Appearance before the House of Commons Standing Committee on Access to Information, Privacy and Ethics on the 2009-2010 Annual Report to Parliament on the Privacy Act and the 2009 Annual Report to Parliament on PIPEDA
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
October 19, 2010
Ottawa, Ontario
Statement by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Introduction
Thank you, Mr. Chair, for the opportunity to speak to the Committee about my two most recent annual reports to Parliament.
The annual report on the Personal Information Protection and Electronic Documents Act (or PIPEDA, Canada’s private sector privacy law) was tabled in June of this year, and as you will also recall, Mr. Chair, we presented our most recent annual report to Parliament on the Privacy Act just two weeks ago.
Over the next few minutes, I propose to offer some highlights from those reports and of our work over the past year.
And then I would be happy to take any questions that members of the committee may have.
Privacy Act annual report
The Privacy Act report traced our efforts to safeguard privacy rights in the face of two key challenges: rapidly evolving information technologies, and the pressures of national security and public safety measures.
On the whole, it is safe to say that most public servants take good care of the personal information entrusted to them by Canadians. Still, there were some exceptions.
One complaint, for instance, involved the unauthorized access by Canada Revenue Agency employees of the tax records of prominent Canadian athletes. While such a breach cannot be undone, it did lead the CRA to update its audit capabilities to better control access to personal information.
Wireless and disposal audits
The annual report also summarized two privacy audits we undertook during the year.
One found significant shortcomings in the way government institutions dispose of surplus computers, with many still containing sensitive data. We also discovered that documents are shredded by private contractors without the necessary degree of government oversight.
A second audit of the use of wireless networks and mobile devices of five federal departments and agencies uncovered numerous gaps in policies and practices that could put the personal information of Canadians at risk.
Veterans Affairs
Just a few weeks ago, we announced plans to conduct another privacy audit – this one of privacy policies and practices at the Veterans Affairs Department.
This, as you know, was sparked by concerns that came to light during our investigation of a complaint lodged by a veteran who had been an outspoken critic of the department.
Our investigation determined that the veteran’s sensitive medical and personal information was shared – apparently with no controls – among departmental officials with no legitimate need to see it. The information then made its way into a ministerial briefing note about the individual’s advocacy activities, something I deemed entirely inappropriate.
We are still working out the scope of the audit. We hope, though, that it will provide guidance as the department implements the recommendations stemming from our investigation.
Mortgage brokers audit and PIPEDA annual report
In June, we also published our findings in an important audit on the private-sector side. This one was triggered by a string of serious data breaches among Ontario mortgage brokers that compromised the personal information of thousands of Canadians.
Our audit under PIPEDA found that the breaches caused several of the brokerages to take steps to better protect personal information. And yet, we determined they had not gone far enough.
Indeed, our audit raised concerns about data security; the haphazard storage of documents containing personal information; inadequate consent by clients; and a general lack of accountability for privacy issues.
The audit was summarized in the PIPEDA annual report, which also highlighted the challenges of enforcing privacy rules in a world where data flows readily and instantly around the world.
Google Buzz and international collaboration
We recognize that addressing this global challenge will demand agility and resourcefulness on the part of all privacy authorities.
That is why, when Google disregarded privacy rights in the rollout of its Google Buzz social networking service last February, we opted for an innovative alternative to our conventional tools of audit and investigation.
Instead, we led nine other data protection authorities from around the world in an unprecedented and highly effective tactic:
The joint publication of an open letter that urged Google and other technology titans entrusted with people’s personal information to incorporate fundamental privacy principles directly into the design of new online services.
We are engaging with global partners in numerous other ways as well. Last month, for instance, we joined other data protection authorities from around the world to establish the Global Privacy Enforcement Network, which aims to bolster compliance with privacy laws through better cross-border co-operation.
Later this month at an international conference of data protection and privacy commissioners, I will be co-sponsoring a resolution that would see privacy considerations become embedded into the design, operation and management of information technologies.
Google Wi-Fi and Facebook
Just this morning we released our preliminary findings in an investigation of Google’s collection of Wi-Fi data by camera cars shooting images for the company’s Street View mapping application.
We have learned that, while collecting Wi-Fi signals, Google had also captured personal information, some of it highly sensitive. The collection appears to have been careless and in violation of PIPEDA.
We are making several recommendations that would bring Google in compliance with Canadian law, and help safeguard the privacy of Canadians.
But, Google isn’t the only major technology giant we have had concerns about during the past year.
In September we were able to wind up an investigation of Facebook that was heavily publicized last year. In 2009, Facebook agreed to make certain changes to its site, which took a year to fully and satisfactorily implement. This concluded lengthy and intensive discussions between my Office and Facebook, which eventually led the social networking company to significantly boost the privacy protections available on its site.
Looking ahead
I look forward to many other initiatives to strengthen the privacy rights of Canadians.
You will, of course, be familiar with two pieces of legislation currently before the House that are of particular interest to my Office:
Bill C-28, the anti-spam legislation, would give us important powers to control which cases we investigate, and permit the sharing of information for the purposes of enforcing Canadian privacy laws.
I mentioned earlier the Global Privacy Enforcement Network, the group of data protection agencies who together are working toward ensuring better compliance. For us to be an effective member we need the ability to share information with our international counterparts when necessary and the provisions in this bill will assist in making that possible.
Bill C-29, meanwhile, would amend PIPEDA to, among other things, make breach notification compulsory for private-sector organizations.
Over the longer term, we welcome the next statutory review of PIPEDA. We will be publishing in the near future a draft report on the comprehensive public consultations that we hosted in spring, on such cutting edge topics as tracking people’s online activities by companies and cloud computing. While this report is not our contribution to the PIPEDA review, the consultations raised issues that we will need to focus on for the upcoming review.
On the public sector side, we continue to advocate for a long-overdue modernization of the Privacy Act which was passed in 1982. Some of you may remember that 1982 was the year that the first affordable home computer – the Commodore 64 - hit the market, and we lined up at movie theatres to watch E.T.
We are also working with experts to develop privacy policy guidance documents for decision-makers working in four key areas. The first, focused on national security, should be ready for publication in the near future, with others to follow in the areas of information technology, genetic technology and identity integrity.
I hope, Mr. Chair, that I have been able to give you an overall sense of our activities over the past year. I would be happy to respond to questions.
- Date modified: