[Back to Table of Contents][Part Two][Part Three]

Annual Report to Parliament 2000-2001

Part One-Report on the Privacy Act

Introduction

The Privacy Act protects individuals' privacy with respect to personal information held by federal government institutions.

The Act, which has been in force since 1983, governs how federal institutions collect, use, disclose and dispose of personal information, and gives people rights to access and request corrections to their personal information. It also sets out my duties, responsibilities and mandate.

As Privacy Commissioner, I receive and investigate complaints from individuals who believe their rights under the Act have been violated. I also can initiate a complaint and investigation myself, in any situation where there are reasonable grounds to believe the Act has been violated.

First and foremost, I am an ombudsman, and whenever possible, complaints are resolved through mediation and negotiation. But I also have broad powers of investigation under the Act. As Privacy Commissioner I can subpoena witnesses and compel testimony and enter premises to obtain documents and conduct interviews. Obstructing one of my investigations is an offence under the Act. Although the Act does not include the power to order compliance with the Privacy Act, I can, however, recommend changes to the way government institutions handle personal information, based on my investigation findings.

As well, as Privacy Commissioner, I have a mandate to conduct periodic audits of federal institutions to determine their compliance with the Privacy Act, and again, on the basis of my findings I can recommend changes.

The Act requires me to submit an Annual Report to Parliament on the activities of my Office in the previous fiscal year. This current report covers the period from April 1, 2000, to March 31, 2001.

Investigations

My Investigations and Inquiries Branch investigates individuals' complaints under section 29 of the Privacy Act (and under section 11 of the Personal Information Protection and Electronic Documents Act, which I'll talk about later in the report).

Through these investigations, I determine whether individuals' privacy rights have been violated or whether they've been properly accorded access to their personal information. Where people's privacy rights have been violated, I look for ways to provide redress for them, and prevent violations from happening again.

I have authority under the Act to administer oaths, receive evidence, and enter premises where appropriate. I can also examine or obtain copies of records found in any premises.

To date, all complaints under the Privacy Act have been resolved without our having to use these formal investigative powers, because voluntary co-operation with investigations has been forthcoming.

The Branch also responds to thousands of inquiries from the general public who contact my Office for advice and assistance on all sorts of privacy-related matters.

Complaints under the Privacy Act

Between April 1, 2000, and March 31, 2001, we received a total of 1,713 complaints under the Privacy Act. That's an increase of almost 10 per cent over the previous year. The type of complaints we received conformed to the established pattern: 60 per cent of them concerned either denial of access to personal information or issues of collection, use, disclosure, and disposal of personal information, and the remaining 40 per cent concerned failure to respect time limits, where federal organizations had not responded to a request for disclosure of personal information within the 30-day timeframe set out in the Act.

My staff closed 1,542 investigations, an increase of 10 per cent over the previous year. Of the cases closed, 339 dealt with issues of collection, use, disclosure, or disposal, while 630 dealt with access matters and 573 with time limits. These complaints were concluded as follows:

Complaints about departments taking longer than they should to respond to access requests are always troubling-justice delayed is justice denied, and the time limits are in the Act for a good reason.

Several federal government institutions stand out for particularly often failing to meet the prescribed time frames when responding to individuals' requests for access to their personal information. These are the Correctional Service of Canada, the Department of National Defence, the Canada Customs and Revenue Agency, and Human Resources Development Canada.

I consider it of great importance that all government departments and agencies faithfully meet the time limit requirements set out in the Privacy Act. Respecting the lawful rights of Canadians is mandatory, not optional. There simply is no excuse for an entity of the Government of Canada to be breaking a law of Canada, and I intend to keep emphasizing this point.

Correctional Service of Canada

In the fall of 2000, in view of the number of time-limit complaints filed against the Correctional Service of Canada, I instructed my staff to address the matter with senior CSC officials. In February 2001, the Commissioner of Corrections agreed to implement measures to eliminate the backlog of requests in her department.

Those measures resulted in an improvement in the Correctional Service's handling of access complaints. In March 2001 the department had 1,684 active access requests in process, of which only about 20 per cent had been responded to within the prescribed time frame. By August 31, 2001, after an infusion of additional staff and overtime, the department managed to reduce the number of open requests to 501. Nearly 60 per cent of those were responded to within the prescribed time, and 30 per cent were overdue by 30 days or less.

There is no question that this is an improvement, and in July I congratulated the Commissioner of Corrections for her department's achievement. The Correctional Service is continuing to work to reduce the number of outstanding requests and improve its response time. But while I am encouraged by these developments, they are not cause for euphoria. Nothing less would be acceptable.

Department of National Defence

Staff of my office began addressing the issue of timeliness with officials of the Department of National Defence in late 1999. At that time the department had approximately 2,100 outstanding access requests. The great majority of these were not processed within the prescribed time limit. Under pressure from my officials, the department agreed to implement measures such as hiring additional staff, making overtime available, and restructuring its internal procedures and organization.

These efforts have made some difference. As of November 2001, the department had reduced the number of outstanding access requests to 279. Of these, 136, not quite half, were not processed within the prescribed time limits.

Those numbers reflect an improvement, but the situation is still unacceptable. I recognize that, for the most part, the requests concern large files of information pertaining to things like police investigations, Boards of Inquiry, or harassment complaints. Such complaints are difficult to process. But that is a challenge, not an excuse.

Canada Customs and Revenue Agency

This agency has had significant problems responding to access requests in a timely fashion. Staff of my office met with representatives of the agency in early 2000, just as they had done with the Department of National Defence. The agency, just as National Defence had done, agreed to take measures, such as reorganization and hiring new staff, to improve the situation.

In the two fiscal years preceding this one, my office received 81 complaints of failure to respect time limits in one year and 127 in the next. Almost all (95 per cent in one year, 99 per cent in the next) were determined to be well-founded.

This fiscal year, the office received only 61 time limit complaints, and of those, 51 were well-founded.

Although they are better than the previous two years, these figures remain high. Again, the delays probably reflect the complexity of complaints about personal information in tax files, but further improvement is needed.

Human Resources Development Canada

We received 80 complaints against Human Resources Development Canada about failure to respect time limits. Of those, 47-nearly 60 per cent-concerned access to personal information in the Longitudinal Labour Force File, the "super file" on Canadians that was dismantled last year because of privacy concerns. That was an exceptional situation, given the amount of attention the file received in the media and in Parliament, and the great volume of access requests the department had to deal with. If those exceptional circumstances are subtracted, we are left with 33 complaints about delays in responding to access requests. That number is still too high. But given the number of requests that the department receives in any year, and given the size of this department, the number is small enough to suggest that a bit of reorganization and extra work should suffice to eliminate it. The department needs to do so.

My Office will continue to monitor time-related issues and keep the pressure on for continual improvement.

Definitions under the Privacy Act

Not Well-founded:
A finding that a complaint is not well-founded means that the investigation uncovered no evidence to lead me to conclude that the government institution violated the complainant's rights under the Privacy Act.

Well-founded:
A finding that a complaint is well-founded means that the government institution failed to respect the Privacy Act rights of an individual. This would also be my finding in a situation where the government institution refuses to grant access to personal information, despite my recommendation that it be released. In such a case, my next step would be to seek a review by the Federal Court of Canada.

Well-founded/Resolved:
I will find a complaint to be well-founded/resolved when the allegations are substantiated by the investigation and the government institution has agreed to take corrective measures to rectify the problem.

Resolved:
Resolved is a formal finding that reflects my role as an ombudsman. It's for those complaints where "well-founded" would be too harsh to fit what essentially is a miscommunication or misunderstanding. It means that my Office, after a full and thorough investigation, has helped negotiate a solution that satisfies all the parties.

Settled during the Course of the Investigation:
This is not a formal finding but an acceptable means to dispose of a complaint when the investigation is completed, and the complainant is satisfied with the efforts of my Office and doesn't wish to pursue the issue any further. The complainant retains the right to request a formal finding. When that happens, the investigator re-opens the file, and submits a formal report, and I report the findings in a letter to the complainant.

Discontinued:
This means that the investigation was terminated before all the allegations were fully investigated. A case may be discontinued for any number of reasons-for instance, the complainant may no longer be interested in pursuing the matter or cannot be located to provide additional information critical to reaching a conclusion. I don't issue any formal finding in discontinued complaints.

Summary of Select Cases under the Privacy Act

Personal information found in DND dumpster

This case involved files full of personal information found in a trash bin outside an armoury. The files contained the personal information of dozens of Department of National Defence (DND) employees, including their names, home addresses and telephone numbers, dates of birth, medical and dental information, security-screening forms, employment histories, next-of-kin notification forms, performance assessments, and much more.

This information, if disclosed, could have resulted in real harm, and certainly substantial personal and professional embarrassment.

The person who found the files, an army reservist, reported his discovery to senior officers, but no action was taken. He was able to retrieve what he described as a small percentage of the files before the garbage bin was emptied, as usual, at the local dump. He gave the files to my Office and filed a complaint alleging that his personal information had been disposed of in an improper fashion.

My investigation established that an office was being moved to another floor and, in preparation, an order had been given to dispose of anything not needed in the new location. The office held parallel or "shadow files" outside the room where official DND files were kept. Some of the information in these shadow files was a duplicate of official files, some was not. The files were in plain folders without the departmental logo. As they didn't look important from the outside, no one thought to look inside them, and they were simply thrown out as trash.

Mixed in with these plain folders were a number of official DND files that included Candidate Progress Reports detailed personal information.

Officials at DND reacted quickly, assuring my Office it would implement measures to eliminate the possibility of another occurrence of this nature. The department also agreed to reintegrate information found in the retrieved files into official departmental files.

While the use of "shadow files" does not contravene the Privacy Act, I'm very concerned about it. My Office repeatedly finds personal information held in such files throughout federal government departments. Often, the information is not disclosed to individuals seeking access under the Privacy Act because it is not maintained in the "official record."

An issue that came up during the course of the investigation was the Treasury Board of Canada guideline on the disposal of personal information.

This guideline describes three levels of personal information. The top level is personal information that, if compromised, "would cause extremely grave injury." Below that is a level that would cause "serious injury" if the information were compromised. The guideline recommends shredding as the method of destroying personal information at these levels.

Below that is what it calls personal information of "low" sensitivity. It defines this as personal information as that which, if compromised, would "cause injury."

According to the guideline, personal information of this type can be torn in half and disposed of in regular garbage containers.

I object strenuously to this guideline and its casual provisions for disposal of information that, by its own admission, could cause injury. I don't accept the distinction it makes between "injury" and "serious injury." Where privacy is concerned, any injury is serious. When personal information of any kind is to be destroyed, it should be shredded.

DND is not the only federal institution following this guideline. My discussions with DND security officials on this matter are continuing.

Personal information destroyed prematurely by HRDC

My investigation into this complaint found Human Resources Development Canada (HRDC) in violation of both the Privacy Act and its own Policy Manual.

An Employment Insurance claimant complained to me that his ability to obtain all the information he needed to file an appeal had been hampered by HRDC's destruction of the audiotape of the original hearing into his case by the Board of Referees.

HRDC's Policy Manual stated that such tapes were to be "kept for one year or until such time as the case has been heard by (the Office of) the Umpire, the Federal Court or the Supreme Court, as well, for any re-hearings of the Board of Referees, Umpires, etc." The complainant had been granted two Board of Referees hearings and had appeared before three Umpires (Federal Court judges), but had not exhausted all levels of appeal and was prepared to take the matter to Federal Court and the Supreme Court. Thus, in accordance with HRDC's own policy, the tape should not have been destroyed.

In addition, the Privacy Act and Privacy Regulations require government institutions to keep personal information used for an administrative purpose for a period of at least two years, to allow an individual an opportunity to access it.

As a result of my investigation, HRDC agreed to amend its Policy Manual to stipulate a two-year retention for audiotapes of its Board of Referees hearings. It also amended the manual to ensure that staff were aware of the requirements to keep the personal information for two years beyond hearings at every level up to and including the Supreme Court. An instruction was sent out to staff and the Appeals Division issued an amendment to the Policy Manual.

Concerns regarding release of information about groups by Statistics Canada

This complaint raised the interesting issue of "group privacy," which illustrates the need for caution when releasing information about identifiable groups. While disclosures of this kind may not identify any specific individual, they can still have an impact on personal privacy, because information about the group can diminish the privacy of every individual member of the group.

In this instance, a man who had received a series of telephone solicitations from brokerage firms filed a complaint against Statistics Canada, alleging that it had disclosed a sufficient amount of his personal information, obtained from the Canada Customs and Revenue Agency, to enable a research firm to determine his annual income.

The investigation revealed that the information sold by Statistics Canada to the research firm was in fact obtained from the 1991 Census, rather than from income tax records, as the complainant had alleged. And although the information did apply to a specific geographic area, it was not organized by postal code, as the complainant believed it to be. Nor was any of the information about identifiable individuals or personal information as defined in the Privacy Act.

In short, Statistics Canada did not contravene the Privacy Act. But the complaint did raise an important question about the privacy of members of identifiable groups.

Census products and services, even those based on information gathered from a 20 per cent random sample of the population, can provide a fairly accurate and detailed portrait of the characteristics of the population in a given geographic area. Research companies can and do combine information obtained from Statistics Canada with information obtained from other sources, such as telephone directories and consumer surveys, to compile profiles of specific areas.

When they can identify a relatively homogenous group in a specific geographic area, marketing companies can target individuals in that group, soliciting for everything from financial services to letters from charities.

The potential for damage goes well beyond simple annoyance. Consider the possible effect of a statistical study of a small neighborhood that has a high rate of mental health problems, for example, or a study of an identifiable group that has a high rate of HIV infection.

I have raised this with Statistics Canada. It says that while it makes every effort to ensure that individuals can't be identified in any of its statistical releases, it has established a working group to determine what measures it could take to address·issues related to group privacy. It has indicated its willingness to explore this further with my staff. I look forward to further discussions with Statistics Canada on this matter.

New electronic system at National Defence compromised privacy of thousands

Failure to consider the privacy implications of a new electronic information system led to a situation in which any employee of the Department of National Defence (DND) could access personal information on thousands of military personnel. The situation could have been avoided if a few simple safeguards had been put in place.

This case provides a classic example of how easily privacy can be compromised by a well-intentioned attempt at more efficient management.

DND wanted to give managers a tool that would allow them to manage their staff more effectively. However, the project officers neglected to consult the department's privacy co-ordinator to ensure the system respected the requirements of the Privacy Act.

As a result, virtually any DND employee could visit the human resources section of the department's internal computer network and read or download detailed personal information about members of the Canadian Forces. This included date and place of birth, home address, marital status, the names and dates of birth of dependents, and results of linguistic testing.

Following the intervention by my Office, DND agreed to take corrective action to end this unjustified disclosure. It transferred the information to a site accessible by password only, with passwords distributed on a strict "need-to-know" basis.

DND also posted an electronic message on the human resources site asking users to destroy any information taken from the old site. I was concerned that this message might not reach all those who may have extracted or downloaded personal information from the file. I asked DND to take an additional corrective measure to trace users. The Assistant Deputy Minister, Finance and Corporate Services, sent a memorandum to all senior managers in National Defence asking them to warn all employees to destroy any personal information originating from the original human resources site.

It's clear that in this case DND contravened the provisions on the use and disclosure of personal information set out in sections 7 and 8 of the Privacy Act, and violated the employees' fundamental right to have their personal information protected. Therefore, I concluded that this complaint was well-founded. Given that DND took satisfactory corrective measures to respect the requirements of the Privacy Act, I considered the complaint to be resolved.

Health Canada does not know if it disclosed personal information

An individual complained that a Health Canada doctor inappropriately disclosed his psychiatric assessment to his federal government employer, the Canada Customs and Revenue Agency (CCRA). CCRA had referred the man for a fitness-to-work assessment, which Health Canada does on behalf of federal government departments and agencies. To support his allegation, the complainant referred to a fax cover page indicating that Health Canada had sent an 11-page document to a human resources advisor at CCRA in October 1998.

A check of Health Canada's file confirmed that its doctor had indeed faxed 11 pages to CCRA at that time. However, the complainant's psychiatric evaluation was not found in CCRA's files. It was impossible to determine exactly what Health Canada did send to CCRA or even to confirm whether the fax had reached its intended destination.

If the investigation had confirmed that the evaluation had been sent to the employer, I would then have been required to examine the circumstances of the disclosure. My review would have focused on whether the disclosure met the requirements of the Privacy Act.

In this particular case, it is my view that there is a serious records management problem when a federal government department responsible for protecting sensitive medical information cannot determine what documents it sent by fax or whether they were sent to the appropriate individual.

To avoid a recurrence of this problem, Health Canada sent a note to directors of all regional offices reminding them that medical reports should not normally be delivered by fax. In those cases where fax transmission is necessary, it outlined a protocol to be followed in order to keep personal information secure. This protocol includes:

• Identifying the name and telephone number of the recipient;
• Listing contents of the fax on the cover page;
• Contacting the recipient by telephone prior to transmitting the fax to ensure the person is there to receive the document personally; and
• Asking the recipient to confirm receipt of the information in writing.

These principles should be followed by any institution that sends personal information over a non-secure fax line.

Information on vessel licences used to assess sales tax

A man on the West Coast bought a small boat and acquired a small vessel licence issued by Canada Customs officers. He complained that the Canada Customs and Revenue Agency shared the information on his licence application with the British Columbia Ministry of Finance, which proceeded to collect provincial sales tax on the purchase price of the boat. The complainant said he doubted many new boat owners realized their personal information would be disclosed in this way.

While small vessel licences are issued by customs officers, they do so on behalf of the Department of Fisheries and Oceans, which administers Small Vessels Regulations under the Canada Shipping Act.

The Department of Fisheries and Oceans' authority to disclose personal information without consent in this way is provided under an agreement between the Governments of Canada and British Columbia, which allows for access, use, and disclosure of personal information to administer or enforce any law. This is consistent with the provisions of the Privacy Act, and I concluded that this was a permitted disclosure of personal information without consent.

I did, however, have concerns about the transparency of the collection of the information. The Department of Fisheries and Oceans readily agreed to amend its licence application to advise boat purchasers that their information would be sent to provinces for assessment of sales taxes. The department has also agreed to review the agreement with a view to making it more specific.

No standard for disclosure of personal information to doctors

An individual complained that his employer, the Canada Customs and Revenue Agency, disclosed an excessive amount of his personal information to a psychiatrist.

The individual had presented a claim to the Québec Commission de la santé et sécurité au travail for stress-related leave allegedly resulting from the negative work environment created by the employer. The employer contested the employee's claim and requested the opinion of a psychiatrist through Health Canada.

The employer sent a letter to the psychiatrist explaining its concerns about the employee and attached a performance evaluation, which the employee had refused to sign, to support its contentions. The complainant alleged the negative appraisal should not}have been disclosed and characterized the disclosure as an attempt by the employer to influence the psychiatrist's opinion.

Health Canada's Protocol for Special Fitness to Work Evaluation states that the employer must give the doctor a description of the problems and the reasons it has requested an evaluation, but says nothing on the issue of sending documents.

The Treasury Board of Canada's Policy on Occupational Safety and Health does not address what type of documentation should be provided to doctors. Nor does Info Source, a directory of federal personal information holdings and the key reference tool in place to assist members of the public in exercising their rights under the Privacy Act. Info Source does not address the use of appraisals for the purpose of sick leave or medical opinions. That means federal managers have no directives when it comes to sending documents to doctors performing evaluations on employees. This is not an acceptable situation.

Pursuant to discussions between my Office and representatives of Treasury Board and Health Canada, Treasury Board agreed to revise its Occupational Health Evaluation Standard to include the following directives:

• The employer is required to send the doctor only an explanatory letter.
• The employer must consult the doctor before sending supporting documentation.
• The employer must avoid using and disclosing personal information concerning third parties when submitting its reasons for requesting an evaluation.
• Where circumstances allow, the employer must meet with the employee to explain the reason for the medical opinion, inform the employee what information will be provided to the doctor and why, in order to ensure the transparency of the process.
• The employer must not use or disclose undocumented information such as hearsay or evaluative comments.

Treasury Board has also indicated that it will include this information in bulletins it prepares for the access to information and privacy co-ordinators in federal organizations subject to the Privacy Act.

Personal information of refugee claimant disclosed to another claimant

An immigration lawyer complained that the Immigration and Refugee Board disclosed personal information about one refugee claimant to another applicant. What makes this case interesting is that the lawyer was independently representing both clients. The Board gave him the woman's Personal Information Form, which she completed at the port of entry to support her refugee claim, in his role as counsel to the former spouse during his refugee hearing process. The Board notified the lawyer that the woman's form could be used during the spouse's hearing.

The two individuals had arrived at the port of entry together and indicated at that time that they were common-law spouses. The Board argued that the details each claimed were relevant in assessing not only his or her own credibility, but also the credibility of the other. It maintained that the use of this personal information in both claims was consistent with the original purpose of collecting the information, which was to assess their claims for refugee status. I agreed and considered the complaint to be not well-founded.

Nonetheless, this case raises important issues. The lawyer expressed concerns for women, particularly abused women, whose refugee claims are joined with those of other family members. This could mean a woman having to disclose sensitive, intimate details of abuse before a room full of relatives or former relatives. This could be a difficult, traumatic experience, one that would invade the privacy of an individual.

The Board's process does in fact provide for such circumstances. Claimants can make application to have joined claims treated separately. I was pleased to learn that in this case, the Board withdrew the woman's Personal Information Form when the lawyer objected.

The Personal Information Form will also be improved by adding a paragraph that clearly alerts refugee claimants to the possible use of their personal information in another hearing.

Selection boards and hand-written notes

The Privacy Act is clear: personal information used by a federal government institution to make an administrative decision about an individual is accessible to that individual, and must be kept for a minimum of two years.

This provision applies to the handwritten notes that members of selection boards take during employment interviews. Members of a selection board ponder their notes in reaching a decision on a particular individual's suitability for a position. That means that the notes have been used for an administrative purpose, and therefore must be retained for at least two years. This issue was addressed in several reports tabled by my predecessor.

In this instance, an unsuccessful applicant for a job with Fisheries and Oceans Canada, in order to prepare an appeal of the competition, requested access to the original, handwritten notes taken by selection board members. The department responded to ¨he request by providing a copy of a typed summary report of its board members notes, and said it had destroyed the original notes upon completion of the competition.

After some deliberation, the department accepted my view that it had a responsibility to maintain its original notes on file. Department officials said there was no deliberate intent to deny access to personal information and assured me that policies have been amended to ensure that the original notes of selection board members are kept on staffing files.

Personal e-mail not necessarily private

A Department of National Defence (DND) employee questioned whether his employer was entitled to use and disclose his private e-mail messages in the investigation of a harassment complaint when those e-mail messages had been collected by improper means.

Someone had gained access to the complainant's computer and downloaded many of his e-mail messages. These messages contained personal information about the complainant, as well as derogatory comments about colleagues. The messages were printed and left on the desks of several employees. After reading the e-mails, these employees gave copies to their supervisor and lodged harassment complaints against the complainant.

The employer hired a consultant to investigate the harassment complaints and gave a copy of the e-mail messages to the consultant as evidence in his investigation. (A separate investigation failed to establish who had downloaded the messages.)

When the complainant learned that his e-mails had been provided to the consultant he complained to my Office, asserting that they had been improperly obtained in the first place, and that the employer had no right to use them in the investigation of the harassment complaints or to disclose them to the consultant.

This case raised important and timely issues. Although this was not a criminal investigation, it nonetheless raised a question about the use in an investigation of evidence that has been obtained unfairly, unethically, and possibly illegally.

That leads us to the whole question of workplace surveillance, and particularly the privacy of e-mail, a very hot topic in the last couple of years. As I mentioned earlier in this report, employers often claim that surveillance of e-mails is justified by the need to protect their employees against harassment.

I firmly believe that employers have to provide this protection. But I don't accept that protection necessarily translates into wholesale surveillance of e-mails or computer use. We accept that there are stringent limits on an employer's right to read employees' mail, eavesdrop on their telephone calls or rifle through their desk drawers. I think we have to look closely at e-mail communications to see what principles should apply there as well.

The Treasury Board of Canada's Policy on the Use of Electronic Networks incorporates the principle that the Charter of Rights and Freedoms protects employee privacy. It stipulates that institutions must put in place their own specific policy on the use of electronic networks. It further states that the policy should identify authorized and acceptable uses of the networks. The Treasury Board policy does not prevent monitoring if certain conditions apply.

DND's specific policy on the Management of Electronic Mail states that there should be no expectation of privacy on the part of employees when using e-mail systems. I find this deeply troubling. The law on privacy has developed around the notion of the "reasonable expectation"; one of the ways that the courts determine whether privacy has been violated has been to determine first whether a person could have reasonably expected privacy in a particular place and time. But I don't agree that it follows from this that an employee's, or anyone's, privacy can be simply eradicated by telling them not to expect any. While management has the right and the responsibility to manage, it has to operate within limits, including respect for fundamental rights. It is not for management alone to determine whether an expectation of privacy is reasonable.

In this specific case, I concluded that the employer had not contravened any provisions of the Privacy Act, and perhaps more importantly that it had not behaved unreasonably in the circumstances. I believe the complainant's expectation of privacy was lost once the e-mail messages had fallen into the hands of colleagues. The rights or wrongs of how that happened were not at issue, as I found no evidence that either the complainant's manager or his supervisor was responsible for monitoring or improperly gaining access to his e-mail.

The employer was authorized to hire a consultant to conduct the harassment investigation, and I concluded that it was authorized to provide the e-mails to the consultant. The e-mails were the basis of the complaints, so the employer could not reasonably have refused to provide them.

Lastly, I advised the complainant that employees who use the employer's electronic network in a manner that contravenes a departmental policy-in this case, to write derogatory messages about co-workers that could be construed as harassment-should not expect their managers to ignore the inappropriate behaviour when it is brought to their attention. Again, how it was brought to their attention was not the issue. Had there been evidence that managers or supervisors had been responsible for gaining access to the complainant's e-mail, I might well have viewed the matter differently.

Incidents under the Privacy Act

An incident is a matter that has been brought to my attention and warrants an inquiry but is not a formal complaint under the Privacy Act. During the period covered by this report, we looked into 21 incidents that came to my attention through various sources. The majority of these dealt with the inadvertent disclosures of personal information or perceived breaches of the Privacy Act. The following are some of the more striking examples.

Opening mail - right to privacy must be first consideration

In March 2001, it was revealed that Canada Customs officials were opening mail coming into Canada and passing the information on to Citizenship and Immigration Canada. The sanctity of personal correspondence is a cornerstone of privacy, and Canadians do not expect that their letters sent through the mail will be opened by anyone except the intended recipient. We don't live in one of those countries where mail is routinely opened by the authorities-or so we thought. I immediately looked into this matter.

Many people were surprised to learn that the opening of mail by Customs is lawful, if the mail weighs over 30 grams. If it is less than 30 grams, the Customs Act prohibits opening it without either a search warrant or the addressee's consent. But as long as the mail, whether a package or personal correspondence, weighs more than 30 grams, Customs inspectors may open it if they believe that it contains contraband or false documents. Any mail considered suspicious from an immigration standpoint is turned over to immigration officials for examination and further action.

It is of great concern to me that this arbitrary and artificial weight distinction allows the opening of, not just packages, but private correspondence. Correspondence should be treated with the greatest possible respect for privacy. The weight of the correspondence should not make a difference. Sending a letter by any form of "priority post" requires placing it in a large and comparatively heavy outer envelope that by itself can often put the item in the "over 30 grams" category. A letter should not be considered any less "mail," and less deserving of privacy protection, simply because the sender wanted to ensure its timely and safe arrival, or for that matter because it's lengthy and therefore heavier.

I made these concerns known to the Minister of Citizenship and Immigration, and made the following recommendations

• Where Customs officials detect, in an envelope weighing more than 30 grams, a solid object that appears to be something other than correspondence, opening it would fall within the normal activities of the Customs process.
• Where no solid object is detected and an envelope is detained only on suspicion that it may contain fraudulent documents, Customs should pass the mail to Immigration unopened. Immigration could then obtain a warrant to open it if it had reasonable grounds to do so.

The Minister of Citizenship and Immigration rejected the recommendations, citing the apparent difficulty of detecting some solid objects like laminated cards in envelopes, and the great volume of mail passing through a postal facility. Essentially, she argued that implementing the recommendations would demand greatly increased resources.

Since I could not reach a consensus with the Minister of Citizenship and Immigration, I turned my attention to the Minister responsible for the Canada Customs and Revenue Agency. My discussions with the Minister of National Revenue produced a resolution to this matter. Customs has modified its approach and now disregards the weight of courier-type envelopes in determining whether a mailing weighs more or less than 30 grams. Letters within such courier packages are treated as personal mail and not opened if the letters themselves are under 30 grams. I very much appreciate the National Revenue Minister's assistance in resolving this matter.

Health Canada and its list of would-be marijuana users

Health Canada contacted my Office after receiving a call from a newspaper reporter who said she had obtained the names of 128 individuals who had applied to the department for legal exemptions to obtain marijuana for medical purposes.

My investigation focused on two issues: determining the names on the list so that those people could be advised that their personal information had been compromised, and finding out how the list came into the reporter's possession.

The reporter refused to give the list to either my Office or Health Canada. As more than 160 people had applied for the marijuana exemption by the time this matter came to light, there was no way to determine the identities of the 128 people on the reporter's list. Health Canada had no choice but to notify all of the individuals that it had failed to safeguard their personal information.

In order to identify the source of the leak, Health Canada carried out an internal investigation. It found that internal security was not adequate. Virtually all employees in the Office of Controlled Substances had access to the names. Recommendations to improve security were implemented promptly. Now, access to the database is on a need-to-know basis and restricted through the use of passwords.

As for the list itself, following interventions by my Office, the reporter agreed to destroy it. The list has not been published and the reporter confirmed that no copies had been made.

I was satisfied with the security measures implemented by Health Canada and its efforts to sensitize employees to their obligations under the Privacy Act.

Completed firearms licence applications stolen from Justice Canada

As part of its efforts to promote firearms registration, Justice Canada's Canadian Firearms Centre runs Operation Outreach, a program to reach the owners of firearms in their own communities. Using storefront operations in malls and vans that travel to small towns and country fairs, staff help people fill out firearms licence applications and mail the completed forms to a licence-processing centre. In British Columbia, one of the vans was stolen. The van was recovered, but a box containing some 20 completed applications that had been in the van was missing.

Following news reports of the incident, I asked that the circumstances of the theft be examined along with the efforts undertaken by the centre to identify and notify applicants whose forms were taken. Not only had personal information gone missing, but that information could be used by unscrupulous individuals to obtain firearms licences they might not be entitled to have.

The centre appealed through the media for individuals to come forward if they had completed an application in the days before the theft. Only two did. The hope remains that other applicants will contact the centre once they realize they have not yet received their licence. As a long-term safeguard, the centre has updated its policy to ensure that completed applications are mailed to the Firearms Centre at the end of each day. Although this incident remains unresolved, I am satisfied with the centre's efforts at damage control.

Concerns about biometric identification technology

Biometric technology, which identifies people by their physical characteristics, is of special interest to my Office. When the media reported that the RCMP was using face recognition software to monitor travellers at Toronto's Pearson Airport and identify criminals, I launched an investigation immediately.

As it turned out, the report was wrong. The RCMP is not using surveillance cameras with biometric software, although the software is in use in the RCMP detention area at the airport to analyze photos of individuals who have been arrested. A photo of the individual under arrest is taken with a digital camera and stored on the hard drive of a stand-alone computer. The software takes point-to-point measurements of facial bone structure and compares this digital portrait of the individual under arrest against those already in the system. As bone structure cannot be altered as readily as hair or eye colour, the system may be able to spot individuals using various identities. This was a sophisticated version of the traditional mug shots used by law enforcement.

In this instance, I was satisfied that biometric software was not being used as the media reports suggested and no privacy concerns were identified.

Taxpayer received someone else's refund

A reporter for the Calgary Herald was handed a pretty good story when she received another person's income tax assessment and refund cheque in the same envelope as her own.

An investigation by my Office determined that a mechanical error at Public Works and Government Services Canada's Winnipeg Production Centre was to blame. The Winnipeg Production Centre prints and mails taxpayer assessments and cheques on behalf of the Canada Customs and Revenue Agency.

The plant is fully automated to print, cut, and fold assessments and cheques. The documents are put into envelopes, which are then sealed. The sealed envelopes pass under an optical detector that shines light through them and warns if an envelope is too thick.

This year however, due to changes in the grade of paper used and the number of pages of the form, the envelopes are thicker. The optical detector could not be adapted to accommodate these changes, and was inoperable.

Only one incident of this type has been reported. To help ensure the incident is not repeated, quality control at the plant has been tightened and there is increased random sampling of the final product.

I was satisfied by the steps Public Works took to prevent future errors of this type and by its offer of an apology to the individual involved.

Public Interest Disclosures

Under paragraph 8(2)(m) of the Privacy Act, the head of a government department may disclose personal information without the individual's consent where there is a compelling public interest that outweighs the invasion of the individual's privacy or where the disclosure would benefit the individual. A "compelling public interest" often pertains to public safety and security, or to accountability to the public for decisions taken by departments.

Heads of departments are required under subsection 8(5) of the Act to provide me with written notice of any use of this provision. Ideally, this is done prior to the disclosure of the information. If appropriate, I may notify the individual concerned about the release of the information. In all cases, I attempt to ensure that only the minimum amount of personal information needed to achieve the public interest objective is disclosed.

During the period covered by this annual report, I received notice of 53 of these disclosures.

This past year, most notifications came from the RCMP, National Defence, Correctional Service of Canada, and the National Parole Board.

The RCMP made a number of public interest disclosures in relation to the release of sexual offenders into the community at the end of their custodial sentences. In most cases, the individuals' offences had involved children, and they were assessed as being at a high-risk to re-offend. Some had been deemed to be dangerous sexual offenders. Based on concern for citizens in the communities in which the offenders were released, the RCMP deemed the public disclosure of personal information to outweigh the harm caused by the invasion of the offenders' privacy.

On a number of occasions, National Defence disclosed information related to deaths on duty of Canadian Forces members. The information was released to the member's next of kin on compassionate grounds in the hope that a better understanding of the circumstances surrounding the death of their relative would help them achieve some level of closure.

Correctional Service of Canada and the National Parole Board publicly disclosed a number of Board of Inquiry reports dealing with issues such as escapes from federal institutions, breaches of statutory release requirements, and inmates' commission of further offences, including murder, while on release. These reports included personal information. Most of the cases had received significant media coverage. The individuals had been re-incarcerated, but because of the media coverage and the public scrutiny, Correctional Service of Canada and the National Parole Board considered it to be in the public interest to disclose the reports. The public disclosures were seen as necessary for the public to understand the events surrounding the incidents and the actions taken to prevent recurrence.

Top Ten Departments by Complaints Received
April 1, 2000 to March 31, 2001

Completed Investigations and Results by Department
April 1, 2000 to March 31, 2001

Completed Investigations by Grounds and Results
April 1, 2000 to March 31, 2001

Origin of Completed Investigations
April 1, 2000 to March 31, 2001

Inquiries by type under Privacy Act
April 1, 2000 to March 31, 2001

Privacy Practices and Reviews

Introduction

Section 37 of the Privacy Act permits me to initiate compliance reviews, at random, of the personal information-handling practices of federal institutions. What this means is that I audit them, to verify whether they are complying with the principles for the collection, use, disclosure, protection, retention, and disposal of personal information set out in sections 4 to 8 of the Act.

The Office has been conducting compliance reviews under section 37 since 1984. I have expanded this function during the past year, setting up a Privacy Practices and Reviews Branch, to allow me to assess how well organizations are complying with the requirements set out in the Privacy Act and the Personal Information Protection and Electronic Documents Act. (The private sector legislation gives me similar powers of audit; my discussion of private sector audit activity is in Part Two of this report.)

As an ombudsman, I like privacy audits to be non-confrontational whenever possible. An audit, ideally, is a co-operative, constructive approach to dealing with issues before they become complaints. It's useful for organizations that want to improve their personal information-handling practices. Although I have the same powers with respect to audits that I do in investigations-to summon witnesses, administer oaths, and compel organizations to produce evidence-I would only resort to them if I didn't get voluntary co-operation.

My staff in the Privacy Practices and Reviews Branch, in addition to auditing and reviewing, works with federal organizations that are looking for a better understanding of compliance issues and the privacy implications of programs and practices. It's critical for government departments to fully explore how privacy can be protected before they go ahead with plans, however well intentioned, to cut costs or protect citizens. On request, my branch staff reviews new proposals for information management, such as data-matching initiatives, the creation of databases, and information-sharing arrangements with other organizations. This is another way to help ensure that the Canadians' privacy rights are respected.

In the next few pages I describe three key cases concerning the personal information-handling practices of federal institutions.

Personal documents not shredded-Golden West Document Shredding Inc.

I have spoken many times about the need to develop a "culture of privacy" within organizations, both public and private. Whenever I read a magazine article about privacy, look at a conference agenda, or review the latest survey on people's privacy concerns, the focus is almost always on the private sector. That focus is appropriate, but we should not lose sight of the enormous diversity of personal information that governments collect, use, and share. In fact, many of the most serious threats to privacy continue to come from governments.

Unlike businesses, governments have the power to demand personal information from their citizens. They collect information using the force of law. When a government agency or program needs personal information to carry out its mission, that information will be collected. Individuals have no choice in the matter.

As citizens, we must interact with government in order to participate in social programs, receive public assistance, and contribute to the public good through taxation regimes. In doing so, we entrust government with some of our most sensitive personal information. Whether applying for employment insurance, filing income taxes, registering firearms, or filling in census forms, individuals are not in a strong position to oppose the collection or use of their information.

So government must be particularly vigilant in maintaining the trust that citizens place in its ability to preserve the security and confidentiality of records that document individuals' lives and their identities as Canadian citizens.

The following finding represents a significant betrayal of that public trust, and provides a glaring demonstration of what can happen when cost and expediency are given precedence over privacy.

More than 30 federal departments and agencies had stored records at the Pacific Region Federal Records Centre of the National Archives of Canada. The centre was holding, literally, tonnes of highly sensitive personal information. The normal procedure is to destroy these records following a required retention period. A Vancouver Sun journalist informed us that a private sector company, hired to shred and recycle the records, was instead offering the material for sale to the highest bidder-intact, because whole paper brings a higher price than shredded paper on the recycling market.

Investigation revealed that between January and mid-July 1998, the National Archives had sent several hundred tonnes of material to Golden West Document Shredding, Inc. in Burnaby, B.C., for destruction. This was in addition to material Golden West had obtained directly from other federal government institutions. The following partial list catalogues some of the types of records involved and demonstrates the extent to which the privacy of Canadians may have been compromised:

• From Canada Customs and Revenue Agency, more than 22,000 boxes of material including tax returns, T4 slips, statements of investment income;
• From Human Resources Development Canada, claims for employment insurance benefits, employment counselling client files, applications for old age security and guaranteed income supplement;
• From Statistics Canada, census employment records, census interview records, surveys of employment and other surveys;
• From Public Works and Government Services Canada, employee pay records, cheque registers, payroll registers;
• From Citizenship and Immigration Canada, immigration case files.

If this information had fallen into the wrong hands, the consequences could have been disastrous for thousands of Canadian citizens. Detailed personal information, such as social insurance numbers, dates of birth, bank account numbers and home addresses, is a valuable commodity. In the proliferating crime known as identity theft, it is used by criminals to obtain credit cards, open bank accounts, redirect mail, rent vehicles, and even secure employment. Victims of identity theft often incur substantial financial losses, and must expend great efforts to restore their credit and reputation.

My staff found clear evidence that managers at both Public Works and the National Archives knew about the shredding company's serious financial, security, and technical problems before granting it security clearance to transport and shred classified federal paper waste. Moreover, the company that received the shredding contract was not even the same company that had made the original bid. The bid was submitted by "Golden West Document Shredding Inc.", a bankrupt company, and not "Golden West Document Shredding (1995) Inc.", which was awarded the contract. This inconsistency either went unnoticed or was ignored.

The Public Works security officer responsible for inspecting Golden West's facilities concluded that the company was barely meeting minimum requirements to obtain a facility security clearance. But he granted clearance after the manager of the National Archives Federal Records Centre assured him that National Archives would inspect the facility regularly and report any problems to Public Works.

Inspections, as it turned out, were insufficient to prevent the company from selling unshredded classified documents. In July 1998, during a surprise visit to the Golden West shredding facility, employees of Public Works and the National Archives found that approximately 95 tonnes of unshredded classified material had been sold to a paper-buying company, and was baled and prepared for shipment overseas and to the US for recycling.

The RCMP investigated and reported to Public Works, but the report was not made public, and my office was not informed of this alarming situation. Information we received from the RCMP during our investigation indicated that, before the material was seized at Golden West in July 1998, a recycling company had purchased four truckloads of government information. Two loads had been shipped via truck to the US and another two loads had been shipped overseas, one to South Korea and another to the People's Republic of China. The RCMP was not able to determine whether the material was shredded.

In my findings after investigation, I agreed with the conclusions of the RCMP: responsibility for this incident rested squarely on the shoulders of National Archives and Public Works. Both had failed to exercise proper care in selecting Golden West. Both had failed to carry out their responsibilities to protect the highly sensitive personal information of thousands of Canadians.

The contract with Golden West came about because National Archives had decided to discontinue its in-house disposal service for classified paper waste for government departments. That decision was made in an effort to cut costs. But it was made without paying serious attention to protecting privacy. Monetary savings cannot override the legal obligation to protect individuals' personal information. The National Archives, acting on behalf of other departments and agencies, was fully responsible for the security and confidentiality of all the information until the paper was rendered unreadable. Both the National Archives and Public Works (as the contracting authority) were obligated to ensure the contractor was disposing of the records properly.

The National Archives has a vital role to play in ensuring that classified government records are properly destroyed at the end of their life cycle. It must provide leadership in the setting of standards and practices for records and information management for the Government of Canada. Requiring departments to make their own arrangements for classified waste disposal substantially increases the risks. This incident never would have occurred had the National Archives continued to shred waste at the regional records centre or had federal employees monitored the destruction at all times.

From a risk management perspective, the best solution would be to re-establish on-site shredding of sensitive records by the National Archives. An alternative could be the use of private off-site shredding services, but only if they can guarantee adequate security measures, and only if the shredding is under constant supervision of Archives staff. I understand the substantial resource implications of these options for the National Archives, and I would be prepared to discuss any other equally effective proposals.

Based on the findings of this investigation, I have made a series of recommendations to the National Archives and Public Works, and have requested that they provide my office with a report on how these recommendations will be implemented. I have also asked that in the future they notify my office, without delay, of any accidental or improper disclosure of personal information.

In addition, I have brought my concerns about the security and confidentiality of personal information that is to be destroyed to the attention of the Treasury Board, which is responsible for setting the Government of Canada's Security Policy and ensuring that it is followed by departments. As a result, the Board agreed to carefully examine the recommendations in my report that relate to either the security policy or the particular standard on contract security in the context of the current review of the Security Policy of the Government of Canada with a view to reducing the likelihood of such an incident reoccurring.

Privacy concerns at Canadian Firearms Program

My Office has taken a keen interest in the Canadian Firearms Program since the mid-1990s-naturally, since the program involves the collection and use of large amounts of highly sensitive personal information. The Office identified a number of potential privacy concerns when the concept was first proposed, suggested several changes to protect privacy when the legislation was before Parliament, and provided further comment when the subsequent regulations were attached to the legislation. Not one of our suggestions was accepted.

My Office continues to receive numerous inquiries and complaints about this program, including some from Members of Parliament. My predecessor initiated a review in January 2000 of the personal information-handling practices of the program. That review has now been completed. Based on it, my chief privacy concerns about the program relate to two areas: access and correction rights, and the collection and use of personal information.

The right of access and correction is especially critical because inaccurate or unsubstantiated information in the Firearms Interest Police database, for example, can lead to delays, licence refusals, or unnecessary questioning of neighbours and acquaintances. (The Firearms Interest Police database was created in 1998 to meet the objective of section 5 of the Firearms Act with respect to ineligibility to hold a licence. More than 900 law enforcement agencies across Canada feed incident-reporting codes into the National Police Services Network, which then serve as flags in the database during the application-screening process.)

For individuals exercising their right of access to and correction of their personal information held by the Firearms Program, it's proving to be difficult and time consuming. The multi-jurisdictional nature of the program sometimes results in them having to go from one department or agency, or one level of government to another, to access their personal information.

An individual in a province such as Ontario, for example, where there is provincial and municipal privacy legislation, could be required to submit as many as three separate access requests in order to obtain the personal information related to one firearms licence application submitted at the federal level. The situation is worse for residents of Prince Edward Island, who do not yet have a legislated right of access to their personal information held at the provincial level.

With respect to the collection and use of personal information, my review revealed that the controls limiting access to the Police Information Retrieval System, for example, are inadequate. Firearms officers have access to more information than they need to make decisions about the eligibility of applicants. They also have access to personal information about other individuals, such as witnesses, acquaintances, and victims. These individuals are not applying for licences. The information about them would not normally be relevant to program requirements.

Another problem is that firearms officers rely on information collected from the Police Information Retrieval System database without verifying the accuracy of the information with the originating police agency. This is contrary both to established RCMP policies and to section 6(2) of the Privacy Act, which requires that personal information be accurate, up-to-date and complete. The review also revealed that some of the information being collected from police databases for the Firearms Interest Police system relates to incidents that do not qualify under section 5 of the Firearms Act or that are based on unsubstantiated information.

I also assessed the personal history questions on the firearms licence application form to determine if they are consistent with the Privacy Act's restrictions on the collection of personal information.

In my view, the Firearms Program has not provided a demonstrable need for all of the questions. I have concerns about the highly intrusive nature of these three questions:

• "19(d) During the past five years, have you threatened or attempted suicide, or have you been diagnosed or treated by a medical practitioner for: depression; alcohol, drug or substance abuse; behavioural problems; or emotional problems?
• 19(e) During the past five years, do you know if you have been reported to the police or social services for violence, threatened or attempted violence, or other conflict in your home or elsewhere?
• 19(f) During the past two years, have you experienced a divorce, a separation, a breakdown of a significant relationship, job loss or bankruptcy?"

I have recommended that questions 19(d) and 19(f) should be eliminated and that question 19(e) should be revised to eliminate the references to "other conflict" and "elsewhere" and to eliminate the ambiguity.

While my review also raised some issues relating to the disclosure of personal information and security measures, I found that the physical, personnel, and information technology security measures are appropriate to the information being protected. But the review revealed that the Firearms Program had not yet implemented policies, procedures and practices with respect to the retention and disposal of program records.

Based on this review, on August 29, 2001, I made 34 recommendations for corrective measures relating to the program's overall personal information management practices. While I have received positive comments from the Royal Canadian Mounted Police, I have yet to receive any response from the Department of Justice.

The review did not address issues that have arisen subsequent to the research and fieldwork that formed the basis of this review, including outsourcing issues and any international information-sharing agreements. In addition, this review did not cover the handling of personal information by the Canada Customs and Revenue Agency. Since January 1, 2001, the Canada Customs and Revenue Agency has been responsible for administering part of the Firearms Act, involved in customs declarations and the movement of firearms. At the time of my review, this part of the Act was not yet in force. We're currently looking into these aspects of the program.

New databank protocol in place following Longitudinal Labour Force File

Human Resources Development Canada (HRDC) dismantled its Longitudinal Labour Force File in May 2000, after an outpouring of public anger about it. Since then, HRDC has implemented a strict protocol for all future research projects by any of its offices.

The protocol applies to all policy analysis, research, and evaluation activities that require the linkage of separate databanks. It also applies to linking with external data, including activities with an external contractor. It also covers the use of unmasked personal identifiers for survey purposes, whether the survey is conducted by HRDC, a contractor, or Statistics Canada, and whether the source of the data is an internal (i.e., HRDC) or external databank.

Beyond the fact that HRDC will not carry out linkages except for policy analysis and research that are consistent with its legislated mandate, the main feature of the protocol is to seek a balance. It is guided by principles relating to the public interest, including confidentiality, transparency, an assessment of the public good and avoidance of potential harm to individuals and identifiable groups.

I am pleased to see that HRDC recognizes that linking data from separate databases is intrinsically intrusive of privacy. HRDC will only consider such undertakings where the benefits are clearly in the national public interest. Another requirement is that the objective of the project should not be detrimental to the individuals involved or to identifiable groups, in that it cannot be used to make administrative decisions about them.

The protocol also stipulates that the dissemination of information relating to database linkage will be done in accordance with the confidentiality provisions of the Human Resources Development Act, the Privacy Act, the Employment Insurance Act, the Income Tax Act, the Canada Pension Plan and the Old Age Security Act, and with disclosure criteria contained in agreements with the provinces, territories, and other government departments and agencies.

I'm also pleased to see that, among other safeguards, all links among databases will have to satisfy a prescribed review and approval process. This involves the submission of documented proposals to an internal expert committee, the Databank Review Committee, composed mainly of senior HRDC officials. This review process includes consultation with my Office on all such projects, as well as with external partners when the project requires the linkage of HRDC databases with external data. Finally, the recommendation of the Databank Review Committee is forwarded to the Deputy Minister of Human Resources Development, who is responsible for the approval of each project.

HRDC is currently working on a legal protection framework that will govern the future collection and use of data and information obtained from Canadians, to be used by HRDC for its specific research requirements. It will include penalties for misuse and will be done in a manner consistent with federal laws, policies, and procedures, and with the outcomes of any government review of the Privacy Act.

Since September 2000, we have provided comments to HRDC on more than a dozen submissions, including the Canada Out-of-Employment Panel Survey, Canada Student Loans Programs-Key Performance Measure, and the Employment Benefits Support Measures Program.

Overall, I am satisfied that, under its protocol for databank linkages and its proposed legal protection framework, HRDC has addressed the concerns that my Office expressed about the Longitudinal Labour Force File.

Reviews

Immigration and Refugee Board, and Canadian Nuclear Safety Commission

Reviews of personal information-handling practices under section 37 of the Privacy Act were initiated near the end of this fiscal year at the Immigration and Refugee Board and the Canadian Nuclear Safety Commission. These reviews include on-site visits in the National Capital Region and in selected regional offices across Canada. The reviews should be completed during the fiscal year of 2001-2002.

In the Courts

Introduction

My Legal Services Branch, headed by the General Counsel, provides me with specialized legal and strategic advice and litigation support with respect to the Privacy Act and the Personal Information Protection and Electronic Documents Act.

Section 41 of the Privacy Act allows an individual, following my investigation, to apply to the Federal Court for review of the decision of a government institution to refuse access to personal information. From the time the Privacy Act came into force in 1983 to March 31, 2001, 106 applications for review have been filed in the Federal Court. Six of these were filed in the past fiscal year.

Section 42 of the Privacy Act allows me, following completion of my investigation, to apply to the Federal Court for review of the decision of a government institution to refuse access to personal information, if I have the consent of the individual who requested the information. Three applications have been brought by previous Privacy Commissioners from 1984 to fiscal year end 2001.

Previous Commissioners and I have also intervened before the courts on a total of six occasions from 1984 to the present in applications brought by others, under either the Access to Information Act or the Privacy Act.

Recent Decisions

Privacy Commissioner v. Canada Labour Relations Board

This was an appeal by my predecessor from the decision of the Federal Court Trial Division. The case centred on notes taken by members of the Canada Labour Relations Board during the hearing of a complaint of a breach of a duty of fair representation. My predecessor argued that the notes, which contained personal information of the requestor, were under the control of the board and therefore subject to a right of access under the Privacy Act.

The appeal was heard on May 9, 2000, and the decision was delivered from the bench.

The Federal Court of Appeal held that the board members' notes were not "under the control" of the board for purposes of paragraph 12(1)(b) of the Privacy Act. The court stated: "These notes are being taken during the course of quasi-judicial proceedings, not by employees of the board, but by Governor in Council's appointees endowed with adjudicative functions which they must perform not as agent of the board, but independently of other members of the board including the chairperson of the board or a government institution. The principle of judicial independence and its corollary, the principle of adjudicative privilege, as applied to administrative tribunals, lie at the heart of the board's lack of control over the notes as a government institution."

My predecessor did not appeal this decision.

Information Commissioner of Canada (Appellant) v. Commissioner of the RCMP (Respondent) and Privacy Commissioner (Intervenor)

This case involved the balance between the Access to Information Act and the Privacy Act. A list of postings of four named RCMP officers had been requested under the Access to Information Act. The Commissioner of the RCMP refused to release the information, on the ground that it related to the employment history of these individuals and was therefore personal information as described in paragraph (b) of the definition of personal information in section 3 the Privacy Act. The Information Commissioner applied in court for a review of the refusal.

At issue was whether the information could be disclosed pursuant to paragraph (j) of the definition of "personal information" in section 3 of the Privacy Act, which says that information relating to the position or functions of government officers or employees is not personal information.

The Federal Court of Appeal held that the information in dispute was personal information to each officer and was not within the paragraph (j) exception to the definition of "personal information."

The court rejected the RCMP's argument that the exception in paragraph (j) only applies to the current position of a government employee (or to the last position held in the case of a former government employee). The court agreed with the Information Commissioner and myself that paragraph (j) can apply to past positions.

The court rejected the argument of the Information Commissioner that one should take an expansive view of the exception found in paragraph (j) to justify the release of the requested information. The court adopted my position, stating that the exception should be construed in a way that does not allow for the disclosure of an individual's "employment history."

The Information Commissioner has obtained leave to appeal this decision to the Supreme Court of Canada. I will seek to intervene in the appeal.

Ongoing cases

Traveller Declaration Forms (form E-311)

The following two cases concern the disclosure of personal information by the Canada Customs and Revenue Agency (CCRA) to the Canada Employment Insurance Commission for use in an investigative data match program. The personal information in question was taken from Traveller Declaration Forms (E-311 forms) presented to Customs by Canadian residents between 1994 and 1996. The purpose of the data match was to detect employment insurance beneficiaries receiving benefits while out of Canada. The Employment Insurance Act requires claimants to be available for work, and disentitles them from receiving benefits if they are absent from Canada.

Privacy Commissioner v. Attorney General of Canada

This is an appeal to the Supreme Court of Canada of a decision of the Federal Court of Appeal. The issues are whether the Federal Court of Appeal erred in finding that the disclosure of "personal information" by Customs to the Canada Employment Insurance Commission was authorized by section 8 of the Privacy Act and section 108 of the Customs Act, whether paragraph 108(1)(b) of the Customs Act provides the Minister with authority to disclose personal information to the Commission for use in an investigative data match program, and whether the Minister properly authorized the disclosure of personal information in the Traveller Declaration Forms to the Commission for use in an investigative data match program.

This was a special case stated for opinion of the Federal Court jointly brought by my predecessor and the Attorney General of Canada. My predecessor was successful before the Federal Court Trial Division but unsuccessful before the Federal Court of Appeal.

The decision of the Federal Court of Appeal was delivered on February 9, 2000, from the bench. The main conclusions are as follows:

• The data match is authorized by the Ancillary Memorandum of Understanding for data capture and release of customs information on travellers entered into on April 26, 1997 by Customs and the Canada Employment Insurance Commission. Paragraph 108(1)(b) of the Customs Act gives the Minister of Revenue the discretionary power to authorize the arrangement set out in the 1997 Ancillary Memorandum. An earlier authorization issued in 1991 by the Minister of Revenue under paragraph 108(1)(b) of the Customs Act was determined not to be relevant to the matter before the court.
• Paragraph 8(2)(b) of the Privacy Act is to be interpreted broadly. The court stated: "In this context, paragraph 8(2)(b) cannot but be interpreted as being a provision that enables Parliament to confer on any Minister (for example) through a given statute a wide discretion, both as to form and substance, with respect to the disclosure of information his department h`s collected, such discretion, of course, to be exercised in conformity with the purpose of the Privacy Act."
• These objectives were met because "the Minister satisfied herself that the disclosure sought by the Commission was for a permissible use and that no more information than that needed by the Commission would be disclosed." In addition, the 1997 Ancillary Memorandum included restrictions on the use of the information and its disclosure to third parties and other measures such as the establishment of an audit trail and provision for destruction of information.

The Charter Challenge

This is an appeal to the Supreme Court of Canada of a decision of the Federal Court of Appeal. The issues are:

• Whether CCRA's disclosure to the Canada Employment and Insurance Commission of personal information from an individual's Traveller Declaration Form, the use of this information in a data match program, and its subsequent use as evidence against the individual, contravenes the individual's right to be secure from unreasonable search or seizure under section 8 of the Charter;
• If so, whether the evidence should have been excluded under subsection 24(2) of the Charter; and
• Whether the provision in the Employment Insurance Act which disentitles the individual from receiving benefits while outside of Canada infringes the applicant's mobility rights under subsection 6(1) of the Charter.

The application for judicial review of the decision of the Office of the Umpire appointed under the Employment Insurance Act was dismissed by the Federal Court of Appeal. The Federal Court of Appeal, in a decision delivered February 9, 2000, found that there is no reasonable expectation of privacy for Canadians in information contained in E-311 forms such as to engage section 8 of the Charter (right to be secure against unreasonable search and seizure). The court also decided that paragraph 32(b) of the Unemployment Insurance Act (now 37(b) of the Employment Insurance Act: no entitlement to Employment Insurance benefits while outside Canada) did not go against the freedom of movement guarantee under subsection 6(1) of the Charter.

Status

The applications for leave to appeal to the Supreme Court of Canada in both these cases were granted on August 17, 2000. Both Notices of Appeal were filed and served on August 22, 2000.

Notice of the Constitutional Questions in the Charter Challenge case was served on the Attorneys General of all the provinces and territories as required by the Supreme Court of Canada Rules. The Attorneys General of Ontario, Manitoba and Québec intervened.

These cases were heard on November 7, 2001.

Clayton Charles Ruby v. Solicitor General

This is an appeal to the Supreme Court of Canada of a decision of the Federal Court of Appeal. The applicant was denied access to his personal information in banks maintained by the Canadian Security Intelligence Service. The Solicitor General refused to release the information the applicant had requested. An application for review of the refusals was dismissed by the Federal Court Trial Division. The matter was appealed to the Federal Court of Appeal, where the appeal was allowed in part and two matters were remitted back to the Trial Division for new determination.

Both the Federal Court Trial Division and Federal Court of Appeal considered the constitutionality of section 51 of the Privacy Act, which provides for the filing of information ex parte with the court and that hearings be in camera. Both courts found that the section 2(b) Charter infringement caused by section 51 of the Privacy Act is justified under section 1 of the Charter. The issues in the Supreme Court are:

Issues in Appeal

• Whether section 51 of the Privacy Act violates section 7 of the Charter; and if so, whether the violation is justified under section 1; and
• Whether the section 2(b) Charter infringement caused by section 51 of the Privacy Act is justified under section 1.

Issues in Cross-Appeal

• Whether the Federal Court of Appeal interpreted paragraph 22(1)(b) of the Privacy Act so narrowly that government institutions will not be able to adequately protect the names of sources of information including police informers; and
• Whether the Federal Court of Appeal failed to give adequate consideration to the implications of the "mosaic effect" and the necessity of interpreting the exempting provisions of the Privacy Act in such a manner as to preserve the government's ability to protect sources, investigative methods and techniques and the ability to effectively enforce the laws of Canada.

By decision dated June 8, 2000, the Federal Court of Appeal held that section 7 of the Charter was not engaged since the procedural safeguards in section 51 of the Privacy Act did not deprive individuals of their liberty interest. On section 2(b) of the Charter, the Federal Court of Appeal held that section 51 of the Privacy Act infringed the right to freedom of speech, but could be saved as a justifiable reasonable limit under section 1 of the Charter.

Another issue considered by the court was the proper interpretation of paragraph 22(1)(b) of the Privacy Act which permits a government institution to refuse access to personal information where the disclosure could reasonably be expected to be injurious to the enforcement of a law of Canada or a province or the conduct of lawful investigations. The Federal Court of Appeal rejected the argument of the Solicitor General and held that paragraph 22(1)(b) does not authorize a refusal to disclose simply because disclosure could have a chilling effect on the investigative process in general. The notion of injury in paragraph 22(1)(b) does not extend beyond injury to a specified investigation, either actual or to be undertaken.

Status

Mr. Ruby sought leave to appeal to the Supreme Court of Canada from the decision of the Federal Court of Appeal concerning the constitutionality of section 51 of the Privacy Act. The Solicitor General sought leave to cross-appeal from the decision of the Federal Court of Appeal regarding the interpretation of paragraph 22(1)(b) of the Privacy Act. Both applications for leave were granted by the Supreme Court of Canada on January 18, 2001. I applied for leave to intervene in the issue concerning paragraph 22(1)(b). I was granted leave to intervene on May 25, 2001. I will present arguments before the Supreme Court of Canada that differ from those of both parties.

Office of the Commissioner of Official Languages (Appellant) v. Robert Lavigne (Respondent)

This case is currently under appeal to the Supreme Court. Mr. Lavigne was refused access to his personal information contained in witness statements made in the course of an investigation conducted by the Office of the Commissioner of Official Languages. The Office based its refusal of access on the exemption in paragraph 22(1)(b) of the Privacy Act.

Mr. Lavigne applied to the Federal Court Trial Division under section 41 of the Privacy Act for review of the Office's refusal. The previous Privacy Commissioner and I intervened in support of Mr. Lavigne throughout this litigation. Our interventions have been successful before both the Federal Court Trial Division and the Federal Court of Appeal.

By decision delivered September 6, 2000, from the bench, the Federal Court of Appeal ordered the Office of the Commissioner of Official Languages to provide Mr. Lavigne with his personal information. The Federal Court of Appeal relied on two of its previous decisions, Rubin v. Canada (Minister of Transport) and Ruby v. Canada (Solicitor General), confirming that the paragraph 22(1)(b) exemption can only be invoked where there is evidence of injury to a specific investigation, the exemption cannot be invoked once an investigation has been completed, and one cannot refuse to disclose the requested information on the basis that to disclose would have a "chilling" effect on possible future investigations. The Federal Court of Appeal rejected the argument of the Office of the Commissioner of Official Languages that a different interpretation was justified in this case by the statutory mandate of the Commissioner of Official Languages.

The issues in the Supreme Court are whether the Court of Appeal erred in finding that the access provisions of the Privacy Act override the confidentiality provisions of the Official Languages Act and whether the decision of the Court of Appeal seriously compromises the Commissioner of Official Languages' ability to enforce the Official Languages Act.

Status

The Office of the Commissioner of Official Languages filed an application for leave to appeal to the Supreme Court of Canada. Leave to appeal was granted on April 19, 2001. The Supreme Court of Canada granted me leave to intervene in support of Mr. Lavigne on August 21, 2001. My submissions as an intervener will be filed in early December.

[Back to Table of Contents][Part Two][Part Three]