Response of the Privacy Commissioner of Canada about Possible Fusion of the Offices of the Privacy Commissioner of Canada and the Information Commissioner of Canada

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Submission of the Office of the Privacy Commissioner of Canada to the Hon. Gérard La Forest, who is reviewing the issue

October 2005

Various mergers and combinations of services are being contemplated across government. As part of this broad reconsideration of the way government delivers services, this paper examines some of the central issues surrounding a possible fusion, or “merger,” of some or all of the functions of the Office of the Privacy Commissioner of Canada with those of the Office of the Information Commissioner of Canada.

This paper is the product of extensive consultations about fusion within the various branches of the Office of the Privacy Commissioner of Canada. In large part, it reflects the thinking of people who work at “ground level” on privacy issues.

The process began with a meeting between the Commissioner, Assistant Commissioner (PIPEDA) and the Hon. Gérard La Forest. It was followed by discussions within the Office and the development of a preliminary document outlining issues and questions to be addressed when considering fusion (these are highlighted in bold in the current document). These issues and questions were sent to Mr. La Forest to assist him with his work examining the possibility of fusion. The issues and questions also served as a guide for the staff of this Office as they developed further observations about fusion, ensuring greater cohesion in our response. These observations are set out in this paper.

The object of this current paper is to examine the issues flowing from a decision to retain the status quo or to move to a “twinned” system like that in place in several other Canadian and foreign jurisdictions. As will be seen, the paper concludes this is not the appropriate time to consider fusing the two offices. However, whichever course of action the government takes, that course of action should be based on a thorough consideration of its implications.

Unfortunately, there is little scholarly literature on the merits and problems associated with either the Québec “twinned” model or the federal model. A decision to move towards a particular model must necessarily be based more heavily on assumptions than on a historical record.

It is also important not to allow the discussion about the potential framework for asserting access to information and privacy rights at the federal level to detract from other important concerns affecting these rights – among them, an appropriate legislative framework, adequate resources to fulfil legislated functions, and a broad mix of tools and processes to foster a culture of compliance that shows respect for the values represented by privacy and access laws. We also recommend that the government undertake a considered review of privacy and access to information legislation to ensure that these laws serve Canadians as effectively as possible. This task is paramount and should precede the discussion of organizational models — to fuse or not, to share common services or not, etc. The world is changing rapidly, and our privacy governance and access to information frameworks, fused or not, must be able to accommodate and address those changes. Privacy and access are affected by the same drivers: rapid technological changes, lagging and deficient legislation, a paucity of core competencies (for example, to build a robust privacy architecture in both government and the private sector), and high public expectations of organizations and governments to respect privacy.

Models of Privacy and Access to Information

The federal Privacy Act and the Access to Information Act, and their accompanying structures, stand as the only example in Canada of separate privacy and access to information bodies operating under separate legislation. However, even here, as Professor Colin Bennett reminds us, it was one bill in 1982 that contained the provisions that eventually became two separate laws – one dealing with privacy and the other with access to information.^{Footnote 1} The issue, it seems, is not whether provisions on access to information and privacy are found in one piece of legislation or two; instead, the issue is how these two concepts interact in practice.

Most of Canada, and many jurisdictions abroad, have adopted the “twinned model” of access to information and privacy first developed in Québec. In 1982, the Québec National Assembly enacted legislation to address both access to information and privacy issues. It also created a new, independent body, the “Commission d’accès à l’information.” At the time, Québec was unique in this regard. The creation of this Commission represented the first time in any jurisdiction that the two functions resided under one piece of legislation and under one roof.^{Footnote 2} Since then, many other jurisdictions, both in Canada and abroad, have adopted the “Québec model” of accommodating the access to information and privacy functions within one agency, under one piece of legislation and under the guidance of one commissioner. In Canada, all provinces and territories have adopted a model where one person^{Footnote 3} supervises both the access to information and privacy functions set out in legislation, and all but one of these jurisdictions (New Brunswick^{Footnote 4}) address both functions in one piece of legislation.

The roots of the “twinned” Québec model deserve particular mention. The Paré Commission^{Footnote 5} was established in Québec in 1980 to examine how to ensure access to information held by government and at the same time to protect personal information. The Commission had no precedent to guide it. What emerged was the concept of one law governing both access to information and the protection of personal information, and one agency to oversee both. Creating a single body to address both access to information and privacy issues responded to the one of the main goals of the members of the Paré Commission – to simplify the necessary arbitration between access to information and privacy.^{Footnote 6} However, a second reason for combining the two functions under one roof related to the economic realities of the early 1980s. Simply stated, the Québec government, out of financial concerns, did not want to create multiple agencies. The decision to create one agency was heavily influenced by the thinking that one all-encompassing commission would be less expensive than two.

The challenge now is to determine which model – the model pioneered by Québec, or the federal model that separates access to information and privacy functions – is the better choice at the federal level.

With a view to identifying the considerations that may come into play, this paper examines several aspects of the “fusion” or “merger” issue:

the forces for and against fusion;
the potential scope of fusion;
the impact of fusion on the airing of opposing views when privacy and access to information conflict;
the role of fusion in information management in government;
the impact of fusion on overseeing the private sector;
the impact on privacy of calls for greater openness in the access context;
the potential impact of fusion on stakeholder relations;
the impact of fusion on corporate services;
addressing fundamental issues of information management; and
whether fusion is really the central issue.

The forces for and against fusion

The debate about fusing of the OPC and the Office of the Information Commissioner is perennial. However, the reasons for bringing the two offices together have never been made clear. Does the current separation of the offices create particular problems in providing access to government information, or in protecting personal information held by government and the private sector? In other words, is fusion being discussed to address policy issues and deficiencies related to access and privacy? Even if there is no sound policy reason for fusion, or no serious deficiency caused by having separate offices, is there a “business” or administrative case for taking two largely separate entities and joining them (as opposed to creating a single body from the start, as in Québec)?

As for the business or administrative case for merging the offices, there is an immediate tendency to think of cost-cutting and resource savings. However, history has shown that there are costs associated with merging departments and organizations. How much would fusion cost and would there in fact be efficiencies gained?

On the policy side, both privacy law and the privacy landscape have evolved dramatically since the early 1980s, when two offices – one for privacy and one for access to information – were created separately. Why were the two offices created as separate entities in the first place, and does any justification for separating the two still hold true in our changed privacy and access climate? Does the evolution of privacy law and policy reinforce the need to maintain two independent offices with diverging mandates, or does it argue in favour of combining them in a related cause?

A number of forces would support fusion. As noted earlier, various mergers and combinations of services are being contemplated across government. There should be little surprise that this discussion is also taking place about access to information and privacy.

There may be another force at play leading to calls for fusion – the possible boost to access to information rights that fusion could engender. In remarks^{Footnote 7} at the September 2005 International Conference of Data Protection and Privacy Commissioners, Prof. Herbert Burkert spoke of “strategies of substance” that aim at promoting the basic principles of data protection in a changing world. One such strategy of substance, he argues, involves combining access to information and data protection.

Dr. Burkert argues that transparency (access) laws, which are even older than data protection laws, long ago began to extend around the globe. However, he maintains, it is only fairly recently that the close connection between data protection and access to government information has received attention. He also observes a trend in that more data protection agencies have also become responsible for overseeing transparency laws.

Dr. Burkert sees a benefit in this fusion of access and privacy. He argues that, unlike the situation with privacy, there is no generally acknowledged international right to access government information; a joint effort, perhaps a joint international conference of data protection and access to information agencies, on the need for a link between data protection and access rights, could give access to information greater weight in international human rights discussions. Merging the two functions might bolster rights relating to access to information.

Still, and perhaps not surprisingly, this Office has not heard calls by citizens for a fusion of the two offices. In fact, views we have received to date suggest support for the status quo. It is also not clear that merging the two offices would in any way help to address very practical issues such as the backlog of complaints, the demands for personal information arising from modern health care programs, and the privacy implications of technological change and national security.

Some might argue against fusing the two functions on the basis that there are few policy issues common to the two offices. The following are among those few issues:

The need to deal with government departments to encourage them to adhere to the laws, and provide resources and a management structure to improve compliance with the laws;
Transparency of operations. On some policy issues, privacy advocates and access advocates are fighting identical battles – for example, in calling for greater transparency in government action where personal information and civil liberties are concerned.

Others might argue against fusion because it would further reduce the voices calling for the preservation of civil liberties today. To these opponents of fusion, it makes little sense to remove one strong, independent, voice from the important public debate (as a complete fusion of the functions of both offices would do).

Still others might argue against fusion because it could complicate the task of finding the right person with the right expertise to oversee both access to information and privacy. They maintain that it will be easier to find a person who requires only a somewhat narrower range of expertise.

The ability to assess the impact of a fusion is limited by a lack of knowledge within the Office of the Privacy Commissioner of Canada of the day-to-day activities of the Office of the Information Commissioner. Unforeseen consequences – good or bad – would surface only over time.

Fusion could also lead to a shift in emphasis and changes in the allocation of power and resources within the combined structure, either immediately or in the longer term. For example, blending teams of investigators would require immediate attention to management, staffing and resources, which could result in a different emphasis on privacy and access issues than at present. Is this desirable?

Finally, even if fusion makes some sense from a financial or policy perspective, is this benefit sufficiently great to outweigh the potential challenges that fusion might raise – for example, the need to re-educate the public, assure the business community, and deal with the possible dislocation of employees of both offices?

Scope of Fusion

What would be the nature of a combined office? Would it entail a fusion at all operational levels (meaning just one Commissioner), a nominally combined office that shares administrative services and leaves operational activities largely untouched, or something in between? In other words, how would fusion work from day to day?

The nature of a fused office would depend in large part on the interest of the Government in fusion, since the two offices have a limited ability to “join forces” on their own. The two offices are already treated as one entity under the Financial Administration Act. However, over the years different perspectives on the operations of each office led to entirely separate administrative functions.

If one justification for fusion is cost savings in the management of the offices, it would be necessary to establish a method of determining whether cost savings are a realistic possibility. One important reason that Québec opted for a twinned operation within a single agency was its presumed cost efficiencies. However, it is difficult to determine whether a single large office brings cost savings over two smaller offices.

Furthermore, the Québec situation is not the same as that facing the federal government, and may therefore not be useful as a guide even if the Québec model has resulted in cost savings. Québec set up its access and privacy functions as a single operation from the start. At the federal level, on the other hand, the original configuration of privacy and access saw two offices created. Changing the structure from two offices to one might import substantial financial and human costs that would not confront a government establishing a privacy and access regime within one office for the first time.

Similarly, the fact that twinned models have recently been adopted within the United Kingdom and Germany adds little to the debate about whether to fuse privacy and access to information functions at the federal level in Canada. In both those jurisdictions, access to information was being introduced for the first time, and the access function was simply added to the existing data protection functions of the respective offices. This differs from the situation in Canada, where there is already an established infrastructure around access to information.

Even if merging the administrative functions or the larger functions of the two offices might result in financial savings, there will inevitably be a short- to medium-term non-financial “cost” flowing from the disruption that re-engineering the offices would entail, along with the cost of resources to plan and implement the changes. The scope of the fusion would dictate the level and depth of potential disruption and adaptation, and the resulting level of resources, both human and financial, needed to manage change. A blending of investigation teams, for example, would require immediate attention to questions of management, staffing and resources. Depending on the scope of the fusion, staff from both offices might require training in legislation, responding to inquiries, conducting investigations, and providing public education.

Overseeing the private sector

The Information Commissioner oversees a public sector law, whereas the Privacy Commissioner is responsible for both a public sector law and a law that covers most of Canada’s commercial private sector. Does this result in such a difference in the business lines of both offices that fusion would be illogical?

Some may suggest that fusion could, at least initially, create confusion in the private sector about the functions of a fused office. It might also cause concern over issues of confidentiality of business information among those who do not understand the purposes of the privacy and access to information laws and their relationship to each other. It could be necessary to invest resources in public education to allay such anxieties, however unfounded they may be.

The experience of implementing the Personal Information Protection and Electronic Documents Act (PIPEDA) suggests that fusion would initially cause an increase in inquiries and requests for information by the general public and business representatives. This, at least in the short term, would increase the workload of the combined office. If so, resources may have to be drawn from elsewhere, or entirely new funds obtained. This must be factored into the cost-benefit equation when examining fusion.

Privacy and access: airing of opposing views

At present, the two Commissioners sometimes stand on opposite sides of a policy matter or hold different opinions about the issues that arise from the intersection of their respective Acts. Some may argue that, when this type of tension occurs, the current model allows two clear and distinct voices to be heard in public – in the courts, ^{Footnote 8} the media and in and before Parliament. Each Commissioner brings forth arguments supporting the sometimes competing interests of privacy and access to information.

How would the two notions – access and privacy – be reconciled in the public arena in a fused operation? Would the debate over issues and laws take place less at the public level and more at the working level? Would the fusion of the offices result in a more or a less healthy discussion where these values compete? How would these values be balanced? Should Parliament or the judiciary continue to balance opposing interests, based on hearing both Commissioners, separately and independently, each with the requisite expertise to argue each side of the question? Or could Parliament and the courts resolve privacy and access to information issues satisfactorily by relying on the advice of a single Commissioner charged with both mandates and responsible for balancing opposing interests before Parliament or the courts?

Combining the two offices under one Commissioner (that is, a complete fusion) could, over time, lead to a fundamental change in the nature of public advocacy about privacy and access to information. Tensions between privacy and access would be resolved internally, unlike the current situation where the competing interests are addressed more publicly, including by occasional resort to the courts. However, on the other side of the equation, there are in fact few cases where the Access and Privacy Commissioners stand opposed.

Still, a body of case law has been developed under the dual Commissioner model. Representations from the Office of the Privacy Commissioner of Canada as a strong advocate for privacy, even when privacy may conflict with other strongly held social values such as security or access to information, are reflected in the judicial record and may form the basis for future decisions. Similarly strong advocacy for access to information and open government is put forward by the Office of the Information Commissioner. In a fused office, a process might need to be established for publishing and making transparent the various competing arguments and debate that led to a particular determination or to the taking of a particular stance flowing from a conflict between access and privacy.

Some might also argue that, given the risks inherent to sharing personal information, a fused office might give undue weight to the privacy of information in those few cases where access to information and privacy collide, rather than more equitably balancing protection of personal information with transparency of information generally. However, even in jurisdictions using a “twinned” model, there appears to be no significant difference from a “separate” model in the positions taken on privacy and access to information issues.

Potential impact on stakeholder relations

Would fusion of the two offices affect perceptions among the various stakeholders, for example, for the Office of the Privacy Commissioner’s key groups such as Parliament, government departments, the public, businesses, the media, etc.?

Will there be a need for measures to avoid potential conflict in complaint handling, for example, where confidential commercial information under PIPEDA is also third party information under the Access to Information Act?How would we handle a situation where third party information (for example, essentially commercial information about private sector organizations) under the Access to Information Act reveals questionable personal information management practices which may give rise to a Commissioner-initiated complaint or an audit under PIPEDA? Will this have an impact on organizations’ willingness to cooperate in the course of complaint investigations?

The Office of the Privacy Commissioner of Canada has generally maintained a fairly protective approach to dealing with the media with respect to making public information about complaints. The Office of the Information Commissioner clearly has a different relationship with the media (a key client of that office). Would a combined office and the constant interest of the media in access to information matters necessitate a change in approach on the privacy side?

Are government departments better informed by having two potentially different viewpoints – those of the respective Commissioners – before responding to an access request? Or would they be better served by the greater certainty that might flow from the advice of a single Commissioner who has already taken into account both access and privacy interests?

As for the public, how would a fusion meet their needs and expectations? For instance, if the Information Commissioner determines that information may be released because it does not constitute personal information about an individual, that individual, under the current regime, still has another avenue of complaint under the Privacy Act. How would a single Commissioner resolve such competing claims? Would fusion help avoid “forum shopping,” or would it result in the loss for an individual of a legitimate means of seeking redress?

The shift in the means of resolving conflicting privacy and access issues that could flow from fusion should be discussed with stakeholders before implementing any type of fusion, in the interests of receiving their fully informed views. In short, the various stakeholders in privacy and access matters should be asked whether they are comfortable with such a change.

The two offices also have largely different stakeholders. The differences in the internal culture and management styles of the two offices also result in a different type of relationship with stakeholders. It is difficult to determine which model of relationship would prevail in a fused office.

The Office of the Privacy Commissioner had a strained relationship with government departments and the private sector in the early 2000s. The Office has worked to re-establish credibility and to foster cooperative relationships with these groups since then. However, some may argue that the teething pains associated with a substantial change in the operation of the office due to a fusion might initially lower productivity and possibly have a negative effect on relationships with stakeholders. In addition, some critics may doubt the ability of a combined office to deal adequately and simultaneously with access and privacy issues. This could affect strategic partnerships, to the detriment of privacy, access or both.

Corporate services issues

How would accommodations, human resources, information technology issues, etc., be dealt with in the event of a fusion? How would responsibility for managing a fused administrative structure be addressed, and is there a danger that a fused structure would be considered the concern of neither Commissioner, with a resulting lack of oversight and accountability?

Human Resources: Merging the two offices would not be a workforce reduction exercise. Most positions would likely have the same or very similar duties in the new structure. However, certain positions may not be required. In these cases, staff would need to be reassured that every effort will be made to re-deploy affected employees, and the Workforce Adjustment Agreements (WFAA) – which provide assurance of reasonable job offers – will come into effect. Employees will be concerned about matters such as job security, classification levels, job opportunities, whether they will need to compete for their positions, and being treated fairly overall. It could be unwise to take actions that could unsettle the work environment, furthering the institutional instability that characterized the early years of the 2000s. It would be tragic if, at a time when privacy is under unrelenting siege, fusion led to instability that impeded the work of this Office on this fundamental right.

Planning and Implementing Fusion: Developing a new organizational structure requires a clear implementation plan and guidelines to ensure that all related issues are addressed. This would be a multi-phased process requiring time, beginning at the most senior levels of the organization and working its way down progressively. An oversight or steering committee would be needed to provide direction and ensure alignment to strategic directions. It would need to oversee the development of various sub-groups, including those dealing with human resources, information management and technology. It is also important to respect obligations to consult bargaining agents.

If a decision were made to merge, a review of accommodation requirements would be conducted. There might be changes to employees’ reporting relationships, but decisions on who would be moving, and where, would be made during a transition phase. It would be necessary to have a consultation phase with managers and employees. An overall accommodation plan would be presented to the decision-making body for approval.

Costs: There are costs associated with merging departments or organizations. A fusion could suggest savings in corporate services and human resources, but to what extent is not known. In fact, one reason for creating the “Québec model” of “twinning” was to reduce costs. As already noted, whether this actually reduced costs over establishing separate privacy and access to information bodies is not known. Even if the Québec model does turn out to be more cost effective, it is important to remember that in Québec the access to information and privacy organization began life as a “merged” entity. It did not need to incur the dislocation and possible additional costs that would be involved in taking two separate existing entities and developing a process for bringing them together.

Monitoring Fused Corporate Services: In the past, the two offices shared a common Corporate Services Branch. The Director General of the branch reported to the Executive Director of the Office of the Privacy Commissioner and the Deputy Information Commissioner of the Office of the Information Commissioner. We understand that there were competing demands, and it is not clear how effective the reporting relationship was. Therefore, means to ensure accountability and address competing demands would have to be considered in light of a merged “corporate services” function in a model that still retains two separate Commissioners but seeks to combine corporate services.

Service level agreements, or Memoranda of Understanding (MOUs), may be a useful way to ensure proper service delivery and accountability. A dispute resolution mechanism may also be necessary.

The recent initiative by the Government of Canada on shared services and the accompanying research to date could serve as a resource for the two offices if they are requested to determine the feasibility of a common Corporate Services Branch.

Reporting Requirements: At present, the two offices are considered one entity with two separate votes. They produce separate budgets, main estimates, Report on Plans and Priorities (RPP) and Departmental Performance Reports (DPR). It would not be difficult to combine the preparation of the Report on Plans and Priorities, the Departmental Performance Reports, the Main Estimates, the Financial Statements and the Public Accounts, since consultation on day-to-day financial matters already occurs between the two Finance Branches. A review of the Government of Canada — Treasury Board Secretariat (GOC-TBS) calendar of events for the financial cycle would be necessary to develop a comprehensive plan for completion of these financial and reporting requirements.

Is Fusion the Real Issue?

Does the discussion of fusion distract us from what may be a much more fundamental and significant issue – the deficiencies in the current legislative framework governing both privacy and access to information?

When they were first introduced in 1982, the Privacy Act and the Access to Information Act were intended to work together. The operating assumption was that all information recorded by government was to be accessible to the public, except for personal information as defined in the Privacy Act. The functions, duties and powers of the two Commissioners are, as far as possible given their different mandates, mirror-images of each other in respect of the complaint process, investigative powers, recourse to the courts and reporting requirements.^{Footnote 9} Technically speaking, a move towards a single Commissioner model would be possible under the current legal regime. In fact, this is a possibility which was expressly anticipated by Parliament, and provided for in the Privacy Act. Section 55(1) of the Privacy Act enables the Governor in Council to appoint the Information Commissioner as Privacy Commissioner as well. From a purely administrative law perspective, the establishment of a single Commissioner to administer both Acts, as originally drafted and as they still stand today, would not face any significant legal barriers.

Yet much has changed since 1982 and much is continuing to change, despite what was initially envisaged by their adoption as companion pieces of legislation. Although the two Acts mirror each other and are intended to be complementary, no provision was made requiring two Acts to be reviewed jointly on an ongoing basis, or requiring that a review of one take into account the potential impact on the other. As a result of several major legislative changes being introduced and discussed independently of one another, there is great potential for the two Commissioners’ mandates to diverge significantly.

Some of these pending legislative changes are as follows:

In 2000, PIPEDA was adopted, giving the Privacy Commissioner oversight over the information management practices of private sector organizations. PIPEDA is coming up to its five year review in 2006, and a number of substantive and procedural changes are being contemplated;
In December 2004, the Privacy Commissioner called on the Minister of Justice to introduce a much-needed reform of the Privacy Act to enable more effective oversight over rapidly-advancing information technologies and current-day national security concerns that could not be imagined twenty-five years ago when the original Act was under consideration;
In May 2005, a National Task Force on SPAM (unsolicited bulk email) called for a federal response, including federal legislation to combat SPAM and computer spyware, with appropriate oversight responsibility to be vested in the Privacy Commissioner;
On September 29, 2005, the Office of the Information Commissioner appeared before the House of Commons Committee on Access to Information, Privacy and Ethics, to present its proposed changes to the Access to Information Act, many of which may have implications for the Privacy Act. For instance, the proposed changes call for expanded coverage, greater government transparency and accountability of its information holdings, procedural changes for carrying out investigations, and a broader public education and research mandate for the Information Commissioner.

Underlying these proposed legal changes are fundamentally different philosophical approaches to regulating various spheres of activity. There are opposing tensions at play, depending on the perspectives taken. For instance, since the adoption of PIPEDA, there is growing pressure to call for similar personal information protections across both public and private sectors. According to this view, informational privacy, as an individual right, should be equally protected regardless of the status of the entity holding the personal information; government bodies should be held to the same standards as private sector organizations. Should this be the “chosen” view, it may have the effect of pulling the Privacy Act away from the model chosen in 1982 for governing public sector activity, to bring it into closer alignment with its private sector counterpart.

As another example, consultations in the context of the upcoming 2006 review of PIPEDA may suggest that, while both public and private activity ought to be regulated, the modes of regulation in each case need to be different. The ombudsman model may continue to be appropriate for governments in holding themselves publicly accountable for the information they have (including personal information), encouraging greater transparency about their activities (including information management practices), and brokering relations between them and the citizens they serve. However, this model may not be adequate for government regulation of private sector activity. It may not be as easily reconcilable with a wholly different slate of powers, duties and functions deemed necessary to regulate private sector activity.

The Report of the Access to Information Review Task Force^{Footnote 10} called for the Information Commissioner to move from an Ombudsman model to an order-making model in the medium term.^{Footnote 11} If the Privacy Commissioner were given an order-making power as well, the system would become unworkable. Two bodies dealing with the same subject matter (in those cases where access to information and privacy issues intersect) would lead to jurisdiction shopping. All jurisdictions in Canada that have provided an order-making power have done so where one person oversees both access and privacy functions. Moving to an order-making power at the federal level would necessitate fusing the offices as well.

As yet another possibility, should the federal government adopt the SPAM Task Force recommendations, the Privacy Commissioner may, in addition to oversight responsibilities under both public and private sector laws, be given oversight of SPAM and spyware-related activities. If so, we may see a tendency to extend the Privacy Commissioner’s traditional mandate about informational privacy to other spheres of privacy. The central role of information may be the common factor militating in favour of a fusion under current laws, but a shift in the role of the Privacy Commissioner to cover non-information aspects of privacy may lessen the fit between access to information and privacy.

The possibility that all these permutations could occur almost simultaneously creates a very complicated landscape at this juncture of the Commission’s history and evolution. The legal concept of privacy itself is at an important crossroad. Much debate has yet to occur around each of these major legislative initiatives before determining the appropriate policy choices for protecting privacy rights of Canadians and setting important future directions sufficiently flexible to withstand the lightning speed of advancing technology.

To decide at this time to merge the Office of the Privacy Commissioner with the Office of the Information Commissioner may have the unintended effect of pre-empting much of this vital public debate. Establishing design and structure first may have practical advantages, but may also foreclose innovative approaches, new public policy choices and appropriate future directions for adequately responding to the needs of Canadians in light of modern challenges.

For these reasons, it may be more appropriate to consider the fusion issue only after the substantive public debates around these proposed legislative initiatives take place.

Addressing Fundamental Issues of Information Management in Government

Could information management practices be improved if a comprehensive legislative framework was developed to set clearer parameters on how information (including personal information) is managed? Such a framework would likely require adopting a life-cycle approach that would cover all aspects of information management, from initial collection to storage and disposal. Comprehensive information management legislation would also need to specify the accountability and reporting requirements in the context of e-government and seamless service delivery (for example, Service Canada).

Some may suggest that Parliament established two Commissioners to set them against each other. There is some substance to this perception, since over time the two Commissioners have been at odds on various issues. This has diverted attention from important access and privacy issues and allowed the government to avoid its responsibilities in both areas. Fusing the two offices would eliminate playing Commissioners off against each other. It would be easier to task the government to focus clearly on the privacy and access issues at hand.

For example, the development of a robust privacy management regime that governs the collection, use and disclosure of personal information by federal departments and agencies has been a longstanding concern of the Office of the Privacy Commissioner. Privacy management frameworks are an integral part of sound information management policies and practices. In the late 1990s, then-Commissioner Bruce Philips called for a reform of the Privacy Act which would include the strengthening of reporting and accountability requirements. In our 2004-05 report, we dedicate a full chapter to privacy management frameworks as a complement to the key thrusts of our position on Privacy Act reform. A privacy management framework should be designed to help departments protect the personal information they control by identifying the inherent risks and how to mitigate those risks. We suggest that Treasury Board, as the locus for privacy policy in the federal government, assume a leadership and monitoring role in the development of a privacy management framework. As we note, the reporting requirements of federal agencies about their personal information management practices have been strengthened, along the lines we proposed. However, much remains to be done to ensure that privacy management is better integrated with mainstream management practices.

Conclusion

The foregoing discussion of a possible fusion of the two offices highlights the breadth of the issues involved. This paper has attempted to set out and address these issues as objectively as possible.

In short, we believe that both models – the Québec model and the model represented at the federal level with the Privacy Act, PIPEDA and the Access to Information Act, are workable. Each has potential strengths; each has potential weaknesses. Changing to a different other imports the possibility both of benefits and harms. Since this would be done without the benefit of any substantial historical record, we are left largely speculating on the outcome.

In the end, the important issue is perhaps not the shape of the container surrounding privacy and access to information, but the quality of the product inside the container. Privacy and access laws that address the needs of the 21st century, not those of a quarter century ago, are almost certainly more important than the debate about which form of governance of privacy and access is appropriate.

We have reviewed the case for and against fusion. We have listened to the opinions of many within our Office and our advisory committee. We conclude that fusing the two offices is not an appropriate measure at present, particularly when the Privacy Act and PIPEDA have not yet undergone a very necessary review, and when both the business and policy cases for fusion are less than compelling at best. In short, there are other, more pressing, issues that need to be addressed first if we are to protect the privacy rights of Canadians.

The federal Privacy Act is woefully deficient as a vehicle for protecting the privacy rights of Canadians. Time and again, Privacy Commissioners and privacy advocates have called for a thorough review and modernization of the legislation. The Privacy Act contains no effective mechanism to deal strategically with complaints, requiring that every complaint be examined – a potentially overwhelming, but unnecessary, burden. The Act was drafted well before the extensive penetration of computing power and surveillance technology into our lives. It was drafted long before the era of globalization and the extensive sharing of personal information across borders with corporations, with governments, and indirectly through corporations to foreign governments. It was drafted long before the era when the word terrorism began to fall from everyone’s lips amid calls for ever greater amounts of personal information in the quest to enhance personal and national security.

The commitment of government to provide adequate resources for both these activities will almost certainly have a far more profound impact on the fundamental right we call privacy than will the structure built to administer this right. Equally important for the health of privacy and access is the nature of the culture of compliance surrounding these rights. The federal government can take the lead in developing this culture, and this Office remains ready to help.

Footnotes

Footnote 1

Colin Bennett, “The privacy commissioner of Canada: Multiple roles, diverse expectations and structural dilemmas,” Canadian Public Administration, vol. 46, no. 2 (2003) 218 at 221.

Return to footnote 1

Footnote 2

P-A. Comeau, M. Couture, « Accès à l’information et renseignements personnels : le précédent québécois », Canadian Public Administration, vol. 46, no. 3 (2003) 364 at 365.

Return to footnote 2

Footnote 3

In some jurisdictions, these are called “information and privacy commissioners,” while in others the functions are assumed by an Ombudsman.

Return to footnote 3

Footnote 4

Although New Brunswick has two separate laws – one governing access and the other privacy – the duty to oversee both pieces of legislation, as in the other provinces and territories, falls to one person, the Ombudsman.

Return to footnote 4

Footnote 5

Commission d’étude sur l’accès du citoyen à l’information gouvernementale et sur la protection des renseignements personnels.

Return to footnote 5

Footnote 6

P-A. Comeau, M. Couture, « Accès à l’information et renseignements personnels : le précédent québécois », Canadian Public Administration, vol. 46, no. 3 (2003) 364 at 368.

Return to footnote 6

Footnote 7

Herbert Burkert, Research Centre for Information Law, University of St. Gallen, “Globalization - Strategies for Data Protection,” manuscript, September 14, 2005.

Return to footnote 7

Footnote 8

For example, Canada (Information Commissioner) v. Canada (Commissioner of the Royal Canadian Mounted Police) (C.A.), [2001] 3 F.C. 70; Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403.

Return to footnote 8

Footnote 9

The Privacy Commissioner has duties with respect to information banks, while the Information Commissioner has duties with respect to the rights of third parties. Otherwise, the powers, duties and functions of the Commissioners are virtually identical under both Acts.

Return to footnote 9

Footnote 10

The Task Force was established on August 21, 2000, by the President of the Treasury Board of Canada and by the Minister of Justice and Attorney General of Canada. Its report was released on June 12, 2002.

Return to footnote 10

Footnote 11

Page 114, Recommendation 6-25.

Return to footnote 11

Date modified:: 2005-11-02

Language selection

Search and menus

Search