New Brunswick Legislature
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Notes for appearance before the Select Committee on Law Amendments
November 7, 1996
Fredericton, New Brunswick
Bruce Phillips
Privacy Commissioner
(Check Against Delivery)
Mr. Chairman, Ladies and Gentlemen, thank you for this opportunity to discuss with you what is fast becoming one of the most pressing issues of our information society and economy.
I am sure you have your own specific questions or issues you would like to focus on and I do not propose to consume too much of your time. Nevertheless, I thought it might be helpful if I were to give you a somewhat personal view of a federal privacy commissioner's mandate and operations. A more dispassionate description can be found in the legislation and an outline of our operations which I understand you have already received. I should also like to touch on the broader issues which have come to assume such importance in our work.
I am going to focus on some of our experience with the legislation and our mandate. I hope to convince you that a privacy commissioner, whatever model you choose, performs an essential function in an information society.
First, and most obviously, you have to begin with solid legislation. The first stab at protecting Canadians' privacy was in part IV of the Canadian Human Rights Act. This limited legal protection was subsumed into the Privacy Act which took effect on July 1, 1983. Overall, this act was a good effort for second generation legislation but it is showing signs of age. In fact, the federal government has begun reviewing the current legislation with a view to making it both a more effective tool for the information economy, and to reinforce the social value which it protects.
The act set out a code of fair information practices which control government collection, use, disclosure and disposal of the personal information needed to administer its programs.
The act gives individuals the right to see their personal records. It limits and specifies any exemptions, and allows applicants to ask to correct errors or annotate documents. The act also makes the political head of each government institution responsible for administration of the act in his or her organization.
Now, with 13 years experience, I think our office can indulge in a little editorial comment.
One of the most important features of a powerful act is how it defines that essential concept, information. Any legislation whose definition of information is not supple enough to accommodate everything from a doctor's notes on a World War II veteran, to his grandson's e-mail traffic or genetic sample, will ultimately fail in its purpose. It will simply frustrate both complainants and data protectors and court the risk of irrelevancy.
Canadian legislative drafters must be congratulated. The federal Act defines information as recorded in any form and thus allows us to keep pace with the wildest dreams of scientists and engineers. There may be one possible exception, human tissue and fluid samples. While we would argue that a blood or urine sample records personal information, I have recommended that Parliament expand the personal information definition to include bodily samples.
We have another recommendation: exemptions to an individual's right of access must be limited and specific. This is essential. Privacy legislation is founded on that principle, enunciated clearly by Supreme Court Justice La Forest, that information about individuals is, in a fundamental way, their own. Governments are mere custodians and hold the information in trust. As former Privacy and Information Commissioner Inger Hansen once put it, "embarrassment is not an exemption".
Another essential feature of these acts is that they define the roles and powers of the complaint handler and establish his or her independence. From our experience, it is evident that the function must be independent of the government process it is mandated to investigate. It must have the necessary power to conduct meaningful investigations. And it should have the resources to do the job.
I and most of my provincial counterparts are officers of their respective legislative bodies, appointed by and reporting directly to legislators who review their ongoing operations.
The commissioners have broad powers to enter premises, call witnesses, administer oaths and subpoena documents. (In fact, the federal officer has the power of a superior court of record.) We may initiate our own complaints and launch compliance investigations without a complaint.
At this point the federal and existing provincial models part company. The Ontario, Quebec, B.C. and Alberta models establish the commissioner as a quasi-judicial tribunal with the power, once the investigation is completed, to make orders.
These provinces have one act which combines both access to information and privacy; one office and one commissioner. Investigators begin by gathering the evidence and attempting to settle the appeal informally. However, if they are unsuccessful, the process moves to a more formal process which culminates in an order from the Commissioner.
At the federal level there are two acts; the Access to Information Act and the Privacy Act. Each act has its own independent commissioner to investigate complaints although, for administrative efficiency, the two commissioners share premises and administrative support. Each commissioner has his own legal counsel and investigators.
The federal privacy commissioner's powers are two-fold. He investigates all privacy complaints, whether about individuals' access to their own personal records or improper government collection, use or disclosure of personal information. He also can conduct audit-type investigations into overall compliance with the privacy code or examine an issue government-wide.
The act also gives the commissioner a monitoring role. Government agencies must notify him of any new consistent uses of personal records of which the public has not been advised. And they must advise him of any disclosures of an individual's personal information in the public interest, allowing him to notify the person if necessary. (I should underline that the commissioner cannot intervene to prevent such a release.)
Finally, it is government policy to notify the privacy commissioner in advance of proposed linkages of electronic databases. This allows his office to assess the match and to act as an advocate for the individuals who will be affected. And agencies are expected to consult the commissioner on new legislation which could have a privacy impact.
But the most significant feature of the federal model is its ombudsman approach. Although we are sometimes criticized as being toothless tigers, being an ombudsman has several undeniable appeals.
It avoids casting the commissioner's office and the government agency in adversarial roles. The object of the investigation is to determine whether there is a problem and, if there is, to solve it.
Make no mistake, these are real investigations. We interview all the parties, gather the documents, hear representations from those who want to make them. But the flexibility of being an ombudsman allows investigators and legal counsel to examine documents, discuss differences of opinion, offer advice and nag, chivvy and goad reluctant bureaucrats into seeing things our way. Thus, the office becomes a privacy resource centre which public servants can call without fear of compromising their position in a formal process. So the second advantage is that a complaint investigation frequently serves an educational purpose.
A less formal process has the added benefit of not intimidating those who turn to us for help. Complainants who suspect they have been manipulated by the bureaucracy, whether accurately or not, don't need or want to fight another one.
We don't always succeed. Sometimes neither government agencies or complainants are completely happy with outcome, probably a fair sign that we are doing something right.
The commissioner also holds the ultimate stick in cases where he thinks someone has been improperly denied access to personal information, and he cannot pry the information loose. He can ask the Federal Court to review the government's decision to deny access.
So which model do I think works best? Personally I think both have strengths and weaknesses. There may be a time advantage in having the power to order a resolution. But I think we accomplish the same thing in the somewhat longer run.
Another indicator of the utility of an office like ours is that we received more than 1 600 complaints last year and expect even more this year. Some of these may not be earth shaking, but each one is important to the complainant. The records might be all that is needed to get a pension supplement, to bolster a grievance procedure or to fight a deportation. Some complaints advance our understanding and interpretation of the act. And others change government policy. I don't think that's bad return on an investment of 38 people and $2.9 million dollars.
Whatever the process, perhaps the most important function of an office like mine is to serve as the focus for privacy issues. First, the commissioner is Parliament's privacy watchdog. In an age when privacy threats are literally as close as your telephone, your health card and your personal computer, legislators and the public appreciate having someone to alert them. This is the Privacy Commissioner as gadfly, as Justice Minister Allan Rock recently put it!
During the past year, I have made several appearances before Parliamentary committees, for example; to recommend stringent safeguards for customer data when the financial sector legislation is amended in 1997; to discuss the new permanent electronic voters list, and to discuss the surveillance powers new technologies are providing the private sector, employers and the state.
We commented on the government's bill to allow the taking of DNA samples from criminal suspects. We also commented on the proposal to assemble a national DNA databank, made several submissions to the CRTC on Caller ID and sale of customer records to private directory publishers.
Offices like ours can also be a resource outside narrow jurisdictions. We worked with the Canadian Direct Marketing Association to develop its privacy code which is now mandatory for its members, and as part of the Canadian Standards Association's working group on the model private sector code. And we are also members of several government working groups examining everything from data warehousing to using smart card technology.
It's a paradox that one of the most effective roles a special ombudsman can play is one we have not been given, that is, public education. And without the mandate there are no resources. It's clear that Parliament never anticipated the scale of public concern and interest in privacy issues. One thing our experience has demonstrated, and which any legislature should keep in mind when establishing a data protector. The public expects its ombudsman to be the information source, not the government whom it suspects (whether fairly or not) of having various axes to grind. In my view, public education is essential to defence of the public's information rights.
You have a tremendous opportunity before you, to craft a privacy law that will be state of the art; to protect your citizens while you benefit from the technology. This is not some passing fad, some trendy issue. Privacy is the value at the heart of liberty in a modern state. It is fundamental to our understanding of autonomy and personal freedom. It is the right to control what others know about us.
This value is honoured in the Universal Declaration of Human Rights and the European Convention on Human Rights and Freedoms. It even made a brief specific appearance in early drafts of our Charter. Despite its disappearance from the final document, the Supreme Court has made it clear that privacy is the primary value served by section 8 of the Charter, our right to be free from unreasonable search and seizure.
The European Community, Australia, New Zealand, Japan (and even some nations emerging from the former Soviet regime), protect privacy in law and appoint independent data commissioners to oversee the process. And at the recent international privacy commissioners conference in Ottawa, Justice Minister Rock committed his government to catch up with these nations. The Justice and Industry Ministers will work with the provinces to put national private sector privacy legislation in place by the year 2000.
There is no debate about modern societies living without electronic information processing. But the quid pro quo is legal protection for the individuals whose personal data can be amassed, mined, manipulated and disclosed, often, one might even argue, usually, without the subjects' knowledge or consent. Privacy is the quintessential social value for an information age.
If I may be so presumptuous as to give you my personal advice, it is this: act boldly. If we want individuals and government to benefit from the technology, improve service delivery, and cut costs, effective data protection is the trade-off. Your citizens will thank you for it.
Thank you.
- Date modified: