Good morning, colleagues. We are very pleased to be wrapping up our study on the Privacy Act today.
We have waited to the end to invite the ministers responsible for the legislation we've been reviewing. We're very fortunate to have with us today Minister Brison, the President of the Treasury Board, Minister Wilson-Raybould, our justice minister, and with them, their staff: Ms. Dawson, Ms. Wright, and Ms. Khanna.
We appreciate your being here. You're slated to be here for the first hour Please help us in our deliberations and give us your insights.
Perhaps we have opening remarks from both of you for up to 10 minutes, and in the order I have on the agenda. If that's okay, we'll start with Minister Wilson-Raybould.
This is my first time before this committee, and it's a pleasure to be here this morning. I look forward to some discussion after we present our opening remarks. Thank you for welcoming my departmental officials.
As you know, and as you've been studying, the Privacy Act is a quasi-constitutional law that affects almost all activities of government. It has not been substantially reformed since it came into force in 1983.
You might approach Privacy Act reform by asking two questions. First, does the act contain the right principles for Canada in the 21st century? Second, does it feature the right rules and mechanisms to put them into effect? My remarks will focus on how we can move Canada forward in answering these two questions.
When we think about reforming the 1983 Privacy Act, our first instinct may be to focus on the impacts of changes in technology. Those changes can seem dizzying. Big data finds unprecedented ways of harnessing information. The Internet of things promises to cover human environments in a web of coordinated sensors and processors. The growth of artificial intelligence brings new ways of solving complex problems, and with quantum computing on the more distant horizon, there is the possibility that in our lifetime we will see an explosion of processing power with effects we can only dimly imagine.
Speculation about technology is exciting. It can also be scary. It might provide the push for law reform, but it does not provide the direction. Instead, I want to talk with you about two unchanging landmarks from which we can take our bearings for the review of the Privacy Act. They are trust and connection.
When you look at strong communities, democratic institutions, and functioning markets, one thing is clear. When people connect through relationships and networks based on trust, they can achieve great things, and great things should be in store for Canada. We are poised to be an open, secure, inclusive, prosperous, creative, and democratic information society. I am proud to be part of a government that is working on these goals.
To achieve them, Canadians need to connect with each other, with civil organizations, and with other democratic institutions. To connect, we need to be able to trust. When we connect with government online to seek information or a service, we need to be able to trust that the information we supply will be treated reasonably and respectfully, according to the law. We need to know that we can trust the connected systems that allow us to travel, communicate, enjoy safe food, and receive government benefits. We need to be able to trust that connecting with government will never make us vulnerable to manipulation or unjustified intrusions on our privacy.
Because ours is a democracy in which we collectively set rules for governments, we need to understand what governments do with information about us. The Privacy Act sets a basic framework for the protection of privacy in Canadians' relationships with government.
I agree with successive privacy commissioners, academics, organizations, parliamentarians, and Canadians who say that this basic framework in the Privacy Act is long overdue for a thorough review. That is why I have asked my officials in the Department of Justice to lead concentrated work, alongside other departments, towards modernizing the act.
The way I see it, privacy is not a drag on government institutions that are trying to achieve other important goals. Instead, privacy is a social good that makes all our collective projects better and more likely to succeed. Our government understands this.
The mandate letter handed to me by the asks me to ensure that our government's policy goals can be achieved with the least possible interference with the rights and privacy of Canadians. I will work closely with my colleague, the , who is responsible for the way the act is implemented across government. I will also work closely with my other colleagues whose portfolios use personal information as they serve Canadians. I hope to continue what this committee has started by connecting with Canadians of all groups and generations as we review the Privacy Act.
In your study, I encourage you to tackle some of the tough questions, always focusing on connections based on trust. For example, how should the act, which was designed to be technologically neutral, take account of the changes in technology? How can the act also serve us amid global, federal, provincial, and territorial flows of information in the service of important Canadian projects? How could the principles in the act guide government innovations to find new ways to serve Canadians better?
I think these questions are worthy of your committee's study. Eminent witnesses have appeared before you, such as the Privacy Commissioner, professional organizations, officials from other jurisdictions, government representatives, and accomplished academics. You are well equipped to influence the government's review of the Privacy Act and to effect the development of the law.
I encourage you not only to make recommendations but also to state considerations, questions, and areas for further study. I very much look forward to the results of your deliberations and your excellent—I'm assuming—report that's going to come forward and inform the work I'm undertaking.
Thank you, Mr. Chair.
I'm pleased to be back at your committee. I'm pleased to have with me today Joyce Murray, the Treasury Board parliamentary secretary, as well as Jennifer Dawson, the deputy chief information officer at Treasury Board.
The Privacy Act governs personal information-handling practices of government institutions. It applies to all the personal information we collect, use, and disclose about individuals or federal employees. It gives Canadians the right to access their personal information held by a government institution and gives them the right to request that the information be corrected if something is in fact inaccurate.
The Privacy Act, as my colleague, the said, came into effect in 1983.
Since the 1980s, advances in technology have provided many new ways of collecting and using personal information. Protecting this information is something we take very seriously, and it’s our responsibility under the Privacy Act to do so.
As the pointed out, we know the act needs modernizing. Treasury Board, as the administrator of the act, will be working closely with the justice minister, who will be leading this review. We will look forward to your committee's work to provide recommendations on how we can, among other things, modernize the law for the digital age.
The Treasury Board oversees the administration of the act across government. The plays an important role, as the Privacy Commissioner of course reports to Parliament through the justice minister. Our two departments work together to support about 240 government institutions that are subject to the act. I would like to take a moment to break down some of the key statistics around the administration of the Privacy Act.
Canadians submitted more than 67,000 requests for their own personal information in 2014-15. That has been increasing by about 4% per year since 1983. Seventy per cent of the personal information requests were responded to within 30 days. Another 11% were completed within the permitted 30-day extension.
In 2014-15, government institutions reported 206 material privacy breaches to Treasury Board or TBS. A material breach involves sensitive personal information and could reasonably be expected to cause injury or harm. The secretariat receives and reviews reports of material privacy breaches by federal institutions, and we support institutions in the follow-up to these breaches. In April 2016, I stated that the government will work with the Office of the Privacy Commissioner to improve breach reporting, and TBS is currently engaging with the office to strengthen reporting of material privacy breaches.
Also, within the secretariat, we set policies on how the act is to be administered, we provide support to government institutions as they carry out their responsibilities under the act, and we monitor their performance. We collect data from all government institutions and publish it in an annual statistical report on the administration of the act. This strengthens or contributes to accountability and transparency in how Canadians' personal information is protected and managed.
In my mandate letter, the asked me to ensure Canadians have easier access to their personal data.
In Budget 2016, we committed to two measures to do just that. First, we’re creating a simple, central website, where Canadians can submit requests for information about themselves to any government institution.
Secondly, we will not only make it easier to request personal information, but we will improve the speed of the government's response. There will be a 30-day guarantee for fulfilling such requests. If the response takes longer than 30 days, government institutions will have to provide the requester and the Privacy Commissioner with a written explanation for the delay, and we'll work with the Privacy Commissioner to develop new policy directions to implement this.
The fact is, we need to find the best ways to balance Canadians' need for better services with protecting their privacy. In closing, let me emphasize that balancing openness and transparency with protecting personal data is part of modernizing government in the digital age. We're continuously working to ensure that citizens' personal information held by government is well managed and that they have easy and timely access to it.
We are looking forward to working with parliamentarians and to your report. We are also looking forward to the's lead in terms of reforming the Privacy Act. During that period, we'll be working closely together to provide advice from the perspective of Treasury Board in terms of our role once that report is completed.
Thank you, Mr. Chair.
Good morning, both of you. I warmly welcome you and your officials to this committee.
I want to start with a bit of a broad question. One of the things you've both mentioned in your opening statements is about how important it is to modernize the act, but I also think there's an element of efficiency we should have when creating new policies, so I have just a general question, and maybe I can get your comments.
Do you see any value in having government departments consult at the outset of that policy-making process with the Privacy Commissioner regarding any policies that will affect the privacy of Canadians, as compared to at the end, when the Privacy Commissioner may be brought in to audit the policy? It's about working in concert from the outset to make sure there are no problems, that everything is smoothed over, and that there's an efficiency process, as opposed to the commissioner coming in at the end, once the policy has been drafted, and then having to audit that policy and make changes afterwards.
Maybe I can speak to that initially.
In terms of looking at the Privacy Act and in terms of potential law reform, I see great value in engaging with a whole host of individuals, including the Privacy Commissioner. I have had the opportunity to meet with him already on a number of occasions. I see value in continuing to do that throughout the course of our studies and investigations into what potentially could be most appropriate in terms of reform.
Likewise, I see tremendous value in receiving the report from this committee. We'll consider that in depth. As I said, I've already instructed my officials to start to do substantive studies around potential areas of law reform, and then further, at the end, included within this process, to do a substantive review of the Privacy Act as it is right now with an eye to modernization, to ensure that we engage with Canadians. It's my intention to do so in a substantive way.
Thanks to you and to your staff for preparing for today. I really appreciate your coming before us.
I can't help myself, Minister . With some of that logic, you would think that you would contact the Ethics Commissioner before you would have a type of fundraiser—or perhaps not. But I promised that I wasn't going to get too partisan today, so I'll just leave that to linger out there, if you will.
I want to talk about some of the comments you made here earlier. You said that 67,000 people have requested their information, and that has been increasing by 4.5% per year. In one of the recommendations from some of the witnesses we've heard from, they've suggested opening this up to outside of Canada. I'm hoping that we can get some of your thoughts on that, particularly based on the 70% of people who are seeing the 30-day commitment right now.
Thank you, Ministers, for being here.
I want to pick up where Mr. Blaikie left off to some extent with respect to SCISA and bulk data collection and retention.
Why I mention SCISA in the context of the Privacy Act is that both in the context of SCISA and in the context of the Privacy Act we talk about standards of collection, retention, and disclosure, and specifically the necessity standard. We had the Privacy Commissioner before us, who said that the most important change you would make is a necessity standard for collection across all government departments.
I wonder, Ministers, if you could speak to the importance of that standard and whether we can see that standard becoming law within our mandate.
I was thinking more of putting it in the context of the Privacy Act specifically, rather than in SCISA per se. It gets to the final authority, as it were, between SCISA and the Privacy Act. Perhaps the Privacy Act would make it crystal clear for the recipient agencies that when information is shared, not only must it be necessary for their mandate, but they'd have to operate strictly within their mandate, given that we have seen, at the very least, some worrisome behaviour from agencies.
I want to get to the resources for review. We have a lot of information sharing among government agencies. We have the Office of the Privacy Commissioner, with respect specifically to SCISA sharing, which has had some difficulties in obtaining all information from departments. We talk about whether the Privacy Commissioner's office has sufficient resources to do an adequate review of information sharing. Should they have the power to compel the deletion of unreliable information? If not the Privacy Commissioner, should we be looking at, in the context of SCISA, as we have heard, a super-SIRC type of body that would be able to look at information shared among government agencies?
How do we tell Canadians and show Canadians that we have a review body that is seized with this and ensure that privacy is in fact being adequately protected?
That leads me to my question. It has to with the seriousness of the Privacy Act, because legislation that has serious consequences.... You could say that in some places you're liable to be hanged for treason, whereas for singing the wrong words to the anthem, the punishment probably wouldn't be as bad.
As a municipal councillor and mayor, the most serious thing I was confronted with was about drinking water. Let me read to you the consequences for a municipal councillor:
The Safe Drinking Water Act, 2002 includes a statutory standard of care for individuals who have decision-making authority over municipal drinking water systems or who oversee the operating authority of the system. This can extend to municipal councillors. There are legal consequences for not acting as required by the standard of care, including possible fines or imprisonment.
What I'm looking for is strong wording in the Privacy Act that relates to breaches and consequences. I'm hoping that the government will be open to a review of how seriously we take these breaches and what consequences ultimately might be applied.
I'd be interested in your comments on that.
I appreciate the question and the comments.
Certainly, I think that in looking broadly at the review of the Privacy Act and reflecting on some of the comments I made in my opening remarks, the integrity of the Privacy Act and the review we're undertaking is dependent on, and wants to bolster, the trust that personal information data will be held in a secure manner, and that where there are breaches of the act, there is consideration of the appropriate remedies.
I'm certainly open to.... Again, not to sound like a broken record, but we really are at the investigative stage in understanding what's available in terms of the overview, renewal, and modernization of the Privacy Act as to what would be most appropriate. I'm very happy to receive feedback in that regard. To underline that, I think we need to ensure that individuals have trust that the governing institutions are appropriately managing and securing the data they acquire and have vis-à-vis the individuals.
Yes. It's not an easy thing to keep up with the technological changes. To write technologically neutral language is going to be one of the challenges that your department is going to face, Madam Minister, and I'm sure the committee is going to provide you with some excellent recommendations.
Colleagues, there is not enough time to start another five-minute question, so I would like to thank the committee members for their excellent questions.
Thank you very much to both our ministers and to the staff for appearing today. This concludes the witness list that we have for the review of the Privacy Act.
Mr. Blaikie, I'll get to you in a second.
I will let colleagues know that we will be reviewing the Privacy Act next week. We will be considering the draft report. We will be getting the draft report tomorrow.
It will not have had time to go through verification of the interpretation of both the French and English versions. Normally the analysts would do that, but in an effort to get the report in the hands of the committee members as soon as possible, before next Tuesday, you will have both a French and an English version, and it will not have yet been verified that the language is the same. Please don't get hung up on that. We'll deal with that next week. The analysts will come on Tuesday to talk about any differences in the language of the report.
Focus more on the content of what is there, and we'll begin those deliberations.
Thank you very much.
Mr. Blaikie, before we suspend, did you...?
Thank you very much, Mr. Blaikie.
We do have the Information Commissioner waiting, colleagues, so I hope we can deal with this expeditiously.
As you moved the notice of your motion last Tuesday, I asked the clerk to provide me with some guidance on this.
My initial review of it, in consultation with the clerk, is that the motion is very much on the very edge of being admissible, on the grounds that Standing Order 108(2) does not actually apply to the ethics committee mandate, so in order for this to continue before the committee, I need an amendment to the motion that would make the motion more admissible.
Mr. Kelly, is that what you are...?
The motion was likely not going to be in order until I acknowledged Mr. Kelly, who moved an amendment to your motion, which moved the motion more closely back in order. As a matter of courtesy, I checked with you to make sure that the changes Mr. Kelly was making would not substantially change the intention of your motion. We are now discussing the amendment to the motion, so we are no longer actually talking about your motion. Had I ruled, there would have been no opportunity for you to even address the motion, because I would have had to rule it out of order.
Then, on the speakers list, I had Mr. Lightbound, who is now asking for the debate to be adjourned. This is a dilatory motion. There is no debate on this.
As the chair, if I have failed in some way, Mr. Blaikie, I apologize, but as we have a dilatory motion and I've acknowledged Mr. Lightbound, I have to accept.... It's a non-debatable motion, and it has to be dealt with accordingly. I have to take the recording of this at this particular point in time.
My remarks are very brief. In fact, my colleague is handing out a deck that I'll be referring to as my opening remarks.
Good afternoon everyone.
Thank you for asking me to appear today. I'm here with Layla Michaud, my acting assistant commissioner and chief financial officer.
Mr. Chair, I'm here to ask you to approve a request for additional funding, which was included in supplementary estimates (B) tabled on November 3.
To assist the committee in makings its decision this afternoon, I've prepared a series of slides on the Office of the Information Commissioner’s complaint inventory reduction strategy. These slides explain the objective of the strategy, the purpose of requesting additional funding, how this strategy will be implemented, and the intended results.
If you would be so kind as to turn to the first slide in the short deck that I've provided you, essentially you'll see that the request for additional funding was made to the Treasury Board, and the purpose is strictly to reduce the inventory of complaints at the OIC. The Treasury Board supported the request for additional funds for one year. The funding that is being requested is for fiscal year 2016-17, and it is really a fit-gap measure that was put in place pending the possible introduction and passage of amendments to the Access to Information Act.
The funding that has been awarded, or that is subject to approval today, is strictly to be allocated to investigations. The objective is very specific: we have been required to complete 2,361 complaints. This is a very precise number, and the number is really based on our historical performance in terms of how many complaints we handle per individual, per investigator, and so on. That's why the number is very specific.
We started the inventory with 3,000 complaints, just slightly over that. We are expecting to receive close to 2,000 new complaints this year, based on our current projections, and we have three-quarters of the year done. With the augmented investigative capacity with the additional funding, we would close over 2,000 files, and that would leave a remainder of about 2,600, so that's essentially a reduction of about 500 complaints. If the funding is not approved, then the inventory will increase to over 3,600 complaints.
What we have done so far, Mr. Chair, is cash-manage, essentially, pending the decision of this committee. We have hired a mix of full-time employees and consultants, and we have provided comprehensive training to these FTEs. We have managed to secure some additional space for these additional people with the goodwill of Elections Canada, which is housed in the same office as we are. That's also a temporary measure, but we're not paying for this office space at this time, thanks to Elections Canada. Part of the funding was to upgrade the IT network to service the additional people.
As for what we are doing in terms of monitoring the results, we have very fixed closure targets every month, which we follow. I meet with my senior team basically every week. We also review the results on a monthly basis at the executive committee, which is composed mostly of our directors of investigations. We also submit the results of our progress to our audit and evaluation committee. By the way, a representative of the Auditor General also sits on our audit committee on a regular basis, so they're also apprised of this. That's relevant because, should the funding be approved, the Auditor General will also review how the money has been spent and allocated.
If you look to the last slide with a graphic, I included the graph because, as you can see, in red, it basically shows the performance we've managed to achieve so far in anticipation of this funding's being rolled out for the entire fiscal year. You can see the difference that a few additional people have made in our closure rate.
The next steps, really, are the approval or not by this committee of the supplementary (B)s. We will be reporting on the results of this initiative to this committee and to Parliament via our annual report or, obviously, at any time that this committee would like us to report.
Thank you again, Mr. Chair, for the opportunity to explain what is happening in terms of the funding requested in the supplementary estimates (B), which must be voted on.
We're ready to answer your questions.
Ms. Legault, thank you for participating again in the work of the Standing Committee on Access to Information, Privacy and Ethics. It's very much appreciated.
I'll start by asking you a more general series of questions.
Obviously, it's my first opportunity to look at these numbers. I understand that, in the supplementary estimates (B), you want an additional $3.3 million, which represents an increase of about 30% of your current budget.
Can you provide more details on staff distribution? How many additional human resources do you plan to hire? Have you already hired additional staff? If so, are they casual employees or consultants?
I can certainly provide more details.
It was a bit complicated because the budget hadn't been approved yet. It's almost December and the situation is somewhat complex.
When determining the amount needed during the year, we calculated the cost of hiring 20 investigator employees. These employees would be permanent, temporary or contract. Eight consultants were also included in the plan. Amounts were allocated to supplementary legal aid services for investigations. An amount was also allocated to the computer network. As a result of the extra staff, we had to increase our network's computing capacity. Lastly, the $220,000 represents the additional benefits. This money doesn't come back to us.
To date, I think we've hired 16 people, including permanent, term and contract employees. Moreover, 17 consultants were incorporated into the Office of the Commissioner. We remained within the available budget. However, since we couldn't hire as many permanent employees as we had wanted as a result of the annual funding, we managed the situation this way.
Not all the employees started working at the same time. They needed training so that they could conduct investigations. We have a case management computer system. Everything is computerized, and the employees need training. That's why we brought them in gradually, in groups. We just hired one final group last week. We currently have stable staff. If the requested budget isn't approved today, we'll need to start reducing our staff.
It's great to see you again, Commissioner.
In my previous life, when I was with the Saint John Sea Dogs, a hockey team, and before that in different businesses, we had quite an extensive budget process. If somebody came to me and said they needed an amendment or supplemental budget money to the tune of 30%, I'd be very concerned and we would look at that.
That said, from a business perspective, I think the first thing I would ask is, have you have looked at the process internally? Did you do everything you possibly could do internally to alleviate this problem? Could you share with us some of the initiatives you took before you came here to drive down that number of complaints?
I am in the last year of my mandate. I have been doing this work for a very long time now. As I said, when I first started, we started making a lot of changes in order to become more efficient. That really bore fruit for the first several years until our actual complement was cut significantly over the following years.
This year in particular, we have taken two main initiatives that are really bearing fruit in terms of efficiencies. In the first one, we implemented the Federal Court of Appeal decision of last year, which was a seminal decision in terms of administrative files. What the Federal Court of Appeal decided was that there had to be much more rigour in terms of institutions asking for long extensions. We developed a simplified process. We have developed some forms.
That's been extremely efficient in terms of changes to our results. I actually have these results with me here, so I can share that with you. In terms of where we were last year versus this year for these administrative files, last year at this time we had closed 293 files, and this year we closed 461 files. That's in part as a result of extra people, but it's also a result of what we've implemented with the federal government institutions. We have been using interest-based mediation very significantly this year. Again, last year at this time, we had closed 328 files, and this year we closed 708 files using this process.
We are actually making a significant difference, both on processes and with the additional people. That is what we're doing.
I've personally gone through all the old inventories in terms of our national security files and special delegation files. That's over 400 files.
Over the summer, we went through all these files to identify portfolio approaches and identify clusters of issues and clusters of complainants. We're working on that now. Two of my directors actually went through the rest of the inventory, and we did the same. We looked at all of the files that could be closed quickly. We are also reviewing all the files when they come in to identify the ones that we can quickly resolve because the issue is simpler. We go through all of those as well.
At this time, frankly, we monitor all the files. We monitor what's being done. I think we've done everything we could in terms of trying to sort out these files as quickly as we can. Some files do take a very long time. There's no question about that. Some files are 100,000 pages thick and, in some instances, there is no way to reduce them, so those take a very long time.
I have two from 2007-08. Those are special delegation funds. They have a national security issue. We were waiting for a Federal Court of Appeal decision on the interpretation of a specific section of the CSIS act. That just came down a few weeks ago. Those two files will be completed.
From 2008-09, I have 22. I have 13 with the CBC. Those are legacy files. From 2009-2010, I have 27.
It goes on, but the bulk is really in 2015-16, in which I have 1,000, and 2016-2017, in which I have 737.
I can provide this to the committee if you wish.
Mr. Wayne Long: Yes, if you could.
Ms. Suzanne Legault: We have it all in terms of what's there. I know what these files are. I know where they're at in terms of their resolution.
Well, those complaints we deal with fairly quickly. We don't have a lot of those in the inventory. It's very minimal, but it really does take a lot of resources in the office.
When people argue about what should be disclosed under an exemption of national security, I've always thought that it's a fair issue in the sense that a lot of these files are complex. To me, that's where the bulk of the office's work should always be. To have always 35% or so of our investigators dedicated to these delay files is a real waste. It's a waste in institutions as well, because their offices also have to deal with those once there is a complaint.
That would be the main game, if we had amendments dealing with timeliness, for instance. If we have order-making power, I don't anticipate that the delay complaints will be an issue at all. We obviously will be able to resolve these files very quickly. To me, that's the main issue.
In terms of the refusal files and exemption files, if we reduce it to just that in terms of what's coming in, then that would probably be a lot smaller.
I'll get back to the math. As I understand it, you are requesting roughly $3.3 million. You're suggesting that with that you'll be able to close an additional 1,061 files, which by my calculation works out to, on average, $3,160 per file. You say that you are able to close 1,300 files a year, and if we use that same math of $3,160 per complaint, that works out to $4.1 million or so in dealing with complaints, but your total budget is roughly $11.8 million. There's $4.1 million to resolve complaints, so what is the additional money being used for, and is there any sense of reallocating, then, just to clear up the backlog?
Is the committee okay with Mr. Kelly's tabling the report on my behalf tomorrow?
Some hon. members: Agreed.
The Chair: Colleagues, according to what we need to do here to appropriate these funds for the Office of the Information Commissioner, shall vote 1b carry?
OFFICES OF THE INFORMATION AND PRIVACY COMMISSIONERS OF CANADA
Vote 1b—Office of the Information Commissioner of Canada—Program expenditures..........$3,131,113
(Vote 1b agreed to)
The Chair: Shall I report the votes on the supplementary estimates (B) to the House?
Some hon. members: Agreed.
The Chair: Thank you very much, colleagues.
We'll see you again next week. Keep in mind that we are going to be reviewing the report, as I mentioned earlier.
The meeting is adjourned.