Appearance before the Standing Committee on Access to Information, Privacy and Ethics on Privacy Act Reform

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

April 17, 2008
Ottawa, Ontario

Opening Statement by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)

---

Thank you, Mr. Chairman and members of the committee, for inviting me to speak to you today on this important issue.

Accompanying me are Raymond D’Aoust, Assistant Privacy Commissioner for the Privacy Act, and Patricia Kosseim, General Counsel.

As many of you know, I have been calling for reform of the Privacy Act for quite some time now.  In June 2006, my Office issued a comprehensive report for reform of the Privacy Act.  The report also put forward recommendations for the necessary changes to the Act.

Much has happened in the privacy landscape since the publication of our 2006 comprehensive report on Privacy Act reform.  The privacy rights of Canadians are increasingly challenged.  At the same time, a number of important experts have called for improved oversight of government activities that may impinge upon the right to privacy.

I would like to update you on new developments affecting the privacy rights of Canadians. 

And I want to reiterate to you my core message regarding the Privacy Act, which is that now, more than ever, we need a comprehensive rewrite of the Act. 

But I do have a new message for you, one which I believe is equally significant, and which is that immediate and easy changes to the Privacy Act are doable!

Indeed, there are a number of changes that Parliament could undertake now, changes that would be straightforward to implement, and which would be of significant benefit to Canadians.  Some of these changes would simply incorporate into the law existing federal government policies and practices.  In other cases, the changes would correspond to provisions that already exist in or are being contemplated for PIPEDA—Canada’s personal information protection legislation covering the private sector.

My staff has provided you with an addendum to the June 2006 report on reforming the Privacy Act.  The addendum provides further comment on the 2006 report in light of new developments in national security, transborder data flows, breach notification, and Privacy Act coverage.  Allow me to quickly list for you some of the changes to the Privacy Act that this Parliament could easily initiate.  (Proposals 1 to 8 are described in more detail in the addendum.)

Immediate changes

1. First, Parliament could create a legislative requirement for government departments to show the need for collecting personal information.  This “necessity test” already exists in Treasury Board policies as well as in PIPEDA.  And it is an internationally recognized principle.
2. The role of the Federal Court could also be broadened to review all grounds under the Privacy Act, not just denial of access.
3. Parliament could enshrine into law the obligation of Deputy Heads to carry out Privacy Impact Assessments prior to implementing new programs and policies.
4. The Privacy Act could furthermore easily be amended to provide my Office with a clear public education mandate.  PIPEDA contains such a mandate for private sector privacy matters.  Why shouldn’t the Privacy Act for public sector matters?
5. Parliament could amend the Act to provide my Office with greater flexibility to report publicly on the government’s privacy management practices.  As it now stands, we are limited to reporting by way of annual and special reports only. 
6. Greater discretion at the front-end to refuse complaints and/or discontinue complaints if their investigation would serve no useful purpose or are not in the public interest is another needed change. This would allow the OPC to focus our investigative resources on those privacy issues that are of broader systemic interest to address.
7. Parliament could amend the Act and align it with PIPEDA by eliminating the restriction that the Privacy Act applies to recorded information only.  At the moment, personal information contained in DNA and other biological samples is not explicitly covered.
8. Parliamentarians could strengthen the annual reporting requirements of government departments and agencies under section 72 of the Act, by requiring these institutions to report to Parliament on a broader spectrum of privacy-related activities.

Other important changes

There is another easy change I would like to recommend to the Committee, and which is not listed in the addendum.  In my view, the Act should be amended to provide for regular five-year reviews of the legislation, as is the case with PIPEDA. 

Finally, there is another area where I urge the government to make speedy progress.  It concerns the transfer of personal information from the Canadian government to foreign states.  The Act does not impose a duty on Canadian government institutions to identify the precise use for which data is being disclosed abroad.  Nor is there any obligation imposed by the Act on a disclosing institution to ensure that adequate measures are taken to maintain the confidentiality of shared information.

The “privacy landscape” is a dynamic, constantly evolving one.  It is not unreasonable to expect that Parliament should review the Privacy Act on a regular basis, in light of new technologies or government measures that may impact on the right to privacy of Canadians.

The straightforward changes I am suggesting would begin the process of aligning the Privacy Act with modern data protection legislation around the world.   It is high time that Canada regain the leadership role in privacy promotion and protection it once held, when the Privacy Act was first adopted some 25 years ago.  The immediate changes I am proposing today would begin to do that. 

Guidance or law

I recognize that good work has been done by the Treasury Board Secretariat on privacy matters.  TBS has provided guidance to line departments as it relates to the signing of information sharing agreements and the outsourcing of personal data processing.  Nevertheless, the Privacy Act per se is in critical need of renewal in this area, and this will require a concerted horizontal effort.

We asked the Public Policy Forum to organize two roundtable discussions for us in June and October 2007, involving senior government officials who have a stake in privacy promotion and protection. 

And we recently retained the services of a renowned privacy expert who is preparing a reflective paper on Privacy Act reform, which I plan to table with this Committee in the coming months.

I urge—and I think this Committee too should urge—the federal government to amend the Act to provide clearer guidance in this regard.

Thank you once again Mr. Chairman for inviting me to speak to you on this issue.  I would be pleased to take the Committee’s questions.