On Tuesday, Assistant Commissioner Bernier and I had the privilege of presenting to Parliament our latest annual report on the Privacy Act. I believe it is an important document for all Canadians because it highlights some vital developments and future trends in public sector privacy. Through the lens of the audit and review and the complaints investigation work of my office during the 2008-09 fiscal year, the report explores the privacy challenges posed by two broad societal influences: national security initiatives and technology.
I will touch on key highlights of the report in a moment, and then I propose to share a few thoughts on the unresolved matter of Privacy Act reforms. First, though, I would like to underscore the principal message that emerged from our annual report.
That message is that privacy rights should not be at odds either with public security or with the use of information technology. On the contrary, we contend that measures to respect privacy must be integral to all these new developments.
First of all, I'd like to talk briefly about the FINTRAC audit. In this annual report, my office reports on what we discovered in privacy audits of two major national security initiatives: the passenger protect program, better known to Canadians as the no-fly list; and FINTRAC, the Financial Transactions and Reports Analysis Centre of Canada. Our FINTRAC audit found that the agency generally has a robust and comprehensive approach to securing the personal information of Canadians. However, our examination of the sample of files in FINTRAC's database turned up personal information that the centre did not need, use, or have the legislative authority to collect. In some cases, in fact, reports existed absent even a shred of evidence of money laundering or terrorist financing. Clearly, excess personal information should not be making its way into the FINTRAC database.
One of our key recommendations was that FINTRAC do more work with reporting organizations to ensure that it does not acquire personal data beyond its mandate. After all, it is a bedrock privacy principle that you collect only the personal information you need for a specific purpose.
Aside from the recommendation on data collection, we also called on FINTRAC to delete permanently from its holdings all information that it did not have the statutory authority to receive. We recommended that FINTRAC analyze all Proceeds of Crime (Money Laundering) and Terrorist Financing Act guidance issued by its federal and provincial regulatory partners to ensure that such guidance does not promote client identification, record keeping, or reporting obligations that extend beyond the requirements of the act.
We were very pleased that FINTRAC accepted 10 of our 11 recommendations. We had recommended that it strengthen its information sharing agreements with foreign financial intelligence partners by including mandatory breach notification and audit provisions, but the centre maintained that its efforts in this area were sufficient.
I am now going to discuss our Passenger Protect Program audit. A second audit summarized in the annual report relates to our examination of the Passenger Protect program. In general, we found that Transport Canada collects, uses and discloses personal information related to the program in a way that safeguards privacy. We did, however, identify a few gaps.
One related to the information that officials supply to the deputy minister, who is ultimately responsible for adding to or removing people's names from the no-fly list or Specified Persons List.
In light of the serious consequences flowing from every one of these decisions, we found that officials have not always provided the deputy minister with all the relevant information on which to base a sound decision.
Our audit also revealed that Transport Canada had not verified that airlines were complying with federal regulations related to the handling of the Specified Persons List. The risk of a breach was especially high for the handful of air carriers that relied on paper copies of the list. Further, we found that air carriers were not obliged to report to Transport Canada security breaches involving personal information related to the no-fly list.
The audit also found that the computer application used to provide air carriers with information on the no-fly list was not subjected to a formal certification and accreditation process designed to ensure the security of sensitive personal information.
We were, however, pleased that Transport Canada responded positively to all our recommendations.
We'd like to now turn to investigations and inquiries.
The annual report we presented to you this week also includes details of our engagement with Canadians through our public inquiries and complaints work.
Over the 2008-09 fiscal year, my office received more than 12,000 calls and letters from Canadians concerned about privacy issues.
With respect to concerns focused on the public sector, we received 748 complaints in 2008-09, down slightly from the previous year. The most common complaints related to problems people encountered in accessing their personal information in the hands of the federal government and to the length of time it was taking departments and agencies to respond to access requests.
In analyzing our caseload, we noted that technological glitches can have an extraordinary impact on the privacy of Canadians. For instance, we found that a hacker, using amateurish off-the-shelf software, was able to penetrate a computer at Agriculture and Agri-Food Canada, exposing about 60,000 personal data records of farmers using a federal loan guarantee program. But we were equally disturbed to discover, 26 years after the passage of the Privacy Act, that too many data breaches could still be traced to decidedly low-tech origins, from a briefcase left on an airplane to the careless mishandling of sensitive documents.
That said, I want to underline that the vast majority of public servants we have worked with across the government do take privacy issues very seriously.
I will now talk about the challenge the backlog presents. In all, our office was able to close 990 complaints files related to the Privacy Act during the fiscal year, up almost 13% from the previous year.
You will notice that we closed more files than we opened. That is due to a concerted effort to tackle a significant backlog of cases, which had driven up our treatment times from an average of about 14 months in 2007-2008 to 19.5 months in 2008-2009.
Our backlog challenge was exacerbated over the past fiscal year when we decided to redefine when a file is deemed to be in backlog, to more accurately reflect how long Canadians actually have to wait for service.
As a result of the redefinition, 575 files were backlogged in April 2008. Fortunately, through a significant re-engineering of our systems and processes, we managed by the end of the fiscal year to cut that number down by 42% to 333 cases. We are on track to eliminate it altogether by next March.
I will now discuss the Privacy Act reform. Over the past year, my office and this committee have also continued to work toward the modernization of the Privacy Act, to ensure it properly protects the fundamental right to privacy in the digital age. Reform of this statute is essential to meet the modern privacy needs of Canadians. And yet, despite our efforts and those of this committee, I confess to a measure of disappointment when it comes to the government's response to this committee's report of last June.
As we all know, Mr. Chair, updating antiquated privacy legislation and ensuring that privacy principles apply uniformly to the public and private sectors is becoming increasingly urgent in this globally interconnected era. Indeed, other industrialized democracies have already recognized this imperative. Australia, for instance, is rewriting its federal privacy laws so as to create a single set of principles covering government agencies and businesses alike, address emerging technologies, and introduce consistent new provisions on cross-border data flows.
The European Commission has announced that it will be re-examining its 1995 directive to see whether it is still capable of fostering the level of data protection required for the modern technological era. In light of the fact that our own Privacy Act is 12 years older, we can no longer ignore the need to make significant updates to our own law in order not to be left behind.
In summary, Mr. Chairman, I would like to end with a few words about the work of my office as we continue to move through 2009 and 2010.
I can tell you that we're already deeply engaged in several key files, all of them with significant impacts on the privacy of Canadians. Notably, with the 2010 Winter Olympic and Paralympic Games just around the corner, the challenge of integrating privacy and security will come to a head in an unprecedented way. We have already engaged security officials in a constructive dialogue to build privacy considerations into their security measures.
At the same time, we are taking a close look at Citizenship and Immigration Canada's plans to roll out initiatives using biometric information. For example, CIC is collecting fingerprint data from refugee claimants and is sharing it with other countries.
And we will continue to make known our views about Bill and Bill , legislation to oblige wireless, Internet, and other telecommunications companies to make subscriber data available to authorities, even without a warrant.
Since the terrorist attacks of 9/11, Canada has seen a proliferation of new national security programs, many involving the collection, analysis, and storage of personal information. We fully appreciate that the underlying aim of many security programs is to protect Canadians. But as we will continue to remind Parliament and Canadians at every opportunity that it is critical that privacy protections be integrated into all such initiatives at the outset.
Thank you very much, Mr. Chairman and members of the committee. My colleague and I welcome your questions.
I don't think I'm going to suspend. I would like to go on to our other matter of business, which is the consideration of the government response to the tenth report, on the privacy quick fixes.
We did receive a letter from the minister, and that was previously circulated. There are copies available and I think those are being circulated again, just for the members' information.
For the members' recollection, in regard to the privacy, this is a project that actually started in the prior Parliament, and the committee, after the last election, adopted a motion to bring that matter forward to the current Parliament. We have had the minister this Parliament for one hour—that's it—and his correspondence.
Our report and our work were substantive, I think. And as was indicated in the dialogue with the Privacy Commissioner, there is a clear understanding that we were not in total agreement with all of the so-called quick fixes. We did embrace five, or possibly six. I think it's fair to characterize the others as maybe either premature or that we need more work on some of those. So we'll have an opportunity to consider those, if necessary, when we do continuing work.
I think we will want to consider in a steering committee meeting, which likely will be held next week, whether there is any further work. So I would ask the members to refresh themselves on that.
We do have a call for a vote in half an hour. Normally when a vote is called, the committee should not be meeting without the unanimous consent of the committee. Could I have an indication from the members whether or not they would like to proceed for a short while, or shall we adjourn?