Office of the Privacy Commissioner of Canada

Reconstructing the Privacy Act

Assessing Current Privacy Issues
A one day seminar organized by Riley Information Services

February 21, 2007
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)


Introduction

I would like first to thank Tom Riley for bringing together the cast of privacy experts he has assembled today, and I also thank the members of the audience for spending this day reflecting on privacy and sharing ideas with colleagues. We need such opportunities to engage in a serious dialogue about this important right.

I am somewhat daunted by the title of my session – The Future of Privacy. The title seems to fall into the same category as a speech on “The Future of the Environment” – eminently important, but impossible to cover in 30 minutes. I am hoping that a speech about privacy can be a little bit more upbeat than one about the environment, but some days I am not so sure.

In fact, I am going to pursue a more modest goal today than looking at the future of privacy. Instead, I would like to examine one microcosm of privacy – where we in Canada should be heading with our federal Privacy Act.

Irritated spouses sometimes use an expression that strikes dread in the hearts of their errant partners – “We need to talk.” Well, when it comes to the Privacy Act, I am an irritated Privacy Commissioner, and I am saying to government, “We need to talk.” My irritation, I should make it clear, is not with this audience, but rather with a series of unmotivated governments that have not upheld their part of the bargain. My job as Privacy Commissioner is to oversee the Privacy Act. The job of government is to make sure that the Act is worth overseeing, by keeping it up to date and responsive to the needs of a changing society. But, successive governments have been all talk, and very little action.

Over the last quarter century, we have witnessed an enormous array of technological, political and social changes. Twenty-five years ago, for example, most of us didn’t even know what software was, and we had no idea of the misery that these bug-ridden products would eventually cause. I don’t recall many of the futuristic scenarios painted by science fiction writers even mentioning software problems, although the errant computer HAL in Stanley Kubrick’s 1968 film, “2001: A Space Odyssey” may be the exception.

Perhaps, in light of this array of changes, we should take comfort that some things remain constant. Unfortunately, I can take no comfort from the fact that the Privacy Act that is with us today is very much the same as the Act that came into force in 1983. Sometimes I think of the Act as being like one of those prehistoric sea creatures that fishermen occasionally drag up from the depths of the ocean – a relic of an earlier era that has somehow managed to survive, but that has faded into near-irrelevance.

The Privacy Act needs to change because the world is passing it by. Its noble beginnings and noble purpose have not saved it from decay. I would perhaps be less worried about the inadequacies of the Act if privacy had been included as a named right in the Charter of Rights, as it was in Quebec’s Charter of Human Rights and Freedoms. However, the Privacy Act alone is the de facto privacy standard for Canadians in their normal lives. The privacy rights that have been read into sections 7 and 8 of the Charter of Rights are of little use to them, since those rights have evolved primarily in the field of criminal law – and most Canadians, happily, are not criminals.

Even at its inception, the Privacy Act was hardly a powerful statement of privacy rights. It did incorporate the fair information principles set out in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and, unlike its counterpart American legislation, it also had the virtue of introducing an ombudsman, the Privacy Commissioner, to oversee the Act. But Canada’s Privacy Act can better be described as a law that brings order to how federal government institutions manage personal information rather than as a law that offers robust protection of privacy.

The limitations of the Act have become increasingly evident with the surge in technological innovation – cheap, affordable computing power and the development of digital databases. The Act’s weaknesses also became apparent as Parliament embraced more and more technological “solutions” to the issues confronting it – from data matching to increased surveillance of Canadians.

And then came the fallout from the events of September 11, 2001, and subsequent attacks in Madrid and London. Privacy very quickly became a second-order concern with many politicians and government agencies, driven by fear more than logic, and by the ready availability and aggressive marketing of surveillance technologies. I am not downplaying the threat that violence of this sort poses, but that threat does not need to, nor should it, compel us to abandon some of the most important rights of a democratic society.

Successive governments could perhaps be excused for not addressing the deficiencies of the Act if those deficiencies had just appeared very recently. But they are not recent. Just four years after the Act came into force, what was then the Commons Standing Committee on Justice and the Solicitor General issued a report entitled Open and Shut: Enhancing the Right to Know and the Right to Privacy. The report contained 100 recommendations, the majority of which related to improving the Privacy Act. That was in 1987. The report was unanimously supported by committee members. The government of the day committed to move on amendments by the fall of 1988. Twenty years after the report was released, it is notable for the almost complete failure of government to carry out its recommendations for legislative change. One of the few legislative recommendations that the government did respect was the extension of the Commissioner’s oversight powers to the private sector. This, as you know, came in the form of the Personal Information Protection and Electronic Documents Act.

Governments showed a consistent pattern of ignoring calls for reform of the Privacy Act after the Open and Shut report as well. Bruce Phillips, my predecessor during the 1990s, noted in his final annual report as Privacy Commissioner that Parliament had ignored numerous recommendations for Privacy Act reform that he had made during his term. He observed that Parliament had somehow managed to develop and enact PIPEDA, and that PIPEDA contained many features that were superior to the Privacy Act. This made it all the more incongruous that the Privacy Act was being so studiously ignored by successive governments.

Canadians have stronger privacy protections for personal information in the hands of the private sector than they do for that held by government. I suspect that most Canadians would be very surprised to learn this. Yet it is government that remains the greatest potential threat to our privacy.

The Open and Shut report was issued in 1987. Some of you may remember the work a decade later of the House of Commons Standing Committee on Human Rights and the Status of Persons with Disabilities. In 1997, after a lengthy study, the Committee issued its report, Privacy: Where Do We Draw the Line?. “One of the most common refrains we heard across the country,” the report stated, was, “We need a strong legislative framework – basic rules of the road and effective compliance measures – and we need it now.”1

If the federal government wants to lead the private sector by example, it has failed to do so with the Privacy Act. The weaker protections offered by the Privacy Act when compared to those in PIPEDA are all the more troubling because individuals have little choice about sharing information with government. The government, unlike the private sector, has the power to compel individuals to provide information to it (although, admittedly, individuals often are compelled as a practical matter to give personal information to the private sector in their daily lives). The government’s authority to compel citizens to provide their personal information has not been matched with accountability and oversight. Issues of proportionality and accountability in the collection, use and disclosure of personal information by government therefore deserve greater attention. But they have not received it. Simply put, government’s authority is disproportionate to its accountability for personal information under the Privacy Act.

PIPEDA and the Privacy Act

One of the many glaring deficiencies in the Privacy Act, when compared with PIPEDA, lies in the authority to collect personal information. There is no requirement under the Privacy Act to show that the collection of personal information by a government institution is in any way necessary or reasonable. Government institutions should only collect personal information that is reasonable and necessary for the particular purpose. They should specify the authority under which information is being collected, the uses to which it will be put, whether and with whom it may be shared, the consequences of not providing the information, and the right to make a complaint. Amending the Act in this way would bring it into line with the collection provisions of PIPEDA.

Under the present Privacy Act, information collected may be used for a use consistent with the purpose for which it was obtained. That is too broad a permission. Instead, a “reasonable and direct connection” test should be applied in the case of consistent use.

The Privacy Act is also inadequate in its treatment of a government institution’s duties when it discloses personal information without the consent of the individual to whom it relates. Wherever possible, there should be a corresponding duty on the institution to inform the individual about the disclosure.

Finally, a detailed review should be undertaken of the provisions in the Privacy Act allowing disclosure without consent. Although the provision in the Act dealing with disclosure requires consent as the default position, the subsequent exceptions are so broad as to make the original consent requirement almost meaningless.

I sometimes wonder if the focus that has been placed on PIPEDA over the past six years has served as a diversion from the need for Privacy Act reform.

Data Matching

Let’s look more closely at one issue – data matching. Data matching is a profoundly important concern, particularly since it is being touted as part of the solution for those promising greater security for Canadians. One’s head would need to be buried very deeply in the sand not to understand the dangers of uncontrolled data matches. We have seen the proposal in the United States for a program known as Terrorism Information Awareness that would first vacuum up the personal information held in private and public sector databases and then use this information to try to pick out suspicious patterns of behaviour. Ultimately, the US Congress did not fund the program, but it is almost certain to reappear in other guises.

In mid-January, The Economist magazine reported that the UK government was thinking of reforming “overzealous” data-protection rules to allow ministries to share information about citizens more freely. It is hard to conceive that at least some government officials in Canada would not be excited at the prospects for similar surveillance through databases in Canada.

If we turn to the Privacy Act for a little comfort that data matching – one of the central tools of a surveillance society – will not be allowed to run away on us, we will be profoundly disappointed. There is no provision in the Privacy Act dealing with this highly intrusive manipulation of personal information.

In 1987 – yes, 20 years ago – the Standing Committee on Justice and the Solicitor General unanimously recommended that the Privacy Act prohibit all but the most carefully circumscribed data matching, especially with respect to those matches involving the use of personal data from another government institution.

Ten years ago, the Commons Standing Committee on Human Rights and the Status of Persons with Disabilities described the Privacy Act’s treatment of data matching as appearing to contain “holes... big enough to drive a truck through.” The Committee observed that there seemed to be little more than bureaucratic assurances and goodwill preventing databases from residing in a single institution. The Committee cited well-known privacy advocate Simon Davies’ description of the situation as the equivalent to a general warrant on all personal information in the hands of the federal government. Said the Committee, “This practice must be stopped.”2 Ten years after the Committee report, and 20 years after the 1987 Justice Committee report, the Act contains no provisions on data matching.

And all this concern about data matching arose even before the Public Safety Act, 2002, amended section 7 of PIPEDA to facilitate private sector cooperation in the process of government surveillance. That amendment enabled organizations to feed the government’s data matching machinery by collecting, using and disclosing personal information without consent if they suspect that the information relates to national security, the defence of Canada or the conduct of international affairs.

Last November, when I attended the International Data Commissioners Conference in London, one of the speakers presented the results of a study done for the UK Information Commissioner, entitled A Report on the Surveillance Society. “Your digital body,” he said, “is as central to your person as your human body.” Unfortunately, back in Canada, successive governments have failed to appreciate this as they continue to manhandle our digital personas.

The Treasury Board of Canada did adopt a policy on data matching in 1989. However, this is a policy directive and does not have the force of law. It requires federal institutions subject to the Privacy Act to conduct a detailed assessment of any proposed data matches and also requires that my office be notified 60 days before the matches begin. The handful of notifications we receive each year must surely be little more than the tip of the iceberg. This data matching policy seems to be honoured overwhelmingly in the breach. We have long suspected that most data matching is simply going unreported. That is not the type of accountability that Canadians should tolerate of their federal government.

Other Privacy Act Reforms

There are other deficiencies in the Privacy Act as well. The Act is urgently in need of modernization to address transborder data flows. The Act should contain specific wording to define the responsibilities of those who transfer personal information outside the federal public sector into other jurisdictions and to address the issue of adequacy of protection in those jurisdictions.

The standard for disclosure to a foreign state set by the Privacy Act is very low. Most data protection statutes prohibit the disclosure of government-held information to a foreign state, except in very specific circumstances. This should be the standard for Canada, and the Privacy Act should spell out the requirements to be included in any agreement, as well as accountability and reporting requirements concerning those agreements.

The Privacy Act should, at a minimum, also make it clear that, when government work is outsourced, the government institution remains accountable for personal information and that the information is considered to be under the control of the institution.

Even if I agree that a complaint about inappropriate collection, use or disclosure has merit, I have no power to provide a remedy. Nor does the Federal Court. Inappropriate use or disclosure of personal information in particular has the potential to cause embarrassment or other harms to the person. However, the Privacy Act, unlike PIPEDA, does not allow for remedies for any damages caused by government actions.

Individuals, or the Commissioner acting on their behalf, should be able to ask the Court to review government collection, use and disclosure of personal information following completion of an investigation. In addition, the Court should be empowered to assess damages against offending institutions.

There is one ray of hope amidst this legislative inaction. The recently enacted Federal Accountability Act has expanded the jurisdiction of the Privacy Act to cover the Offices of the Information and Privacy Commissioners, all Crown corporations and their wholly-owned subsidiaries, and five foundations. But having an expanded jurisdiction is of little use if the Act itself remains seriously inadequate.

A Well-intentioned Public Service

Fortunately, most of those in the public service whom my office has encountered are interested in privacy, even if significant Privacy Act reform is not on the legislative agenda in any significant way. We have encountered many highly dedicated people, especially on the security front. And departments apparently do implement many of our recommendations flowing from our investigations and audits, although we don’t always hear about this. We have not seen a significant accidental leak of personal information in some time. Still, we need to continue to challenge departments to keep thinking about privacy.

Treasury Board Secretariat also deserves much credit. In the absence of legislative action on crucial issues, it has tried to fill the gap by developing policies on outsourcing, privacy impact assessments and data matching. We also understand that a policy on breach notification will be released shortly.

Conclusion

I haven’t outlined all of the Privacy Act reforms that we consider necessary – and that Canadians deserve. A more extensive discussion of the reforms we want is available on our web site. But even from the issues I have raised here, you can see that the present Privacy Act leaves us seriously hobbled in our ability to protect this important right when dealing with government.

As some of you already know, my office is hosting the 29th International Conference of Data Protection and Privacy Commissioners in Montreal in late September. You are all most welcome to attend and participate, and, of course, there is the bonus of spending time immersed in the culture, energy and culinary delights of Montreal. The last time Canada hosted this conference, in 1996, the then Minister of Justice Allan Rock announced his intention to proceed with the private sector legislation that ultimately came into force five years later as PIPEDA. Wouldn’t it be memorable if, at our 2007 conference, the government made a similar commitment to reform the Privacy Act – and then followed through?

1 Page 41.

2 Page 58.