Questions and responses 45th Parliament, 1st session May 26, 2025, to present

With regard to the Personal Information Protection and Electronic Documents Act and the Privacy Commissioner of Canada: (a) is the government planning any changes to strengthen the Personal Information Protection and Electronic Documents Act following Aylo’s refusal to abide by the recommendations in the February 29, 2024 report from the Privacy Commissioner of Canada; and (b) is the government planning any other action to ensure future compliance with the recommendations of the Privacy Commissioner of Canada, and, if so, what are the details, including the timeline, of any such action?

With regard to Farm Credit Canada's policies on privacy and information sharing: (a) what personal or loan information can Farm Credit Canada disclose to guarantors, related parties, shareholders or third parties, and under what legal authority is this disclosed; (b) what safeguards does Farm Credit Canada use to ensure that borrower information is not shared beyond what is strictly authorized or required; and (c) what investigation and remedy processes exist when a borrower believes their information was accessed or shared improperly?

With regard to Farm Credit Canada's policies on a borrower's access to, and the corporation's internal controls over, personal accounts: (a) what is Farm Credit Canada's internal process for removing a borrower's access to their own loan account or online borrower portal; (b) under what circumstances would Farm Credit Canada be permitted to remove a borrower's access to their own account; (c) how does Farm Credit Canada verify borrower authority before changing, restricting or removing account access; (d) can a third party request that a borrower's access be removed, and, if so, under what authority and with what documentation; (e) what audit trail is created when borrower access changes occur, including the date, originating request, approving authority, employee action and system action, and how is this information made available to the borrower; (f) what recourse does a borrower have if access is removed incorrectly or without authorization; (g) what internal communications are created within Farm Credit Canada when concerns arise about a borrower account, including emails, notes, system narratives and any other type of communication; (h) when employees internally discuss a borrower account, what requirements are in place to document the (i) issue being considered, (ii) rationale for decision-making, (iii) individuals involved in those decisions; (i) what policies exist to ensure that any internal discussions about a borrower are disclosed or communicated to that borrower; (j) under what circumstances is Farm Credit Canada permitted to make decisions affecting a borrower's account without contacting the borrower; (k) what internal criteria or thresholds must be met before Farm Credit Canada can (i) delay communication with a borrower, (ii) avoid contacting a borrower, (iii) proceed with decisions without a borrower's input; (I) are employees required to document why a borrower was not contacted before or after decisions affecting their account were made; (m) what oversight exists to ensure that communication with the borrower is not intentionally avoided or delayed; (n) when internal records indicate that decisions were made without contacting the borrower, how is that reviewed or audited; (o) are there internal escalation requirements when (i) a borrower is excluded from discussions about their own account, (ii) decisions are made without a borrower's awareness, and, if so, what are the requirements; (p) what policies ensure that all material decisions and communications regarding a borrower's account are fully documented in Farm Credit Canada's system records; and (q) what internal review process is triggered when Farm Credit Canada records later show no explanation or incomplete documentation for a decision affecting a borrower?

With regard to Veterans Affairs Canada's disclosure of veterans' personal information to Partners in Canadian Veterans Rehabilitation Services under the Rehabilitation Services and Vocational Assistance Program: (a) how many veterans' complete personal files have been transferred to Canadian Veterans Rehabilitation Services since the commencement of the current contract in November 2022, broken down by year; (b) what is the legal basis for each transfer and does Veterans Affairs Canada rely on consent under section 8(1) of the Privacy Act, the consistent use exception under paragraph 8(2)(a), or both, and how was that legal basis determined; (c) what categories of personal information are included in each transfer and do any limitations exist on the scope of information transmitted, and, if so, what are they; (d) are records originating from National Defence such as the Member Personnel Record Resume and military medical and psychological records included in the transfer; (e) what is the summary of the Information Sharing Agreement governing Canadian Veterans Rehabilitation Services handling of veterans' personal information that exists as required by sections 4.2.33 to 4.2.37 of the Treasury Board Directive on Privacy Practices; (f) has Veterans Affairs Canada assessed whether Canadian Veterans Rehabilitation Services maintains audit logs sufficient to demonstrate compliance with Privacy Act obligations, and, if so, what are the details, including the findings of the assessment; and (g) has Veterans Affairs Canada assessed whether the privacy notice contained in form VAC 2501, Section F, constitutes meaningful, informed, specific, and documented consent as required by section 4.2.23 of the Directive on Privacy Practices, and, if so, what are the details, including the findings of the assessment?

With regard to the consistent use exception under paragraph 8(2)(a) of the Privacy Act and the government-wide enforcement of the Treasury Board Directive on Privacy Practices: (a) which authority is responsible for independently validating departmental consistent use determinations, and what process governs that validation; (b) what are the details of any internal guidance, criteria, or decision framework the Treasury Board Secretariat maintains for assessing whether a departmental disclosure qualifies as consistent use under paragraph 8(2)(a), and how is that framework publicly available; (c) does the Treasury Board Secretariat's position that section 4.2.23 of the Directive on Privacy Practices does not apply where paragraph 8(2)(a) is invoked reflecting an official institutional position, and, if so, under what delegated authority was that interpretation made and by whom; and (d) what mechanism exists to ensure compliance with the Directive on Privacy Practices when a department invokes paragraph 8(2)(a) to authorize disclosure of sensitive personal information to a third-party contractor, and has that mechanism been applied to Veterans Affairs Canada's disclosure practices under the Rehabilitation Services and Vocational Assistance Program?

With regard to election security and the amendments made to the Canadian Elections Act, as proposed in Part 4 of Bill C-4, An Act respecting certain affordability measures for Canadians and another measure: (a) was the initial decision to pursue the amendments made in response to (i) the ongoing litigation proceeding in British Columbia regarding whether federal political parties are subject to provincial privacy legislation, (ii) the decision of Delegate Loukidelis dated March 1, 2022, (iii) the decision of Justice Weatherill of the British Columbia Supreme Court dated May 14, 2014, (iv) the British Columbia Office of the Information and Privacy Commissioner's pending investigation of the federal political parties; (b) what are the details of how the initial decision to pursue the amendments to the Canadian Elections Act was made, including (i) the date on which the policy direction to pursue these amendments was first approved, (ii) the ministers, ministerial offices, departments or central agencies that authorized proceeding, (iii) whether the amendments were developed in response to concerns related to election integrity, foreign interference, or data-driven campaign practices, (iv) why the similar amendments already made to the Canadian Elections Act via Bill C-47, from the first session of the 44th Parliament, were considered inadequate; (c) what are the details of the policy development pathway, including (i) summaries of any briefing notes, options analyses, or interdepartmental memoranda, (ii) identification of any alternative approaches that were considered and rejected, (iii) any consideration of options that would have subjected political parties to independent privacy oversight or enforceable data-protection standards; (d) which actors influenced the final approach adopted and how, including (i) the names of any political parties, campaign organizations, data-analytics firms, or other external advisors, that provided input, (ii) the nature of each actor’s input, (iii) which, if any, of these actors raised concerns regarding data access, targeting capabilities, or regulatory constraints; (e) was the lack of independent cybersecurity oversight identified as a potential national security risk; (f) were any independent officers of Parliament or oversight bodies, including the Privacy Commissioner of Canada, the Chief Electoral Officer, or officials responsible for election-security and foreign-interference mitigation, consulted, and if not, why; and (g) is the government doing anything to address the concerns raised by the Commissioner of Canada Elections, in their brief submitted to the Standing Committee on Finance on October 20th, 2025, including concerns about (i) lack of enforcement powers, (ii) lack of resources to enforce the provisions, (iii) lack of clarity regarding the provisions’ scope?