Mr. Paul Szabo, M.P.
Chair of the Committee
Standing Committee on Access to Information,
Privacy and Ethics
House of Commons
Ottawa, ON K1A 0A6
Dear Mr. Szabo:
The Government welcomes the opportunity to respond to the Tenth Report of the Standing Committee on Access to Information, Privacy and Ethics entitled The Privacy Act: First Steps Towards Renewal, released on June 12, 2009. This Report is the culmination of work that began in the spring of 2008. At that time, the Privacy Commissioner tabled with your Committee her 10 recommendations for immediate reform of the Privacy Act. She referred to these as "Quick fixes", and recently added two more recommendations to her list.
The Report states that the Committee fully supports five of the Privacy Commissioner's 12 recommendations, and gives qualified support to one additional recommendation.
We would like to point out that Canada has a strong legislative, administrative and constitutional framework to assure the privacy rights of Canadians: the Privacy Act and its regulations, the Canadian Charter of Rights and Freedoms, as well as several government policies, directives and guidelines, govern the federal public sector.
We note that one of the Commissioner Stoddart’s recommendations is clearly based on her view that the Privacy Act should be amended so that it more closely resembles PIPEDA. We refer to her seventh recommendation that the Privacy Act be amended to cover both recorded and unrecorded personal information, as is the case in PIPEDA. In this regard, it is important to bear in mind that the public and private sectors are different in important ways. Normally, private sector entities engage in commercial activity and do not derive their authority for carrying out their mandates from federal statutes. Nor are these entities covered by the Charter. Further, the accountability structure in the private sector is quite different from that in the federal public sector.
In our view, the current definition of personal information in the Privacy Act, together with the application of the Charter, is sufficient to address the scenarios raised by the Privacy Commissioner.
In addition, a number of the Commissioner's recommendations propose to enshrine current policy in law. For example, government institutions are required by Treasury Board Secretariat Policy to report annually on a spectrum of privacy-related activities and to ensure that personal information is safeguarded. The Commissioner proposes that these policy requirements be made into statutory requirements in the Privacy Act. While a legal requirement appears to be more potent than a policy requirement, federal government institutions are nevertheless obliged to adhere to policies. Policy instruments are also much easier to adjust in light of changing circumstances, including the impacts of new technologies.
The Treasury Board Secretariat has put into place a number of policies, directives and guidelines to govern the operations of government institutions in relation to the creation, collection, and handling of personal information. In 2008, a new Policy on Privacy Protection was issued, along with a Directive on the Social Insurance Number. The Treasury Board Secretariat is currently developing three additional privacy directives. These include (1) the Directive on Privacy Requests and Correction of Personal Information to establish consistent practices for processing requests for access to or correcting personal information that is under the control of government institutions; (2) the Directive on Privacy Practices to set out the requirements for sound privacy practices and the management of personal information under the control of government institutions; and, (3) the Directive on Privacy Impact Assessment (PIA) to ensure that privacy implications are appropriately identified, assessed and resolved before any new program or activity involving personal information is implemented. A handbook for the use of ATIP officers at all institutions is also being prepared to provide detailed guidance and best practices for the day-to-day administration of the Privacy Act.
We note that the Committee endorsed the Commissioner’s recommendation to "strengthen the provisions governing the disclosure of personal information by the Canadian government to foreign states", but stated that an amendment may be needed to exempt law enforcement activities. We believe the Committee thereby recognizes that law enforcement and security agencies require a flexible approach to information sharing. Law enforcement and security agencies cannot operate in silos and must be able to share intelligence quickly and efficiently. They must be able to share their intelligence within Canada as well as with their foreign partners.
We wish to point out that there are other important government activities which could require federal government institutions and agencies to share personal information, both inside and outside Canada. Such activities include ongoing or proposed government programs relating to establishing, modifying or enforcing family obligations, addressing cases of international parental child abduction and suspected forced marriage, and responding to sudden worldwide health threats. Without efficient means of sharing personal information globally and domestically, these entities would be seriously hampered in their efforts to assist and protect Canada and its residents. Furthermore, efforts to provide greater domestic legislative support to our treaty obligations under international conventions could be seriously hampered.
For all these reasons, any change to the way in which Canada shares sensitive and important personal information must be carefully considered before any decision is made on possible amendments. Further consultation with government institutions and agencies that are responsible for the security as well as the health and welfare of Canadians would be required to ensure that the Privacy Act does not restrict the flexibility or pose additional barriers to information sharing.
The Privacy Act is a strong piece of legislation. It is crucial that careful consideration be given to the impact changes to the legislation may have on the operations of government institutions which are subject to the Act. Legislative amendments must be examined in the context of administrative alternatives, such as enhanced guidance and training that can be equally effective to realizing continued improvements.
Finally, your Committee recommended that we work more closely with the Privacy Commissioner to understand the intent of a number of her recommendations that you did not endorse at this time.
We assure you that we will continue to work closely with the Office of the Privacy Commissioner to ensure that the privacy of Canadians continues to be protected.
The Honourable Rob Nicholson
Minister of Justice and Attorney
General of Canada
c.c.: The Honourable Vic Toews, President of the Treasury Board