Theme One: Technological Changes

1. Clarify requirements for information-sharing agreements: Require that all information sharing under paragraphs 8(2)(a) and (f) of the Privacy Act  be governed by written agreements  and that these agreements include specified elements.  Further, all new or amended agreements should be submitted to the Office of the Privacy Commissioner of Canada (OPC) for review, and existing agreements should be reviewable upon request.  Finally, departments should be required to be transparent about the existence of these agreements.

2. Create a legal obligation for government institutions to safeguard personal information: Create an explicit requirement for institutions to safeguard personal information with appropriate physical, organizational and technological measures commensurate with the level of sensitivity of the data;

3. Make breach reporting mandatory: Create an explicit requirement for government institutions to report material breaches of personal information to the OPC in a timely manner and to notify affected individuals in appropriate cases;

Theme Two: Legislative Modernization

4. Create an explicit necessity requirement for collection:  Amend section 4 of the Privacy Act to create a more explicit necessity requirement for the collection of personal information, consistent with other privacy laws in Canada and abroad;

5. Replace the ombudsman model for the investigation of complaints with OPC powers to issue binding orders;

6. Consider creating a statutory mechanism to independently review privacy complaints against the OPC;

7. Require government institutions to conduct privacy impact assessments (PIAs) for new or significantly amended programs and submit them to OPC prior to implementation;

8. Require government institutions to consult with OPC on draft legislation and regulations with privacy implications before they are tabled;

9. Provide OPC with an explicit public education and research mandate:  Add a provision to the Privacy Act explicitly conferring the Privacy Commissioner with a mandate to undertake public education and research activities in respect of public sector privacy issues;

10. Require an ongoing five year review of the Act;

Theme 3: Enhancing Transparency

11. Grant the Privacy Commissioner discretion to publicly report on government privacy issues when in the public interest: Amend section 64 of the Act to create an exemption from confidentiality requirements to allow the Privacy Commissioner to report publicly on government privacy issues where he considers it in the public interest to do so;

12. Expand the Commissioner’s ability to share information with counterparts domestically and internationally to facilitate enforcement collaboration;

13. Provide the Privacy Commissioner with discretion to discontinue or decline complaints in specified circumstances: Amend section 32 of the Act to grant the Commissioner with discretion to decline complaints or discontinue investigations on specified grounds, including when the complaint is frivolous, vexatious or made in bad faith;

14. Strengthen transparency reporting requirements for government institutions: Strengthen reporting requirements on broader privacy issues dealt with by federal organizations as well as specific transparency requirements for lawful access requests made by agencies involved in law enforcement;

15. Extend coverage of the Act: Amend the Act to extend coverage to all government institutions, including Ministers’ Offices and the Prime Minister’s Office, and extend rights of access to foreign nationals;

16. Limit exemptions to access to personal information requests under the Act: Exemptions to personal information access requests should be limited.  They should generally be injury-based and discretionary to maximize disclosure.

Source: Office of the Privacy Commissioner, “Review of the Privacy Act - Revised recommendations,” 1 November 2016.