Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Study on the Annual Reports of the Privacy Commissioner

April 26, 2012
Ottawa, Ontario

Opening Statement by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)

---

Dear Mister Chair and Honourable members:

Good morning. I’m very pleased to have the opportunity to speak with you about our 2010-2011 Annual Report on the Privacy Act and our 2010 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA).

I am joined here today by Assistant Privacy Commissioner Chantal Bernier. I will focus my opening remarks largely on our public sector work, although there were certainly interesting developments on the private-sector side as well.

The principal focus of our annual report on the Privacy Act for the 2010-2011 fiscal year was the federal government’s stewardship of the personal information of Canadians. In particular, we looked at privacy in the context of law enforcement and aviation security.

The report examined whether departments and agencies collected, used and disclosed personal information in a way that complies with the Act.

This is of overwhelming importance, given the highly sensitive nature of so much of the personal data that the state needs in order to govern.

Indeed, we’re talking here about information related to people’s income, their taxes and benefits, their travel patterns and so many other aspects of their lives.

This is not information that individuals would necessarily want to turn over; it is simply collected to fulfill the requirements of various government programs or activities.

In the main, we found that the Government of Canada has solid policies and practices in place to safeguard the privacy of Canadians.

But we also said that the government is obliged to handle the personal information of Canadians with an uncompromising level of care—not some of the time, or even most of the time, but all of the time.

The fact is that over-collection, misuse or inappropriate disclosure of sensitive personal information could carry grave consequences for individuals.

Our annual report summarizes two audits that our Office conducted during the year.

CATSA Audit

One assessed whether the policies and practices of the Canadian Air Transport Security Authority, better known as CATSA, comply with the Privacy Act.

That audit concluded that the agency collects too much information about air travellers and does not always safeguard it properly.

In particular, we found that CATSA collected personal data about traveller activity that do not relate to aviation security—and that, in some cases, are perfectly legal and legitimate.

For example, CATSA will note when a passenger on a domestic flight is found to be carrying large sums of cash, even though there is no law prohibiting this.

The over-collection of data is worrisome because it can result in undeserved suspicion being cast on an innocent person. It did not help that our audit turned up gaps in the measures used to safeguard such records.

Indeed, in our spot checks of several major Canadian airports, incident reports were found on open shelving units and on the floor, in the same location where passengers are taken for further screening.

RCMP Audit

Our other audit looked at the Royal Canadian Mounted Police’s management of two operational databases that are widely shared with other police agencies, government institutions, and other organizations.

You may have heard of CPIC, the Canadian Police Information Centre, and PROS, the Police Reporting and Occurrence System.

CPIC has been described as the backbone of the criminal justice system. It provides computerized storage and retrieval of information on crimes and criminals and is widely used by the law enforcement and criminal justice community.

PROS, meanwhile, is the RCMP’s police records management system. It contains information on individuals who have come into contact with police, either as a suspect, victim, witness or offender.

Our audit found that, in general, the RCMP has policies and procedures in place to properly govern access to and use of data in CPIC.

However, one-third of the agencies that use CPIC were unable, for technical reasons, to implement the necessary protocols that ensure CPIC is only accessed by authorized users.

With respect to the PROS database, we also discovered that some outdated and erroneous personal information was being retained when it should have been sequestered or purged.

Specifically, we found that police and other agencies with access to PROS could continue to view records related to cases that had resulted in a wrongful conviction, or for which a pardon had been granted.

This contravenes the data-retention provisions of the Privacy Act. It also makes it harder for people to get on with their lives, free from the taint of unfair suspicion.

Both CATSA and the RCMP agreed to address our recommendations. We’ll be following up to see how the recommendations are implemented.

Progress Made

Our last annual report discussed follow up work on three audits we had conducted during 2008 and 2009.

We wanted to see how many of the 34 recommendations we made had been implemented. We found 32 of those recommendations had been fully or substantially implemented in the intervening years.

And the results were, in some cases, significant. For instance, a follow-up to an audit on the RCMP’s exempt databanks found that tens of thousands of surplus files had been purged to comply with our recommendations.

PIPEDA Annual Report

I will turn now to our 2010 PIPEDA Annual Report. The major issues in that report were online privacy and information disposal.

We highlighted an audit of a major retailer, Staples Canada Inc. – Bureau en Gros Ltée.

What we found was that Staples Business Depot stores failed to fully wipe customer data from returned devices such as laptops and USB hard drives, which were destined for resale.

This was a particularly disappointing finding given that we had already conducted two earlier investigations involving returned data storage devices at Staples and received assurances that the company would fix the problems we identified.

Although some steps had been taken, the audit showed those procedures and controls were not consistently applied, nor were they always effective. As a result, customers’ personal information was at serious risk.

The report also describes our investigation into Google’s collection of highly sensitive data from unsecured wireless networks in neighbourhoods across Canada.

The investigation found that Google Street View cars had inappropriately collected personal information such as e-mails, usernames, passwords, phone numbers and addresses.

Google’s explanation for this serious violation of Canadians’ privacy rights was that an engineer had developed code that included lines allowing for the collection of “payload data,” but failed to flag this to the company lawyer reviewing the project.

We were concerned about Google’s lack of controls over processes to ensure that necessary privacy protections were followed and recommended that Google ensure it has a governance model in place to comply with privacy laws.

We also recommended enhanced privacy training for Google employees.

There have been significant developments on that file since we published our annual report. Last year, we examined the remedial measures that Google had put into place following the investigation.

We found the company was well on its way to resolving serious shortcomings. However, we did request that Google undergo an independent, third-party audit of its privacy programs.

We asked Google to share the audit report with our Office within a year, and we look forward to reviewing the results in the near future.

We have also started to use that approach – requesting third-party audits – with other organizations as well.

Conclusion

I’ve touched on a very few of the many issues discussed in our two annual reports.

I believe both reports once again illustrate the very broad range of privacy issues that can have significant consequences for all Canadians; and also the importance of having strong legislation in place to protect our privacy rights.

Thank you. I now look forward to your questions.