ETHI Committee Meeting
Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.
For an advanced search, use Publication Search tool.
If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.
CANADA
Standing Committee on Access to Information, Privacy and Ethics
|
l |
|
l |
|
EVIDENCE
Tuesday, April 29, 2008
[Recorded by Electronic Apparatus]
[English]
Good afternoon, colleagues.
This is our 30th meeting. Our order of the day is Privacy Act reform.
Today our witness again is Ms. Jennifer Stoddart, the Privacy Commissioner, from the Office of the Privacy Commissioner of Canada. I'm going to allow her to introduce her colleagues.
I had a little discussion with Ms. Stoddart pursuant to our discussion at our last meeting, where we had a review of the estimates and some particular questions regarding some of the human resources issues, particularly recruitment, lapsing salaries, etc.
The commissioner has undertaken to provide a document, which has been circulated to all of you. I hope you have it. It's called “Supplemental Information on Human Resources Management”, dated April 29, 2008.
Since this is not really an order of reference but rather a follow-up, we will have some comments from the commissioner on the human resources issues raised by the honourable members at the last meeting. We will probably want to carry this discussion forward to our next meeting with the Treasury Board to see if we can get a little more information. Then we'll decide whether or not the committee wishes to do anything further. There are a couple of options we can discuss at that time. We'll deal with that initially. It won't take very long.
Following that we are going to deal with the other report, also dated April 29, “Proposed Immediate Changes to the Privacy Act”, which I believe all members received in their offices. I want to compliment the commissioner and her staff for doing an excellent job on that document.
Commissioner, welcome. Let's start with the HR subject matter. Maybe you can introduce those who are going to help us get our focus on this matter.
You know Patricia Kosseim, our general counsel. Exceptionally, the director of human resources, Maureen Munhall, is joining us. As well, we have Raymond D'Aoust, who is the Assistant Privacy Commissioner particularly responsible for the Privacy Act.
Mr. Chairman, you asked us to begin with the issues of human resources, which we discussed at the last meeting, and so we put together this short paper, which we hope illustrates some of the answers to the questions you asked. Perhaps I'll just go through it and bring your attention to some of the major themes of it. We'll go from table to table, because it's easier sometimes to look at this mass movement of population in a graphic way.
First of all, the challenges that we face in recruiting and retaining employees are common to the public service. Table 1 and table 2 are illustrating our movement compared to the movement in the civil service. In table 1, hires and departures, the red columns are the level we're funded to and the blue columns are our actual employee population. However, you will notice that over the years we've been able to increase our actual population at a greater rate than the increase in our budgeted population, so we are making headway. Table 2 shows the evolution of the actual population, which is steadily going up across the years, in spite of the high level of departures.
Table 3 then shows that in two key occupational groups for us, the PMs--these are particularly people who do the investigations--and the ES group, which does a lot of the privacy analysis, the technological analysis, and so on, there are fewer turnovers as compared to the same occupational groups in the rest of the public service.
Table 4 on page 4 illustrates the issue of retirement, about which we had a few questions the last time. In fact, when we look into it, our rate of retirement is slightly below that of the public service, although this aging of the workforce is expected to continue.
So we think that all in all, although things aren't optimal, we are gradually improving, and there are more employees being hired and retained than are leaving.
What are we doing to strengthen our population base? We're recruiting, of course, and we're moving to, in many cases, Canada-wide recruitment, which is very interesting for us, because they're highly specialized jobs. We're taking into consideration the employment equity representation, which has been a concern of this committee in the past. I draw your attention to table 5, which shows that in some areas we are above the average for the public service. For example, for visible minorities and persons with disabilities, we're well above the average for the public service. We're a predominantly female organization.
In terms of retaining our employees, if we look at table 6, there are several reasons for departures, and many of them in fact are normal departures. If you look at page 6 regarding the normal departures, end of term may refer to employees who are simply hired for a certain time, whose term has come up. As you know, we're not supposed to be turning employees over at the end of their term so that they become in effect permanent employees, so much of that—33%—is those who are moving on.
Finally, our challenge to that in terms of retention--as we mentioned at the bottom of page 6--is to have an exit questionnaire in order to try to focus in more specifically on why employees are leaving, if they're valued employees, and what we could have done to retain them.
[Translation]
I'll continue in French.
We're also developing a work place fitness program and an awards and recognition program, in accordance with Treasury Board policies.
The work place fitness program is very much appreciated, particularly by young employees who are very focused on work-life balance.
We've also invested a great deal in dialogue with employee representatives and the various unions in the work place, and in occupational health and safety at all levels.
Lastly, we have learning plans for every employee so that they can develop the personal and linguistic knowledge necessary for promotion in the Public Service of Canada.
I hope this overview has illustrated the dynamics of our work place a little better. If you have any other questions on it, I will be pleased to answer them.
[English]
Thank you for presenting us with the supplementary report. I think it will be useful for members to be able to follow this issue.
Why don't we move to questions, starting with Mr. Dhaliwal. Then we'll go to Madame Lavallée and Mr. Tilson.
Thank you, Mr. Chair.
Thank you, Commissioner, and thank you also to your associates.
I'm looking at table 5, and I'm very encouraged to see that 71% of the employees there are women. When it comes to equity regarding women and visible minorities, you have these numbers, but when it comes to pay equity, where does your department stand?
I hope people are adequately and equitably remunerated, but we do not have discretion on the distribution of pay. We pay people according to their collective bargaining agreements and, for the non-unionized employees, according to the directives set down by Treasury Board, which are, as you probably know, formally asexual. I believe the unions across the public service have settled with the Government of Canada as to any adjustment necessary for the female-dominant categories.
Thank you.
Also, you mentioned that you have a balance when it comes to workplace and home life. What are the specific needs of the employees, and how do you deal with those particular needs?
Well, I hope I didn't convey the impression that we have a perfect balance between work and home life. I said we were trying to be sensitive to that.
We find that to be a value that's particularly important to the younger generation of employees that we want to attract, notably because of their skills and their understanding of our technological world. We are looking at what kinds of advantages we can offer them in the workplace in order to meet their needs for a work-life balance--for example, facilitating their access to places where they can do exercise at noon in order to get out of the office and maintain their health.
Women make up 70% of the employees, and women face challenges particularly when it comes to maternity and post-maternity issues. How are you dealing with those situations to make them favourable to employees who are in need of those benefits? This is besides the government standard offers, such as one year off work. I'm just wondering what additional benefits or incentives you have for employees who work for your department.
I don't know that we give them additional benefits or incentives. As you know, the management framework in which we administer personnel benefits is very strictly regulated.
But we have, I think, a fairly normal rate of maternity leaves. This is accepted as a normal part of the working atmosphere, and they come back after usually a year now. We have managers now who go on maternity leave. Their jobs are there, and they come back after a year. We try to schedule all work activities during normal working hours because of possible clashes with day care, family situations, and so on. Some employees, depending on what they do, can exceptionally work at home, if their children are sick, if there are some of the many crises, including the care of elder parents. We have a flexible policy on that. I don't know if there are any other....
I'm interested in knowing, other than the normal benefits every employee gets, what is additional. You mentioned exercise. That's a very small incentive. The second one you mentioned was that they're allowed to work out of their home places. Is that true? Is there anything else you can list?
Mr. Chairman, attitude counts for a lot. I try to foster the attitude that it's normal to have a family and to look after your family as well as giving a high level of professional service to the Government of Canada. We try to be understanding of families' needs. I certainly try not to schedule meetings at all hours. I don't expect employees to work on weekends. Now, some of them may have to, exceptionally, if there's a big deadline, and it's usually the managers. There was a lot of discussion about the use of BlackBerrys, and so on. I don't phone them at home to find out what they think about something for the next day; that's their family time. This is a very important value to me, so I try to make sure those values are respected throughout the office.
[Translation]
I'd like to thank the Commissioner for providing supplemental information. Personally, I don't have any questions, but my colleague Richard Nadeau may want to ask some.
Thank you, Mr. Chairman.
Good afternoon, Commissioner. Good afternoon to all your colleagues.
We're talking about amending the Privacy Act. I saw in the addendum that you made the last time and in other documents that referred to the act two points of greater interest to me. You talk about stating a clear public education mandate. What does that mean? From what comes to my mind, that involves calling Service Canada for information, but I imagine it will go further than that.
Yes, it will go much further, and I'll come back to that later.
When this act was drafted and implemented, no one ever thought that one of the Privacy Commissioner of Canada's most important roles—some would say the most important—was to provide the public with information on a broad scale concerning threats to their privacy, how to preserve their privacy and, increasingly, navigating in this technological world that is beyond the understanding of many.
Another image that comes to my mind is that of Maher Arar. We know what happened and in what circumstances. That individual suddenly wound up in another country in spite of himself, his privacy in tatters, and so on. That's no doubt an extreme case, and I hope that no one else winds up in that situation.
When an individual winds up in a situation in which he is asked for documents or must face a government institution such as a police department, and is surprised to learn that they know things about him, how can you react if that person hasn't even had the reflex to think that there was a Privacy Commissioner?
I think it would be quite difficult for us to provide any help in that case. The brief that we filed today contains two recommendations on the situation you've just outlined.
The first refers to the need to tighten up disclosure of personal information regarding Canadians to foreign states. This practice is currently quite relaxed. The second talks about giving Canadians more rights under the Personal Information Protection Act, in particular the right to damages, or to ensure that they have access to a recourse procedure when their right to information has been breached. Currently, it's extremely limited. So it's not very useful for Canadians.
You talked about cross-border information movements. Does that mean that, through international agreements or I don't know what, the Canadian government can transmit information on Canadian citizens to another country, whether they are in Canada or elsewhere in the world?
In what circumstances can that kind of thing occur? In your opinion, should the act be amended to protect people? There's the criminal world, on the one hand, but, on the other hand, approximately 99% of the population does not belong to the criminal world.
Precisely, and that's the last recommendation we're making to you today. We feel that this entire practice should be much more structured than it currently is. That should be entered in records. It should be determined who has access to that information. The agreements should be indexed, which is not currently the case. As I mentioned, this practice is currently quite relaxed. I believe that each department can establish international agreements as it sees fit.
The departments can establish agreements of that kind, but no process is in effect to manage the matter.
If I may, I'll supplement Ms. Stoddart's answer. The Treasury Board has issued guidelines on information sharing agreements. The departments are therefore subject to the Treasury Board policy. It establishes guidelines and parameters in the event an information sharing agreement or contract is entered into. That includes the need to protect information once it is transferred to the foreign government authority and the need to obtain assurances that that information will not be subject to any secondary use. These guidelines exist, but we see in practice that very few oversight mechanisms are applied in the case of these agreements, apart from the work that we do at the time of an audit or investigation.
[English]
I'd like to turn to the topic of staffing, with respect to the supplementary material that you gave to us. In some of the comments you made, you mentioned that there are problems in recruiting. Can you elaborate on that?
I think it's a couple of things. One is the time it takes to recruit compared with the short retention period of some of these employees. There is now a dearth of employees. They are rapidly offered, once they are in the civil service—
We've talked about this before. I look at your commission and compare it with other commissions or other agencies that are doing investigatory work, like the Auditor General. They're all specialized jobs. My question is, why would you be any different from anybody else?
I'm not. I'm different from the Auditor General. She has a separate employer. That allows her to offer different conditions and perhaps arguably to also adjust her offers of employment more quickly to the labour market offer. As for the others, we all need the same types of employees. Investigators, for example, are in high demand these days, so there's a certain movement.
From what I can observe, I would say that's often the case. We are a small organization, and another of the rules is that you can't create too many levels, become too hierarchical, and so on. So for employees who want and who deserve a promotion, often the only way to get it is to go to a much larger organization, where there are promotions and a level up. That has happened to many employees recently, particularly in our investigation area.
The managers move on because they can get promotions when people see the skills they have, and the employees move on and obtain promotions and so on. So there we are, back hiring people.
I'll add that in our particular case, because we're looking at privacy files, there's now a six-month wait for secrecy clearance.
A percentage of your employees are contract employees and a percentage of them are full-time employees, or whatever the terminology is. Can you tell us what the breakdown is of those two groups, roughly?
Of 122 employees, there are nine term employees right now. So it's a small number of contract employees at the present time; they're mostly full-time.
Yes, we realized we needed more fine-tuned knowledge in order to prevent the exit of these valuable employees.
I appreciate that you're working on this, but obviously it's a serious problem, to be efficient, to investigate. If you don't meet your timeframes or if you aren't as thorough as one should be because you're short-staffed or you don't have the appropriate people, that's a problem.
Presumably, if you're going to complain about that, or you're in the process of trying to improve this, I think the committee would like to hear from time to time your progress on this. There clearly is a problem, and I think the committee would like to hear interim reports on how you're progressing.
Yes, I'd be glad to give them, Mr. Chairman.
I mention also in this document that I'm involved in something called the heads of federal agencies, which is simply an informal group led by the Librarian and Archivist of Canada that groups about 160 small agencies, I think. Some of them are called micro-agencies and have four or five people, up to ones that have nine hundred or so. We are attempting to bring to the attention of Treasury Board the challenges of trying to manage a small agency with the same rules as the ones that are set up, for example, for the Department of National Defence or Transport Canada.
I think Mr. Wilson has been quite successful in bringing Treasury Board's attention to the challenges we face and how perhaps some of the rules are difficult for us and cause unforeseen difficulties for us and what the alternatives would be.
Because you're behind, how much of that is attributed to this problem that we're talking about right now?
A great amount, because as this problem has been chronic over the years we've built up a backlog of old cases. The new cases get added on to them. We get some out and they're still there. So a good part of it has to do with this.
Are there other agencies of the government that you can approach to...? I know you're very capable, but sometimes a second thought is a good one. Are there other agencies of the government you could discuss this with and obtain suggestions as to how this dilemma could be solved?
Yes, particularly the Canadian Human Rights Commission. They had a huge backlog several years ago, and we've been consulting them regularly on how they finally got on top of it. There are presentations within the groups of heads of federal agencies about how these small agencies, which have limited budgets too, have dealt with their backlog--for example, the RCMP complaints commission. So we've learned from their experience as it applies to us.
But each act, of course, is different, and the powers under each act are different.
I was involved as chair and vice-chair of the government operations committee during the Radwanski time. Mr. Martin was also there. There was a serious culture problem within the department. Are there any remnants of taboo in terms of the privacy commission office right now, publicly, in terms of potential applicants for jobs?
We're still able to attract a good quantity of candidates. It hasn't seemed to have hindered our ability to attract. We do submit annual reports to central agencies, reporting on our management practices, and the feedback received from them has been quite favourable. In April 2006, following the removal of staffing delegation, we did receive it back, as we had indicated to the Public Service Commission that....
It depends, but generally, if we're doing a full process where we're advertising it, it would be between three and six months, and that may or may not include the requirement for security clearance.
The advertisements are done through a service provided through the Public Service Commission of Canada. We present our information to them and we post, we get clearance. If they're external to the public, then we use the service through the Public Service Commission. If they're within the government, for employees, we have an internal mechanism.
Where would someone see the public ones? I've had people on the Hill looking for work, college graduates, and to the best of my understanding I've never seen an advertisement or posting yet for jobs with your group.
Are they posted on a website? How long do they stay on that website?
The website that is used is jobs.gc.ca. That's the common government site that is used to post externally. The length of posting can depend, based on the nature of the job, your anticipated applicants, etc.
At the clerical level, it's within the national capital region right now. We've extended it to include some perimeter areas such as Kingston, Maniwaki, Pembroke. We've gone that circumference.
With other jobs that you look to fill, do you have a restricted area? If you're from Quebec City or from Winnipeg, can you apply? Do you have geographic limitations on applications?
We have areas based on the level of the position, and that's standard throughout the Public Service Commission, a national area of selection. For officer-level positions, which a lot of ours are, they're posted at a national level.
When you speak, though, of having difficulty getting people, are you talking about difficulty getting people within a geographic location or difficulty getting Canadians from everywhere to look for jobs with your commission?
But what I'm saying is that if you don't offer the opportunity, how do you know that somebody from Fredericton, New Brunswick, or Vancouver or Surrey, British Columbia, is not qualified? If you don't give them a chance to apply, how can you get successful applicants?
They have the chance to apply in that it's posted on the website that is hosted by the Public Service Commission and it's open all across Canada. So it's not restricted on geographical—
Are you positive about that? I'm from New Brunswick. The people in my office watch the Government of Canada service for jobs every day of the week. I'll have to go back and ask, but I have never seen or had brought to my desk any information suggesting your commission is looking for workers.
We have actually hired someone and relocated that person from Nova Scotia, just last year. We have another person coming in from Toronto. So we are reaching them. I can't explain why—
I can't help but be amused, though, by your putting that as an example. You know, “one time we hired someone from Nova Scotia”, “maybe someone came from Toronto”.
You know, we are a national government, and when you restrict employment to certain geographic areas in a job as demanding as yours.... Have you hired someone from Saskatchewan lately?
The area from which people can apply is not restricted. It's open to all Canadians across Canada. So the results have indicated that the qualified person has been from a certain geographical location, but—
The yellow here seems to indicate you have a lot of new hires each year. It would appear that in the years 2007 and 2008.... Would that seem to be 50-some new hires?
Yes, I would say. All the jobs that are open to the public, excluding the clerical positions, have an area of selection open to all Canadians.
Could we have a few examples of your advertisements, your job postings, so we might see how they have gone?
Say if you hired 60-some, you must have had 50 or so postings. Could we see maybe ten of them to see how they applied across the country?
Could I perhaps direct your attention to page 4, where we talk about the fact that we've developed web-based written exams and that we even have, as candidates, Canadians who are in India and Malaysia, who successfully wrote our exams? I just wanted to assure this committee that we are trying to bring Canadians, not only from all across Canada, because we do our investigations and we serve Canadians all across Canada, but from places where Canadians are travelling.
It's a little joke. It's hot in here.
I always appreciate getting numbers. I'm having difficulty already with the first chart. In the estimates, you talk about 154 and then it goes down to 150, but in this chart we're showing 145 as the target. Which is more accurate? Is it the 150 that's in the plan, spending estimates, full-time equivalents, or is the 145 more accurate? Are they both accurate? You can explain the difference.
That's a good question. I don't have that other table. They are both accurate.
A voice: One is last year; one is this year.
Ms. Jennifer Stoddart: Okay, it's not the same.
So this chart is saying 2007-08 at 145, and I see in forecast spending full-time equivalents of 154, and this is actual. So I'm assuming that's targeted. The actual is 122. That is accurate, right? I think you told me 122 at the last meeting. Is that correct?
I'm just pointing out that there seems to be a discrepancy right there.
If I look at this correctly, from 2004-05 to 2007-08--which is I guess what we just finished up--you've had a 58% increase in staffing. Is that driven by changes in workload?
So the actual is 122 minus the 77, divided by 77 gives you 58%. Well, 0.58 times 150%, so there you go. But is it driven by workload? In four years you've gone up 60% in workload?
Yes. We presented a business case to the first parliamentary panel. There is a long and special history behind this. The office was only funded when PIPEDA came into force for three years, as I remember, and then it underwent an unusual situation, you will remember. So for two years our funding levels stayed the same and we didn't even have the catch-ups.
Yes, we had an initial increase in PIPEDA work in 1999 for 2000, but then because of the events at the office it was hard to assess this every year. It was granted based on what people thought the PIPEDA workload would be. And when we went back to it in 2005, in front of the parliamentary panel, that then was the rise you see from 2005-06.
So I'm with Mr. Tilson, in that once you've done your survey.... Do other departments do an exit survey, or are you starting something new?
I know the private sector does that. I don't know if the public sector is doing it.
I'd be interested, in a year or two, getting a response when you do your annual report as to the reasons people are leaving.
In 2007-08 you have 61 new hires and 122 people. Half your workforce looks like its new hires. What's your definition of new hires--hired within that calendar year? Is that what you're telling me?
And then how long does it take for an employee, on average, to become what you would call productive, after training and so on? What kind of time lag is that?
It depends on what they're doing and the level at which they're supposed to be functioning and how much experience was factored into their initial hiring. So for a manager you're supposed to be functional right away, for example, but at the professional level--for example, at the investigator level--I would think that after about a year we expect people then to be fully functional.
Okay.
I appreciate the work you've put into this. It's excellent.
On your projected retirements for 2011-12, is that telling me that it spikes that high in that one particular year, or is that a future view after...? Is that an actual?
It spikes because it's based on a static population. We're using the base of where we are now, but we're not factoring in new hires or turnover. So if we stayed the same as now, that would be the projected retirement--
My final question is one I think you've spurred me on to ask, actually. Mr. Hubbard talked about competitions across Canada, which I think is actually very important, and I appreciate his questioning. I have questioned the Minister of Citizenship and Immigration. As you know, we're potentially making some changes there. Is that skill set we're looking for available in new immigrants who we haven't been able to attract to this area?
The changes would allow the minister to identify skill sets that are not readily available in Canada or are going in high demand. Is it almost impossible for a new immigrant to get a job in your commission just because they don't have the skill set, or is it something that does exist around the world and something we may be able to attract?
There's a range of jobs at our office. We have many people—I don't know if they're recent immigrants—but perhaps their families haven't been in Canada as long as those from some of the more traditional groups.
Maureen.
There is still some discussion under way with the Public Service Commission surrounding who a competition or a process may be open to. Priority is given to Canadian residents first. That's a discussion that has been ongoing with the Public Service Commission. We have to keep in tune with this. We provide input if we encounter problems within the recruitment area.
Actually, it's a good segue, because we are going to talk about the Privacy Act and some expansion. We'll also be looking at the capacity problem. You can make all the changes you want to the Privacy Act, but if you don't have the human resources to deliver, we may have our priorities a little askew. So human resources will be relevant to the rest of this.
I think the members have received the document, the proposed media changes. We had indicated that this was a document we wanted to build on. That doesn't mean we won't be able to add anything. I have read it, as you probably have as well, and my assessment is that there are three or four—maybe even five—items that are pretty straight-forward, pretty no-brainer. We won't need a lot of witnesses to corroborate it.
I am suggesting, Madam Commissioner, that we don't have much time. I think the members have read this, have reviewed the document properly. I believe that we should try to go quickly through the ten, spending very little time on the straight-forward ones, particularly those that are mirroring existing legislation in, say, PIPEDA or provincial law. I think they're self-evident.
For the balance of the session, we would like to identify some of the areas where we may need expert witnesses. Questions may very well come up as we move towards reshaping the Privacy Act, at least to the extent that we've covered it in this report. I don't think we want a major presentation, but it would be helpful if you could walk us through. I want to get to the questions of the members first. That's the important thing for us. So we would ask that you go through and suggest which ones really need attention, placing a little less emphasis on those that speak for themselves.
Would that be okay?
Please proceed, then. Let's agree to take no more than ten minutes for this, and then we'll go to questions from members.
Thank you very much.
We have tabled a document that we hope is helpful. I'd like to remind the members that we have no pretensions that this is the definitive take on the Privacy Act, nor on the problems of Canadians' information rights. This is a very contextual document. It's meant to suggest some very needed and more easily made changes to a document that now dates from 1982. Throughout the world, it is one of the few information rights laws that has not been modified. So in the group of democratic nations--for example, the U.K., Australia, and so on--we find that our public Privacy Act is now very dated.
I'll go through these recommendations and try to indicate to you the implications of each of them. The first one:
Parliament should create a requirement in the Privacy Act for government departments to demonstrate the need for collecting personal information.This “necessity test” is already included in Treasury Board policies as well as PIPEDA. It is an internationally recognized privacy principle found in modern privacy legislation around the world.
Here we're behind our own most recent standard that this House voted on in PIPEDA.
The second one states:
The role of the Federal Court should be broadened to allow it to review all grounds under the Privacy Act, not just denial of access.
That is, people have the right to see what is in their file. That is the only right they have under the current Privacy Act. They have no right of correction. They have no right to ask that it be modified. They have no right to go to the Federal Court if this information is incorrect, if it's incorrectly released. This was discussed in the case of Murdoch v. Murdoch, which was discussed in this committee. This again is unusual in modern privacy legislation, and much below the PIPEDA standard.
The third one simply enshrines into law the current practice that, according to Treasury Board directives, deputy heads are supposed to carry out a privacy impact assessment before a new program or policy is implemented. The most public example of that is the no-fly program.
We can notionally group together sections 4, 5, and 6, because they're already in practice to some extent and are internal to the workings of the government. I don't think they're things that should cause huge debate. One is a public education mandate, which one of the honourable members asked about. We don't have this mandate. Again we have it in PIPEDA. So in budgetary terms, we are not formally given money to do public education on the do-not-fly program, for example, which many Canadians are concerned about. We are spending money, because you'll see something on our website about the do-not-fly program, but that's not the ideal situation.
Number five is the need for increased flexibility for me to report to the public and to Parliament about privacy management practices. I function in a very secretive way. I report to Parliament and make my findings public once a year, and then unusually in a special report. I first made use of the special report in February about the RCMP's exempt banks. But in the world of information management now, you may have gone through several generations of technology. If you wait to report to Parliament until 18 months after something has happened, Parliament may be breaking up for the summer when you report it. So this is something that should not be difficult to fix, and it would allow me greater flexibility in bringing things to public attention and to Parliament's attention.
Number seven is a housekeeping affair. Once again we're below the level of definition of information that is already consecrated in PIPEDA. This is important because it doesn't explicitly cover DNA samples. As you know, the government is increasingly moving into the use of DNA for crime-fighting purposes.
Oh, I'm sorry, yes.
My office would like to have greater discretion to refuse or to discontinue complaints if the investigation we suggest would either serve no purpose or is not in the public interest. This is a power that several commissioners across Canada have, and this is again to focus our available resources.
I don't think the public should throw more and more and more money into investigations that have been done over and over and over again. We could put the information on the website and say if this is your problem, read this on the website and try to correct your situation. That would free up resources for us to do systemic investigations into major problems that may take not only a lot of resources but increasingly outside expertise. I'm thinking of accountants, technologists, informatics people, and so on. So that is to have more discretion in handling complaints.
Right now under the Privacy Act I am formally obliged to investigate every complaint that comes in. This is an unusually heavy burden now. Laws tend to give you more discretion; PIPEDA certainly does.
I go on then to number eight. Perhaps I could ask you to explain this one.
Yes. We believe the annual reporting requirements of government departments should be strengthened. We reviewed section 72 reports for a sample of departments, and the information at best is sketchy, uneven, and completely decontextualized. Even the minimal requirements of the Treasury Board policy as it stands right now are not being met by most departments. We believe that enshrining this in law would ensure a consistent response, if you will, across the federal government.
Number nine is simply to add an ongoing five-year review. Again, that's in PIPEDA. In an area of privacy that is now so highly technologically dependent, I would think the least we should do is review it every five years.
Finally, number ten is the issue that was already discussed here--that is, enshrining the existing Treasury Board guidelines, which are not in the Privacy Act. These guidelines date from about two or three years ago.
No, the cross-border transfer of personal information, simply enshrining it in the law as law rather than guidelines. But that already is Treasury Board policy.
So you see many of them are things that are policy or are in place in other jurisdictions.
Okay. In their book there is an eleventh one; it's the privacy training issue, and it goes back to the HR responsibilities to make sure people are able to do their job.
I want to go straight to questions. Let's find out where the members are.
We have Mr. Pearson, Madame Lavallée, Mr. Martin, and Mr. Hiebert on the first round.
Thank you, Mr. Chair.
Welcome, everyone. It's nice to have you with us.
In one of your recommendations you suggest that grounds for an application for Federal Court review be brought to include a full array of privacy rights and protections under the Privacy Act and then to grant the Federal Court the power to award damages under that. I'm interested in that. To what extent would you propose to use that power?
I guess it would depend on the powers I have under the act. If the powers were similar to that of PIPEDA and given that my office is an ombudsman's office, what you want is a solution. You don't necessarily want litigation, you want a solution. So you would investigate. You would ask if this was a problem. Do you recognize--probably in this case would be a government--that this is a problem, and can it be fixed in a way that is acceptable to us and to the complainant? If so, there's no need to go to court. In the very few cases where a solution wasn't possible or was refused, we would then go to court for the complainant.
I could ask the general counsel to give you a very interesting example of a case that's under way in the Ontario courts, because currently government employees can't have recourse under the Privacy Act to the acknowledged and admitted misuse of their personal information.
There are several examples. One is a case where the personal information of prison guards got into the hands of inmates. But to remedy that situation of wrongful disclosure of information under the Privacy Act, there was no possibility of recourse to the Federal Court under that act. The only available means to get enforcement by a court would be to go through the civil courts for civil remedies. There are several possible recourses, none of which the Privacy Act intended to provide individuals in Canada--namely, a more manageable, non-litigious way to try to resolve the issue—and if not available, to proceed to Federal Court as a last resort, under a regime that already allows them a head start when they get there and doesn't require such enormous financial means to be able to sustain protracted litigation.
Those are examples of cases where obviously a remedy or recourse in the context of the Privacy Act would give individuals a head start to get there.
Thank you.
Just quickly, then, what would the cost implications be? Also, on the legal services side of things in your department, would you be able to handle the opening up of that into the Federal Court? Do you have those capacities to do that, should that happen?
Should that happen, we might need additional legal capacities. We haven't costed that out, because I think we'll wait till we see the law reformed. The idea is not to open the floodgates for everybody to sue the government; the idea is that in the cases you'd have to have no remedy brought by the government, and you'd also have to show some real damage. You can be displeased because the government has mailed something to the wrong address, and so on and so forth, but you would have to show the damage. We would look at that before we got involved in a case. We would look at that very closely.
[Translation]
I have a number of questions on the recommendations. First of all, the third one concerns the evaluation of privacy factors. I asked you this question in your last appearance, and you answered that it was a privacy impact assessment.
Is there an analytical grid for evaluating those factors? Am I being a little too naive?
Thank you.
There is indeed a very detailed policy, including an analytical grid and a series of questions that the manager must consider in analyzing the privacy impact of a policy or program. It's an extremely exhaustive policy. We've taken the 10 founding principles of the Personal Information Protection and Electronic Documents Act and integrated them into the policy that applies to the public sector. That means that the Treasury Board acknowledged that the Personal Information Protection Act was outdated, and it used the Personal Information and Protection and Electronic Documents Act as a frame of reference. It must therefore be shown that there is a need for collection, security measures, the management framework and we must ensure that there is an obligation for managers to be accountable. It's an extremely rigorous exercise.
The grid exists under a Treasury Board policy adopted in 2002. The act makes no reference to impact studies. That is why we propose to entrench an obligation to conduct such studies in the act.
That's good. However, you're not proposing the grid itself. I imagine that the grid, or something similar, is also used in other countries.
That's correct. New Zealand is one of the countries that has the most significant experience in privacy impact studies. Its policy is extremely well developed. We very recently met with senators from the United Kingdom. We talked about evaluating privacy factors, and we sensed genuine interest in the Canadian experience in this area.
So the grid exists and has already been used on a number of occasions. Is it currently being used by the people from your office, even though it is not yet in the act? You simply want to make the grid official.
I would like to know what actually happens when the grid is used. If, for example, a department wants to gather personal information and someone asks whether it's really necessary, you then delegate someone with your grid, and you review the grid. Is that how it really happens? After answering the questionnaires and gathering all the information, is it possible that someone may say not to request a particular piece of information or any information? Is that possible?
That actually happened in one case. I don't exactly remember the file. Information had been collected and the collection of one piece of information was questioned. The department ultimately reconsidered the entire matter and decided not to compile that information because it wasn't necessary.
We think this dialogue is extremely useful because it enables us to get a clearer understanding of the program or policy in question and you have a dialogue that makes it possible to prevent privacy risks rather than correct the situation after the fact.
I'd also like to go back to recommendation 7, which concerns recorded information. You wrote, and I quote:
The Act should be aligned with PIPEDA by eliminating the restriction that the Privacy Act applies only to “recorded” information. At the moment, for example, personal information contained in DNA and other biological samples is not explicitly covered.
That's on page 3.
The expression “recorded information” refers to the fact that the information must be transferred onto a sheet; it's a form of coding, in a way. This increasingly causes definition problems, particularly when we're dealing with human tissue, DNA in particular. It isn't necessary for the material to be recorded or written; it's the information in itself. In one sense, there's nothing more private than DNA. However, it's not clear that it's included in that definition.
To add to what Ms. Stoddart just said, let's consider, for example, the collection of genetic fingerprints for criminal investigation purposes, in other words the genetic data base for identifying criminals. The DNA sample as such would not be covered by the act, whereas the profile contained in CODIS, which makes it possible to determine whether an individual has committed a crime based on elements left at the scene of the crime, would be protected. We think the definition should be expanded to include biological samples as well.
I simply want to understand and put that in context. That would mean that someone who would want information, such as a list of inmates, couldn't obtain it, but could obtain a DNA sample. Is that what you want to change?
No, because the act doesn't allow that. There is an act that concerns that data base. However, we've had cases involving the recording of voices and the non-recording of voices. If we had a camera that didn't record, it wouldn't be currently subject to the act.
[English]
Thank you, Chair.
Thank you, Madam Stoddart, and also thank you for sounding the alarm as to just how badly we need to reform the Privacy Act. The more I read, the more I'm convinced that we've let this go far, far too long. This is badly overdue.
I just came across one paragraph you wrote in a report earlier this month, April 2008, where you said:
The Privacy Act is at the hub of the informational relationship between state agencies and individuals. If the legislative framework that governs this relationship is weak, the entire edifice of accountability is undermined. Privacy is too important to be left to the vagaries of internal policy and management.
I think that sums it up very well for us.
One of the things you cited or made reference to in this document is the need to make the first-ever special report to Parliament regarding the RCMP's exempt data banks. I think this opened the eyes of a lot of Canadians, when you found that more than half of the files examined as part of your audit did not properly belong in exempt banks at all. This one case demonstrated or graphically illustrated for Canadians how your right to privacy is being compromised or perhaps not protected adequately, which is what I'm getting at.
In the little time I have, could I concentrate on your recommendation ten? I'm starting at the back, and thank you also for these easy-to-follow recommendations. I think that will save the committee a great deal of time.
You cite examples where the cross-border flow of information is frequent and common and wasn't even contemplated perhaps 25 years ago when the act was written, the Canada Border Services Agency sharing information about travellers; and FINTRAC, the Financial Transactions and Reports Analysis Centre, has 40 agreements with other financial intelligence units.
You're saying that the Privacy Act currently doesn't impose any duty on the disclosing institution to identify the precise purpose for which the data would be disclosed or limit its subsequent use by foreign governments for that purpose. Can you expand on what changes we would make to the act to tighten that up?
Yes. Here, although this may seem a huge change, I did underline in my presentation that in fact appropriate rules already exist in a policy that was devised in consultation with us by Treasury Board, and that is a policy. So in saying these are things that should be fairly easy to adopt in a law, if they're a policy, why wouldn't they be our law?
Exactly, and give it that importance. So these rules, which can be consulted—Treasury Board publishes them—lay out specific guidelines, such as is it necessary to send the information abroad? Is there no other—
—alternative that exists? What are the security safeguards? What is it going to be used for? Do you have this contractually bound? Who is going to see the information? How do we know what they're going to do with the information, and so on?
No. We've quoted the relevant part of the Privacy Act that just talks about an “arrangement” or an “agreement”.
You went to the Air India inquiry regarding a financial monitoring regime in Canada. In your recommendation there, did you cite this very amendment or did you recommend to them that the Privacy Act be changed, or was your testimony in other contexts?
I believe we did. We pointed out some of the challenges of cross-border information, and so on, although a lot of the inquiry was talking about the use of personal information appropriately as a factor in strengthening security. So this brought us back to the other two inquiries going on, that have just been finished.
Yes.
So this is part of the same issue of accountability, that information sharing abroad is necessary in today's world, but for what purposes, why, who's seeing it, and what are they going to do with it?
How would the national security act, as you see it, trump changes we might make to the Privacy Act? Do you see a danger of being overridden by the national security rubric argument?
I don't think it would necessarily override it. I think it would force those who are sharing information abroad.... I think the two can coexist. But the idea is that in sharing this information--some of which can be very benign, not necessarily what we'd think would be used for national security purposes--we would think more carefully about how the information is shared.
As we found out in our Canada Border Services Agency audit a couple of years ago, sometimes the information was just shared verbally over the border. I guess that had its place--there was a close relationship that Canadians were proud of--but it meant--
Exactly. If the information was mistaken or shouldn't have been shared, there was no track of it, which meant the agency couldn't correct its own practices.
Yes.
I've dog-eared item six in here as well. I agree that you should be able to separate the wheat from the chaff, and you should be able to triage complaints as they come in. Is your recommendation here enough to give you the power to be able to say, “Well, we answered a similar complaint last week, and we don't need to go through all the steps again”?
I guess we want to do what we can to free you up to be able to be as effective as you can without being repetitious or dealing with.... For instance, what if a complaint is malicious or vexatious? Do you even have the right to make that judgment call and disregard a complaint on that basis?
It's a huge problem. It presumes that everybody is acting in good faith on issues over which public money should be spent to try to untangle them. And increasingly the issues are systemic, such as some of the things we just talked about.
Frankly, many proper complaints would be waiting in line while you dealt with ten nuisance complaints or repetitious complaints first.
I think you could find broad agreement that we will be able to fix that, if this recommendation would do it.
Thank you, Mr. Chair.
Ms. Stoddart, I have far too many questions and not enough time, so I'll keep my questions concise. I would ask you to try to keep your answers concise as well.
In your 2006 report, you talked about the ombudsman role shifting to more of an order-making model. Can you give me any examples of commissioners, or people in similar offices in other countries, where they have more of a mandate for an order-making model?
Yes. Just briefly, in Canada the provinces of Quebec, Ontario, Alberta, and B.C. have order-making power.
Internationally, the U.K. commissioner can go to a tribunal. In France the system is so different that I think it's hard to draw parallels. In Spain the commissioner has extensive order-making power. I could perhaps go on; if you were really interested, we could look up the order-making power.
I would add, though, that I think it's important to distinguish order-making power from damage assessment power. None of the Canadian provinces can award damages. They can make orders but not award damages.
Certainly the Spanish commissioner can. They've levied million-dollar fines on multinationals that were transgressing Spanish law. That's in the private sector.
Have you put some thought to the impact this change would have on the role of the Federal Court? Currently it plays the enforcing role in privacy legislation. Certainly you've talked about expanding the powers of the Federal Court in this area.
What would happen if the Federal Court got the expanded powers that you're suggesting and if the Office of the Privacy Commissioner got an expanded mandate to refer things to the court? Would that not solve a lot of the problems, as opposed to having your office take on the enforcement powers as well?
I mean, we want some separation of power here. We know that's a model that works well. I'm a little bit concerned about having the monitoring, enforcement, and prosecution under the same roof.
Yes, and rightly so; it's often a difficult coexistence. The legislation has to be very carefully drafted.
I'm not asking for direct enforcement powers. I'm asking that Canadians have the right, with my help when it's appropriate, to go to Federal Court on issues of correction or on issues of damage. That is a full range of rights as they have in the private sector act.
Again, if I may take a bit more time, I'd like to remind the committee that in fact we have very little litigation under the private sector act. Because we say, “We'd like to settle with you, but if we can't come to a settlement we will take it to the court, and the court will decide whether we're right or wrong”, in practice, most of the organizations settle. And I would predict that this is probably what will happen under an amended Privacy Act.
On the prosecution side, have you put some thought into having the role of the new public prosecutor expanded, with the Office of the Privacy Commissioner having a mandate to recommend violations and then making those recommendations to the public prosecutor as opposed to the Federal Court? Have you put some thought into that?
Okay.
Changing the subject a little bit, British Columbia has introduced a pilot project on enhanced drivers licences. This is related to the passport requirement at the border. They're using new technology to reduce costs and maintain Canadian access to the United States.
With the use of this technology, there needs to be a balance in protecting the privacy of the information on these smart cards. I was wondering if you could provide us with any information, solutions, or suggestions on how to balance these applications of technology with the need to maintain the privacy of the people who use those cards. Could you tell us whether striking such a balance would require legislative amendments?
I will begin, then the assistant commissioner will continue. He has worked directly on this project, and we've been consulted by CBSA.
I don't think there need to be any substantive amendments to the Privacy Act. It's a question of appropriately interpreting the principles of the act and balancing the convenience that many Canadians seek with the protection of privacy principles.
We're looking at the design of the program and the security standards of the RFID technology. This technology can be fairly vulnerable to outside use. We're looking at the authenticity of the identification documents to make sure that people are given proper documentation, in the correct name and so on. We're watching the pilot project with great interest. Depending on the results of the pilot project, the full-time project will go ahead.
We also have to look at U.S. access to Canadian information. In the interests of national sovereignty, we want to limit this access to what is necessary for an efficient transborder solution, which is also privacy protective.
That leads me to another question.
In one of your reports you talk about how Canada is lagging behind the international community in this area. You give the example of the European Union as being one that has a protocol in place for sharing information with non-EU countries. Can you give us any other examples of nations that have policies in place to protect citizens from the sharing of this information? Are there some things that we should be looking at?
The EU, I may say, has quite a few nations in it—30 or so. I think the EU is probably the only one with that standard. There is some spot legislation in the United States, for example, having to do with not sharing information with Cuba, but that's in a national security context. Other countries have also legislated in a national security context.
In your fifth recommendation for some possible immediate changes, you suggest that the Office of the Privacy Commissioner
...release information on its own initiative concerning the personal information management practices of a government institution where this serves the public interest.
Help us to understand what you mean by “public interest”. What criteria would you use to determine whether some sort of public announcement would be needed?
Criteria would include, first, the educational value of the information, the fact that it allows Canadians to make better informed decisions, and second, the timeliness issue. I find it very difficult to report publicly to Parliament some 18 months after something happens. For example, if I find a huge privacy problem in a department or an institution that runs a service that affects most Canadians, I would think it might be appropriate, in some circumstances, to inform Canadians about this right away, rather than to wait 18 months. It might also provide a greater incentive for the department to be privacy proactive.
Thanks, Mr. Chair.
I think number four is very significant. Really, we're dealing with the two pieces of legislation you deal with. Then we have the provinces involved. We have the charter.
Yesterday in the House a question was asked about a recent Supreme Court decision on privacy, with a school and an individual who was apparently at a bus depot. This week we had the privacy debate in our own newspaper, with the student at Carleton University, I believe it was. Then you have the situation with airlines, which is probably outside your mandate. For example, there was the person who was tasered in Vancouver. When his mother went to the airport.... As a mother, as a brother, or sister, if you went to the Air Canada or whatever desk and they couldn't tell you whether or not that passenger was on the plane....
When we look at situations like that, how, as a committee, can we try to look to some solutions that might avoid problems?
It seems rather difficult that a very senior person at the university is being contradicted by somebody else about the interpretation of privacy. Is it because we don't know which piece of legislation, provincially or federally, is being applied? Where can we attempt to give the public good information on the privacy rights of individuals but also address the concerns that maybe a mother from British Columbia has about a Polish son who can't speak English coming into the airport in Vancouver?
How can we overcome those kinds of situations?
Well, Mr. Chairman, that's perhaps a very ambitious set of objectives for one committee.
In the case of the student, I think that does fall under provincial legislation. So I think that has to be dealt with provincially, if indeed there is a problem.
The Supreme Court decision to which you referred I think illustrates the debates about privacy and the fact that there is not just one view of it. It's highly personal, by definition. It's highly contextual. It depends on culture, institutions, and circumstances, and it always has to be interpreted and re-interpreted. So it's very hard, I think, to say that this is the one way to go in definitive circumstances.
As for the issue in the Vancouver airport, which is in federal jurisdiction, I think it's ironic from a privacy point of view that one easy way to fix that problem would be to have us all tracked through the airport with a little RFID. Then they would know exactly where we were and who was in the airport. Having no information on who is in the airport gives the people in the airport a tremendous amount of autonomy.
It's rather surprising in these days of heightened national security that apparently you can get off the plane and nobody notices, or at that time they didn't notice, that you had in fact exited. Again, it's the challenge of the difficulties in dealing with privacy. You could track everybody off the plane and something would start to beep if they weren't out of the airport in an hour and a half or something, but that would be very privacy invasive.
So in terms of the passenger mandate, if you call the airport and ask whether your brother is on the plane, the Air Canada desk will say they're sorry but they can't tell you. Is that a fulfillment of the objectives of this legislation that we're talking about?
Perhaps not so much this legislation as parts of the Aeronautics Act and national security legislation.
There's the whole issue of authentication. I phone and ask if my brother is on the plane. Well, my brother may be the person I'm trying to blow up.
It's a many-faceted solution to the issues you're bringing up.
Colleagues, we have five more members who want to ask questions and only four five-minute slots, so if you could make your questions really tight, everybody can get their chance.
Mr. Van Kesteren, Mr. Nadeau, Mr. Harvey, Mr. Martin, and Mr. Wallace.
Thank you, Mr. Chair.
Thank you, Madam Stoddart, and everyone else, for attending.
The last time you were here I didn't have much time to ask you about this, but I noticed in your financial statement, and I also noticed the same in the access to information.... You touched on it briefly, that much of your efforts are around inquiries from correctional facilities. Is that correct?
Can you tell us what's going on, just briefly? It's a huge thing, and nobody wants to talk about it. What's happening?
This is perhaps a context in which people are concerned about what's in their file more, perhaps, than those of us who are not incarcerated. It's a difficult context both for the people who work there and, of course, for those who are incarcerated. That's why this litigation is going forward now in the Ontario Supreme Court.
Sometime it's one incident that gives rise to complaints by different people. This happened a couple of years ago; it is the phenomenon at the origin of the current backlog, or which has certainly contributed to it.
How many inmates complained?
And then all the guards complained. That's the case that's before the courts.
When I say I would like to have more discretion—
—that's one of the reasons: there are certain situations where people are using their rights intensely, shall we say.
In light of number six, how do you justify or how are you going to be able to enforce the provisions in recommendation number two, when the act, in section 41 and 42, says “Any individual who has been refused access...”? Isn't there a little bit of a discrepancy there?
When groups are creating mischief, and I think possibly some of the correctional inquiries could be related to some mischief, if you have the discretion not to give information or to stop it, what do you do with the sections 41 and 42 of the act, which you've copied in recommendation number two—“Any individual who has been refused...”? How do you reconcile that?
I think we're pointing this out to you because it would need to be looked at again: that I have the right to refuse to investigate complaints, and only in certain cases could the individual go to court.
There's something called judicial review in law, which means that when I exercise my discretion unwisely, unreasonably, or incorrectly, depending on the standard—and that's standard for all decision-making bodies—the courts would catch any errors I made in using my discretion and not investigating certain cases.
All that is something I couldn't discuss in public, but I think there's a consensus that if you haven't been brought to the attention of the public authorities, you're unlikely to use something like the Privacy Act, which would mean we would then go to the RCMP and ask whether they have a file on A, B, and C. The RCMP could say no, but then the RCMP would ask who A, B, or C is and why the person wanted this. So in fact, we have very few such complaints.
Can you recommend as witnesses anybody who would help us to find a healthy balance with this specific point?
You might consider as witnesses some of the provincial commissioners, who are very able, very experienced. The ones in British Columbia and Alberta, Commissioner Loukidelis and Commissioner Work, have just gone through revision of their own laws. There's also my former colleague in Quebec. Quebec, again, has done a major revision of its privacy act. I'm sure you could call Monsieur Saint-Laurent too as a witness.
[Translation]
Thank you, Mr. Chairman.
You raised the issue of education, and I emphasized some aspects of that earlier. Do you have a plan, a program designed to make people understand what a Privacy Commissioner is? What part of the population are you targeting in particular?
Our Public Education and Research Section has a mandate to do public education. We increasingly see that privacy studies are segmented by population ages. More recently, with certain provincial commissioners, we've developed a module for youths who go on to sites specially designed for youths: Facebook and other social networking sites. However, these sites can become very invasive in terms of their personal information if the youths are not well informed.
Are the Education departments of the various provinces affected by that? Are they your entry point for facilitating your work?
We in no way want to encroach on the provinces' education jurisdiction. In fact, that model was created at the request of certain provincial commissioners. All the provincial commissioners think it is a good idea for us to collaborate with them, but we do nothing in the province without the provincial commissioner's involvement.
We're talking about youths, but what approach do you want to take to ordinary people, adults who are in the labour market, the population as a whole?
It's an approach with a number of components. We've made an enormous investment in our publications and the presentations we offer, not only the deputy commissioners and myself, but also all staff members, who each have a different niche. For example, Ms. Kosseim often talks to lawyers. The technology people talk to engineers and computer scientists and so on. We offer about two presentations a week in and outside Canada. Our website has had a lot of success recently. It's been visited much more frequently than a few years ago.
Earlier you gave some examples of requests from outside Canada. In the departments, in general or in particular, depending on the case, are employees assigned to that service?
Yes. Every department has a directorate that handles access and personal information protection issues with a full-time team. For example, at Health Canada, approximately 40 persons work in access and personal information protection. We deal with those professionals a lot.
Earlier you were saying that certain provinces had taken action and that, internationally, the European Union was doing the same.
Is the Canadian act within the international average? Should it be given a good sprucing up? Are we a few decades behind?
We get a lot of congratulations on the act concerning the private sector, the sector that gets the international attention because it regulates trade. This is one of the most modern and most flexible acts. It adjusts, but its standards are those of the European Union. So they're quite high.
Few people outside Canada are interested in the Personal Information Protection Act because it governs only Canadians and landed immigrants. We're already seeing that there's a problem because fundamental rights apply to persons who are already in Canada, even if they're Canadian, but it was drafted a long time ago. So few people are interested in it, but Canadians who are interested in it agree that this act is outdated.
[English]
[Translation]
Good afternoon.
I'm very pleased to be able to talk to you today. I'm not a permanent member of this committee, but I'm very much interested in this issue.
You've no doubt recently heard about the visit of a tracking dog, a drug-sniffing dog in a school. The Supreme Court has ruled that that dog should not have been in the school.
What is your opinion on that?
In fact, that judgment should be considered together with another judgment involving a man who had transported drugs in a suitcase and was arrested at a bus station. I think that these are very important judgments and that they generally contain a lot of positive points. The judgments acknowledge that students and individuals who travel have reasonable expectations regarding their privacy. This is a fairly flexible approach based on the manner in which the court interprets the interests involved and the facts in each case.
Lastly, I could say a lot of this subject, but I'm going to conclude by saying that the Supreme Court has adopted the average standard rather than the most demanding. As Privacy Commissioner, I would have liked the most demanding standard to be applied. The judges debated the question, but there was no clear consensus. There was a majority, but it was a very slim one.
Whatever the case may be, I think that underscores the fact that Canadians should be informed about their right to privacy and know what expectations they can have in that regard and in what circumstances. So I come back to my request for a specific public education mandate.
An individual may find an error has been made in his case, not know to whom to turn or how to go about correcting that error. That individual then runs into an immense wall. These are things that happen. I feel that we too often forget that the public service and MPs are not on the job to serve their own interests, but rather those of their clients. And our clients are all those who pay taxes. When those taxpayers can't find a solution, they feel lost. As a last resort, they can even call on you, who are the highest authority in the field.
How is it that no quick recourse is available in such cases. I come from a computer and electronic background, and I know that certain computers perform billions of operations per second. The NAG 2 software, the compression process that Bell and all broadcasters adopted, was supposed to be unstoppable. However, six months later, software was available on the Internet to unlock it. There's increasing talk about identity theft. Last week in Quebec City, police arrested a group who had managed to hack into 10,000 computers and access whole sets of personal information such as birth dates, social insurance numbers, credit card numbers and so on. What is being done to protect people in those circumstances?
Mr. Chairman, a number of recommendations that I am submitting to you today concern precisely those problems. In the case you mentioned, the taxpayer or citizen can simply say that, in his view, there has been a mistake in his case. Unless the department agrees with him, that individual is not entitled to have the error corrected or to go to Federal Court to report a computer or other problem in his file, a human error that causes a problem. I think that's a serious omission.
As I've already said, I can't make things public quickly. If a mistake were made in a department and it was going to affect a lot of other individuals other than the one who filed the complaint, the department would be well advised, I believe, to issue a news release to draw the attention of those other individuals. That would encourage them to examine their files, to have the mistake corrected and to take measures to subsequently protect themselves. Currently, I have to talk about these things 10 months later. That's why I'm seeking changes to the act.
[English]
Now I think Mr. Martin has a brief question or two, and Mr. Wallace may have at least one question, I think. Let's just see.
I can be very brief, but bells are going to ring at any moment.
Madam Stoddart, I'm still interested in section 10, the cross-border sharing of data and information. It strikes me that if the privacy of your personal information is compromised domestically, it might be inconvenient or you might even be ripped off in a credit card scam, but if your personal information is compromised internationally you might wind up in a Syrian jail being tortured and might be killed. It's really serious.
What struck me is that your office did a study, an overview, of 21 information-sharing agreements between Canada and the U.S. and found that two-thirds of them didn't have any kind of adequate protection in terms of the type of information to be shared or any third party controls. In other words, we could share that information with one agency, but there's no stated limitation on their sharing it with further agencies. So we lose control of it.
If we get your recommendations into the Privacy Act, will that move have, in your opinion, a ripple effect to add elements to those international agreements? Will we have primacy? Will the Privacy Act automatically permeate into those international agreements, or would they have to be renegotiated, in your view?
That's a good question.
I would think it would be that any new agreements that are drawn up would be drawn up more carefully.
If you change the law, those departments that have these kinds of agreements will then revise them according to the new standards, because unless they were grandfathered, strictly speaking they'd be illegal.
Wouldn't Canadians' right to privacy be afforded by the Privacy Act? Would they not carry those rights...? I'm just wondering whether those rights flow with them in their treatment by these international treaties, or whether the treaties themselves would have to stipulate a new set of rules. You'd have to renegotiate them all.
We're proposing that there be a kind of registry, so at least the public could see, as is done in what we propose. That is that you could see the list of treaties, unless there's some issue of national security. But if you're sharing information on, say, traffic across the borders—arguably this is not vehicle traffic and so on—there may be reasons under the Access to Information Act why a person could not have access to his or her own file.
But maybe there aren't; maybe I could ask to see my file on how many times I have crossed the border. I think more transparency is what we need. A good way to promote privacy is through transparency, so that it's not misuseable.
I think we're going to have to cut it off there.
Madam Stoddart, to you and to your colleagues, thank you kindly for your assistance. It's evident that we are going to have you back. We will be building our case with regard to the changes.
For the committee, we have Treasury Board on Thursday and we will be giving you some information with regard to witness propositions.
That's the Department of Justice; we're negotiating to get them here.
In any event, I think the commentary of the committee with regard to HR issues speaks for itself. I don't want to make any further conclusions, but there is a linkage, obviously, in terms of your ability to deliver the service levels you've committed to. We'll continue to work with you to make sure we give ourselves the best chance to do the job properly.
Thank you very kindly.
I may not agree with the Privacy Commissioner on these ten things. If we implemented them all, there would be a reaction, and there might be other sides to the story.
Have we picked all our witnesses now?