ETHI Committee Meeting

     Good afternoon, colleagues.

    Pursuant to Standing Order 108(2), on our study of the Privacy Act reform, today we have two witnesses. Our first witness, from the Canadian Internet Policy and Public Interest Clinic, is Philippa Lawson, director.

    Welcome, Philippa. You have a good reputation before this committee. As you know, the committee is addressing the Privacy Act, not in terms of a comprehensive review but at this point in consideration of certain recommendations posed to us by the commissioner herself and any other observations or recommendations for amendments that are significant and vital to ensure that we have the best possible situation within the existing framework of the act. As I indicated to you, a more comprehensive review would take much more time than we have before we break for the summer, but the committee is quite interested in following up on this. This is maybe our interim attempt to identify some possible amendments on a discrete basis throughout the act, and we do have a number.

    I understand you do have an opening statement for us. I can assure you that the members have lots of very good questions. This is a very important aspect of the Privacy Act.

    Welcome, and I invite you to make your opening comments now.

    Thank you, Mr. Chair.

    Bonjour, honourable members, and thank you for the invitation to appear.

    I'm pleased to hear that it is the intention of this committee to undertake a full and thorough review of the Privacy Act. That was to be my first and main submission today, that you should not leave this matter at just a few quick fixes that you're able to get in before the summer break.

    Government has a special trust relationship with the citizenry. The federal government in particular collects, uses, and discloses often highly sensitive personal information about individuals, who for the most part have no choice in the matter. They are required to hand over the information and must trust the government to protect it from abuse.

    In the context of the ever-increasing threats to privacy from new technologies, we feel it's critical that the federal government has a strong legislative framework governing its use and disclosure of personal data. In our view, the Privacy Act fails to do this job.

    You recently undertook a thorough review of the private sector data protection legislation, in which I participated. I think you are very well placed to now do the same with the public sector legislation, which as you know is much, much older and in more need of review, quite frankly. We would therefore urge you to undertake a full review of the Privacy Act this fall, with a view to recommending amendments by the end of 2008 if possible.

    I have reviewed the Privacy Commissioner's submissions, both the June 2006 report and the more recent addendum and submission to this committee. I think you have a very nice road map there to the reforms needed in order to bring the Privacy Act into the 21st century. We agree with most of the Privacy Commissioner's recommendations for reform.

    We have not undertaken a thorough review of the Privacy Act, and we're not in a position to provide you with a thorough set of recommendations. In any case, I understand that's not your intention at this point in time. We have instead focused on some of the deficiencies of the act that have come to the attention of the clinic in our work, either on behalf of individual Canadians with particular complaints, or in our research on issues such as identity theft, security breaches, the practices of federal administrative tribunals and agencies in posting personal information online, and many other issues.

    I have submitted a written brief, which I just completed this morning. And I apologize; it is in English only. I have provided copies in English only--again my apologies, particularly to the French-speaking members of this committee. I understand it will be translated and circulated to all of you.

    We've made a number of specific recommendations for legislative reform in that brief submission, and I'll touch on a few of them now.

    We've divided the recommendations into categories. The first area in great need of reform is transparency and accountability. The act is clearly designed to achieve a certain level of transparency and accountability, but we found in our research, for example, that we're simply unable to determine the extent to which the federal government is collecting, using, and disclosing personal information, particularly in the context of national security and transborder data sharing. The Privacy Act allows government bodies to share personal information about Canadians with foreign states for purposes that could be at odds with fundamental purposes of democracy and justice, without even the limited transparency that would be achieved, for example, through requirements that such agreements with foreign states be in writing, be authorized by legislation.

     So one of our first points under transparency is that subsection 8(2) of the act be amended to require that information sharing agreements and arrangements with foreign states or entities be in writing, be authorized by an act of Parliament, and be listed in a regulation under the Privacy Act.

    We are also suggesting that subsection 8(2) be amended to require the government to notify citizens of new uses and disclosures not originally contemplated when the information was originally collected—except, obviously, in appropriate cases.

    We agree entirely with the Privacy Commissioner that the annual reporting requirements of government agencies under section 72 need to be strengthened and expanded so that Canadians and organizations such as mine, which represent Canadians, can find out what is going on behind the scenes and hold the government accountable for its obligations under this act.

    Finally, we agree that section 63 of the act should be amended to permit the Privacy Commissioner to disclose information about government information handling practices in the public interest—and not just do so in her annual report.

    Another category related to this issue of transparency is protecting Canadians from abusive treatment by foreign entities, and foreign governments in particular. We've had a number of complaints and concerns raised with us at the clinic, particularly about the USA Patriot Act and the right of U.S. government law enforcement agencies under that act to secretly access data about anyone held by private corporations in their customer databases, for example.

    So we believe the federal government should be looking at standards, first of all, the kinds of standards Europe and Quebec have adopted, which require adequacy, or at least comparable protection, of foreign laws before the government will allow the transfer of data to those foreign jurisdictions.

    Another approach is simply to require that the government institutions disclosing personal data to foreign entities take measures to identify the purpose for which the data are being disclosed, and limiting, by way of contract or otherwise, the subsequent use of the data by the foreign entity to that particular purpose.

    We are also recommending that the government consider legislating additional protections, such as those adopted by the British Columbia government, to specifically block direct access by the FBI, for example, in the United States, or by other foreign government agencies, to the personal data about Canadians that this government has outsourced to private corporations.

    In this area we're also recommending that paragraph 8(2)(c) be amended to clarify that it applies only to Canadian courts. This paragraph is an exception to the rule of disclosure with consent, and it allows for disclosure

    It doesn't say, “Canadian court, person or body”, but just “court, person or body with jurisdiction”. So it's unclear whether it means just Canadian courts or foreign courts. We believe it should be limited to Canadian courts.

    We are also proposing that paragraph 8(2)(f) be limited to allowing disclosure and subsequent use of information to the precise purpose identified by the disclosing agency.

    There is another really important reform that we believe is needed. We find it astonishing, quite frankly, that the Privacy Act does not allow the Privacy Commissioner or Canadians to enforce their rights under it, other than through their right to access to information. It sets out all of these rights and obligations, but it has no mechanism for enforcing them. We believe the act needs an enforcement mechanism for all of the rights contained in it, not just access to information rights. We agree with the Privacy Commissioner that she and individual Canadians should have the right to go to court to enforce these rights.

    We also think, however, that the Privacy Commissioner should have order-making powers. We believe not only would that increase her clout when she's dealing with federal government agencies, but it would provide a much more accessible enforcement mechanism to individual Canadians.

    We also strongly support her quick-fix recommendations--for example, preventing overcollection of personal information by the government, and that is including a necessity criterion to the current clause, section 4, requiring that information collected by the government be related directly to an operating programmer activity. That clause should be amended to say “no personal information should be collected by a government institution unless it relates directly to and is necessary for an operating program or activity”.

    We also believe the definition of information is outdated and should be applied to any information, whether it's recorded or unrecorded. In particular, we would point to the expansion of private and public video surveillance in Canada, much of which involves ongoing monitoring. The information is not necessarily recorded for future reference, and that information, the monitoring activity itself, is potentially privacy invasive and should be covered by this legislation.

    We also strongly agree that privacy impact assessments, currently a requirement of Treasury Board policy, should be made a legislative requirement. They are, in my view, at the heart of the data protection regime in the public sector. In the private sector we rely more on individual consent; private corporations are required to get individual consent before they can use or disclose personal information.

    We don't have the consent rule in the public sector. Instead we rely on the federal government to undertake analysis of privacy impacts in the public interest and to ultimately make decisions in the public interest. Of course, we rely on transparency and accountability mechanisms as well to back that up. But privacy impact assessments are critical; they are, in effect, replacing the consent requirement we have in the private sphere and they should be legislated. They should not be left to a matter of policy.

    Finally, one of the areas we've spent a lot of time on at CIPPIC is looking at identity theft and ways in which to prevent and address that problem. We have been advocating for stronger incentives in the private sector for effective security measures and for notification to individuals whose information has been negligently or inadvertently disclosed or made accessible to unauthorized access and potentially criminal use.

    We think the same kind of rule should apply to the public sector, that is, there should be a provision in this act--as there is, for example, in some of the provincial acts we've looked at--requiring the federal government to take reasonable security measures to protect personal data from unauthorized access, use, or disclosure. We believe the breach notification requirements that are being considered now--that you recommended for PIPEDA and that Industry Canada is now consulting with the public on--should also be included in this legislation.

    Thank you, Mr. Chairman. I would be happy to take questions.

    Thank you very much. It's a very good start.

    We're going to start with Mr. Pearson.

    Thank you, Mr. Chair. I didn't know I was starting.

    As far as the crossing the border data flows that happened, I appreciate what you just mentioned about that.

    We have formalized arrangements, but a lot of these aren't written. Is that correct?

    That's my understanding.

    We have had real difficulty trying to find out just how many arrangements there are and what they are.

    Yes.

    It seems to me that's a big part of the problem. Correct? You have these arrangements, and they're not necessarily laws or whatever it is; they are just these quiet arrangements that have happened behind the scenes. I think the Privacy Commissioner was also hinting that there needs to be a way to regulate those a lot more so that we know what is being shared. You would agree with that?

    Absolutely.

    As far as some of the other recommendations the Privacy Commissioner gave about the data flow across borders, did you agree with what she said? She had a number of different issues. Did you have any that you would draw exception to?

     On the transborder data flows, I believe we agree with everything she has proposed, and I'll just take a quick look again. We support her recommendations. In particular, I think it was the tenth recommendation of hers that addressed this, strengthening provisions governing disclosure. Yes, absolutely, we agree with all of that.

     How would we build a base, a framework, for not just having these verbal kinds of recommendations? What kind of framework would we use to formalize these relationships more?

    As I've said, I think the first step is transparency, getting them out in the open, and that would start by possibly a recommendation that they at least be authorized by legislation, and then listed, perhaps, in a regulation to the act. We do that for investigative bodies. It allows a certain level of transparency. It allows the public, and organizations representing the public, to at least go somewhere and see what these arrangements and agreements are.

    So far we've found it impossible to gather. We've been trying to figure out to what extent Canadians' data, when they're held by, say, a foreign company in the States, are protected against privacy invasions, as compared to when they're held in Canada by a Canadian corporation. It has been extremely difficult to do that analysis.

     It would seem to me we can't really update this whole arrangement at all if we aren't able to do that and get hold of that information.

    Are you aware of how departments energize their compliance with the Treasury Board guidelines on this--exactly how they do that?

    No, I am not.

    Okay.

    What internal mechanisms are in place to ensure the protection of personal information that's transferred across national borders?

    Again, I can't speak to that. You'd have to ask the Treasury Board officials.

    Okay.

    I'm a bit worried--well, I think we're all somewhat worried. I met somebody this afternoon; for instance, I think many of us did. The real estate agents and others from across the country were in town today, and they were talking about how you buy a house. In order to be able to purchase that house, that information had to be shared with somebody else who lived, let's say, in the United States. You never thought your information was being shared in this way, but this was a particular thing that happened in the legislation, with something that we have right now.

    So it's more about partly my right as a purchaser. If I buy a particular property in Canada, the information is being shared by somebody else who happens to be in on that arrangement in the United States. I did not know this was part of it. This is part of what is going on. All this information is going back and forth across the borders. It's not just security things, but it's a whole bunch of purchasing things, merchandise, and so on and so forth.

    I'm not trying to kill time here. People have other and probably better questions, but it seems to me, from what the Privacy Commissioner felt, that she cannot really get a handle on this, even if we gave her resources and other things, unless this ability to be able to harness this information comes into place.

    Do you think a law is the thing that's required, as opposed to some kind of informal arrangement or some kind of written arrangement? Do you think a law would be better?

    I think you need to mandate the reporting of this information. It's not happening, otherwise. Whether it's private sector or public sector, in order to know what's going on, it needs to be mandated. One of the things we've been considering for the private sector is a requirement to notify individuals of the fact that their data are being shared with a foreign entity. In fact, it's certainly arguable that this is already a requirement under the private sector law, but I don't believe it's being fully complied with.

    As I say, I think the first step is transparency and just getting all of this out in the open, and that needs to be mandated.

    Thank you, Mr. Chair.

    Madam Lavallée, go ahead, please.

    Thank you.

    Good afternoon, Ms. Lawson, and welcome, once again, to our Committee. This is not your first appearance before us and it is always a pleasure to see you.

    I wish to apologize for having arrived late. I therefore missed the beginning of your presentation, and I am sorry about that.

    You listed several changes that you would like to see us make to the act as it now stands. What would your priority be? If only a few changes could be made, which are the most important elements of this act that should be modernized?

    Please forgive me, but I will answer in English.

    That is not a problem: I get along very well with my friends, the interpreters.

    I was worried about getting that question, because it's very difficult to prioritize here. Enforcement, I think, is a priority area. As I say, I find it astonishing that we have no mechanism to enforce our rights as citizens under this act, other than the access to information rights. I think that needs to be made a priority.

    I also feel, in part in response to the inquiries and complaints and concerns that have been raised with the clinic, that the transborder data flow issues should be made a high priority.

    I understand that you are trying to come up with--

    Allow me to stop you for a couple of seconds. You stated that the big priority was one of enforcement, but I do not know to what you are referring. I do not understand.

    Okay.

    Right now the Privacy Act sets out a number of rights and obligations of government and rights of individuals, but it only allows the Privacy Commissioner and the individuals to go to court to enforce their rights in respect of the access to information rights. The requirement is that government only collect information if it relates directly to an operating program and only disclose for consistent purposes; there's no way of enforcing that right, so when the government violates the act, there's no way of holding it accountable, other than reporting publicly on it.

    One of the Privacy Commissioner's recommendations, recommendation number 2, is to broaden the grounds for which an application for court review can be made to the full array of privacy rights and protections. That's the same recommendation we are making, except that we are also suggesting that the Privacy Commissioner could be more effective if she had order-making powers herself.

    I am trying to find what you are talking about in the ten recommendations the commissioner made, but I do not believe it is included there. Have you seen the Commissioner's ten recommendations?

    Yes, I have her report with me. I think there's someone here from the Privacy Commissioner's office who may have extra copies.

    As I say, she is recommending as her number two recommendation that section 41 of the Privacy Act be amended to allow the commissioner and Canadians to go to court in order to enforce their rights under the Privacy Act and to give the Federal Court the power to award damages against institutions that fail to comply with the legislation.

    The second element you talked about is transborder information-sharing. This is, indeed, the major challenge with regard to reforming this legislation. Everyone would agree on that. Earlier, you stated that you would like to see people receive a notice at home telling them that their personal data has been forwarded to Aeroplan, in New York, for example.

    Once you have this knowledge, what more can a citizen do? I agree that citizens should be informed; it is always better to be informed. But afterwards, one has no control whatsoever over this information... Would it not be preferable to ask people if they agree to having their personal information sent to New York?

    Absolutely.

    The theory in the private sector, at least where there's competition, is that this would create a market for Canadian companies to restrict their data sharing to sharing within Canada, and to advertise that and attract customers that way. Of course, that argument does not apply in the public sector, which is why we need stricter regulation in this area, and possibly blocking--statutes that block the Canadian government institutions from transferring data to foreign entities, at least when it's not adequately protected.

    British Columbia has been through this entire exercise. There's no need to repeat it. You can look at the amendments they made to their public sector privacy laws in order to deal with this and find out how those are working.

    As with so many issues under the Privacy Act, Treasury Board has adopted a policy. They've educated all the federal government institutions about this issue, they have done a review of all the contracts, they have identified risk areas, and all this kind of thing. Our view is that this is an area in which that policy is not good enough, an area in which we can and should look at legislating further protections for Canadians.

    You are talking about Treasury Board. Have you ever had access to the Coordination of Access to Information Request System? Are you in agreement with the decision...

     Absolutely. We are extremely concerned about the recent actions by this government to block access to the CAIRS database. That is, in our view, a critical component of the current--now we're onto a different topic--access to information.

    Your time has expired, unfortunately.

    I would like to say that this is of great concern.

    Okay, on the access side, but we'll get back to privacy now.

    Mr. Masse, please.

    Thank you, Mr. Chair.

    My understanding of the way it works with the United States is that we actually have to have a separate treaty to have that in place for privacy. In fact, the B.C. model doesn't really cover that off. The federal government requires a treaty.

     Have you heard of that before? I mean, I've done past work with the Privacy Commissioner on this and raised it. There are certain elements of the Quebec and the B.C. model that are of concern because it's supposed to be a privacy treaty, because no law in Canada can tell the United States what to do.

    That's right.

    The Privacy Act issue really comes down, in my view, to a practical concern. When a private entity receives an order from the FBI, they have to figure out whether they need to comply or not and what are the consequences of not complying with that order. The idea is to have greater consequences based on Canadian law for those entities to comply--greater consequences for complying with the FBI order than for not complying with the FBI order. That is what it comes down to. We're talking about the private sector here, and the same applies whether it's private or public sector outsourcing.

    I'm fairly certain, and I'll double-check on my stuff for Mr. Martin when he comes back, but one of the things that exposed this was.... I did a campaign back in 2003 with regard to the Canada census. That was outsourced to Lockheed Martin, and what came about, because of the Patriot Act, is that all the Canadian information on our census data was vulnerable.

     As you know, with the Patriot Act, once it goes over to the United States, where they were going to bring that information for correlation and data summary to package it for us.... It's against the law for Lockheed Martin, if that information is actually accessed, to even disclose that back to Canada. It's against the law for them to tell, even if it's a subsidiary.... For example, CIBC was another campaign I was on. CIBC outsourced its information to an American company; that company cannot even inform CIBC when its data is accessed by the FBI and CIA under that system.

    What ended up happening with the Lockheed Martin and Census Canada case is that Census Canada made them undertake certain measures in Canada and keep that information there, costing the government of the day millions of dollars or more, which probably defeated the whole point of outsourcing this in the first place. At any rate, that could be a potential model, to require Canadian companies to abide by privacy information.

    Do you have any comments on that? I think that's a model that should be enforced in the private sector here in Canada. Then you would never have the leakage, because we can't control it once it leaves the country unless we actually have an information treaty.

    My understanding is that that was, at least in part, what the B.C. government legislated; that is, the data has to remain in Canada and all the processing has to be done in Canada.

     I think Statistics Canada learned a lesson the hard way with the Lockheed Martin outsourcing. To my recollection, the result is that they allowed the foreign company to engage in consulting with respect to the software but not to actually handle the census information.

     I agree with you. I think those are ways to deal with the problem.

    I think the problem with the B.C. legislation--and I'm only going by memory on this file for this particular part--was that it applied to government contracts, not for private sector contracts. That's the hole that I think British Columbia still has to fill. That would require a response from the national government, to enforce that type of a model on the private sector.

    When you're doing some of your work in the United States, can you describe a little bit more about what kinds of roadblocks you run into? It's a very difficult path to try to uncover in terms of data management over there.

    Did you contact any agencies, or did you contact departments? Have you had the opportunity to do that yet? And what was the response?

     No, our research actually has been limited to Canada, to trying to understand from the Canadian perspective what the information-sharing mechanisms and avenues currently in place are. I can give you an example.

    We've had people complain to us and to the Privacy Commissioner about Canadian e-mail providers outsourcing to American e-mail providers. This was done by canada.com. Under the private sector law, you will recall that organizations, when they outsource, are required to ensure that the data they are outsourcing is subject to a comparable level of protection.

    The question is, when you outsource to an American company, is that data still subject to a comparable level of protection, or is it, by virtue of the Patriot Act, automatically given a lower level of protection? The Privacy Commissioner, in a couple of initial findings on this, one in relation to CIBC, found that it was comparable, because of all the information-sharing arrangements in place.

    We're not ready to accept that conclusion. We believe there are a number of reasons why it probably is easier for the FBI to access the information when it's in the United States than when it is in Canada and held by Canadian companies. We were trying to do the research to prove our point. We found it extremely difficult to uncover the apparently hundreds of information-sharing agreements and arrangements out there.

    That's interesting. When you look at what is happening over here, incredibly the government is now moving on requiring real estate agents to collect, even from those who are not clients who sign off with them on a housing deal, when they enter into negotiations and do searches and so forth, everything from the social insurance numbers to mortgage information, telephone numbers, and a whole bunch of information. I'm not sure whether you're familiar with this. I can forward it to you. The government is proposing that those real estate agents collect that information and contain it themselves.

    I wonder what you think about that element. The association is fighting it. They believe it's going to create an unnecessary amount of work. Second to that, you'll have a whole bunch of real estate agents who have information, which could be used for identity theft, because it is very sensitive personal and financial information and government-numbered information that they use to access a mortgage before they actually make a claim on a house or a piece of property.

    This is happening right now. I wonder what you think about that issue.

    It is a great example of why privacy impact assessments are so important. I would love to see the privacy impact assessment that was done on that particular government initiative.

    It also points out the need for really strong private sector data protection legislation so that those real estate agents have the guidance they need as well as the requirements to ensure that the information is protected.

    But I think your point is good. Every time we create another database of sensitive personal information, it is vulnerable to abuse and access. That privacy impact assessment should have done a really thorough job of weighing those risks: the need to collect that information and the benefits of collecting the information against the cost.

    I'm sorry, but we have to go on.

    I'm sure this is going to come up again, because this happens to be an issue where the money-laundering provisions in the regulations under the Department of Finance and FINTRAC basically supercede the Privacy Act obligation. It's a different situation.

    Mr. Van Kesteren, please, you have seven minutes.

     Thank you, Mr. Chair.

    Thank you for appearing.

    Ms. Lawson, I want to ask you a question with regard to the Internet. I know we've moved on, but I want to digress and follow up on what we had been talking about.

    Usually when we change laws or make laws, we do so because there's a problem. We have new legislation or whatever, and we find out that it's infringing or there's some other problem, so we want to change it. We've heard a lot today about especially the sharing of information with foreign countries, especially with the United States, and there's something that I don't quite understand.

    Do you have examples of why we need stricter disclosure? The only time I hear about an infringement where somebody's rights are violated is when someone has possibly been a member of an organization that blows up buildings. Why wouldn't a foreign country want to have some type of disclosure?

    I hear the other side talking, but we've corrected it. And that was not an example of disclosure, that was an example of abuse of disclosure.

     Why are we doing this? Do we have examples of where...? Quite frankly, if the Americans want to know about me, I have nothing to hide. I have no problem at all.

    What's the big deal?

    A number of Canadians, innocent, ordinary Canadians, have come to me and told me--I've read about many more in the news--that they have been denied the ability to board a plane, that they have encountered pretty extreme harassment and inconvenience in their efforts to move across the border in particular. They've been denied the right to cross the border, even, and enter the United States, or have been taken in and interrogated at length because 20 years ago they were part of some demonstration or engaged in some civil disobedience or something like that.

    There are many examples out there, I think, of individuals who have suffered because of foreign state collection of their information and use of it in a way that we would not consider appropriate in Canada. We've been seeing a recent trend toward more of that in the United States.

    So that's one concern, just on the law enforcement side. I think there is evidence.

    But isn't it incumbent upon us, if we have a citizen who has broken the law or something, to share that information with another government? Isn't it part of being a good neighbour? Don't they have the right to that information?

    We're talking about rights--you've given me some examples, and I think it would be interesting to follow up on those--but isn't there a balance there somewhere?

    Absolutely, which is why my first point is that we need transparency here. We need to know what's going on.

    We have seen examples of where states have gone too far. You don't need to go too far back in history to see pretty extreme examples. I don't think we should be complacent about governments even when they appear to be acting appropriately now. We should have legislated limits on state activities.

    When it comes to foreign states, we should be very careful about the extent to which we trust foreign states to handle the information of Canadian citizens appropriately.

    You still haven't answered my question. We've read just recently in the paper about the person who belonged to a terrorist organization. Isn't it incumbent upon us to share that information? You can say you don't trust a certain country, but if the acts of violence and terrorism are going to be played out in that particular country and he or she wants to travel there, don't we have a right to share that information?

    I'm not proposing that we get rid of all of these information-sharing arrangements. I believe this is an issue that Mr. Justice O'Connor really thoroughly reviewed in the Arar inquiry. I would just refer you to that report.

    I'm not suggesting that we don't share information. First and foremost, I'm suggesting that the Privacy Act right now is inadequate in terms of holding the government to an appropriate level of transparency regarding such agreements.

    Well, I'm glad you brought that up, because I was kind of getting the message that we ought not to share those things.

    Anyway, you're here as the director of the Canadian Internet Policy and Public Interest Clinic. I get calls from a policeman who works in child pornography. I want to get your take on this. What about the sharing of information with the police, or access to Internet providers? I want your feeling on that, specifically in an area like child pornography, where the police are handcuffed when they want to investigate and try to break up these rings.

    What's your take? How far should we be going?

     We need to be very careful before expanding police powers. We have over the years, and child pornography is just the latest thing the police are going after. But the police have the same kind of technology available to them as the criminals do, and they are using it and successfully prosecuting right now.

    I'm not sure that the police need any greater powers to do their job in this area or any other area. Due process is absolutely essential. We have due process in the Criminal Code right now to ensure that the police have the powers they need but are not allowed to go any further. In the interest of civil liberties, and the innocent people and everyone using the Internet, we need to be extremely careful before we give the police expanded powers because we want to shut down this horrible crime.

    I'm not suggesting expanding powers right across the spectrum. In an area like child pornography, can you see where we could possibly make some amendments so police have better access to those who are using these avenues to propagate this?

    As I said, I'm not convinced. This is a live issue that we've looked at a bit at the clinic. I'm not convinced that the police need greater powers to do that job, if that's what you're suggesting. The current legislation allows Internet service providers to hand over information about you, me, and anyone to the police upon request without a warrant. I think we need to be careful before we require them to do so.

     They're being told by their own lawyers that if they do this they might be infringing on people's rights--with the Internet providers.

    Right. This is not a Privacy Act issue. As I say, I think that's about as far as we should go in assisting the police in their investigations in this area.

    Colleagues, we have another witness. There is also a notice of motion that's in order. I haven't had a chance to talk with Madame Lavallée. Maybe we can use the last 10 minutes, if everybody wants to cooperate.

     Mr. Hubbard and Mr. Wilson, why don't you carry on? Then we'll have Madame Lavallée and Mr. Nadeau.

    In our discussions today we're covering a very broad range on privacy. If we are just dealing with our federal government in terms of privacy--the agencies and departments of the federal government--and the title of your group is the Canadian Internet Policy and Public Interest Clinic, is there sufficient security? Several dozen departments and government agencies out there have computer banks that contain information. From your study of this, is there sufficient security of that information to protect the privacy of individuals?

    Of course, my small clinic has not done, and doesn't have the resources to do, any kind of audit of government agencies. That's a job for the Auditor General and the Privacy Commissioner. We have reviewed the news reports and Privacy Commissioner reports to try to get a sense of how many breaches there have been. For example, in the past year, how often have government agencies unwittingly released information or suffered a hack or a security breach? We're seeing them fairly regularly.

    There were a few in the past year. Canada Post suffered one, and a few federal agencies. There is human error and these things happen. That is why I think the earlier point is a good one, that the more information you have stored in these data banks and the more data banks you have, it's almost inevitable that there will be some level of breach.

    I guess in response to the question, it's hard to know. I can't say how adequate the levels of security are right now. I would rely on the Privacy Commissioner to assess that. But I think it would help to have legislated requirements so that there's a stronger incentive for government institutions to take those security measures.

     With the departments, I'm often amazed to find sometimes--when we do get waivers on privacy--how much information departments have on individuals. For example, some departments would say, “That particular person has called our office 17 times in the last three years.” And they have a list of the dates, the hour, and the subject that was discussed, and often the answer that some public servant would offer to that person.

    Are you aware of that type of information being available? We might comment on Madam Lawson and say, “What has her connection been with Human Resources and Social Development Canada or Service Canada?” And some bureaucrat can say, “Well, she's been calling and....”

    No, I'm not aware of the extent--

    You're not aware of the stories.

    --of that, but I think it is an example of why it's so important that we limit data matching among government institutions and that we don't allow for these monster databases that combine all of this information so that a civil servant in one department is able to access information he or she doesn't need.

    In your review--for example, in dealing with the RCMP--have you ever had occasion to request the information that the RCMP or CSIS have on you, or some individual in your organization, to see what they have?

    I have not done that, and I'm not aware of anyone in CIPPIC having made an access to information request for personal information about me or them as individuals. We have made other requests, but not for that kind of information.

    It appears, in some of these more serious cases, that either CSIS or the RCMP have had data files on people that they were not aware of. Later on, in terms of investigating by Mr. O'Connor, or in terms of a court, they can suddenly bring forward information. And even then CSIS can say, “Well, that's against the best interest of the public safety of our country; we therefore can't....”

    Should there be availability to people to access their files?

    Yes, absolutely. And I note that the Privacy Commissioner did an audit, or reviewed the RCMP's exempt databases, and I think she found that more than half of the information in those so-called exempt databases should not have been in there, should not have been exempt from access to information requests.

    So I think we do have a problem there. It's a transparency problem again, and it shows that we need a Privacy Commissioner with enough resources and powers to call the government to account on these types of things.

    Mr. Tilson.

    On the issue of the public not wanting to provide information and the issue of the government needing information.... I don't know how often it happens, but I had a constituent call me at my office and he said--and you know this issue--Statistics Canada wants to know how much he makes and all the financial information about him, for labour purposes, and he doesn't want to give it. Statistics Canada says, “Well, if you don't give it, we're going to come and get you.” They don't say that, of course, but there are charges that can be laid.

    Statistics Canada says for them to properly advise the government of the day, to provide information for economic purposes and for labour purposes, and I suppose for other purposes I can't think of right now, they need to have that information to properly advise whoever is in office. Otherwise, the government can't develop policy. They can't develop labour policy; they can't develop economic policy.

    Has your clinic got into the philosophy of that? I can understand the guy saying, “I don't want you to know how much I make.” I suppose if they got his income tax they could look that up, but they want to know all kinds of other things.

     CIPPIC has not looked at that information, but it has come to me. I can think of a couple of cases in which people have complained about exactly that issue, about providing detailed, sensitive, personal information to Statistics Canada, people who didn't want to. I believe there are a number of people who have filed formal complaints with the Privacy Commissioner about that, but as you say, there is a law requiring them to provide the information. It would be interesting to hear from Statistics Canada and the Privacy Commissioner on this issue. I've not looked at it in any depth, other than what the law requires right now.

    The way it is at least theoretically resolved now is that there are theoretically constraints on Statistics Canada, so it does not allow that information to be used or abused in other ways. In the end, Statistics Canada produces very valuable information for Canadians and the government on the basis of the census and labour force surveys. There is a rationale for that, which I think has some merit, but the short answer to your question is that neither the clinic nor I have looked at it in any greater depth.

    Mr. Chairman, am I finished? Can I ask another question?

    Absolutely. You actually have two minutes left.

    I have one other question, then. It has to do with recommending the order-making powers that you suggested for the commissioner. I think the commissioner has in the past agreed with that. She said she wants that. The former Information Commissioner, Mr. Reid, said he didn't want that.

    We start looking at powers, and you mentioned the nervousness about giving the police too much power. Now we're saying, on the other hand, let's give the commissioner more powers, which I assume are quasi-judicial powers. I don't know what that means. That's like setting up a separate board. It would cost a whole whack of money. Does that mean the courts wouldn't be involved? She would make an order and that's that, without any reference to appeal?

    We've talked about this issue in different areas. I did find interesting your comment that you didn't want to give the police more powers but that you want to give the commissioner more powers.

    There are a few things in there. First of all, on the issue of the police versus the Privacy Commissioner, those are completely different kinds of powers we're talking about. When we're talking about the police, we're talking about investigatory powers. The Privacy Commissioner, under the Privacy Act, already has pretty extensive investigatory powers, and I don't think those are at issue in this context. We're just talking about the ability for her to make more than recommendations, to basically turn her recommendations into binding orders. That does not mean there would be no role for court. It would simply mean two things. The Privacy Commissioner's recommendation--

    Just so I'm clear, you would prefer that there be a quasi-judicial system under the Privacy Commissioner's jurisdiction, as opposed to going directly to the courts?

    I'm saying that it would be in addition to going to them, so you could go to the courts after. You go to the Privacy Commissioner first, and instead of just getting a recommendation--

    What's wrong with going directly to the courts?

    It's expensive, and people can't afford to do it.

    Write that one down, because I'll guarantee you, it will be expensive to go through the Privacy Commissioner's proceedings.

    Mr. Nadeau, please.

    Good afternoon, Ms. Lawson.

    The commissioner is asking for the authority to close down certain inquiries or to refuse them. I would like to know your opinion.

    Furthermore, were the commissioner to be given this authority, what safeguards should be set out?

    Yes, that is the one recommendation from the Privacy Commissioner that I'm not quite ready to endorse. I would like to see more evidence that it's really not possible to handle or deal with all the complaints that come before her in an effective and efficient manner. It would seem to me that a requirement to investigate still leaves a lot of leeway, a lot of discretion, to the commissioner in how she goes about that investigation, and you could do some fairly brief investigations in those cases that don't warrant full-scale investigations. I think obviously the recommendation is worth considering. It's coming from the Privacy Commissioner, but it's not one that I feel I or the clinic can endorse at this time.

    Thank you, Mr. Chairman.

     Mrs. Lawson, thank you for the input and insight. There is much more work to do, but I think you've given us significant assistance in assessing the recommended areas for consideration. I'm sure members will look forward to having your input in the future. It's much appreciated.

    As we have other business to move on to, you are now excused.

    Colleagues, while Mrs. Lawson is leaving, maybe our other witnesses could get themselves organized and come to the table while we deal with another matter of business.

    I understand that there have been some discussions. Would the committee now like to deal with the motion of Madame Lavallée, without debate, and put it to a vote?

    Madame Lavallée, your motion was circulated. There is due notice. It is in order. I believe the members all have it and have read it. Should we read the motion again?

    Madame Lavallée.

    For our purposes here, I will read the motion, but I will not comment upon it.

    Thank you.

    Colleagues, you've heard the motion by Madame Lavallée.

    (Motion agreed to)

    I'm in favour of the motion. It's carried six to five.

    An hon. member: How is that possible, Mr. Chair?

    The Chair: It's because—

    An hon. member: It's five to five. You have to split the vote, but you have to maintain the status quo.

    He forgot that rule.

    There is no rule like that.

    First, Mr. Malhi is not signed in. He does not vote. Mr. Hubbard did not vote. The vote was five to five. The chair breaks the tie, and I voted in favour of Madame Lavallée's motion. It's carried six to five.

    We will now move on.

    Mr. Chair, I have a point of order. Could we get a clarification, through you to the clerk, on what the rule is in the event of a tie? My understanding is that committees follow the conventions of the House. In the House, the convention is that if there is a tie, the Speaker votes in favour of the status quo. If we could have a clarification on that, it would be great.

    Mr. Malhi is not signed in. We have only four Liberals here, one of whom did not vote. Mr. Hubbard did not raise his hand to vote. We have three Liberals.

    Order, please.

    There are many precedents in which the chair is required to break a tie on votes in committees. I've been on both sides of it in the past, and we've done it before in this committee.

     On the same point of order, Mr. Chairman, we need to know this for the future. Are you simply going to vote the way perhaps your colleagues are voting? There's no question that's a policy of the House of Commons. The clerk will confirm that with you--he honestly will--but if you're not going to follow that policy, I'd like to know that. I think the rest of us on this side would like to know this.

    First of all, Mr. Tilson, from the committee's perspective, it is a report or a resolution of this committee for the consideration of the House. It is not binding on the government; it is simply an opinion. It's not a policy issue.

    I understand that. I'm talking about the breaking of ties and what your policy is going to be as chair. If your policy is going to be different from what the policy of this place is—this committee, this House of Commons—we need to know that.

    Yes. I have been involved recently with another case, with Mr. Allison, at his committee—

    I'm talking about this committee, Mr. Chairman. You're the chair of this committee, and we're entitled to know what your policy is going to be in the future.

    My policy always has been the matters that come before this committee.... The Speaker has ruled very recently and reminded us all that the committee is the master of its own agenda. It is the practice that when the committee deals with a committee matter, if it's necessary for the disposition of it for the chair to vote, the chair is going to cast a vote using his best—

    Sir, I don't mean to be debating with you, but I just want it to be final and clear.

    As I understand it, then, the policy of following the status quo will not necessarily go as to how you vote. Is that what your position is going to be?

    An hon. member: That's what his evidence is.

    Mr. David Tilson: Because if it is, we may take action.

    Well, I'm considering each of the matters that come before us on a case-by-case basis. In this particular situation, it is the chair's view that it is a motion that reflects the opinions of the committee, and indeed of some witnesses here, on that specific question.

    Colleagues, I've made a decision to support the motion, to reflect this committee's position so that it can take a position, and that's the decision I've taken.

    Mr. Chair, I have a point of order.

    Perhaps I could have my question, through you, answered by the clerk on what the rules in committee are with respect to tied votes. Perhaps I could hear it directly from the clerk as to what the rules are with respect to a tied vote in committee.

    Maybe the clerk can simply reply. I have no problem if the clerk wants to.

    Thank you.

    Is there a matter in the Standing Orders, in Marleau and Montpetit, and in written documents that we can refer to? And if we don't have it, if we're not sure, we could certainly check it. Are you aware of any that would indicate whether or not the chair can vote on certain issues in a committee?

    Mr. Chair, the chair is at liberty to vote the way he wishes; however, there has been a convention, if I can use that word, that rather than stop debate, the chair usually rules to continue debate.

    Thank you. Yes, I'm aware of that.

    Thank you, Mr. Chair.

     And the committee concurred to deal with this without debate, so I had to bring it to an end. I was aware of that, but that was the decision. It's an unusual circumstance. There was no debate because the members wanted to discharge the....

     So the decision stands then. The motion carried six to five, and it will be reported to the House and it's over with.

    I now want to move on to our next witnesses.

    We have with us, Mr. Paul Colpitts, director of access to information, privacy, and disclosure with the policy division; Janet Rumball, director of outreach and consultation, western hemisphere travel initiative and innovation, science and technology branch; and Caroline Melis, director general, intelligence directorate, enforcement branch. All are from the Canada Border Services Agency. Welcome to all of you.

    I think you have a pretty good idea from the previous witness of the interest in the issues related to transborder information and protection as it relates to the Privacy Act, as well as to the fact that I think we've concluded that it was going to take a long time to review the entire Privacy Act. Our intent is to try to look at certain areas that have been recommended to us for proposed amendments to the Privacy Act, so we could at least get a start on those areas where we felt there was significant opportunity to enhance the effectiveness of the Privacy Act.

    We welcome you before us.

    Mr. Colpitts, do you or your colleagues have an opening statement to make?

    We didn't prepare an opening statement. We thank you very much for the invitation, Mr. Chair.

    We understood the invitation was to come and discuss the framework for disclosure of information within the CBSA. We did take a look at some of the discussion you had with the Privacy Commissioner, and based on that, I asked Caroline Melis, the director general of our intelligence directorate, to address some of the questions you may have arising out of that discussion, and likewise my colleague Janet Rumball. So we're here for you.

    Okay.

    Mr. Hubbard, why don't you start us off.

    Certainly. I'm glad to see you here today, because we do on occasion...only 10 days ago I had somebody stranded in California because they couldn't get back. He apparently left the country in good standing, but when he got down there they found his name when he went to the Air Canada desk in California. They said he was on a no-fly list. This is a list that has been made by the Americans. Are we trying to enforce that too in terms of our own people flying out of Canada and back with airlines that are coming to our country?

    How do we have some sense of security that when Mike Wallace leaves here for wherever it might be, we're going to accept him back? There may be 1,000 Mike Wallaces somewhere in a computer bank.

    You've given me the first question right off the top.

    If he was on the U.S. no-fly list--and he's a Canadian citizen, I understand? Is that correct?

    Yes.

    Did he fly into the United States, if I can ask you that question?

    Apparently, yes.

    So there wasn't any activity on the part of the American authorities to deny him or to have him questioned prior to his departure from Canada, which would be how the no-fly list should be working if an individual is flying into the United States. You shouldn't be able to get there, unless the Americans have granted some dispensation for your inadmissibility for being on their no-fly list.

    I can't speak for the information that's on the U.S. no-fly list.

    Air Canada has written him a letter quoting a lot of different sections of different.... They have more or less apologized to him for being caught there in this particular situation.

    What I'd be concerned with is that there are probably a lot of people with the same names. We're a big continent here with probably 300 million people just in the northern part. How do we know? Are you advising people if they're not on the no-fly list? Is there advice to people, or do you simply buy a ticket and then go somewhere and hope to get on a plane, and then they say they're sorry but...? How does the system work?

     I can't speak in any detail to how the no-fly list works because I simply don't know.

    What I can tell you, though, is that a Canadian citizen is entitled to return to Canada. So the Canadian government would be taking action to assist that person in coming back to Canada, as they have a right to come into Canada. It is enshrined in the Immigration and Refugee Protection Act that a Canadian citizen has the right to enter.

    With regard to multiple persons with the name being out there, there could be many people with that name. I think Senator Kennedy was one of the people in the past who was identified on the American no-fly list, because there is a Ted Kennedy someplace who is an Irish Republican Army terrorist of some kind, and they wanted to be sure they were stopping the right Ted Kennedy.

    The thing about these lists is that sometimes there is only a name. Sometimes there is a name with a date of birth, a country of citizenship, a passport number, a place of birth, the parents' names, and a lot more detail. But between the two there is often a lot of grey area. How much information do we actually have? When the person is encountered is often when you go to verify whether this is the person who should be on the list, and you have to get information and details about that.

    I don't know how many names are on the U.S. no-fly list, and I'm not sure who in the Canadian public service could tell you that.

    You're saying, in terms of Canadians who might be on the list, that there has never been a filing of those names with Canadian authorities.

    I don't know.

    The other factor we sometimes find with border crossings is that people, mainly truck drivers, will come to the border on the American side, and they'll go to their CPIC or to their American system for identifying people who have a criminal background. It could be that they smoked a joint in 1978 and were given a warning. Well, that gets into the American system and they are told, with their rig, an 18-wheeler, which is loaded, “I'm sorry, but you can't get into the United States because you're on the Canadian CPIC as being involved in....”

    I knew a guy who stole a bicycle when he was 17 years old. This was on CPIC, and he was denied going into the States until he got a pardon.

    It's a very complicated process, and it is certainly to the disadvantage of a lot of Canadians. With our border information on our side, if that person had had a pardon, would he still be on CPIC in terms of having a criminal record?

    CPIC is a system owned by the Canadian Police Association, the RCMP, those groups. Questions on the policies with regard to what information is included you would have to address to them.

    In the Canada Border Services Agency you access that information.

    We have access to that information, but not at our primary line. We have access to that information if we're trying to find out about the case of a person who may or may not be admissible.

    Your access would be the same as it is for any policeman who stopped me for speeding on the highway. They could find out if Hubbard has a record. That can come back almost instantaneously through the....

    We don't have access to all the information in CPIC. We have access to certain parts of that information.

    There are various parts. The CPIC database is huge. It has a lot of information about criminal records and so on. But not all that information is provided to the CBSA for border management purposes.

    Thanks, Mr. Chair.

    I think we have to identify that, because often, in the United States, there is a much different impression of what's criminal behaviour. People in our country can eventually get back to being good citizens, whereas in the United States you have some states in which it's three strikes and you're out. That has to be weighed in terms of developing a better border-crossing system so that people aren't caught on either our side or their side with serious problems of movement.

    We're going to move on to Mr. Nadeau, s'il vous plait.

    Thank you, Mr. Chairman.

    Welcome all of you. My question is for Ms. Melis, but perhaps for the others as well.

    When a Quebec or Canadian citizen crosses the border to go into the United States or is returning from another country, does the Canada Border Services Agency have an automatic procedure?

    I'm not 100% clear. An automatic procedure to check the person, or to--

    We talked earlier about the no-fly black list, but this is probably a more specifically Canada-U.S. issue. There is a lot of travel back and forth. Do you have any responsibility vis-à-vis each citizen arriving at the Canadian border?

     I think we do.

    If I were to describe that situation.... Someone is coming to Canada. We have access to the information of all persons travelling to Canada by air. We have that access through the API/PNR information. So there is a system set up to tell us who is on what flight that is coming from where, what documents they have. Some of that information is linked to our databases of persons of concern to us, for whatever reason that might be. They may be on a lookout because they've committed a crime. They may be someone who's wanted by Interpol. They might be someone we want to see because we have some data for them.

    The National Risk Assessment Centre reviews the PAXIS information and provides advice to the port of entry. So if they're arriving at Pearson Airport, there's a passenger unit that would review that information and decide to meet the flight, or ensure that the person of interest was referred when they arrived at the primary line to secondary. Now it could be secondary for immigration purposes or for customs purposes, and it could be secondary for both purposes, depending on the reason.

    We are talking here of persons whose nationality is not Canadian.

     API/PNR information also gives us information on Canadian citizens who are coming into Canada.

    Anyone entering the country, no matter what their nationality.

    Yes.

    For several decades now, there has been talk of amending the Privacy Act, an issue that continues to be current.

    We know that a lot of things are changing with regard to security. The September 11 events had a tremendous impact. What changes should be made to this act in order to improve your work? Is the act sufficient? Do you deal with situations on a case by case basis?

    If I understand the question, you're asking whether the recent changes to the Access to Information Act have improved our access to information?

    We are talking about changing the present act. Should this act be modified in order to improve your work?

    As an institution, we've grown used to the existing act. That's what we work with on a day-to-day basis. We understand that we have to have a justifiable reason to collect information. It has to be for a program purpose. We have to maintain the information in such a way that a person may seek their information and ask for a records correction. And we have to be able to justify it, because the person has a right of complaint.

    Basically we've learned to work with the act. I really haven't turned my mind to the kinds of changes that might be beneficial to the institution or to private citizens.

    Thank you, Mr. Chairman.

    Thank you.

    Mr. Masse.

    Thank you, Mr. Chair.

    I represent Windsor West. Obviously it's a very busy border crossing. When somebody comes across the border to the United States and they are detained, arrested, or sent back to Canada, what information is shared between you and the Department of Homeland Security or other U.S. government officials?

     Canada has an information-sharing agreement with regard to persons who are encountering enforcement action and who are not Canadian or American citizens. If it's a Canadian resident or a third-country national who is stopped on the American side, detained and questioned, then we have an information-sharing agreement that enables us to share information on a personal basis, on an individual basis. We don't have to go and ask what the story is about; they can tell us why they've detained them. On a Canadian citizen, as long as it's for a consistent use, we're able to share that information.

     With regard to CBP telling us about certain circumstances, they have a terrorist database that is the one often in the news about Canadians, terrorists, entering the United States and about Canada being a hotbed for terrorists, etc. They tell us from that database on a monthly basis how many persons are intercepted and where those persons could be intercepted as they have a U.S. preclearance in Canada or in other countries. There could be someone who is intercepted at the land border or it could be someone who flies directly into the United States from a Canadian airport that doesn't have a preclearance facility. They tell us they've encountered this many Canadian citizens this month and have determined they were terrorists. We can then go and ask for more information.

    You assemble statistics on the reasons why people have been turned back. Does the department keep those statistics?

    I think it's a work in progress. One of the things we learned from the Auditor General's audit last year on the lookout monitoring was that we needed to work better to close the loop for persons who are intercepted for those reasons going into the U.S. and for coming back into Canada. We're working on that.

    The reason I asked those background questions is that the U.S. has decided to DNA-sample Canadians. What are you going to do with that information now? Has the department taken a position on that? What are you going to do with that information? Are you going to request that the United States segregate that information and not send it over?

    In Canada we have a different law with DNA sampling. You have to actually have a request for it through the court system. Are you going to ask the United States to segregate and keep that DNA information? Has the minister objected? I've yet to hear anything, and I don't know if the minister has objected. I don't think that's the case. What are you going to do with that information if they send it over to you, and what's the policy of the department on this issue now?

    It's the first time I've heard this would be happening.

    What would we do with it? We wouldn't have any way to do anything with it because we have no way to know what to do with DNA data. It doesn't pop up in any way. We'd have to develop a policy on how to react to that. How to use it, I don't know.

    I'm very surprised to hear that there hasn't been identification of this. It's been in the media. The United States is doing this already to other foreign nationals. It's going to be an issue that obviously contradicts our laws here, with DNA information going to a government department.

    What has been your response to the Auditor General's recommendations of June 2006?

    I'm not a regular member here at the committee. I'm filling in for Pat Martin, and I didn't see the Auditor General's testimony here, but I'm kind of surprised that today you didn't provide a document or update as to the Auditor General's summary of recommendations. There's quite a lengthy set of recommendations. I'm sure some of them you're working on and some of them you're not. I thought perhaps there would have been some of that information.

    I was misinformed as to what the nature of some of the discussion would be today. I didn't appreciate that you wanted to focus or drill into the audit of the Privacy Commissioner. I'm quite happy to speak to it.

    It is a fairly complex document that focused on customs information and the transborder data on which she made 19 recommendations as to what we can do to improve things. Quite a few of them deal with specific system issues, such as making sure we can properly track who has had access to the system. There are three issues that sort of fall within the enforcement area, and some are policy driven issues such as the need to create a privacy management framework. She has provided us with a great deal of good advice. That's my sense.

     I think some of the recommendations will take some time to deal with. For instance, she has suggested we bring up to date the existing Customs Mutual Assistance Agreement with the United States that predates the creation of the CBSA.

     Yes, and that's an important one. I have a couple of examples involving Canadian truck drivers. One was caught with marijuana 25 years ago. He is hired by an automotive company, goes across every single day, and is detained for two hours. We don't have any objection to his being stopped, and neither does he, but he's detained for two hours. And there are other cases with similar circumstances.

    Does your department advocate for those individuals? If the person has a law-abiding history and no problems before that, can you actually then get to the U.S. and try to work something out?

    I think that's something Janet might want to speak to. This speaks to our strategy to deal with the western hemisphere travel initiative and other initiatives from the U.S.

    This is not necessarily directly related, but the United States has a right to determine who is admissible to their country, and not having a criminal record is one of their criteria for admitting somebody into the United States. The age of the offence is not relevant: you have a criminal record. And the United States also does not recognize Canadian pardons. In that situation with a commercial truck driver, he or she is going to be detained.

    Yes. They're just detaining them for two hours, costing Ford and other people money and losing productivity. That's why I was looking at that recommendation and saying that there perhaps would be a vehicle, if it were done, at least to advocate—not to undo the process, understanding that they want to go through vetting and checking this individual and not provide him with NEXUS or FAST and other types of things—or at least be able to make sure there's not going to be a two-hour detention every single time the person crosses.

    We'll have more time to talk about that later.

    Mr. Wallace, please.

    Thank you, Mr. Chairman.

    I'm going to split my time. Let me know when there are five minutes left, to make sure Mr. Hiebert gets his question in.

    First of all, thank you for coming. I don't envy your position in your role as the border service. You get heck if you don't stop people and you get heck for stopping people, so it's a tough situation to be in.

    I am interested a little bit by your comment that you weren't.... I'm not sure what you expect to hear. We're looking at the review of the Privacy Act, and somebody asked you to come here as an organization to see how the act is working for you, what issues might have changed, and so on.

    Mr. Masse indicated, from the 2006 final report—and I have a copy of it, actually.... It was not from the auditor; it was an audit done by the Privacy Commissioner, just as a small clarification, and there were 19 recommendations. I guess I anticipated that you might, based on those recommendations.... You're saying it's taking a while to implement some of them. Well, it's been two years, so I don't know what your definition of “a while” is. To me that's a while.

    Just because there's an audit doesn't mean you can implement everything—I understand that—but of the changes you can make or are in the process of making...does that make the use of the Privacy Act easier for your organization, more cumbersome, or...? Do you have an opinion to that effect?

    There are some acts that fall in place. For example, when we talk about sharing of information with the U.S., we're also dealing with provisions in the Customs Act, first of all. When we look at the legislative framework—and your question is basically whether it is working for us—some of our opinion is informed by what's in the Customs Act.

    There's a very good provision in it that deals with the access, use, and disclosure of information, in section 107. There are some parallels between it and subsection 8(2) of the Privacy Act. It is quite specific about dealing with information that is gathered for a purpose related to customs legislation, and most of the relationship with the U.S. deals with that customs information.

    So it is not in the Privacy Act, but in the Customs Act. Is that correct?

    Yes. Of course, we're also subject to the Privacy Act. We are informed by the recommendations that the Privacy Commissioner made, and we have been trying to digest them. Some of them are very ambitious, such as creating a privacy management framework. In her audit, she offered four or five pages of recommendations on how we might go about that.

    Some of it is very good. Some of it speaks about making sure we have clear roles and responsibilities laid out with respect to privacy-protected information, and we are working on that. We hired a consultant last year to help us work out what we could do. We need to hire a consultant again this year to carry on this work.

    She also provided a great deal of information about what she would expect to see in written collaborative arrangements. We've worked through all of her information or suggestions, and we've created guidelines to help operational areas in the organization to update or create new written collaborative arrangements with partners.

    Going back and reviewing and changing each one of the existing arrangements or agreements is a very large undertaking, if we were to go broad scale.

    The Privacy Commissioner has 10 recommendations, which she calls quick fixes. Her organization would like to see a full review. It would probably take six or seven months to go through and make changes, updating the Privacy Act. She might be right—it hasn't been updated in 25 years or so.

    The Privacy Commissioner mentioned that she'd like to enshrine in law that deputy heads do privacy impact assessments. I know you're not at that level, but as an organization, do you do them now? What do you do with them, and where do they go once you perform them? I need to know whether this actually happens now. Is it a Treasury Board recommendation? What actually happens?

    The privacy impact assessment is Treasury Board policy, so we respect the policy. If it's a large project, if it involves privacy-protected information, or if there are potential privacy risks, there's basically a two-step process. The first is to create a PPIA, a preliminary privacy impact assessment. It's a tool that allows us to figure out whether we really need to do a privacy impact assessment.

    If we determine that one is required, the policy sets out a process. We look at it and map out all the changes—what the potential impacts are going to be. We work with legal services, and we go to senior management. We have to present a reasonable case that we are properly mitigating privacy risks.

    Once we've done our homework, we take it to the Privacy Commissioner. This is where I think the relationship is good. Her staff, her office, will make recommendations and engage us. In the past, that meant some changes to what was proposed for the advance passenger information or PNR records.

    Passenger name records.

    More recently, the discussion that has been going on with her....

    I'll pass. In the next round, we'll have to share again, likely.

    Thank you, Mr. Chair.

    In my constituency in British Columbia, I have the largest border crossing in western Canada. I often hear from constituents that when they're returning from visits to the United States, customs officers ask them a number of questions of a personal nature—where they were travelling, what they were doing, the nature of their employment, where they live, and other such questions.

    What specific powers do CBSA officers have? From which act or regulations are their powers derived? What level of privacy can Canadians expect? Is there a limit to the kinds of questions that can be asked by the CBSA officers?

    That's a very complex question, and it requires me to parse it out a little bit. Basically, our powers at the border are derived from the Immigration and Refugee Protection Act together with the Customs Act. When you arrive at the border, you can anticipate questions. We have to establish who you are and what your purpose is in coming into the country, even if it is to return home. We also have to establish whether you have any regulatory responsibilities, whether you are carrying any goods that might be subject to some act or legislation.

    In doing this, we have to process a great number of people. There are about 300,000 travellers who come through every day. What we have out of jurisprudence, through the Supreme Court of Canada, is that your expectation of privacy at the border is diminished, because we have to figure out who you are and what your purpose is in coming to Canada.

    Our institution has a responsibility to be careful about the information they gather from you. We have a great deal of latitude. We can ask questions for a business purpose, a customs purpose, or an immigration purpose. We have to be careful about how we treat your information.

    Do Canadians have an obligation to respond to any of these questions? Can they just decline to answer?

    I don't know who would like to answer that one.

    We would expect they would answer the questions. It helps us to establish whether they have the right to enter, whether the goods or personal possessions, or the plants or animals or whatever they might be bringing with them, are being lawfully imported, etc.

    I've heard that CBSA administers almost 90 acts on behalf of various departments--health acts, food acts, acts for species that are threatened, all kinds of different acts.

    I understand that. But my question to you is whether they are free to decline to respond.

    That relates to sections 11 and 12 of the Customs Act. Basically, you have to answer truthfully all the questions asked of you. The dynamic you would create by not voluntarily responding to those questions that are asked in that few minutes that a border services officer has to figure out who you are and what kind of risk you may pose would probably trigger a process in his mind that would result in your needing to go to a secondary line, so that someone else can spend a little more time with you.

    Mr. Pearson, please.

    Mr. Colpitts, I understand that 300,000 people every day is a lot. I don't envy you. As Mr. Wallace said, that's a fair number. But as a committee, we have been learning that the Privacy Act as it's presently constituted seems to be woefully inadequate, so we have a responsibility to try to strengthen it.

    When the Privacy Commissioner did her audit she acknowledged that there were management systems in place to be able to take in this information and share it. But she also said, as part of the conclusion, that much of the information was based on verbal exchanges instead of written requests. You've already referred to this, and I appreciate that. I went over this with a previous witness. But the Privacy Commissioner implied that that was contrary to your own policy. Is that correct?

    Yes, it is contrary to our own policy.

    So you're being put in a position in which, because of such demand, or whatever it all is, you can't even respect your own policy. There's just too much to do.

    Our policy direction is quite clear. We expect those exchanges to be documented, so we can figure out if the person did the right thing at the right time and can be accountable for that exchange.

    It was her conclusion that they weren't being documented.

    Yes, we're aware of the problem. We're rebuilding those policies, and we're going to go out with a robust training program for our folks.

    Since the Privacy Commissioner's audit has taken place, forms have been developed to put out in the field for officers to record what information they have shared. Those forms are provided to the regional offices, which can then choose to go out and audit particular ships or ports, etc., on how they're sharing information. Eventually, the agency would like to see this automated so that it's not done on a paper form, but I think that's probably a system development for some time in the future.

    When the audit was done it was at a relatively early stage in the creation of the agency. While the audit was focused on customs information specifically, the agency took the view of taking the lesson that we can learn from this to better protect all the information we have. One of the things we've been working on is a new information-sharing policy for within the agency, particularly for sharing intelligence information and the documentation of that--the training of staff on when they can provide information outside of the immediate area of work within the agency, to other parts of the agency, to other departments, and to other governments, and how to go about recording what you've shared, why you've shared it, and with whom, those sorts of things. So those practices have more rigour around them than they did at the time of the audit.

    That's all I'm trying to figure out. I realize that she was trying to give helpful suggestions, and I'm just trying to figure out if those in fact are being followed up.

     She also suggested that the organization could not guarantee with any real certainty or understand the extent of the information you had shared or how often you were sharing it. Do you remember her saying that? What remedial things are you putting in place to deal with that?

     Those comments are in the context of the verbal exchanges. At the same time, she did not find any wrongful or wilful problems with that information sharing.

    We recognize that's an issue for us, and we are reworking the policies. In the past year, for instance, we have provided privacy- and access-related training to about 832 of our folks. So we're ramping up to deal with it.

    I appreciate that. When she was here, she was talking about this being a serious issue, which I know you take it as. All I'm trying to figure out is how far you've gotten along with that.

    The Canadian Internet Policy and Public Interest Clinic was just here. They made a few recommendations, but can I ask you about one or two?

    She said we should put agreements into writing and that they must be authorized by legislation to guarantee transparency. Do you have a comment on that?

    Yes. We have 277 written agreements now with foreign governments, provinces, and other government departments. If you look at some of our specific authorities to disclose information, they require a written collaborative arrangement or an agreement to be in place.

    An agreement, but legislation?

    The requirement is embodied in legislation. Subsection 107(8), for instance, deals with our ability to share customs information with a foreign government. The terms and conditions include a requirement to have an agreement or an arrangement in place.

    Under the Immigration and Refugee Protection Act, within the regulations at subsections 150.1(1) and 150.1(2), there are requirements there also that Parliament review some of those arrangements and agreements that we enter into.

    Thank you.

    And there are similar requirements in subsection 8(2) of the Privacy Act, which is an authority to disclose information. So it becomes a term and condition of sharing that information abroad.

    Thank you very much.

    Thank you, Mr. Chair.

    Mr. Tilson, please.

    Ms. Melis, you gave the Ted Kennedy example for a no-fly list. I guess the issue is that there are all kinds of people who have similar names. When Mr. Hubbard was a little boy, there was a famous hockey player named Ted Kennedy, for the Toronto Maple Leafs. Remember him? Teeder Kennedy? I know an individual in my riding whose name is Ted Kennedy. It sounds hard to believe, and I'm sure we could give all kinds of examples.

    If you suddenly discover, for whatever reason, that you're on a no-fly list, either Canadian or some other nation's, how do you get off that list? How quick will it be?

    Take Ted Kennedy, the hockey player. If he arrives and wants to fly somewhere, all of a sudden he's a terrorist.

    I have to say that is an American issue, who is on their no-fly list and how they can get off their no-fly list. I don't know what procedures the Americans have in place for getting your name removed. Ted Kennedy did get his removed, so there must be some way to do it.

    Do we have a no-fly list?

    Doesn't Canada have a no-fly list?

    I believe the existing air security list, or whatever they call it, belongs to Transport Canada. We really don't—

    So that's not part of your—

    We don't administer that list.

     I believe there is a process to get off the list, but you'd have to go to Transport Canada.

    All right. I'm going to give Mr. Wallace 30 seconds to comment.

    I don't know whether you've sat around and thought about how this legislation could be improved. When you leave this place, if you think of any recommendations, we would appreciate your writing a letter to the clerk of the committee with any that you may have, in your experiences, in your way of life. That would be most helpful. We would appreciate that.

    Mr. Wallace.

    Thank you, Mr. Tilson. I was going to say the same thing.

    Let's be honest, the Privacy Commissioner has come here with 10 recommendations for easy, quick fixes. Without any feedback from anybody else, I think we could do them all. We need to hear whether they're accurate or not. She may or may not be right. She has a responsibility for the Privacy Act and not much further.

    As a committee member, I'd like to hear, where the rubber hits the road, what the effect might be. So if you agree with those recommendations, that's great, and if not....

     I agree with Mr. Tilson; if you could provide it in writing, that would be excellent.

    That's all I wanted to ask.

     Did you want to respond? You've heard the comment. Is that the idea?

    I welcome the opportunity. I think we need to digest them. In our world there are basically four main acts that deal with exchange of information. The CBSA Act, in the mandate, speaks about implementing agreements with foreign governments. We have the provisions in the Customs Act. We have the ability to make regulations in the IRP Act, and we have the Privacy Act, of course. We also participate in a working group that's led by Treasury Board. So whatever we would recommend needs to resonate with other departments as well.

     Mr. Colpitts, this recommendation is number 10 of the Privacy Commissioner's points for consideration. In addition, she has provided some other.... I'm not going to go into it, but I would hope you would take the opportunity to examine the commentary. There are a couple of concerns, one about the existence of agreements and being in writing. I'm not sure whether there are examples of where that may not be the case in terms of the information, and also there is a question about whether the personal information is used for administering or enforcing law or conducting an investigation.

     The act doesn't impose any duty to disclose on the disclosing institution to identify the precise purpose, so she has a problem with the Privacy Act requirements in terms of the disclosure. I'm not sure whether or not that really impacts on the discharging of your responsibilities, but your commentary would be appreciated on whether or not this is a matter in which the effectiveness of the Privacy Act is being mitigated by the absence of some technique or something that can be done to remediate the situation.

    I commend the commentary. It's only two pages long. You could have a look at this and the committee would appreciate your specific feedback on recommendation number 10.

    Madame Lavallée, for a final intervention.

    Thank you, Mr. Chairman.

    I as a matter of fact wanted to begin with recommendation 10. I will summarize the recommendation in one sentence: reinforce the provisions concerning the disclosure by the Canadian government to foreign States of personal information.

    Were you consulted by the Commissioner before she drafted this recommendation?

    No. I think her recommendation may be informed by the audit that she performed on the CBSA, but I really haven't had a chance to study her documents and appreciate what she has to say.

    Were you aware that she would be making such a recommendation? It impacts upon you directly.

    I only got a chance to look at her comments that were in relation to this committee meeting on April 29, on Friday, so I haven't had a chance to talk to staff and to counsel and other people in the organization as to what these recommendations would mean to us and whether we would be in a position to signal support.

    We want to make sure that whatever we would signal would resonate with our partners in the program.

    In your day to day work, do you feel the need to reinforce the provisions pertaining to the disclosure of information to foreign entities? Is this a recommendation that you would have spontaneously made? If not, does the act as it now stands allow you to do your work properly?

    I think we have learned how to live with the Privacy Act as it's framed right now. Within our own program legislation there are often suggestions that we could change it, either to tighten or to relax certain terms and conditions to clarify our ability to share information, but I have not heard that kind of discussion in the context of the Privacy Act. The Privacy Act provisions for disclosure are important to the administration of the Immigration and Refugee Protection Act.

    Very well. Thank you.

    What information do you possess and in what format?

     Do you mean what I brought with me today, or that the agency has?

    What kind of information do you have? You talked earlier about airplane passenger lists. What other information do you have? You have negotiated 277 agreements with the rest of the world. I imagine that you exchange a good deal of information.

    I deal primarily with disclosure policy, so the larger issues. And dealing with the day-to-day transaction kinds of issues, managing the 300,000 travellers who cross the border or arrive every day, is for folks in the regional offices and in operations.

    In the context of our enforcement-related work in the immigration world, we would certainly work files on individuals.

    Maybe Caroline could....

    I will just pick up on that. The kind of information we would be containing depends on the type of agreement you have. For example, you might have information that a particular container is carrying some prohibited good of some kind. Maybe there is going to be a lot of false tobacco or something, or there might be a bunch of illegal migrants in a container. So you would have that information about the container and the shipping company and the boat that it's coming on, etc.

    In the arrangement we have with the United States to share information on third-country nationals for purposes consistent with the enforcement of the immigration act, we can share a whole range of information. I'll just give you some examples of the kind of information it would be: the name of the person, the aliases, the gender, the physical description--that is, 5 feet 7 inches, 180 pounds, or whatever--the date of birth, the country of birth, their work history, the travel carrier they might be on, their address--there is a whole range of information. You might not have it all for everyone, but we've agreed that these are the kinds of things that would be consistent for the purposes of enforcing the immigration acts in both countries. And we have agreed to share that information when it is relevant to the other party, when there is a request being made by one party to the other, or if it's in our interests to tell you about it.

    Thank you.

    Ms. Melis, Mr. Colpitts, Ms. Rumball, thank you kindly.

    We have asked you for some feedback with regard to recommendation 10. These are not all-inclusive. If you have any other observations or suggestions to make to us with regard to matters to be considered, we would certainly welcome those too.

    You did talk briefly about training. I don't know if training is an issue. Your annual reports on things.... What's the state of the union, from your perspective? It would be helpful for us to know if there is any way we can help to improve the system.

    Thank you kindly.

    The meeting is adjourned.