Issue Sheets on the examination of the federal government’s constitutional, treaty, political and legal responsibilities to First Nations, Inuit and Métis peoples and any other subject concerning Indigenous Peoples

Appearance before the Standing Senate Committee on Indigenous Peoples, February 27, 2024

---

Limits of federal jurisdiction under the Privacy Act

Key Messages

• The Privacy Act applies to personal information held by federal government institutions (s.2).
• However, the information must be “under the control” of the government institution to be subject to the Act.
• The Act applies to any department or ministry of state of the Government of Canada, to the bodies and offices listed in the Schedule to the Act as well as to Crown corporations and their wholly-owned subsidiaries (ss.2 and 3).

Background

• The term “control” is not defined in either the Privacy Act or the Access to Information Act, despite being used in both statutes (see e.g. ss.7 and 8 PA; ss.4 and 12 ATIA).
• In the “PM’s Agenda case”, the Supreme Court employed a two-part analysis to determine if records in a Minister’s office were “under the control of a government institution” for the purposes of the ATIA. First, do the records relate to a departmental matter? If yes, then could a senior government official expect to obtain a copy of the record.
  • The analysis involves factors such as the substantive content of the record, the circumstances in which it was created, and the legal relationship between the government institution and the record holder. (Canada (Information Commissioner) v. Canada (Minister of National Defence), 2011 SCC 25 at paras. 54-56).
• While possession will play an important role in a control assessment, it is not determinative. Records held in a Minister’s office (which is not in principle subject to either the PA or ATIA) could still be found to be under the control of the related government institution that is subject to both statutes.

Prepared by: Legal

---

What constitutes personal information under the Privacy Act

Key Messages

• Under section 3 of the Privacy Act, “personal information” (PI) is broadly defined as information “about an identifiable individual that is recorded in any form”.
• An identifiable individual is “someone whom it is reasonable to expect can be identified from the information in issue when combined with information from sources otherwise available” [Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157 at para 43].

Background

• Examples of PI (non-exhaustive list):
  • Info. related to race, national/ethnic origin, religion, age, marital status;
  • Info. related to one’s education;
  • Info. related to one’s medical, criminal or employment history;
  • Identifying numbers or symbols;
  • Address, fingerprints, blood type of individuals;
  • An individual’s personal opinions or views; and,
  • Individual’s name if appears with other PI and disclosure would reveal information about that individual.
• But some types of information are excluded from the definition for certain purposes under the PA (such as the requirement for consent for use or disclosure) and are not exempt from disclosure under the ATIA (s.19).
  • Exclusions include: where more than 20 years have passed since the death of the individual (s. 3(m)); information about officers or employees of government institutions that is related to their position or functions (s. 3(j)).
• Note that information that is “publicly available” is not subject to the consent requirements for use or disclosure (s. 69(2) PA).

Prepared by: Legal

---

Access to personal information requests under the Privacy Act

Key Messages

• The purpose of the Privacy Act is two-fold:
  • to protect the privacy of individuals with respect to personal information that federal government institutions hold about them and
  • to provide a right of access to that information (s. 2 PA).
• An individual can seek access to their own personal information by making a request in writing that either identifies a personal information bank or provides enough information about the subject of the request to allow the government institution to retrieve the information (ss.12(1) and 13 PA).
• The government institution has 30 days to respond; it may extend that period up to 30 days if required to complete consultations or to avoid “unreasonably interfer[ing] with the operations of the government institution” (ss.14 and 15 PA).

Background

• An individual can request access to their personal information using the Access to Personal Information Request Form set by the Treasury Board Secretariat or by letter indicating their request is under the Privacy Act (s.8 Privacy Regulations and s.71(1)(c) PA; see also “Make an access to information or personal information request”, Treasury Board Secretariat website).
• Any personal information under control of a government institution that is or may be used for an administrative purpose or is retrievable using the name of an individual should be included in a personal information bank (s.10 PA).
• An index of personal information banks (PIBs) is published annually. This index also includes all classes of personal information under the control of government institutions that are not contained in PIBs (s.11 PA).
• When a government institution makes use of an extension in responding to an access to personal information request, it must inform the requester of their right to complain to the Privacy Commissioner about the extension (s.15 PA).
• Where a request is refused, the government institution must indicate either that the information requested does not exist or the specific provision of the PA on which the refusal is based. That notice must also inform the requester of their right to complain to the Privacy Commissioner about the refusal. (s.16 PA).

Prepared by: Legal

---

Role of authorized representatives (s.10 Privacy Regulations)

Key Messages

• People wishing to exercise their right under the Privacy Act to access or correct their own personal information held by a government institution do not need to do it alone; they can get someone to help them.
• Individuals may, in writing, authorize another person to exercise their rights on their behalf under the Privacy Act [PA] via the Privacy Regulations [s.10(c)].
• Individuals who cannot authorize another person do to so in writing (e.g., minors, individuals lacking legal capacity, deceased persons) may nonetheless benefit from a 3rd party exercising their rights under the PA on their behalf [Privacy Regulations ss.10(a)-(b)] in some circumstances where it is permitted by federal or provincial laws.

Background

• Adults with the requisite legal capacity may consent to having a 3rd party represent them vis-à-vis their rights under the PA [s.10(c) of Privacy Regulations] if they advise the government institution in question in writing to assist them with things like accessing or correcting their own personal information held by the institution.
• Adults without the requisite legal capacity, including minors and deceased individuals, can have someone else represent them to exercise their rights under the PA [ss.10(a)-(b) of Privacy Regulations]; the representative must, depending on the circumstances, be authorized by or pursuant to federal or provincial laws to administer their affairs or estate (such as a parent, guardian, person with power of attorney or executor).

Prepared by: Legal

---

Disclosure for research or statistical purposes (s.8(2)(j))

Key Messages

• The head of a government institution can disclose personal information without the individual’s consent “to any person or body for research or statistical purposes” but only if certain conditions are met [s. 8(2)(j) PA & s.6 Privacy Regulations]:
  • they are satisfied that the purpose for which the information is disclosed cannot reasonably be accomplished unless the information is provided in a form that would identify the individual to whom it relates [s.8(2)(j)(i)]; and
  • they obtain from the person or body a written undertaking that no subsequent disclosure of information will be made in a form that could reasonably be expected to identify the individual to whom it relates [s.8(2)(j)(ii)].

Background

• “Under s.8(2)(j) of the Privacy Act, PI may be disclosed at any time for research or statistical purposes” [Canada (AG) v Fontaine, 2017 SCC 47 at para 55]
• As per s.6 of the Privacy Regulations, personal information already transferred to the Library and Archives of Canada by a gov’t institution for archival or historical purposes may be disclosed to any person or body for research or statistical purposes where:
  1. the information is of such a nature that disclosure would not constitute an unwarranted invasion of the privacy of the individual to whom the information relates;
  2. the disclosure is in accordance with s.8(2)(j) or (k) of the PA;
  3. 110 years have elapsed following the birth of the individual to whom the information relates; and
  4. in cases where the information was obtained through the taking of a census or survey, 92 years have elapsed following the census or survey containing the information.

Prepared by: Legal

---

Disclosure to Indigenous government or association (s.8(2)(k))

Key Messages

• There are limited circumstances under which personal information can be disclosed without consent. These are set out in subsection 8(2) of the Privacy Act.
• Among these, paragraph 8(2)(k) provides that personal information can be disclosed to an Indigenous government, related institution or association, or to an Indian Band, for the purpose of researching or validating the claims, disputes or grievances of Indigenous peoples.
• The Federal Courts have interpreted this provision as allowing the privacy rights of Indigenous individuals to be set aside for the purpose of furthering claims related to collective Indigenous rights, including land claims.

Background

• The phrases “Indian band” and “aboriginal government” are both exhaustively defined under the PA (see s.8(6) and 8(7) respectively).
• The OPC has had limited direct experience with these provisions but is aware that Indigenous stakeholders have recommended that the Privacy Act be updated to better facilitate sharing of information with Indigenous governing entities.
• “Parliament intended to ensure that privacy of information about individual members of Indian bands could be set aside for the purpose of enhancing the rights of the present and future members. It is a form of quid pro quo between the protection of the privacy of individual members and the enhancement of their collective rights. To the extent that privacy could stand in the way of the recognition of collective rights, it was expressly allowed to be lifted.” Canada (Information Commissioner) v. Canada (Minister of Industry), 2007 FCA 212 at para. 34 per Décary JA. in concurring reasons.
• “[T]he phrase “researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada’ appears to contemplate formal claims or disputes brought by aboriginal peoples in their capacity as aboriginal peoples.” Sutherland v. Canada (Minister of Indian and Northern Affairs) (T.D.), 1994 CanLII 3493 (FC), per Rothstein J.

Prepared by: Legal

---

Disclosure in the public interest (s.8(2)(m))

Key Messages

• Despite the Privacy Act’s many restrictions on disclosing personal information (PI) to 3rd parties, the head of a government institution can still do so for any purpose if they are of the opinion that the disclosure is:
  • clearly in the public interest (and clearly outweighs any invasion of privacy resulting from such a disclosure) [s.8(2)(m)(i)]; or
  • clearly beneficial to the individual to whom that PI relates [s.8(2)(m)(ii)].
• Disclosures under s.8(2)(m) are discretionary (i.e., may be disclosed rather than must be disclosed if criteria are met).
• The Privacy Act requires that my office be notified in writing in advance, or as soon as possible after such disclosures; while I cannot prevent disclosure, I have the discretion to notify the affected individual of the disclosure (s.8(5)).

Background

• Discretion to disclose under s.8(2)(m) is very broad and discretionary [Dagg v. Canada (Minister of Finance), [1997] 2 SCR 403 at para 109]; even if a disclosure could either be clearly in the best interest of the public or beneficial to the individual to whom the PI relates, the head of a gov’t institution is not obliged to actually disclose that PI if that is how they choose to exercise their discretion.
• Once gov’t institution head establishes that something is PI under the Privacy Act, his/her decision to refuse disclosure under s.8(2)(m) may only be reviewed on the basis that it constituted an abuse of discretion [Dagg v. Canada (Minister of Finance), [1997] 2 SCR 403].
• Canadian common law requires that decision-makers be able to explain/articulate how they make decisions/exercise their discretion; heads of gov’t institutions ought to provide reasons why they choose/refuse to exercise their discretion to disclose PI under s.8(2)(m) of the Privacy Act.

Prepared by: Legal

---

Treatment of personal information of third parties (s.26 Privacy Act)

Key Messages

• Sometimes a record that is responsive to a personal information access request contains the personal information of more than one individual.
• In such cases, the government institution must refuse to disclose the information unless they have the consent of the other individual or unless one of the exceptions to the consent requirement applies (s.26 PA).
• If the requester does not have the consent of the other individual, the government institution may be able to sever the personal information belonging to the third party and disclose the rest to the requester.
• In some cases, however, the same information may be considered the personal information or more than one person. This may require a balancing of interests (both public and private) to determine whether disclosure should occur.

Background

• Unlike the Access to Information Act (s.25), the Privacy Act does not have a specific provision dealing with severance. However, severance can still be employed in responding to an access to personal information request.
• Where personal information belongs to more than one person, the government institution should examine the requester’s private interest in access versus the third party’s private interest in non-disclosure. Then, they should consider the public interest in disclosure versus the public interest in non-disclosure (Canada (Information Commissioner) v. Canada (Minister of Citizenship and Immigration), 2002 FCA 270 at paras. 28-35 “Pirie”.
• The Personal Information Access Request Form specifically asks requesters to consider whether they anticipate the requested records will contain the personal information of third parties and if so, whether they have their consent to release of the information.

Prepared by: Legal

---

Life span of privacy protection under the Privacy Act

Key Messages

• Under the Privacy Act, the protection of personal information from disclosure to third parties is time-limited. For personal information held by a government institution, this protection expires once the individual has been deceased for more than 20 years (s.3(m));
• Where personal information is held by Library and Archives Canada, this protection ceases 110 years after the individual’s birth (Privacy Regulations, s.6(c)).
• Personal information about an individual who has been deceased for more than 20 years may also be subject to disclosure under the Access to Information Act.

Background

• Library and Archives Canada Materials:
  • According to s.8(3) of the PA, “personal information under the custody or control of the Library and Archives of Canada that has been transferred there by a government institution for historical or archival purposes may be disclosed in accordance with the regulations to any person or body for research or statistical purposes”—but it would not be limited to those purposes if the PI relates to an individual who has been dead for over 20 years (i.e., it could be disclosed for any purpose).
  • As per s.6(c) of the Privacy Regulations, personal information transferred to Library and Archives Canada by a government institution may be disclosed to any person or body for “research or statistical purposes” where “110 years have elapsed following the birth of the individual to whom the information relates”.
• Private Museum/Library Materials: Regardless of the 20/110-year timeframes, if personal information is placed in the Library and Archives of Canada (or in certain museums under federal jurisdiction) by persons or organizations other than government institutions, neither the Privacy Act [s. 69(1)(b)] nor the Access to Information Act [s.68(c)] apply to such information (and the OPC would have no jurisdiction) even though those libraries/museums are “government institutions” for the purpose of both Acts.

Prepared by: Legal

---

Relationship between Privacy Act and Access to Information Act

Key Messages

• The Privacy Act and Access to Information Act are intended to be a “seamless code”, constructed harmoniously according to a “parallel interpretation model” [Leahy v Canada (Citizenship and Immigration), 2012 FCA 227 at para 68].
• There are no gaps between the Acts; their provisions are interdependent and intertwined to strike the right balance on accessing government information and respecting privacy.
• For example, the ATIA incorporates the definition of “personal information” found in the Privacy Act (s.3 PA and s.3 ATIA).
• Parliament ensured that both statutes recognize that the protection of privacy is paramount over the right of access (except as prescribed by law) [H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General), 2006 SCC 13 at para 2].

Background

• Principles developed in jurisprudence under the Access to Information Act (ATIA) and the Privacy Act (PA) are relevant to the interpretation and application of both statutes (VB v Canada (Attorney General), 2018 FC 394 at para 44).
• If the PA applies to a record containing personal information, so will the ATIA (and vice versa); either both Acts apply or neither one does.
• Unlike the provinces, where access and privacy are generally addressed in the same statute, at the federal level it is split between two statutes (PA & ATIA).
• At the federal level, the Privacy Commissioner enforces the PA while the Information Commissioner enforces the ATIA; at the provincial/territorial level, a single Commissioner enforces a combined statute covering privacy/access.
• (Although note that the PA provides that the Information Commissioner can also serve as Privacy Commissioner; this occurred on an interim basis in June 2022 when Commissioner Maynard also served as Privacy Commissioner between the end of former Commissioner Therrien’s mandate and the appointment of Commissioner Dufresne (s.55 PA)).

Prepared by: Legal

---

Canada v. Fontaine and Independent Assessment Process records

Key Messages

• The Indian Residential Schools Settlement Agreement (Settlement Agreement) provided for the creation of an Independent Assessment Process (IAP) to decide claims relating to the most serious forms of abuse that took place at residential schools across Canada.
• In 2017, the Supreme Court held that records created as part of the IAP are not subject to the Privacy Act or the Access to Information Act, in large part because absolute confidentiality was a condition for the creation of the IAP and because claimants participated based on that expectation (Canada v. Fontaine, 2017 SCC 47).
• However, survivors who made claims with the IAP can elect to have their records archived with the National Centre for Truth and Reconciliation (NCTR), the Indigenous archive created pursuant to the Settlement Agreement.
• Records not transferred for archiving are subject to a destruction order that will take effect in September 2027.

Background

• The IAP Records can be divided into seven categories: “(1) applications submitted by the claimants; (2) mandatory documents containing private personal information; (3) witness statements; (4) documentary evidence produced by the parties; (5) transcripts and audio recordings of the hearings; (6) expert and medical reports; and (7) decisions of the adjudicators and any appeals” (Canada v. Fontaine at para. 10).
• The NCTR was created “to archive and store the records collected by the Truth and Reconciliation Commission, along with the historical records regarding residential schools” (Canada v. Fontaine at para. 11 and Settlement Agreement, Schedule N re the TRC’s mandate).

Prepared by: Legal

---

GA Consultations

Key Messages

• In January 2022, we were informed that Crown Indigenous Relations and Northern Affairs Canada (CIRNAC) intended to release 1.5 million residential school records to the National Centre for Truth and Reconciliation under the public interest disclosure provision (8(2)(m)) of the Privacy Act.
• During that engagement, we confirmed that the Privacy Act is not a barrier to disclosure, and advised that the disclosure should be governed by an information sharing agreement (ISA) and protecting during transmission.
• In March 2021 the OPC was contacted by Crown-Indigenous Relations and Northern Affairs Canada/Indigenous Services Canada ATIP regarding disclosure of First Nations personal information to entities including the First Nations Information Governance Centre for research purposes under section 8(2)(j). We advised of the need to establish information sharing agreements specifying purposes and that agreements should be posted to the departmental website for public transparency.
• Since 2023, the OPC has had observer status on the Interdepartmental Collaborative Committee on Indigenous Data (ICCID), co-chaired by ISC and Statistics Canada, where issues of related to indigenous personal information are discussed quarterly.

Background

• The release of 1.5 million records by CIRNAC was intended to replace those which we understand were corrupted and/or of poor quality for archiving when previously disclosed by the Truth and Reconciliation Commission to the Centre. We have offered to continue our consultation regarding additional residential school records to be shared; we have not to date been consulted further.

Prepared by: GA

---

Complaints against ISC, CIRNAC and predecessor departments

Key Messages

• In the past five (5) years, the OPC accepted 57 complaints against Indigenous Services Canada or Crown–Indigenous Relations and Northern Affairs Canada or its predecessors (Indian and Northern Affairs Canada and Aboriginal Affairs and Northern Development Canada).
• With regards to complaints specific to accessing records concerning residential schools, we accepted six such complaints.
  • Five were closed during our early resolution investigative process by being either resolved or abandoned by the complainants.
  • One complaint is still under active investigation

Background

• Out of the 57 accepted complaints, complainants primarily alleged that i) they did not receive information they requested, ii) the institutions took too long to respond, or iii) personal information was used or disclosed in a manner that was not in keeping with the requirements of the Privacy Act.
• While not recent or specifically related to residential school records, we note the following complaint concerning the Indian Land Registry from 2013:
  • The complainant alleged that (redacted).
  • During the course of the investigation INAC proposed a solution that, in our view, satisfies its legislative obligations to maintain a publicly accessible registry and addresses the concerns raised by the complainant. Complaint was closed as “Resolved” in 2016.

Prepared by: Compliance

---

Breach reports from federal institutions of interest to APPA

Key Messages

• The OPC has not received any breach reports in the past five years from Indigenous Services Canada (ISC) or Crown–Indigenous Relations and Northern Affairs Canada (CIRNAC).
• In accordance with TBS policy, institutions are required to report material privacy breaches to TBS and to the OPC no later than seven days after the institution determines that a breach is material.
• Our Office is concerned about under-reporting, as many of the government institutions subject to the Privacy Act that handle sensitive personal information have never reported a breach to us, including CIRNAC and ISC.

Background

• The OPC has not received any breach reports in the past 5 years from ISC or CIRNAC. This includes its predecessors (Indian and Northern Affairs Canada and Aboriginal Affairs and Northern Development Canada).
• Under TBS policy, a material privacy breach is defined as one that could reasonably be expected to create a real risk of significant harm to an individual.
  • Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. This definition mirrors that under PIPEDA.
• In 2017, CIRNAC reported three privacy breaches to our Office for which personal information (redacted).
• The last report received from CIRNAC was in June 2018. The breach resulted from an employee who accessed the personal information of their colleagues without authorization.
• We have not received any breach reports from Indigenous Services Canada (ISC).

Prepared by: Compliance

---

Global Affairs Canada Breach

Key Messages

• On January 26, GAC verbally advised our Office of a breach of their Canadian VPN network from 20 December 2023 to 24 January 2024. The breach is now contained.
• GAC submitted a preliminary breach report to our Office on February 2, 2024. While GAC is still investigating, it advised that the breach was caused by a cyberattack on its VPN and that data, including personal information, may have been compromised.
• After receiving several complaints about the matter, our Office has launched an investigation which will examine the adequacy of the safeguards employed by GAC to protect personal information and assess compliance with the Privacy Act.

Background

• In accordance with TBS policy, institutions are required to report material privacy breaches to TBS and the OPC no later than seven days after the institution determines the breach is material.
• GAC has submitted a preliminary/partial privacy breach report to our Office in which they identified 1,761 affected individuals.
• GAC indicates that any information stored in affected employees’ personal and corporate shared drives, along with any unencrypted communications, may have been compromised in the breach.
• As of February 21, 2024, our Office has received 5 complaints related to this breach.

Prepared by: CIRD

---

Department of Justice engagement with Indigenous partners

Key Messages

• We welcome the Government’s commitment to ongoing engagement with First Nations, Métis, and Inuit partners on the modernization of the Privacy Act.
• In 2019, in response to a Department of Justice technical engagement with experts on the future of the Privacy Act, we noted our support for early, meaningful engagement with Indigenous partners.
• We also recommended that Indigenous peoples be consulted on any changes to the Act pertaining to them, and that collective interests of Indigenous governments be reflected.

Background

• As part of its Privacy Act modernization efforts the Department of Justice held a technical engagement with experts that we responded to in 2019, a public consultation we made a submission on in 2021, and held discussions with First Nations, Inuit and Métis partners during the 2020-2021 time period.
• Engagement with Indigenous Partners: In November 2023, the Department of Justice published its Report on Engagement with Indigenous Partners. That report expanded upon earlier consultations, with recurring themes and potential proposals for updating the Privacy Act in the context of reconciliation, such as:
  • addition of a purpose clause to highlight reconciliation.
  • updating terminology referring to Indigenous peoples.
  • broadening disclosure for Indigenous governing bodies.
  • developing mechanisms to support broader sharing or transfers of personal information.

Prepared by: Legal/PRPA

---

OCAP Principles

Key Messages

• While my office does not have expertise in the OCAP® principles, members of my team have received training to better understand the fundamentals of OCAP® and the intersection with privacy.
• We are pleased to see that the Department of Justice has been engaging with Indigenous communities to see how the concept intersects with the Privacy Act and how OCAP® principles might be integrated into legislative reform.
• My office will continue to develop knowledge on OCAP® and seek opportunities to learn from Indigenous groups to better understand their views on privacy.

Background

• OPC staff (PRPA) received group training from the First Nations Information Governance Centre (FNIGC) on the OCAP® principles in 2021. A few PRPA staff members have received individual OCAP® training. Staff have also attended conferences and events focused on OCAP® principles for the past several years.
• OCAP® expresses jurisdiction over information about First Nations communities. The interpretation of OCAP® is unique to each First Nations community or region. Through OCAP®, First Nations assert the right to govern how information that describes them will be used and disclosed (regardless of where it is held), and what limitations or conditions must be placed on its use.
• OCAP® principles reflect First Nations’ commitments to use and share information in a way that brings benefit to the community while minimizing harm. The FNIGC and others have criticized access and privacy legislation for not explicitly recognizing communal privacy.
• In its Report on Engagement with Indigenous Partners, the Department of Justice highlights the OCAP® principles as an example of a significant development that highlights the uniqueness of Indigenous interests in relation to personal information since the coming into force of the Privacy Act.

Prepared by: PRPA

---

Indigenous Data Sovereignty

Key Messages

• My Office has been following and is supportive of the work being done by the Department of Justice to engage with Indigenous communities on Privacy Act reform and on Indigenous Data Sovereignty.
• While we are not experts on Indigenous Data Sovereignty, my Office has also been following work by Indigenous groups to advance the concept.
• We read with interest the First Nations Data Governance Strategy (March 2020), which is the first national strategy for Indigenous Data Sovereignty, and have met with the First Nations Information Governance Centre and discussed key themes from the report.
• We also funded a First Nations Information Governance Centre project on data sovereignty and PIPEDA through our Contributions Program that is available on our website should it be of interest to the Committee.

Background

• In its Report on Engagement with Indigenous Partners, the Department of Justice noted that it received feedback on the need for Indigenous sovereignty over their data. This would require Indigenous peoples to be directly involved in the decision-making process related to how their information is used and disclosed. The report notes that this may require legislative, policy, and process changes, such as the establishment of appropriate enforcement and appeal mechanisms.
• PRPA staff met with the First Nations Information Governance Centre for a briefing on the First Nations Data Governance Strategy. We also engaged with the organization to learn more about Indigenous Data Sovereignty at roundtables held in 2021 and we recently funded the organization through our Contributions Program for a project on First Nations Data Sovereignty and PIPEDA.
• The need for First Nations to govern their own data is prioritized in numerous reports, commissions, resolutions, and calls to action dating as far back as the Penner Report (1983), followed by the Royal Commission on Aboriginal Peoples (1996) and several Auditor General Reports.

Prepared by: PRPA

---

United Nations Declaration on the Rights of Indigenous Peoples

Key Messages

• The United Nations Declaration on the Rights of Indigenous Peoples (the Declaration) is an international human rights instrument that affirms and sets out minimum standards for the survival, dignity and well-being of Indigenous peoples worldwide.
• Given Canada passed the United Nations Declaration on the Rights of Indigenous Peoples Act in 2021 to advance the implementation of the Declaration at the federal level, it is important to assess how the Act should inform reform of the Privacy Act.
• While First Nations, Inuit and Métis Nations have collective rights under UNDRIP, these are not explicitly reflected in federal privacy legislation, which generally focuses on individual rights. This could be a point to consider in Privacy Act reform.

Background

• The Government of Canada endorsed the UNDRIP in May 2016, and on June 21, 2021, the UNDRIP Act received Royal Assent and became law in Canada.
• While privacy rights are not specifically outlined in the UNDRIP, related themes include the right to self-determination, the right to be recognized as distinct peoples, the right to be consulted and provide free, prior and informed consent on legislation before adoption, and the right to participate in decision-making matters which would affect their rights, though representatives chosen by themselves.
• UNDRIP recognizes and affirms “that [I]ndigenous peoples possess collective rights which are indispensable for their existence, well being, and integral development as peoples” (Preamble). It identifies several collective rights, including rights to self government.
• The Act requires the Government of Canada, in consultation and cooperation with Indigenous peoples, to 1) take all measures necessary to ensure the laws of Canada are consistent with the Declaration; 2) prepare and implement an action plan to achieve the Declaration’s objectives; 3) table an annual report on progress to align the laws of Canada and on the action plan.

Prepared by: PRPA

---