The Standing Committee on Access to Information, Privacy and Ethics recently released a report to the House of Commons about suggested amendments to the Privacy Act. The report outlined and gave opinions on twelve quick-fix proposals put forth by the Privacy Commissioner of Canada. The Privacy Act was enacted in 1983 and serves the purpose of protecting personal information that the government collects from citizens, whereas its younger counterpart, PIPEDA, was enacted in 2000 to serve the same purpose in the private sector. The report stated that the Privacy Act “has largely remained unaltered since [its inception]” and is a “first generation approach to privacy protection”; the Committee therefore emphasized that a major overhaul of the legislation is required. However, it also believed that the quick fixes it recommended could serve as helpful major steps to modernize the Act in the meantime.
The Committee agreed with amendments for: providing the Office of the Privacy Commissioner of Canada with a clear mandate to educate the public about privacy issues; eliminating the requirement that the Act only apply to recorded information; requiring government agencies to report to Parliament on a broader spectrum of privacy-related activities than they already do; requiring that Parliament review the Act every five years; and setting minimum requirements for security safeguards protecting personal information. It is almost surprising that the Act has some of these shortcomings in the first place. For example, because only recorded information is covered, technology such as live surveillance cameras and DNA swab information would not fall within the protection of the Act. At the same time, it should be noted that many government agencies may already be practicing policies that go above and beyond the statutory requirements; a Treasury Board directive on the security of information is one such example, though its effectiveness was questioned by the Commissioner.
The Committee was also generally supportive of the recommendation to strengthen the provisions governing the disclosure of personal information by the Canadian government to foreign states, such as by having particular requirements in written information-sharing agreements. This was apparently the quick fix that was the subject of the most discussion amongst the various parties at the hearings. The Commissioner specifically proposed that information given out to foreign governments have “a reasonable and direct connection to the original purpose for which the information was obtained” in addition to the requirement that the information also be for the purpose of administering or enforcing the law, as found in section 8(2)(f) of the Privacy Act. Notably, CSIS and the RCMP did not endorse this quick fix. CSIS believed that it could not have written information-sharing agreements with other countries because a lot of them would not agree to this, and moreover, that its internal policies already dictate that it consider the records of countries requesting information and scrutinize the reasons for requests. The RCMP also argued that its current practice of dealing with information requests on a case-by-case basis was sufficient, and that legislating specific requirements would not allow for flexibility to deal with potential circumstances where information ought to be shared.
Other potential quick fixes discussed include: broadening the grounds on which citizens can seek review by the courts of agency decisions denying access to their information, and allowing for remedies as well; allowing the Office of the Privacy Commissioner to speak more freely to the public about the privacy management practices of government agencies, especially in cases of public interest; and giving the Commissioner more discretion to prioritize the privacy complaints it hears. By allowing citizens to more easily bring issues to court, it was argued, further judicial interpretation could clarify aspects of the Act, and this would be a more meaningful way of keeping the government accountable. Due to current confidentiality constraints, the Office of the Privacy Commissioner cannot be as forthcoming as it would like about the matters it deals with; it was argued that allowing more freedom would better serve the public interest, uphold confidence in the Office, and even encourage stricter compliance within government agencies. Under the current Act, the Commissioner must hear all privacy complaints brought forward and cannot distinguish between serious and frivolous ones, which has resulted in a backlog. The Commissioner felt that it would be more efficient if the Office had the ability to prioritize and even throw out cases that it deemed were a waste of resources. The Committee recommended that these potential quick fixes be given further study and consideration.
In its report, the House of Commons Committee mentioned that privacy rights are quasi-constitutional in nature, and so it is important that they be protected. It was noted that the Privacy Act should at least meet the same minimum standards as PIPEDA, since citizens usually have less of a choice when divulging personal information to the state as opposed to other private parties. Considering only the changes in technology over the past quarter of a century, it does in fact seem like a major overhaul of the Act is warranted. Whether some of these recommended quick fixes will be effective without being too much of a hindrance to government agencies, and whether they can even be put into law in a timely fashion, is anyone’s guess.