We really appreciate this opportunity, Mr. Murray and I, to appear before you. We know you've already heard from the statutory review committee: Clyde Wells, Doug Letto, and Jennifer Stoddart. They certainly addressed the rationale for the recent changes in Newfoundland and Labrador with respect to our access and privacy legislation.
I've been commissioner for just over three months now, and as a newcomer to access and privacy, I find it quite remarkable how the ability in our present society to collect, analyze, and unfortunately, abuse information has grown dramatically and continues to grow. However, I was surprised to learn that the federal Privacy Act had not really been amended for over 30 years.
The situation that we're in now in the digital age is that, formerly, being secure in your home and being secure in your life meant basically that your home was your castle, and now, with the proliferation of information, its storage, and its use, the keys to that castle exist out there in the digital world, and you can be deprived of your privacy and sense of well-being without anybody coming through your door. It's vitally important that all government institutions collect only that information that is necessary and then do their utmost to safeguard that from inappropriate uses and from being accessed by sources outside of government.
We are in a very enviable position here in Newfoundland and Labrador because of the Access to Information and Protection of Privacy Act, 2015. We believe it's one of the best pieces of legislation in the country. However, we recognize that the solutions we are using here and that were implemented here may not apply universally, and perhaps, in particular, may not apply to the federal system. Issues of volume and resources may dictate or require different solutions.
As an example, in regard to mandatory reporting of privacy breaches, we have all breaches reported to us, not just material breaches. However, again, based on our volume of reports, that may be more practical in a jurisdiction such as ours and less practical with an institution the size of the federal government.
The recommendations that have been made by the federal commissioner in terms of necessity for collection, public education, and public research mandate are all, we think, extremely positive. For the most part, I think we support all of the recommendations that have been made by the federal Privacy Commissioner.
We believe that our experience, in terms of now having had over a year to deal with our new legislation and responses to it and accumulate data, may be of some benefit to the committee. Between ourselves, Mr. Murray and I, we will hopefully answer any questions you have today to the best of our ability.
I haven't appeared before this committee before, so I thought I'd give you a bit of my background, which might give you some idea of the kinds of questions I might be good at answering for you.
I've been practising in the area of access and privacy law for 15 years. I've worked inside government. I administered the ATI, the access to information and privacy program, for the attorney general, the solicitor general, and the aboriginal relations departments in British Columbia for six years. My shop processed about 2,000 to 3,000 requests a year and we produced hundreds of privacy impact assessments. We administered the act inside a government department.
Then I switched to the oversight agency in British Columbia, where I was assistant privacy commissioner. In that capacity, my group of investigators and mediators investigated hundreds of privacy breaches and remediated thousands of complaints about access to information. British Columbia has an order-making power, so the small percentage of files that didn't settle moved over into the adjudication unit. So I'm familiar with that model of oversight.
I then spent a couple of years at Canada Post administering access and privacy on behalf of that federal institution under the Privacy Act and the Access to Information Act as the director of access and privacy. Now here I am in Nova Scotia, as the information and privacy commissioner. This is a recommendation-making authority in the province, so I've been inside and outside order-making and recommendation-making regimes.
I think you've heard from many people about the need to modernize the Privacy Act. In fact, I share the same concerns in terms of what's happening here in Nova Scotia. I'm in the process of developing a series of recommendations to modernize Nova Scotia's law, which was last significantly amended in 1993. It's 10 years newer but shares a lot of the shortcomings of the Privacy Act.
In preparation for this hearing, I looked at the submissions of my colleague Commissioner Therrien and I can say honestly that pretty much everything he is suggesting to your committee will be things that I'm suggesting to the legislature here in Nova Scotia. There's certainly a consistency in terms of where we see the need for these types of laws to go to be effective.
I thought I'd make three suggestions to you by way of introductory comments.
First, I would recommend that you try as best you can to make your changes as consistent as possible with private sector privacy standards, because from the citizens' perspective, what they don't get is that there would be different rules for the government as opposed to business. Often they find that the rules that businesses follow make more sense to them.
In terms of things such as collection of personal information, I know Commissioner Therrien recommended that you add a requirement of necessity. That's absolutely what's expected in the private sector. It makes perfect sense, of course, in the public sector and is a common standard across other jurisdictions, just not under the Privacy Act.
My second suggestion is that you consider adding a detailed purpose clause. I make that recommendation because Nova Scotia has a detailed purpose clause. It's one of the best parts of our old law. It's a very rich purpose clause and has served the courts well in their interpretation of the act. It has given a really good indication of what the legislature intended with the access to information and protection of privacy act here in Nova Scotia.
The third recommendation I would make to you has to do with breach reporting. Nova Scotia has a unique breach reporting requirement under the Personal Health Information Act. There is no breach reporting requirement under our old Freedom of Information and Protection of Privacy Act, but under the Personal Health Information Act, health custodians have to report minor breaches to my office. Real risk of significant harm or material breaches that you talk about at the federal level only require a notification to affected individuals, so I'm certainly recommending to the legislature that it include a notification of material breaches, much like Commissioner Therrien is recommending to you. I would also suggest that it would be worthwhile to require that institutions keep a list of all breaches, basically a privacy breach log.
That is something that the Europeans have done in the general data protection regulation in Europe. They must keep a log of all privacy breaches and keep it available should the commissioner wish to see it, and they must further report material breaches to the data protection authorities in Europe.
That seems to me to make sense, and I'll tell you why. Just looking at these minor breaches gives you an idea of what's going on and where the risks to personal health information are.
In Nova Scotia, for example, we had a 75% increase in minor breaches last year by health custodians. The patterns are really quite troubling. They give you very good intelligence about where training is required and where technical solutions are required in order to prevent the minor breaches, but also to prevent potential major breaches.
Those are three ideas that I thought I would suggest by way of introduction. I'm happy to address any other issues or any questions you might have.
Thank you very much for the invitation.
My office provides independent oversight and enforcement over B.C.'s access and privacy laws. The enforcement and oversight extends to over 2,900 public bodies, including ministries, local governments, schools, crown corporations, hospitals, municipal police forces, and more. They're subject to B.C.'s public sector privacy law, the Freedom of Information and Protection of Privacy Act or FIPPA.
It extends to over 380,000 private sector organizations, including businesses, charities, associations, trade unions, trusts, and more that are subject to B.C.'s Personal Information Protection Act or PIPA.
Today I am going to focus my comments on three areas that are part of the deliberations of this committee to which the B.C. experience may be informative: commissioners' order-making powers, an explicit obligation to safeguard personal information, and mandatory breach notification. Under order-making power and mediation and consultation, in British Columbia the mandate of the office includes the promotion of access and privacy rights, public education, advice to public bodies and businesses, investigation of complaints, mediation, and independent adjudication. These functions are complementary, and in my opinion, best delivered under one roof. It would be extremely difficult for another administrative tribunal or court to attain the same level of expertise and provide for efficient and timely resolutions for citizens.
Privacy and access to information issues are dynamic in the modern digital world. It's in the interests of organizations, individuals, and public bodies that the individuals making legal and binding decisions have the requisite skills and up-to-date knowledge about what is happening on the ground. Having the responsibility for adjudication plus advocacy, education, and investigation ensures the necessary expertise in the law. Our adjudicators receive the same technical training and professional development as our investigators, and are routinely exposed to new technologies, emerging ideas, and global trends affecting privacy and access to information law.
Combining the investigation and adjudication into one office provides clear benefits to citizens. Combining those provides one-stop shopping for citizens. This clarity and convenience is important. There is no confusion about which oversight agency or tribunal citizens need to direct their complaint to. They need merely to address our office. Citizens don't feel as though they are caught in or bounced around an unnecessarily bureaucratic system.
We have not found that the public education or the advisory functions of a commissioner pose a risk of undermining the adjudicative function. We do take steps to protect the integrity of the adjudication process. For example, no information about investigative files or attempts at informal resolution is ever disclosed to the adjudicators. The adjudicators do not report to the same supervisor, and they are not located on the same floor as the investigators.
When providing the public with advice and consultation, we clarify that our view is based on the information provided at the time, and that it is not binding on the commissioner with respect to making a formal finding in the event that we receive a future complaint.
In our consultations, we communicate about general principles and recommend best practices without prejudging individual cases. We are able to perform these various roles effectively because our legislation also explicitly gives us these powers and spells them out in detail.
Adjudication enhances our ability to resolve issues through mediation. The adjudicative function lends greater authority to our investigators by focusing the minds of the parties, and it provides an incentive to both parties to avoid formal adjudication. As a result, we resolve 90% of our complaints and reviews in mediation. In the last year we had 1,056 complaints and requests for review, of which only 109 went to inquiry. Of those that went to inquiry, only a little over 1% were judicially reviewed.
The fact that we have public education and advisory functions, complemented by investigative powers, with the ultimate ability to order compliance through our adjudicative function, gives us a level of authority that can influence the public and the government. Without that complete suite of functions, we would not have that same level of influence.
B.C.'s public sector privacy law has an explicit requirement for public bodies to safeguard personal information. We consider this legislative requirement as being fundamental to a public body's responsibility for the personal information it collects from citizens. Given the negative repercussions that can occur to citizens in the event of a breach of their personal information, it's almost unbelievable that a privacy protection statute would not incorporate this requirement.
Section 30 of our act states:
“a public body must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.”
Citizens rely on this section and expect that a public body is taking adequate measures to protect their personal information. It's the legislative requirement in most jurisdictions across Canada and internationally. Having this requirement in legislation is important from the perspective of public trust, as a clear and binding requirement on public bodies. It indicates the importance that governments place on this requirement.
While B.C.'s legislation does not explicitly address physical, organizational, and technological measures commensurate with the sensitivity of the data, our office has set out similar expectations in investigation reports and orders. In my view, placing this language explicitly in the legislation would be consistent with international standards regarding the protection of personal information.
Also, we have been clear that, as our province's regulator, we evaluate “reasonable security arrangements” on an objective basis, and that the determination of what is reasonable is contextual. The standard is not one of perfection but varies based on the sensitivity and the amount of personal information in question.
On breach notification, a privacy breach occurs when there is unauthorized access, collection, use, or disclosure of personal information. It is unauthorized if it occurs in contravention of one of our privacy laws. An important element of safeguarding personal information is ensuring that the privacy commissioner and affected individuals are notified when a privacy breach occurs.
Privacy breaches can carry significant costs. They put individuals at risk for identity theft and serious financial or reputational harms. They can also result in a loss of dignity and a loss of confidence in public bodies. We trust public bodies with some of our most sensitive and comprehensive personal information: social security records, tax data, health information, financial information, and the list goes on. We have no choice but to provide that information to the public bodies.
It seems every week that privacy breaches are reported in the media. We hear about laptops and portable storage devices being lost or stolen, human error resulting in disclosure, unauthorized access, or snooping as well as cyber-attacks.
Breach reporting in B.C. is currently voluntary in both the private and public sector. However, my office has recommended that it be made a mandatory requirement, and let me explain why. In British Columbia, we examined the government's privacy breach management process and we published those results in 2015. We learned that nearly 3,000 breaches were reported to government during the period of 2010 to 2013, but only 30 of those had been reported to my office. This told us that, under a voluntary reporting requirement, my office was receiving reports of only about 1% of all the breaches that occur within government ministries. Of those, the majority, 72%, were classified as “administrative errors”. The breakdown of other types of breaches included unauthorized disclosures at 16%, lost or stolen at 4%, unauthorized access at 3%, and cyber-attacks or phishing at less than 1%.
It shows that it's important to set out a clear threshold where notification must occur. We don't want to hear about every breach, but we need to know about the important ones. In B.C., we have recommended that the threshold be where the breach would be reasonably expected to cause harm to an individual, or where the breach involves a large number of individuals.
Mandatory breach reporting to a privacy commissioner also means that the commissioner's office can work with public bodies to learn from their mistakes and implement lasting preventative strategies. Mandatory breach notification also ensures that affected individuals are made aware of breaches without unreasonable delay, so they can take the important steps to protect themselves.
For these reasons, my office has recommended to the legislative committees reviewing B.C.'s privacy statutes that mandatory breach notification be added as a requirement. Both of these committees agreed and recommended in their final reports that the privacy laws for the public and the private sectors be amended to require breach notification to the commissioner and to affected individuals in the event of a privacy breach. The B.C. government has stated that it is committed to addressing mandatory breach notification at the next available legislative opportunity.
The federal Bill added breach notification requirements to Canada's private sector privacy law, and it is difficult for me to understand why the government would not hold itself to the same standard as it holds the private sector.
That concludes my remarks.
Colleagues, that brings to an end this particular discussion with our esteemed panellists, our guests here today. Thank you, Mr. Molloy and Mr. Murray, for coming again. I know you were here at our previous study. Mr. McArthur and Mr. Weldon, it was a pleasure having you here. Apologies if anything on our end kept us from connecting on the video side of things, but we certainly appreciated your testimony. Of course, Ms. Tully, we appreciate your perspectives, as well. I know that this will help us as we make recommendations and draft a final report. Hopefully, we will see some legislation in this Parliament that will address this antiquated legislation. I have every reason to believe that's going to happen.
Thank you again for your time and for your patience, and we know that we can count on you if we need further clarification. If there's anything else that you'd like to follow up with us on, please get it to the committee for consideration.
Colleagues, I have just a couple of housekeeping items. We have witnesses this Thursday. We have Chantal Bernier, who's a former privacy commissioner. Canada Revenue Agency and Shared Services Canada will also send folks in. On the Tuesday after we get back from Thanksgiving, we have CSIS, CBSA, and the RCMP. We're lining up witnesses for the 20th. We don't have confirmation from any of the ministers yet, but we're still working on that and waiting to hear back.
At some point in time, after we get back, I think we're going to have to have a discussion about what we're going to do next. I know there's a motion on the floor to propose what we're going to do next, but we need to have that discussion, as well.
I'm just going to let the committee know that I've already spoken to Mr. Lightbound, who will chair the meeting on Thursday. I have to go back to Alberta for some personal business that I need to attend to on Thursday, so I appreciate that. I know you're in good hands.
That brings me to the point where I wish you all a happy Thanksgiving, and I hope you have a safe constituency week. I look forward to seeing you in the House for the next couple of days, but I will be returning back to Alberta tomorrow night.
Does anyone have any questions or comments or anything they want to bring to the committee's attention?