tenants whose rent was in arrears, including the amount of arrears, as well as a printout of rent payments made by all tenants.

CMHC enters agreements with non-profit groups to subsidize non-profit housing under the National Housing Act (NHA) and its regulations. The agreements require co-ops to gather information about the financial status of subsidized tenants to justify the CMHC subsidy and to maintain proper evidence to support CMHC's audits of tenant subsidies.

The Commissioner concluded that CMHC was authorized by the NHA to obtain sufficient information (and relevant copies) about tenants and their income status to determine their qualifications for subsidy. The collection was a logical balance between the individual's right to privacy and CMHC's right to be satisfied that the financial assistance it was providing was justified and reasonable. The complaints were not well-founded.

An immigration lawyer questioned the amount of information Immigration and Refugee Board can legally obtain from Citizenship and Immigration Canada about applicants for refugee status. He also challenged the Board's powers to review information about other family members during its assessment of a claim.

The Board demonstrated that assessing refugee claims is part of the overall immigration process and, as such, it has the right under the Immigration Act to review personal information collected by Immigration before deciding the refugee's claim. Exchanging personal information with Immigration Canada is consistent with the purpose of the original collection and so meets the requirements of the Privacy Act. The Act prevents disclosing personal information without the individual's consent unless that is the original purpose or consistent with that collection.

The Commissioner concluded that it was reasonable for the Board to consider information about other family members when reviewing an applicant's refugee claim. IRB must often verify information when, for example, a claimant is less than honest or the Board suspects the claimant is making multiple bogus refugee claims.

The complaint was not well-founded.

One of this year's complaints illustrated a potential clash of individual rights— the privacy rights of female correctional officers and the spiritual beliefs of Aboriginal inmates.

A Member of Parliament complained that one of his constituents, a corrections officer at the Saskatoon Regional Psychiatric Centre, had been asked to notify her supervisor when she was menstruating. The woman said that she had first been approached by two Aboriginal resource staff while she was guarding a sweat lodge ceremony during the first visit of a traditional healer. The resource staff explained that Aboriginal cultures believe a woman's menstrual period intensifies those powers normally associated with procreation. Proximity to these increased powers are believed harmful to men and sacred items in the sweat lodge.

According to the complainant, when she told her supervisor about the incident, he asked her to advise the manager on shift when she was menstruating so she could be re-assigned.

The investigator was unable to confirm either conversation. The resource staff denied having broached the subject with the woman. And the supervisor denied having asked for the information. He said he simply offered to have her report to a female manager and be assigned to other duties, should she want to respect Aboriginal beliefs.

Faced with contradictory statements and no witnesses, the investigator had to conclude there was no evidence to support the complainant's allegation that CSC had tried to collect information about her menses. There could well have been a misunderstanding; her supervisor's somewhat ambiguous response may have exacerbated the situation. It is obvious that any female employee would regard discussion of her menstrual cycle as a private matter and potentially offensive.

Following the Office's investigation (and an internal investigation by the psychiatric centre) the centre issued a standing order advising staff about Aboriginal Offender Programs. The last item, entitled "Special Gifts of Woman Within Aboriginal Spiritual Beliefs" states:

In order to show respect for and work with Aboriginal people, individual involvement and assignment of duties should be on a voluntary basis, where possible.

The centre's executive director confirmed that female staff are not (and never have been) required to advise supervisors or anyone else about their menstrual cycle.

The Commissioner concluded that there was no evidence to substantiate the complaint.

Securing the tax phone line

Occasionally callers do not wait for an improper disclosure but call to alert privacy staff to a potential problem. One case concerned Revenue Canada's automated Tax Information Phone Service (TIPS) which taxpayers can call for basic information about their return or refund.

The complainant, an employer, was concerned that he, and presumably other employers, could call the TIPS line and get employees' tax details because they had the gate-keeping information— employees' social insurance numbers and dates of birth. The employer was prescient; another complainant had his identification stolen and subsequently used to obtain information from TIPS.

The investigator, armed only with a SIN and month and year of birth, called the TIPS number. She was able to confirm that an individual receives quarterly GST refunds and when the refund would be mailed, the individual's RRSP deduction limit for the filing year, and the amount of income tax refund owing.

Clearly the TIPS gate-keeping measures were inadequate and more stringent protections were needed.

Revenue Canada was reluctant to consider changes that would make the system more difficult for taxpayers to operate; TIPS is a convenient and cost-effective way to answer taxpayers' most common questions— it handled more than two million last year.

Revenue Canada rejected the Office's suggestion to assign taxpayers a personal identification number (PIN). It was too impractical and expensive— issuing PINs to every taxpayer would cost over $4,500,000 in mailing costs alone. Several other options for a third piece of identification were considered and rejected because the identifier was too easy to guess or was not collected in the tax database.

The final proposal resolves the issue. TIPS callers will now be asked to provide their "total income" from line 150 of their tax return. Other callers would be unlikely to have this detail and it would be hard to guess or steal.

Government shares tax, income and social benefit details

Another complaint underscores the need for Canadians to understand that the federal government may disclose their information without their consent in a number of circumstances set out in the Privacy Act. While the Act controls federal government disclosures of personal information, it does not prevent departments from fulfilling their legal mandates nor shield individuals who are less than frank on their tax returns.

The widow of a Canadian war veteran complained that Revenue Canada disclosed her interest income to Income Security Programs which reduced her Old Age Security Spouse Allowance and Guaranteed Income Supplement. Income Security, in turn, gave the information to Veterans Affairs Canada which cancelled her Foreign War Disability Pension.

The investigator confirmed the allegations were substantially correct. Income Security Programs did not contest the woman's claim. It routinely verifies Old Age Security applicants' income with Revenue Canada, and it had disclosed the interest information to Veterans Affairs. Both departments demonstrated that the disclosures are authorized by law, and so comply with the Privacy Act which allows government institutions to disclose personal information if authorized by another law or regulation.

In this case, Revenue Canada's disclosure to Income Security Programs is authorized by section 241 of the Income Tax Act, and Income Security Programs' disclosure to Veterans Affairs by section 33 of the Old Age Security Act.

The Commissioner considered the complaint not well-founded.

A Nova Scotia man discovered why he was being stopped and sent for further questioning each time he crossed the Canada-U.S. border— his name was on the new Customs' Primary Automated Lookout System.

The lookout system includes names of individuals who have violated (or are suspected of violating) one of several statutes that Customs enforces at Canadian borders; for example, immigration, firearms and agriculture laws and regulations. Claiming that Revenue Canada improperly collected the information, he complained to the Commissioner.

Custom's lookout system shares selected information with the Police Information Retrieval System (PIRS), an RCMP data base containing information about events, subjects, vehicles and property. The RCMP system is available to other federal departments. Apparently the complainant had been implicated in an internal griculture Canada inquiry into allegations that staff were making personal use of departmental vehicles. Agriculture Canada put this information onto PIRS; whenever Customs officers queried his name at border-crossing points, the system showed a "hit". Believing there was an enforcement lookout for the man, they sent him for "secondary examination".

Since Customs officers were merely responding to information Agriculture Canada put on PIRS, the focus of the investigation shifted to Agriculture. The investigator found that the new Customs lookout system had simply outpaced the programming of PIRS which could no longer distinguish between enforcement information (which Customs needed) and non-enforcement information, which it did not.

To prevent future "hits" on the complainant, Agriculture Canada removed his information from PIRS. It will also stop entering non-enforcement information on the system and remove any that now exists. This should prevent other individuals being confronted with the same problem.

Inquiries

The Office handled 9217 inquiries during the year, an increase of 529 from the previous year.

Although two officers are assigned full-time to answering inquiries, the workload means that virtually all staff answer the public's questions. Staff provide details on the Privacy Act, the complaints process, basic information on privacy issues not in the Office's jurisdiction, and— where necessary— referrals to other government agencies and the private sector. Inquiries staff also do a preliminary assessment to determine whether the problem is within the Commissioner's jurisdiction and can be investigated. If so, they act as first level of intake for a complaint.

The Visa Gold Card application

More than 100 calls were prompted by a new Royal Bank Visa Gold application asking clients to allow the bank to use their Social Insurance Numbers (SINs) for a wide range of other services. The Income Tax Act requires customers to provide their SINs to financial institutions for interest statements. However, it also forbids financial institutions from using SINs for other purposes without the customer's consent. Unfortunately Royal Bank's request for consent is so broad that it constitutes a virtual waiver of the protection set out in the Income Tax Act. It reads:

If I have ever given you my social insurance number, you may treat it as Information and use it as an aid to identify me with credit bureaux and other parties.

Even if I am no longer your client or this Agreement terminates, you may keep Information in your records and use it for the purpose noted above.

The Commissioner discussed these blanket waivers in a recent appearance before the Senate Banking Committee which reviews the financial industry. Privacy of customers' records is one of the issues the committee is examining, following changes to legislation governing banks, trust and insurance companies.

Putting personal data on the highway

The hype (and confusion) surrounding the information highway led to many callers wanting the Office's advice on how better to protect themselves in view of the lack of legal protection in the private sector. Staff can only offer general advice on transmitting any personal data by interactive networks:

• assume the system is not secure unless the carrier can prove to the contrary— don't transmit any personal information you're not prepared to have anyone know;
• don't give out bank card numbers and financial information unless the system encrypts the information;
• ask the operators of user groups how they store and use the personal details you supply to identify yourself as a legitimate user; are they secure?

There were almost a 1000 calls about private companies posting employees' overtime payments, SINs, home addresses and other personal information on bulletin boards. This may be insensitive but it is not against any law (with the possible exception of Quebec which has private sector privacy protection). Employees are advised to try to resolve the matter with human resources staff or with their union.

Several callers complained that they were unable to access their medical or psychological files; these were referred to the Royal College of Physicians and Surgeons.

The table illustrates the growth in inquiries handled.

Top Ten Departments by Complaints Received

Completed Complaints by Grounds and Results

Complaints Completed by Grounds

Origin of Completed Investigations

Completed Complaints by Department and Result

Monitoring Compliance

The impact of federal government restructuring took affect with a vengeance this year. Following on the heels of the June 1993 re-organization (reported last year) came Program Review— a fundamental re-examination of every federal program and activity (including more than 400 agencies, boards and commissions), then the February 1995 budget. The result was closure of 73 agencies, streamlining 47 others and announced staff cuts of 45,000 employees--20,000 by the summer of 1996.

Departmental staff who process personal information applications did not escape the cuts. But the workload had not diminished; it is simply spread among those who are left. The effect was predictable. Unable to meet the statutory deadline of 30 days to reply, departmental staff saw their application backlog mounting and a steady increase in delay complaints to the Privacy Commissioner. These delays are a factor in the Office's mounting complaint load.

The scale of the changes left departments scrambling to redesign or integrate many informatics systems, move client and employee files to new homes, and decide how to store or dispose of personal records that no longer had a home.

Reorganization also made following up earlier audits much more complex; recommendations that applied to old work units now had to be explained to managers who had inherited the programs (or lost them in the shuffle). For example, the Office of the Comptroller General, audited in 1992, merged with the Treasury Board Secretariat. TB and privacy staff had difficulty tracing files, and decisions concerning personal information that had been transferred.

Moving to a portfolio system

The Office has had to reduce its dependence on routine audits to assess government compliance— the workload is simply beyond the four staff available for the task. Staff are now assigned as portfolio leaders to develop an understanding of the agencies' business and programs and to operate as a first line contact for government staff seeking advice. This more active stance should help prevent privacy problems in a department and even develop solutions government-wide.

With the new portfolio system in place, the Commissioner wrote to all deputy heads outlining the Office's new approach and offering its services. The offer was taken up with a vengeance. Portfolio leaders met and briefed privacy coordinators representing more than 80 federal agencies, as well as holding information sessions for more than 400 employees, senior executives, technical experts, correctional staff and representatives of a private company working on a major re-engineering project.

Responding to the requests proved a tall order for staff who received a constant stream of calls to explain the Act and clarify policy and its application in various situations.

Managers sometimes show little interest in privacy until they discover its impact on staff relations, informatics systems design and holdings, client and employee personal information, and information sharing projects with other departments, governments or the private sector. Once they understand the implications, they are only too glad to seek advice and forestall problems.

Two examples dealt with during the year illustrate the advantage of examining issues government-wide; disposing of surplus (particularly computer) assets, and sharing personal information with other agencies and governments.

Disposing of surplus assets

The saga of sloppy disposal of surplus assets continues. The 1992-93 report told of a former office employee buying a surplus file cabinet and finding hundreds of file cards documenting individuals' lab tests. Lightning struck again this year. The office bought a safe from a Crown Assets Distribution Centre and discovered several RCMP documents, including secret contingency plans and performance appraisals of senior RCMP members.

In October, a man found used computer diskettes containing confidential information about a GST registrants in a file cabinet bought at a government surplus sale. These are just the federal government incidents in a litany of disclosures involving discarded cabinets, old computers and second-hand diskettes reported in the media.

Pinning down responsibility for ensuring surplus cabinets, computers and diskettes are empty has not been easy. There has been a good deal of buck-passing. Getting concrete action to solve the problem has demanded the cooperation of Treasury Board, Crown Assets, the RCMP and departments themselves. The Office has pressed the major players steadily and now has an agreement.

Who does what

But first, here is how the responsibilities break down. Crown Assets is usually (but not always) the final gate before surplus material goes to market. However, it does not have enough staff to verify that all surplus goods have been emptied of sensitive information. That responsibility remains with the original owners. Frequently Crown Assets does not even see surplus desks or filing cabinets, serving simply as a clearing house to direct interested buyers to departments with available material.

The RCMP Security Engineering Section opens surplus safes, restores the combination to the factory setting and returns them to Crown Assets, which assumes they are clean and makes no further check.

In addition, six departments are participating in a pilot project to dispose of their own surplus through trade-ins and interdepartmental transfers, without notifying Crown Assets.

Finally, obsolete computers are sent to the Computers for Schools Program run by Industry Canada. Last year the program reported that about 95 per cent of all donated computers contained data and programs, despite government directives to clean computer disks. This year the news is better; 35 to 45 per cent of all donated federal computers were clean. Progress indeed but plenty of room for improvement— the remaining 55 to 65 per cent still represents a lot of government data.

Now the agreement:

• Crown Assets will amend the form on which federal institutions list sale items to require they certify the assets have been cleared of any sensitive or classified material. This is to be done for the July 1995 printing.
• Crown Assets will inform client departments about the change in flyers or newsletters, flag the changes to all distribution centres across Canada and amend its Customer Manual.
• Once the pilot electronic bulletin board system for government materiel managers is operational, it will include a permanent message reminding anyone trading or exchanging surplus assets to ensure they have been emptied of any sensitive information.
• The RCMP has sent bulletins to all departments describing an RCMP-approved utility which wipes all data from computers' hard drives. The RCMP can only keep reminding staff that the hard drives of old computers should be completely erased.
• Treasury Board Secretariat will write to all assistant deputy ministers asking them to ensure their departments have procedures in place to prevent any unauthorized disclosures of classified or designated information, including improper disclosures through the disposal of surplus assets.
• Both the Board and Crown Assets agreed to publicize the issue through publications distributed to federal government material managers.

The agreement will not necessarily spell the end of these careless disclosures. However, it should at least ensure that government agencies put the necessary safeguards in place and alert their employees to the dangers of improperly disposing of surplus assets.

The federal government now needs to make similar efforts to ensure data cannot be retrieved from computer hard drives, tapes and diskettes which are damaged beyond repair. Sending hard disks to the local dump is not the answer; anyone with computer knowledge can extract some of the information. These media must also be purged of data or destroyed in such a way that they information cannot be retrieved.

Sharing personal information--agreements and "arrangements"

This year marked the Office's first attempt to maximize its use of its minimal audit resources by taking a "systemic" approach? reviewing one aspect of government handling of personal information across all agencies. The issue is sharing client information with other programs or organizations.

Knowing what personal information government shares, how, and with whom are fundamental to both individual citizens' privacy rights and to the Commissioner's effective oversight. Although the Privacy Act prevents government from using personal information for purposes other than for which it was collected (section 7), it does set out a number of lawful disclosures (section 8).

One of these allows a federal government agency to enter "an agreement or arrangement" to share information with the another government (or an organization of governments) to administer a law or carry out a lawful investigation.

Treasury Board has published guidelines on information sharing agreements but not on what constitutes "an arrangement". And government departments are not required to notify the Privacy Commissioner when entering an agreement— as they are when conducting a data match.

Early in 1995, the Office surveyed all 110 institutions subject to the Privacy Act to determine how much formal and informal sharing and data matching of personal information was taking place. The four-part questionnaire asked respondents to list all data matches and sharing agreements or arrangements both inside and outside the organization— 93 responded.

The study revealed that 47 do not share personal data inside or outside the organization, two share internally, 17 share with outside organizations but not internally, 27 share both inside and outside, and 18 reported data matches.

The second phase of the study will verify the data and examine selected agreements and arrangements. The Office will also develop guidelines and be better prepared to advise federal institutions on sharing information next year.

Data matching

Data matching is the technical process governments often use to share information. Essentially data matching compares information about individuals from different sources to make decisions about their benefits or services. Once conducted by sharing computer tapes, increasingly the trend is to allow other users— either other parts of the organization or other governments— direct access to on line data bases.

A 1989 government policy requires government agencies to conduct detailed assessments of proposed data matches, and to notify the Privacy Commissioner. However, existing matches continue unreported; there is no mechanism to allow the Commissioner to gauge the scope of federal government data matching.

The Office reviews data match proposals against the following criteria:

• the information cannot be obtained by other methods;
• the collection relates directly to an operating program of the federal department;
• direct collection would be counterproductive;
• the information will be accurate, up-to-date and complete, and
• the benefits of the match clearly outweighs any subsequent invasion of privacy.

Three Human Resources programs

Three recent cases at Human Resources Development Canada (HRD) illustrate how personal information is shared among federal, provincial and municipal governments to control abuse of federal unemployment insurance and provincial and municipal social benefit programs.

Unemployment Insurance with Canada Pension Plan: HRD conducted a feasibility study to try to estimate losses from payments to individuals claiming both unemployment insurance and Canada Pension Plan disability benefits. (Anyone receiving CPP disability benefits is unable to work and therefore not entitled to unemployment insurance.) The study matched lists of those receiving benefits from both programs and estimated losses of more than $20 million a year.

Following the study, HRD determined it was both feasible and cost effective to match the two data bases regularly, and submitted its data match assessment to the Privacy Commissioner. It was clear from the assessment and discussions with HRD staff that the benefits from the data match clearly outweighed any invasion of privacy. Clients sign a consent to verify the information on the application forms.

Workers' Compensation with Unemployment Insurance: A second HRD study targeted individuals who were receiving benefits from both the Ontario Workers' Compensation Board and the Unemployment Insurance Program. This study also identified potential losses of over $20 million a year from overpayments. Following its assessment, Office staff concluded that the benefits clearly outweighed the invasion of privacy.

The third case was not a data match but changes an existing information sharing procedure. Although not required to, HRD chose to consult the Office to forestall any problems.

Ontario social service with Unemployment Insurance: The change allows municipal social services staff direct access by dedicated computer terminals to limited personal data on HRD's unemployment insurance data base. This allows them to confirm that an applicant for social service benefits has applied for unemployment insurance. Provincial social assistance programs provide benefits to the needy to bridge the mandatory three-week waiting period for UI (and possibly two to three weeks to process the application). Applicants must sign an undertaking to repay any overlapping UI payments to social services.

Allowing social services staff direct access frees HRD staff from responding to numerous calls from social service staff, saves social services staff time and spares the applicant from travelling between two offices.

Notifying the Commissioner

Reviewing public interest disclosures

Overall, the number of disclosure notices rose slightly; 56 compared to 48 last year. Some departments are beginning to use the disclosure provisions systematically. One of these is Correctional Service Canada which was responsible for 22 of the 56 disclosures reviewed this year.

The vast majority of CSC's disclosures resulted from media requests under the Access to Information Act for internal reports on inmate escapes or violent incidents in penitentiaries. These reports usually contain personal information about inmates, victims and staff, and often discuss the factors determining the penitentiary in which the inmate is confined and the conditions of parole.

Mounting public concern about sentencing and parole, particularly of dangerous offenders, is pressuring CSC to disclose all the factors it and the National Parole Board weigh in making these decisions. And whenever an incident occurs (for example, an inmate committing murder while on day parole), CSC considers that the public has a right to information which might have been a factor in the incident. Often this leads to disclosing a lot of sensitive personal information. Occasionally, in an effort to be open and accountable, the institution reaches too far.

However, one lesson learned long ago is that privacy exemptions cannot be self-serving. CSC and NPB must not--and do not--exempt information that is critical of its or its employees' decisions or actions under the guise of protecting their privacy.

The disclosure provisions require a delicate balancing act. "Public interest" is more than public curiosity. The institution must demonstrate how this interest outweighs an individuals' privacy rights. Even justified disclosures demand careful examination.

Investigating incidents

Portfolio managers also investigated ten incidents leading to possible loss, theft or improper disclosure of personal information.

Regular readers may note that most of past years' incidents appear to originate with a handful of institutions: Correctional Services Canada, the National Parole Board, Veterans Affairs Canada and Revenue Canada. This year is no exception.

This does not mean other departments' information management practices are so superior that they never lose, compromise or have personal information stolen. In fact, these organizations are among the few which take seriously their responsibility to advise the Commissioner that personal information may have been compromised. There is a positive side to notifying the Commissioner; it gives program staff an opportunity to enlist the Office's help in correcting— and ultimately preventing— a recurrence.

CSC accounted for six of the 10 incident investigations opened by this Office in the year under review. All were caused by improperly handled personal information.

Woman's name & address to inmate

In one case, CSC wrote to a woman who was seeking information about a family member. Staff mistakenly put the letter in an envelope addressed to an inmate who is serving sentence for violent crimes against women in a penitentiary near the woman's home.

Although the inmate will not be released for several years, privacy staff were concerned that the disclosure could seriously jeopardize the woman's safety.

CSC readily admitted its mistake. At the Office's urging, a CSC employee visited the woman to explain what had happened and to advise her about the situation. Apparently she was not unduly concerned and did not want CSC to take any further action. CSC will change its mailing procedures to prevent this happening again.

SINs on envelopes

One incident led to a number of complaints; Revenue Canada mailed a special tax guide to more than 700,000 taxpayers with their social insurance numbers (SIN) printed on the mailing label.

The Office learned of the problem first from a journalist, then from several callers who received the package. The faulty labels had been fixed to special guides sent to taxpayers who reported rental income on last year's income tax returns, and to northern residents. The SIN (which is personal information) would have been visible to anyone handling the guide prior to delivery. Revenue Canada does not require the SIN to be displayed; the guides would reach the intended recipients without the SIN on the wrapper label.

The investigators determined that three separate processing failures caused the disclosure. First, staff should have removed the SIN from computer tapes used to prepare the mailing list before sending it to the printer. Second, Revenue Canada did not specify precisely what information was to appear on the labels. Third, staff should have checked label samples before allowing the mailing.

Revenue Canada recognizes its obligation to keep the SIN confidential. The deputy minister took a personal interest and the department quickly took steps to prevent a recurrence.

Audits and Follow-ups

This year staff completed two major audits at Immigration and Consumer and Corporate Affairs (both of which have since been incorporated into new departments), as well as smaller audits of the Canada Council and both the Pacific and Atlantic Pilotage Authorities. This finishes work at the four pilotage authorities.

Consumer and Corporate Affairs

The Office has wrapped up the one remaining issue from its 1993-94 audit of Consumer and Corporate Affairs Canada (CCA— now Industry Canada). In dispute were some of the contents of public records kept by the Superintendent of Bankruptcy.

The Bankruptcy and Insolvency Act (BAA) requires the Superintendent to maintain a public registry of all insolvency proceedings— bankruptcy, proposal and receivership. In addition, some branch employees now act as Official Receivers; in effect the branch becomes the equivalent of a court of record. This means that certain documents dealing with these cases are considered public in the same manner as those filed in a court.

Auditors reviewed a sampling of bankruptcy files and found that some contained a wide range of personal information, not only about the person declaring bankruptcy but also about family members and creditors. For example, some files included details about the person's use of alcohol or addiction to gambling; others, if the creditor was an individual, his or her home address, telephone number and Social Insurance Number. CCA staff could not define which elements of personal information were needed for the public register or records that are open for public inspection.

Establishing what constitutes a public record is critical since provisions of the Privacy Act dealing with an institution's use and disclosure of personal information (sections 7 and 8), do not apply to any "publicly available" information.

The Superintendent examined the files and established a precise definition of which elements of personal information constitute the public register, and which documents are open for public inspection. The remaining personal details would have the full protection of the Privacy Act.

The Commissioner accepted the new definition and recommended the Superintendent communicate them to all Bankruptcy staff and amend procedures to ensure that the remaining personal information in the files is protected.

Immigration

Privacy staff also completed auditing the Immigration Group of Employment and Immigration Canada during 1993-1994. However, they could not report the results and many outstanding issues owing to the upheaval surrounding its reorganization and integration into the new department of Citizenship and Immigration.

The mandate of the audit was to examine the department's handling of employees' and clients' personal information, including at a number of the department's approximately 900 regional offices. Immigration maintains personal information in 26 information banks on the 6.7 million individuals who have come to Canada since 1946.

To process and store this information, the department has two major informatics systems, the Field Operations Support System (FOSS) and the Computerized Immigration Processing System (CIPS), as well as many sub-systems. The CIPS data is accessible in Canadian Visa Offices around the world. The department's current reorganization should have a significant impact on management of its electronic records and files and Office staff are approached regularly for advice on the privacy implications.

Our auditors noted short-comings in some key areas, but given the "re-engineering" process, confined recommendations to the informatics systems. These recommendations include:

• incorporating a privacy alert in the software used to manage and transmit personal information between buildings;
• incorporating commands in the software used to extract and print personal information from databases which will add a privacy statement to each printed document informing users about the requirements of the Privacy Act;
• conducting a threat and risk assessment for all informatics systems and communications networks;
• arranging for SEIT (RCMP) inspection of informatics systems to assess the security status of these installations;
• establishing written criteria for granting access rights to the personal information contained in the informatics systems;
• incorporating an audit trail into informatics installations to allow managers to determine who has access to what personal information and for what purpose;
• adding an encryption feature to all portable computers to protect the personal information they contain in case of lost or theft.

The department invited the portfolio leader to provide advice on privacy issues to senior managers and staff during meetings on the re-engineering project. Next year's report will document the progress.

Pacific and Atlantic Pilotage Authorities

These two pilotage authorities provide pilots to guide ocean-going vessels in Canadian waters. (The Laurentian and Great Lakes authorities were audited in 1991.) Most pilots are hired on contract and the authorities collect and manage very little personal information. Their files include information about pilots' certificates, medical information, and reports about any accidents in which pilots may have been involved. Files may also contain information on ship crew misconduct.

Auditors recommended adding and amending bank descriptions in Info Source, improving notification to individuals about how the authorities' use the personal information, and revising contracting-out procedures to address privacy concerns. Both Authorities have agreed to institute corrective measures.

Canada Council

The Canada Council provides funds and grants to artists, art professionals and artistic organizations to foster and promote the arts in Canada. It also acts as Secretariat for the Canadian Commission for UNESCO. The council creates an average of 15-20,000 files each year, almost all of which contain personal information. The holdings include basic data on artists, assessors and juries, and records from competitions and grant applications, including comments by assessors and juries on individual candidates. There is also a complete range of employee data.

The audit was re-scheduled from the previous year at the council's request. Nevertheless, the council has undergone an extensive re-organization and down-sizing since the audit was conducted.

The most significant recommendations concern the need for written policies and procedures on managing personal information and for staff training about the requirements of the Privacy Act.

Despite recent council efforts, staff are still not conversant with the concept of "personal information"; this deficiency is reflected in the protection council staff give personal information.

The Commissioner made several recommendations concerning the council's collection, use, disclosure and protection of personal information. The council should

• develop a written policy and procedures on managing personal information and distribute them to staff and to external assessors who evaluate grant applications;
• review its collection procedures and forms and add a privacy rights statement to all those that do not yet have one;
• obtain explicit consent from individuals for using their names and other personal details for mailing lists;
• develop a written security policy and review practices which could compromise the confidentiality of its personal information holdings;
• have the RCMP Systems Audit and Evaluation Investigation Team assess the security of the computer facilities;
• include privacy clauses in future contracts with outside organizations, stipulating that any personal information collected or generated is the exclusive property of the council;
• issue specific instructions on secure disposal of computer equipment and storage media before discarding or selling;
• prevent staff of other organizations with whom it shares facilities from accessing personal information in data bases or storage media;
• instruct staff on the use of laptop computers outside council premises when the hard disk contains personal information, and equip each laptop with a security device, and
• complete an index of all personal information holdings and mailing lists and review the Info Source listing to ensure their accuracy.

Follow-ups

This year staff continued following up earlier audits to determine whether the organizations had implemented the Commissioner's recommendations. Portfolio leaders reviewed audits of 9 institutions and found 37 of 39 recommendations (95 per cent) had been completely implemented, a significantly higher proportion than last year's 77 per cent. One recommendation had been partially implemented. One other finding is no longer applicable.

Staff reviewed Telefilm Canada, Transportation Safety Board of Canada, Canadian International Trade Tribunal, Office of the Chief Electoral Officer, Canada Deposit Insurance Corporation, Veterans Affairs Canada, Veterans Appeal Board, Bureau of Pensions Advocates and the Office of the Comptroller General.

The organizations have responded to all recommendations about increasing staff awareness. One had also developed a policy concerning the secure transmission of personal information by fax. Another dedicated a new printer to its human resources unit, placing it in a secure area to prevent other staff from seeing personnel information.

Approximately half of the organizations reviewed need to change their retention and disposal practices to comply with the Privacy Act. All but one of these have submitted retention and disposal schedules for National Archives approval. One department conducts random spot checks to ensure that no sensitive material is sent for recycling.

Auditors often find that the information bank listings in Info Source are inadequate or non-existent. This year was no exception. Recommendations were made to all organizations except the Transportation Safety Board to edit, add or amend their listings. The organizations have complied.

Keeping Info Source listings accurate and up-to-date is key to individuals exercising their access and correction rights. Incomplete or inaccurate listings mean the government is not meeting a fundamental obligation under the Privacy Act--to spell out what information it collects and how the data is used and disclosed.

Office of the Chief Electoral Officer

In November 1994, the Office completed follow-up of its 1992 audit of the Office of the Chief Electoral Officer (Elections Canada). Elections Canada organizes federal elections and referenda and compiles the federal electors list. Elections Canada has acted on 10 of the 11 recommendations contained in the report, including both administrative changes and amendments to the Canada Elections Act.

The one outstanding recommendation concerns RCMP review of Elections Canada's EDP system security. Although it has put additional EDP controls in place, its systems have yet to be reviewed by the Security Evaluation and Inspection Team to ensure they conform to accepted security practices. Elections Canada assured the Commissioner that the review would occur in the near future. System security is critical given Elections Canada's project to develop a permanent voters' list.

The permanent voters' register

The idea of a permanent voters register was first discussed in 1988. It would replace the costly and time-consuming door-to-door enumeration, problems exacerbated by urban Canadians' growing concern with providing information to strangers at the door.

Given the obvious privacy concerns with a permanent electronic register, the Commissioner accepted Elections Canada's invitation to participate in a working group studying the feasibility of a register to be used in all federal, provincial and municipal elections. Privacy staff would provide advice on such privacy pitfalls as whether the information would be collected from other electronic databases— and how, who would have access to the register, its security and the accuracy and completeness of the data.

Corporate Management

The Information and Privacy Commissioners share premises and administrative services for economy and efficiency but operate independently under their separate statutory authorities. Corporate Management provides centralized administrative services to avoid duplicating effort and to realize cost savings to the government. The services include finance, personnel, information technology advice and support, and general administration (including records management, security, procurement, library, reception and management services).

The Branch is a frugal operation with 14 staff (who perform a variety of tasks) and a budget accounting for just 15 per cent of the overall OIPC budget. While the Branch will continue to improve productivity, it is at that precarious line between being lean and what the Privacy Commissioner has described as "fiscal anorexia".

Resource information

The Offices' combined budget for the 1994-95 fiscal year was $6,696,000, a decrease of $123,000 over 1993-94. Actual expenditures for the 1994-95 period were $6,522,356 of which, personnel costs of $5,300,465 and professional and special services expenditures of $584,559 accounted for more that 90 per cent of all expenditures. The remaining $637,332 covered all other expenditures including postage, telecommunications service, office equipment and supplies.

Expenditure details are reflected in figure 1 (resources by organization/activity) and figure 2, (details by object of expenditure).

Figure 1: 1994-95 Resources by Organization/activity

HUMAN RESOURCES (FULL-TIME EQUIVALENTS)

Information 31(37%)
Administration 15(18%)
Privacy 38(45%)

FINANCIAL RESOURCES ($000)

Information 2674(41%)
Administration 949(15%)
Privacy 2899(44%)

Figure 2: Details by Object of Expenditure

Organization Chart