[Recorded by Electronic Apparatus]
Tuesday, April 8, 1997
[English]
The Vice-Chairman (Mr. Andy Scott (Fredericton - York-Sunbury, Lib.)): I call to order the meeting of the Standing Committee on Human Rights and the Status of Persons With Disabilities, pursuant to Standing Order 108(3), on a study of new technologies and privacy rights.
I welcome our witnesses. We have with us from the Department of Industry, Michael Binder; from Treasury Board Secretariat, Paul Rummell; and from the Department of Justice, Denis Kratchanov.
Before I call on a representative of each department to introduce the other participants, I would simply like to advise you of what we have done to date. More than a year ago, in considering what challenges face the country in the area of human rights, the committee was struggling with the question of the impact of technologies on human rights in a general sense. To help us decide whether or not to elaborate on our curiosity, we held three round tables in the spring during which we discussed a full range of issues around human rights and technologies. Following those three round tables we decided we would have to narrow our focus. As a consequence, we undertook public consultation here and across the country in three areas dealing with privacy and human rights - that is, data collection and use, video surveillance, and DNA genetic testing.
Coming at this issue from the side of government and liking to think of ourselves as operating at best benevolently and at the very least ambivalently, we considered ourselves to be the great protectors. However, we found ourselves being characterized as the perpetrators. Not to pass along that mantle to any of our witnesses, but to some extent we've been forced to look at this issue not only in the context of legislation we would wish to pursue, or whatever form that protection would take in terms of the private sector and outside agencies, but also as it relates to the work we do. As a result, we've asked the departments before us to perhaps elaborate on some of these issues as they relate to their departments. Then we will put questions to them.
We've pre-arranged that we're going to give each department maybe five minutes to make a presentation and to then be open to questions. I would ask Mr. Binder from the Department of Industry to introduce the people with him.
Mr. Michael Binder (Assistant Deputy Minister, Spectrum, Information Technologies and Telecommunications, Department of Industry): Thank you, Mr. Chairman.
I would like to start by introducing Helen McDonald, who is our director of information policy and planning. We have a deck of about five slides, which we've circulated to everybody, and maybe Helen can take us through this deck in about five minutes or so.
By way of introduction, I would just like to reinforce some of the concerns and issues that are facing us. We in the Department of Industry have been working on this problem and these challenges for a long time. As we move towards the so-called information society, where presumably everybody will go online and do commerce, entertainment, education and various other kinds of transactions, this concern will become more and more visible, and we need to come up with some solutions. Even though many of the problems are new and occur as a result of technology, it is my belief that in fact it will be technology that will find solutions.
So with this kind of introduction, I'd like to pass it over to Helen, who will take us through the deck of slides.
Ms Helen McDonald (Director of Information Policy and Planning, Department of Industry): Thank you.
On the first slide we basically give some of the reasons the Department of Industry has been so concerned about the privacy issue. The 1992 Ekos survey was perhaps our best-known one, but also Equifax or any of the other surveys show a high rate of Canadians concerned about privacy. They feel technologies, in particular computer technologies and networks, have robbed them of a sense of privacy, and they want government to do something about it. They don't trust industry to do it alone, and they feel a partnership would work. But they want someone to look after these concerns for them.
Business, surprisingly enough, is starting to recognize there's a market for them in privacy, that providing privacy protection for their client employee information is good business. One of their concerns is that there be a level playing field - that if the government does act, could we please provide a level playing field that doesn't just hit parts of the industry and leave the rest untouched. Even the Canadian Federation of Independent Business in a recent survey of its members found a bare majority now in favour of legislation because it would provide a clear set of rules for information management and it would provide a level playing field.
We've also had a series of government advisory reports telling us we should be acting on privacy, that voluntary self-regulation by industry is not working or is insufficient in a globally networked environment where many countries are bringing in legislation. Most recently, in the Information Highway Advisory Council report they asked us for a light legislative framework.
Quebec has acted. It's the sole jurisdiction in North America that has provided comprehensive legislation in the private sector, and one would not wish to see data-flow blockages arise. The European Union has passed a directive calling for all their countries to pass legislation by October 1998, and again there is a spectre of data blockages if the recipient countries do not have adequate levels of protection.
So the government in its information highway action plan last year committed itself to bring forward proposals for legislation.
The Department of Industry does not see legislation as the only way of dealing with privacy concerns. We really think there should be a tool-kit approach, a multi-pronged approach: that legislation is complemented with voluntary sectoral codes where industries are allowed to fine-tune a set of standards for their own particular circumstances; that we encourage the use of privacy-enhancing technologies, such as the replacement of paper cash with electronic cash that provides some of the same anonymity in payment systems; and that we use public key technologies to provide confidentiality to messaging and stored data. We also think that consumers ought to be aware of some of the privacy implications of new technologies and to be encouraged to protect their own information. Finally, we believe in a light and flexible regulatory framework.
Where are we today? You've probably already heard of or seen the CSA model code. I have a few extra copies. CSA issued its model code for the protection of personal information in December 1996 to rather widespread acclaim. It's something we're promoting in international standards fora as a possible privacy standard that would have an international presence, and therefore would help Canadian businesses in trying to demonstrate that they are compliant with various privacy legislations in other countries.
We've been promoting the use of privacy-enhancing technologies through various symposia held in Ottawa, to which we invite privacy commissioners, advocates, and businesses because traditionally the opponents of technologies have been privacy advocates who fear that technology invades privacy rather than helping to address privacy concerns. We are funding a web site that tries to provide educational material to children and teachers to make them aware of how they can put their privacy at risk and what they can do to protect it.
In terms of legislation, we have been consulting with various industry groups, consumer groups and privacy commissioners. We are proposing to put out a consultative paper suggesting some legislative options and seeking public comment on them. We are in the midst of drafting that up with our partner, the Department of Justice.
We are also engaged in a federal-provincial working group. It stemmed from the September 30 meeting of federal, provincial, and territorial ministers on the information highway. They decided that privacy was an important thing. They were looking for the possibility of reaching a consensus on a uniform national privacy standard, and we are hoping the CSA code will meet that test. They asked officials to look into various means of implementing such a standard, including legislation. So our intent is to try to encourage provinces to act as well, since jurisdiction over commercial transactions is shared and it only makes sense if everyone acts in a harmonized fashion.
The next federal-provincial meeting of ministers is scheduled for June. If an election is called it's likely to be bumped, but privacy will be one of the items on it.
The last two slides simply summarize the ten CSA principles. They're really a set of fair information management practices. You get the consent of the data subject when you collect information. You allow the data subject to review the information held on him or her and correct it. You don't collect unnecessary information, and you delete out-of-date information. They just make sense. They're not punitive measures. They're good information management practices. Therefore, I think that's why you will see that many firms doing business in Canada will change their information management practices to suit the Quebec legislation, because, again, it often makes sense.
I have additional copies of the code in both French and English if anyone is interested in a copy, or I could leave them here and provide additional ones.
Thank you.
The Vice-Chairman (Mr. Andy Scott): Thank you very much.
Now I will call on the Treasury Board and Mr. Rummell.
Mr. Paul Rummell (Chief Information Officer, Treasury Board Secretariat): Merci, monsieur le président. Mon nom est Paul Rummell. On March 1, 1997, I took the position as the chief information officer for the Treasury Board Secretariat. I have with me today Mr. David Brown, executive director of the information policy division of my branch, and Ms Mary Ann Stevens, a senior policy officer from the same division.
In my capacity as chief information officer, I have begun to familiarize myself with a number of important issues related to the role of information technology and how it can be an effective process in delivering quality services to Canadians. A few issues that fall within the CIO's mandate capture the popular imagination to the extent of those you are discussing with this committee. I appreciate the opportunity to share our approach with you.
The Treasury Board Secretariat, as I'm sure you're aware, supports the President of the Treasury Board in the fulfilment of his responsibilities. Traditionally, these responsibilities have meant establishing and providing information on government-wide approaches to the management of financial and personnel resources. Almost 20 years ago, information was recognized as a resource and a responsibility for government. Information management policy was brought under the purview of the Treasury Board Secretariat.
The government has recognized the potential of information technology to enable profound transformations in the way government works and to support a redefinition of that work. Managing information resources has always been an important part of the business of government, and information technology, or IT, has extended the possibility of new, more effective and efficient ways to fulfil this role.
IT provides us with a means to improve the quality of service to Canadians by delivering more accessible and affordable government by, for instance, providing Canadians with anytime access to government publications to the Government of Canada web site. In its role, the Treasury Board Secretariat provides leadership within government in the use of information technology.
As the chief information officer, it is my role as the chief IT strategist to identify areas in which technology can be used responsibly in order to support the business of government. It is precisely because of such considerations as the need to achieve a balance between efficiency and the rights of the individual that I have been given this combination of responsibilities.
The chief information officer branch oversees the information technology policy, the government security policy, and the policies governing privacy and data protection. In a recent speech, the Secretary of the Treasury Board, Peter Harder, stated that before the government can make any major breakthroughs in exploiting information technology for quality service delivery, the Treasury Board Secretariat must resolve key concerns like privacy of information and client identification.
We are all very much aware of the pressure on government to improve efficiency and to rethink the way it interacts with the Canadian public. We want the government to be able to take full advantage of the opportunities new technologies offer to stream delivery of government services within a framework of respect of the privacy rights of the individuals we are serving.
The Privacy Act, as you know, applies the principles contained in the OECD guidelines to the federal government and all the personal information it collects, uses, and keeps in all formats. The act itself demonstrates a balancing of principles of privacy within the practical aspects of government management. While it does not prohibit sharing of personal information, it sets out the framework within which such sharing may take place. An example of this is the provision of the Privacy Act that removes the presumption of protection from certain information about individuals receiving discretionary financial benefits. The balance in the act reflects Parliament's decision that the need for transparency in the government's financial transactions exceeds the individual's right to privacy within this context.
I should stress that while the President of the Treasury Board is responsible under section 71 of the Privacy Act for issuing directives and guidelines to government institutions in the operation of the act, the head of each department or agency is responsible for the application of the act and Treasury Board policy within his or her institution.
One of the policies I know you have heard about from previous witnesses is the government policy on data matching and control of the use of the social insurance number. This policy was developed in 1988 to address the very concerns you're addressing in this committee. At the same time, the government examined the possibility of restricting the use of the social insurance number through legislation. The decision was that the federal government should address the issue internally, and the policy on restricting the use of the social insurance number was the outcome of that.
A result of the policy was the project to replace the social insurance number with the employee number for the federal public servants. I know the data-matching issue has been garnering a great deal of attention both within the public service and before this committee.
The Treasury Board policy on data matching requires that the departments go beyond verifying the legality of any matching proposal. It requires departments to conduct a feasibility assessment which, among other things, assesses the legality of the proposed match, its likely impact on the privacy of the individuals covered and its relative advantages against alternate control or enforcement mechanisms. Departments must also conduct a cost-benefit analysis of proposed data matches and provide the privacy commissioner and the public with a notice of intended matches.
I think there is agreement that there are times when data matching is an appropriate activity and there are times when it is not. The more difficult question is where and how to draw the line. There are policy guidelines. We assist departments as they work to find that line as it applies to their particular circumstance. In my branch and in the entire Treasury Board Secretariat, we are pursuing the objective of getting government right. With respect to the privacy of Canadians, this is definitely a part of that objective.
I have read your consultation package with interest. I congratulate your researchers on a thought-provoking paper that provides an excellent basis for discussion. We are open to receiving your questions and look forward to receiving your recommendations.
The Vice-Chairman (Mr. Andy Scott): Thank you very much.
Now we will hear from Mr. Kratchanov from the Department of Justice. Maybe you could introduce the others with you.
[Translation]
Mr. Denis Kratchanov (Counsel, Public Law Policy Section, Department of Justice): Thank you, Mr. Chairman. My name is Denis Kratchanov, Counsel in the Public Law Policy Section. I am accompanied by some of my colleagues from the Department of Justice: Michael Peirce, Counsel in the Human Rights Law Section, and Andrea Neill, Senior Counsel and Director of the Information Law and Privacy Section. Some of my colleagues from Criminal Policy will also be joining us a little later on this morning.
As you undoubtedly already know, the issue of privacy is linked to several Department of Justice responsibilities. Under the Act governing the department, the minister is responsible for ensuring that the bills introduced by the government are consistent with the Canadian Charter. As you also know, it is the Charter that offers Canadians a certain amount of privacy protection.
The department also provides federal institutions with advice on interpreting the Privacy Act. The department monitors the evolution of the Act in order to ensure that it continues to adequately deal with privacy issues.
This responsibility for privacy issues takes shape in different ways. First of all, as mentioned, the department works in partnership with the Department of Industry and the Treasury Board Secretariat. It supports the Department of Industry in preparing legislative proposals designed to protect personal information in the private sector and supports the Treasury Board Secretariat in administering the Privacy Act. I will not say anymore about that, because I think that these issues have been covered sufficiently by my colleagues.
One aspect that has not perhaps been covered by other departments is that of criminal law and privacy, which is at the heart of several department initiatives in this area. An example is the Act adopted two years ago that permits a collecting of samples of body substances for genetic testing, and the bill currently under consideration designed to protect the personal file of a complainant or a witness in sexual assault cases.
[English]
The work your committee has done since last fall is of direct interest to the Department of Justice, as it could help us to develop new initiatives to address those privacy issues you will identify as requiring government intervention. You can be assured that we are looking forward to seeing your recommendations.
My colleagues and I would now be pleased to respond to your questions.
The Vice-Chairman (Mr. Andy Scott): Thank you very much.
I'll turn first to Mr. Bernier for his questions for any and all the witnesses.
[Translation]
Mr. Maurice Bernier (Mégantic - Compton - Stanstead, B.Q.): Thank you for making yourselves available to contribute to the work of our committee. I would like to start by apologizing, because I will have to leave at twelve to go to a previously scheduled meeting. Initially, our committee was to meet at 1:00 p.m. Unfortunately, I could not postpone the meeting.
I have several questions for you. They are not trick questions. I do not intend to trap you; I want us to delve into the issue more deeply in light of the report we will have to draft shortly.
In studying the issue of privacy and in holding our consultations, we have focussed on three topics: radio surveillance, genetic testing and personal information.
My question deals with personal information. Despite all the protection that we have equipped ourselves with, especially in Quebec which has privacy legislation that goes farther than what exists elsewhere, we have noted that difficulties in this area arise on a daily basis. The most recent report of the Quebec Auditor General contains evidence of that. The Privacy Commissioner also denounced several situations, as did the ombudsman.
Since you are all experts in your respective fields, I ask you if you think personal information belongs to the person it concerns or to the institution that holds it, be it public or private. In other words, does my personal Revenue Canada file belong to me or to the department? To me, this is the basic issue. It is a fundamental principle that we will use to establish the rest of the legal framework we want to put in place.
We have read the privacy charter adopted in Australia. It is a very important and interesting document. Have you read it and do you believe that we would be better protected if we were to adopt such a charter? If yes, how would we be better protected?
I do not know who wants to answer. This is perhaps the $64,000 question.
Mr. Kratchanov: I can answer part of your question. I admit that I have not read the Australian charter and so it is difficult for me to comment on that.
Is legislation enough to solve privacy-related problems? I think that the answer is clearly no. Our Criminal Code defends against murder, but murders are still committed. We will not be able to prevent these problems from arising by simply enacting legislation.
Certain elements must be added to the legislation, including public education, which is very important, and the appropriate technological measures to ensure, especially in our current environment, that electronic data can be protected. I am thinking namely of methods like encryption. That is my answer to the general part of your question.
At the start, you talked about ownership of the information, and you asked if it belonged to the individual or the institution. I do not think that there is a definite legal answer to that. The spirit of the Act we have at the federal level, the Privacy Act, is that the government or the federal institutions are the guardians of the information they collect and are accountable to individuals for the management of this information. It is not easy to determine who legally owns the information.
Mr. Maurice Bernier: I do not necessarily want to know who the legal owner is in the current context. I want to know your opinion and your colleagues' opinion on this topic.
I will repeat my question. Do you feel that the information concerning me belongs to me and that I should be in a position to use it as I see fit, or at least check the accuracy from time to time, and decide who should obtain this information? Does this information belong to me or the institution? Regardless of which institution takes possession of it at any point in my life? That is the sense of my question. I am not saying that the legislation says that; I am asking you if it is a basic principle we should use to govern ourselves.
Mr. Kratchanov: I think that it is a basic principle that already underlies the entire privacy philosophy as it has developed since the late 1960s. The theory that has been developed and that is contained in several international documents is that individuals should be able to control information on them. Now, I must obviously add that this is not an absolute right. For example, just think about police investigations where police officers collect information; individuals have no control over what police officers do with the information, in accordance with certain clearly identified guidelines.
The principle underlying all privacy philosophy is that individuals should be able to control the information concerning them, subject to some exceptions. That means that when individuals give private information to a business or to another individual, they provide this information for a clearly defined purpose and for this information to be used for another purpose, prior consent must be obtained.
Mr. Maurice Bernier: Could I ask the witnesses from Industry Canada or Treasury Board for their opinion?
[English]
Mr. David Brown (Executive Director, Information and Communications Security Policy, Treasury Board Secretariat): Just to add to what Mr. Kratchanov was saying, speaking from an administrative perspective, the Treasury Board perspective, the Privacy Act talks about information held by a government institution or information under the control of an institution. From our perspective, I think there's an underlying notion of stewardship. This is other people's information. It's personal information that's been provided to government on a certain basis. In many cases, or perhaps in most cases, it's information that people have been obligated to give to government because either there's a statutory requirement or it's in exchange for a service.
In a sense there are two levels. To begin with, our presumption is that we have responsibilities while the information is under our control, although the basic premise is that in the case of personal information the individual also has certain rights, if you like, in order to maintain control of his own. We can only share it with third parties with the agreement of the individual and so forth. There is a whole series of protections under the act.
Other government departments may have talked to you in these terms, but we're very conscious of the fact that there's a basis of voluntary compliance even when you get to something like the census or income tax. We have to rely on people being willing to tell the government the truth about themselves, and if we don't maintain a level of trust on the part of the public as it provides information to government, we'll lose the quality of the information that turns that information into a resource. In other words, we risk doing damage to the goose that's laying the golden eggs, if you want to put it in those terms. We have both an operational and I think a legal requirement to respect the control.
The Vice-Chairman (Mr. Andy Scott): Mr. Binder.
Mr. Binder: Putting aside law for a second, in terms of policy we're learning as we go along. Let me give you an example that you're familiar with. There is the Access to Information Act and there is the Privacy Act. This is about really trying to have a balance between the collective need to know and the private need to protect personal information. You couldn't have had this recent debate about some travel expense accounts without access that presumably talks about the need for the public to know.
You're going to have this in practically every field. In the health field you're going to lean more towards protection of the private information. In the law enforcement field you're going to lean more toward the collective good.
It's in fact who controls the information and to what end you use this information that's important in this debate. It's if I know what my personal data can be used for. It's the authority to give the police or income tax people or my boss access to some information. I can live with that. It's not knowing what it's being used for that is a problem. That's something we're trying to avoid. We're trying to put some transparency and certainty into the system.
The Vice-Chairman (Mr. Andy Scott): Thank you very much.
Because Mr. Bernier has to go, I'll allow him one more brief intervention, and then Ms Hayes.
[Translation]
Mr. Maurice Bernier: I would like to take our discussion a little further. Our witness from the Treasury Board Secretariat alluded to the need for trust between the individuals and the government when the information is passed on. Our taxation system, among others, is based on that fact.
What the Australian charter and our discussions with various witnesses have told us about privacy is that we must not assume that a person has committed fraud if he refuses to provide his boss with information on his tax file, for example.
I will give you a very specific example: CANPASS enables travellers to transit to through Vancouver Airport to the United States more easily. You can obtain a card that you use to travel to the United States that will enable you to cross the border without being checked. But you have to apply for the card to obtain it. The card is issued to holders who are not in trouble with the tax department, the law, etc. Two situations can occur in a case like that. If an employee refuses to apply for a card, his or her boss may think that there is a problem somewhere. The boss may start asking questions. Does the employee have a criminal record? Does he or she owe Revenue Canada money? On the other hand, the employee can apply for a card and be rejected. There again, his or her boss will ask the same type of questions. That is one aspect of the problem.
The other aspect is that there are agreements between the United States and Canada on information exchanges. Even if we are told that our file is well protected and that only the required information is passed on, is there not the risk that individuals' files, criminal records if they have one or taxation files will be in circulation in the United States and even outside the country? That is a major problem. That is why I ask who owns the information.
Of course, I realize that citizens are required to provide organizations like departments with some information when, for example, they fill out forms for old age security, social assistance or unemployment insurance benefits. However, when the department or the private company holding the information decides that it is the owner and that it can use the information as it sees fit, we have a problem. That's why I raised the question.
It goes beyond the issue of trust, because it can be assumed that someone who refuses to provide this information is in trouble with some organization. I do not know if you have any comments; that was not really a question.
[English]
The Vice-Chairman (Mr. Andy Scott): Does anyone feel compelled to respond to his comments?
Ms McDonald: You're bringing up an interlocking series of issues. One of them is, are we collecting too much information? Do you really need your tax records in order to determine whether you should have this CANPASS? That was one of the fair information practices in the CSA standard: you should only collect what you need to make that decision.
Then there was the related issue of, if I collect that information from you, can I sell it, outsource it to a third party, or use it for other reasons that I had never discussed with you when I originally collected it? That goes to the issue or the principle of informed consent: do you know what you're getting into when you ask for this? You individually may decide you're willing to have this information used in this way because you think there's an advantage to you getting that pass.
What we're trying to do with the legislative approach is move that marker, if you like, a little closer to meaning your personal information is your information and you have some control or some ability to determine how it's used. I don't think it's therefore going to flip it from meaning the information was never yours to start with into meaning all your personal information is your right to sell and resell, but I think it's going to move it a little closer so you have more ability to determine what happens to your information.
The Vice-Chairman (Mr. Andy Scott): Mr. Brown.
Mr. Brown: I have two things to add to what Helen McDonald was saying.
We're into situations, and the whole legal and policy framework is set up to ensure that the basic principles in the legislation or in the policy are applied in context. These things have to be worked through and thought through. Looking for an arrangement that does respect the basic principles of privacy and yet at the same time ensures that we get the convenience the technology offers - that's the constant balancing act.
When you look at an example such as CANPASS, from our perspective, one of the key points to remember is this is a facility being offered. It's a voluntary arrangement. For us the important point is that the specific dynamics of privacy protection are addressed and people have an opportunity to recognize what they're getting into when they get involved in that arrangement. Clearly you want to be sure there's not unacceptable damage done to personal privacy, and I guess companies individually will have to think it through. The kind of situation you're describing could arise. Does this become an issue within the company? That's something each company is going to have to address for itself.
The Vice-Chairman (Mr. Andy Scott): Thank you very much, Mr. Bernier. Ms Hayes.
Mrs. Sharon Hayes (Port Moody - Coquitlam, Ref.): Thank you, Mr. Chairman.
I have two levels of questioning. I'll go to the more specific one first, just to make sure the time is there, because in some respects I feel this is the more important question as it applies to something that's happening in my constituency and in all constituencies across Canada.
Specifically it's to do with the census survey that Canadians are facing right now. I've had feedback from individuals who quite literally take offence at having to answer that. They feel it's an infringement on their rights of privacy as individuals in Canada. That's the detailed census survey that does take quite a bit of time as well as going into extreme detail.
Facing such a group of very professional and knowing people in each of these departments, I would be very interested in knowing your opinion on the enforcement of that privacy issue that sits there with the census. I believe it's a fine; I don't know if it includes imprisonment or not, but maybe you would know what the actual enforcement provisions are if they refuse to answer that questionnaire. And do you feel that's appropriate?
I believe in B.C. there's a potential of a charter challenge to that, and I was wondering if you'd know anything about it. In fact that may be in process right now.
More globally, if we're looking at government departments asking individuals to go beyond what they feel is their privacy limit, whether it be in future with a smart card or whatever, what the future potential would be for government to enforce measures that people feel infringe on their privacy rights, is this a shadow of what might come if we go beyond people's comfort level and what you would see as Canadians' rights and responsibilities in this area?
We're on the human rights committee right now, and we talk about the rights and responsibilities of citizenship. I know in the past we've talked about responsibilities of citizenship, and actually there is no charter of responsibilities. It seems to be a responsibility to answer to some of these things if you're a citizen. Is that indeed the case, and if so, should that be maybe part of a charter of responsibilities of Canadian citizenship? So we're into a big thing here, but as to just those specific questions, perhaps the justice department would be the one to answer this.
Mr. Kratchanov: I must say I'm not an expert on the Statistics Act, although on the question of StatsCan conducting the survey that's done every five years, I think, that's a special case where the protection that's in the Privacy Act is not the only protection that exists for the personal information collected for the survey. The Statistics Act contains much more stringent provisions protecting that information.
As to possible infractions, frankly I'm not sure what the Statistics Act says about that. From knowledge, I can't remember any instance that has come to light where the Statistics Act has been violated or there has been a claimed infringement. I'm not saying it can never happen. Certainly it's a possibility.
Whether or not the penalties that are there are sufficient or whether or not the questions that are being asked are the right questions, I think that's something that is always debated at the time of the survey, but ultimately the test is one that Parliament decides. It decides that having a survey is something of value to Canada in order to decide some social policies or other important issues facing Canada and that these concerns are more important than perhaps the privacy intrusion that is felt by the people having to fill out the detailed questionnaire. But that is a balance that Parliament itself is doing.
Mrs. Sharon Hayes: I know of individuals who have refused to fill this out, and I know there is a monetary penalty, in any case.
The other question I would have that maybe you could clarify is, for an actual survey, from StatsCan, for instance, I don't think we would get the survey to review as Parliament to be able to determine if that particular survey infringes on a citizen at that time. So is it sort of a carte blanche to StatsCan to say you can ask whatever you want and they'll just have to do it? Is that what Parliament would end up doing eventually?
Mr. Kratchanov: It's not for me to say what Parliament should put in the Statistics Act. Obviously there is a need for some discretion on the part of those writing the questions. I don't think Parliament would want to start drafting the questions on its own. It certainly can set some guidelines if it feels that those would be appropriate.
In terms of people not being satisfied or having a feeling that their privacy has been infringed by the survey, they can always complain to the privacy commissioner, and the privacy commissioner can have and in fact has had many discussions with the statistician about particular questions and about general questions concerning the surveys. That's one way particular problems can be handled.
Mrs. Sharon Hayes: So generally, with government, if there is a problem a citizen would take it to the privacy commissioner?
Mr. Kratchanov: Yes. Under the Privacy Act the commissioner has the responsibility for handling privacy complaints coming from any government institution listed in the act. That covers all government departments and many crown corporations.
Mr. Binder: But it's only for government institutions. You raise a good philosophical kind of a question. When does the collective societal need to know override private objection to give this information?
I'm sure if we were not able to collect our statistics on how many Canadians there are in this country and whether they leave and migrate, you would be the first to demand such information in order to make public policy. In fact the pressure now in the information society is to collect more information. You saw what just happened on the jobless numbers and the difficulties in collecting accurate information.
I think it's a good debating point as to where the collective good stops and the private need for privacy starts. It would be useful to hear your point of view after you have done this analysis in terms of advice to us.
Mrs. Sharon Hayes: I guess it goes to the enforcement of it, too. How heavy is the hand that asks, in privacy things?
I was going to ask about the smart card, for instance. If someone is totally uncomfortable with that concept, would it be absolutely mandatory for that person to be involved in a national identification program? Would there be some penalty for not participating? If you see it on a small form, as in a detailed census form, then the bigger form is far broader. How does a Canadian opt out, or can a Canadian opt out?
Mr. Brown: I'm wondering, especially on the enforcement issue, if it's useful to think in terms of two levels of protection and two levels at which there is a balance between obligations on the citizen and the protections that are provided in which they operate. The Privacy Act itself, in a way, provides a basic level of protection for all personal information provided to government.
The enforcement mechanism has a number of dimensions to it, but the key part of it is the role played by the privacy commissioner. He or she is an ombudsman who does not have any legal powers to require anything to happen but does have enormous powers of investigation and publicity. I've heard it described as a kind of alternative dispute resolution type of role. That applies to all information held by the government, except where a more stringent regime has been put in place.
The census is an example. One way of looking at it would be that because for business reasons the government attaches particular importance to getting accurate census information, it is therefore imposing a tougher obligation on the public to provide that information. At the same time, on the other side of the coin, it is also providing tighter protection for that information once it's provided to government.
Information that's provided to the Statistics Act has a very strong wall built around it from the point of view of data-matching and data-sharing within government. Essentially, it is not possible - I think we can attest to that as well as the privacy commissioner - for what you tell the census taker to find its way into the hands of another department. If it does, it will be under extraordinary circumstances that would require an extraordinary response.
I guess there's been a judgment made in the past that because of the importance of that information, you need to attach some penalties to it. There have to be some sanctions on the individual for non-conformity that bite a little more than the more normal day-to-day circumstances, where those sorts of penalties don't attach.
On your specific question on the smart card, from a central perspective - the role we have within government - we would say at this stage that's a hypothetical question. We're not aware of any department that has active plans to use smart cards as part of its relationship with the public. There's clearly a lot of interest being taken in the possibilities, but at the moment we're only aware of a couple of active programs within government. Both are pilot projects and both are with respect to employees and especially things like building access to computer machinery and so on.
Our policy has a requirement within it for departments to carry out a business case and a privacy impact kind of analysis, to really work through whether the kind of pressure a smart card puts on personal information is justified by the business return, and whether the requirements for protection of personal information can be adequately met. Departments have to go through that. They have to consult with the privacy commissioner and really arrive at a level of comfort that's doable, while respecting the Privacy Act requirements.
We're still some distance away. I guess there's the one case, with some discussions going on federally and provincially, but there are a number of steps to go through before they might actually turn that into a government program.
The Vice-Chairman (Mr. Andy Scott): Mr. Godfrey.
Mr. John Godfrey (Don Valley West, Lib.): Thanks very much.
I really have two sets of questions. One is directed to Industry Canada and the other to the Treasury Board folks.
By way of a cheap shot off the top, I was interested in your consumer awareness program for school children on the web, but I began wondering about the grown-ups who perhaps also need to know about this stuff in some readily accessible manner.
Most of what you said really made it seem as if the problem was out there - that this wasn't so directly an Industry Canada problem. What sort of information does Industry Canada have that is of a confidential nature, either about corporations or individuals, that might cause problems if a commercial competitor knew about it, or if it were matched up with some other data? Let's say it's information a corporation or an individual is obliged to turn over to Industry Canada, so there's no real way out of it. What would you consider to be the core of sensitive information that you hold?
Secondly, under Treasury Board guidelines, with which departments are you allowed or compelled to share that information and under what conditions? Specifically, I might think of Revenue Canada and the Department of Justice as they look around for things. Could you tell us a little bit about what the existing arrangements are for the allowable data-sharing of sensitive information? What's sensitive information and what are the rules or regulations for sharing it?
Mr. Binder: Speaking for Industry Canada and at least my shop, we have commercial information particularly with respect to licensing applications - spectrum licences, telephone licences, etc. We are very strict. Nobody gets to see this information outside our... In fact, even in Industry Canada we don't share this information. If part of this information is in the public domain, in the call for application we explicitly say which part will become available.
Normally, we tell the companies that we are under the Access to Information Act provision and there are certain things we cannot protect and certain things we can protect. If it's of a commercially competitive nature, we protect it and nobody gets a copy of it.
Mr. John Godfrey: Are you involved in any of the data-matching, data-swapping arrangements that are sanctioned by Treasury Board that - and maybe Treasury Board can come in on this one - if coupled with other information, and I picked Revenue Canada as an example, prove to be more interesting than just single bits of information?
Ms McDonald: I believe that we are involved in the single business number push -
Mr. John Godfrey: Right.
Ms McDonald: - which is also centrally driven. I think it's through our corporations and other areas that are trying to reduce the paper burden, but I'd be hard-pressed to tell you the status of how they see the sharing going on or what kind of safeguards will be built in to ensure that there isn't data matching. I thought it was more one-stop filing in a sense, single changes to go in through one window. This allows you to do a number of things at the same time. I thought that was the purpose of it. I will have to get back with you with more detail.
Mr. John Godfrey: Does anyone from Treasury Board have anything to say on that particular one, the single business number?
Mr. Brown: You used the term ``sanctioned by Treasury Board''. What we sanctioned in that sense is the general guidelines, the procedures that departments are asked to follow. They do not share with us the list of agreements or arrangements that they might have because we operate on the assumptions that they are expected to and will meet the requirements and that their books are open to investigation - to audit, you might say - by the privacy commissioner. So apart from anything else, they would have to keep reminding themselves that they need to answer to the privacy commissioner if a case comes up where this is being looked at. They need to answer to the commissioner about whether the information is being properly shared.
Mr. John Godfrey: Let me then turn to you and talk a little bit about your role, which I'm still a little puzzled by, because I'm still trying to figure out who's in charge here and who is looking out primarily after my interests and has some heft and sanction to do so.
There are a couple of examples that have come before us. One that has achieved the most attention is the situation where Revenue Canada and the unemployment insurance folks were exchanging data on who is leaving the country and coming back in. The data was being put together. In that particular situation, as I recall, the advice of the privacy commissioner was agin it.
Presumably it was - you pick the verb - sanctioned, allowed, tolerated, pooh, you know, whatever...what is the verb? You give me the appropriate verb for you going ahead with your knowledge and not stopping it. Yet in retrospect, there seems to be some feeling that it perhaps wasn't such a hot idea. Even HRDC sort of said something like that, not as bluntly as I put it. So I'm a little curious about that process. That's one example.
The other one, which was brought up earlier, is about CANPASS. In order to get the card, you sign an agreement. There are a whole bunch of government ministries with whom this information can be shared. You voluntarily do it and it's informed consent, but it would seem to violate the CSA standard. First of all, in the CANPASS case, was it Treasury Board who said, yes, this bunch of guys, these people, might have some conceivable interest in the information, so that's all right? And does that meet the CSA test of really needing to know this stuff in order to issue the pass?
That's the second example. In both cases, I'm kind of curious about the role of Treasury Board.
Mr. Brown: I think the place to begin, especially in looking at your issue of who has heft and sanction, is with the role of individual ministers. The way the legislation is structured, the decision in each and every case to apply the Privacy Act is under the authority of the departmental minister, as is the decision to apply it in whatever way the minister chooses to apply it.
Roles for a number of other actors have then been built around that to ensure that ministers and departments are well informed about the requirements of the act, are able to take decisions on an informed basis, and, I guess, it is also a little to anticipate what the likely judgment will be of organizations that have been put in place to review decisions after the fact. And what I have in mind there is the privacy commissioner and ultimately the courts.
That's one thing to keep in mind. There is a process or a place for judicial review in this where we can ask if the legislation has been properly applied. And that's the final arbiter, I think, from our perspective.
The role that Treasury Board plays is, in the first instance, one of taking the legislation... And my predecessors have translated it organizationally in a way. A lot of work was done, especially after the legislation was first passed in the 1980s. It's been transformed into a manual of procedure. I have it right here actually. It's a big, fat document that we'll be leaving with your committee researchers. It tries to take legal requirements and translate them into administrative procedure to operationalize the thing and to get departments to take ownership.
We also provide a network of sharing of best practice - it's a bit of a hackneyed phrase perhaps, but it's very real - among the departments. There is a requirement in the policy for each department to appoint a privacy coordinator who has a role within the department to serve as a voice for the privacy requirements and to work with people in the operational areas and so on.
Another role that we play is the role of ensuring that the departments meet their requirement to provide an annual statistical report to Parliament on the operation of the Privacy Act and the Access to Information Act.
We work very closely with the justice department, for instance, in helping departments stay up to date with jurisprudence. There is now a whole stream of court decisions so there's the whole issue of ensuring that the privacy administration people work with the lawyers in the interpretation.
I come back to my original point though, which is that the way the thing has been set up - and I think this was very deliberate - with regard to the accountability for individual cases, for what happens at the border or especially for the two situations you're describing, from our perspective the ultimate accountability in those cases clearly lies with the individual ministers involved.
There are provisions in the act itself for ongoing parliamentary review of the arrangements and the role played by the courts. If the judgment is that notwithstanding the law, the policy and the role that we play in providing tools to departments, we're not getting the right outcome, then maybe we have to go back and revisit the legislation.
Mr. John Godfrey: I did think I heard the whistling sound of a buck being passed -
Voices: Oh, oh!
Mr. John Godfrey: - because when the folks from HRDC were here and were asked the same question, they said ``Treasury Board said it was okay.'' There was an implicit notion of sanction and of course they were passing the buck back to you. That may be a harsh way of putting it.
So who's in charge?
Mr. Brown: The department is in charge.
Mr. John Godfrey: Their department -
Mr. Brown: Departments do not as a matter of course come to Treasury Board and ask us, ``Is this okay?'' If they're going to go to anybody, it will be to the privacy commissioner to try to get the reaction or the advice of the privacy commissioner. But even in the case of the commissioner, they have to leave themselves a little bit of room to manoeuvre in order to be able to deal with individual complaints as they might arise. The way the thing is structured, the departments are expected to consult with the privacy commissioner, especially at the stage of doing their cost-benefit analysis.
Mr. John Godfrey: I'm really confused now, because I thought that you guys came in somehow or other with regard to these other departments, so when... And I'll just keep going on about Revenue Canada, HRDC and border case. Somehow or other you were players in the situation. You were not just bystanders or observers. You were not told after the fact. Somehow you're involved. So exactly how are you involved in that case?
Mr. Brown: My colleague has a comment, but I'd be happy to answer your question too.
Ms Mary Anne Stevens (Project Officer, Treasury Board Secretariat): I'll try to make this very concise.
Departments are not required to come to Treasury Board Secretariat for any kind of approval of these kinds of data matches. In the cases you're talking about, the departments did not come for approval and they were never given approval. What is happening here is the Treasury Board policy on data matching is the policy we put out, and that's what requires them to consult with the privacy commissioner. But they're not required to come to us for approval. Does that answer your question?
Mr. John Godfrey: It sure does. Thank you.
The Vice-Chairman (Mr. Andy Scott): I can't wait.
Jean, go ahead.
Some hon. members: Oh, oh!
Ms Jean Augustine (Etobicoke - Lakeshore, Lib.): I am going to be brief. I have three questions. One has to do with the federal public service workplace, another has to do with the merging of service delivery, and the third has to do with a common national client identifier or the changes we've heard about in the SIN.
As we consulted across the country, we heard a good deal about surveillance in the workplace, video surveillance especially. Several very concrete things were discussed. My question is, with the advent of this technology, where applicants are submitted to genetic testing or drug and alcohol testing or where an individual's behaviour is monitored via surveillance, etc., how do these issues pertain to the federal workplace?
My second question is on the one-stop shopping that we've heard mentioned this morning by all of you. If we are going to be merging all of the information - and I think I'm hearing that there would be some way to connect it all to provide better service delivery and all of those neat things that can happen - what privacy protection mechanisms would be built into a system, if there were to be such a system? And how can the issue of accuracy and the ability to correct and retrieve, etc., be built into the one-stop apparatus, if there is such a plan afoot?
Third, how can we serve Canadians better with this common client identifier and what are all the upsides and the things we have to look out for in terms of privacy issues around a common identifier?
Mr. Brown: I've been doing a lot of talking, but I can give you answers for your first two and the third one we might share among ourselves.
On the question of the public service workplace, the answer would be that as departments look at the different applications, one of the major requirements will be to take account of the requirements not just of our privacy policies and legislation but also, to start with video surveillance, of our security policy.
Video surveillance is being used by departments, but it's on the basis of an assessment by them that this is a requirement in light of the nature of the government assets being protected - whether they're physical assets, information, or people - and that this is an appropriate response.
Our security policy governs the use of video surveillance. It's been dovetailed with the privacy policy. Essentially we say to departments that they have to establish very clear, understandable procedures, and in particular employees themselves have to be aware of these procedures and of what their rights and obligations are. In fact there's an explicit requirement that any policy or any use of video surveillance must conform with any collective bargaining regime that exists. There are clearly some areas, for instance in prisons, where this is the kind of issue that has to be looked at.
You were talking about genetic testing. I have to say we're not aware of any situation at the moment where genetic testing is being used or is being considered by departments with regard to their employees.
Ms Jean Augustine: What about drug and alcohol testing?
Mr. Brown: As for drug and alcohol testing, where there's an operational concern, departments are entering into arrangements. I'm afraid I can't give you the details off the top of my head, but I know that this is a subject of considerable discussion with the unions where you have operational environments where people are expected to remain alert in their work and so on. But it would be driven by those kinds of considerations on a case-by-case, department-by-department basis.
On your point about the merging of service delivery and the risks to personal information where you have a number of departments getting together, I think what you're raising is a very real issue. The underlying issue is there's a major challenge in terms of information management generally when you get into these single-window situations. There are privacy concerns, and there are security concerns. In the broadest sense there are accountability concerns of a number of different types.
There is work going on right now, which is sponsored by a committee of deputy ministers who are looking at these issues, to try to work through in practical terms what are the kinds of information management issues that arise from these single windows. If we're talking about providing a pooling of information to support exporters, for example, or people who are looking for jobs, there are all manner of issues that come up, such as the appropriate use of technology, privacy and so on. In that context we would be saying to departments, remember that an important part of the whole arrangement is to wire in the adequate privacy safeguards, building on the fair management practices we were talking about earlier.
Ms Jean Augustine: We heard from someone who was very critical of the process because they felt it was going on behind closed doors. I think that was the term they used. Is there some way discussion could be a bit more open and could include a number of the privacy commissioners and others besides deputy ministers?
Mr. Brown: I mentioned that group mainly to make the point that this an issue that's being taken seriously at a senior level of the government. That's not the only place discussion is taking place.
In the final analysis, as we were discussing a little earlier, our view is that the actual decision-making as to whether or not to participate in that kind of single window, how it's designed, what sorts of public access procedures there are, and so forth, has to be taken by each department. Then you're back to the nature of the activity and what is the right kind of public consultation. Certainly as a general principle we do tell departments they should work with their clients in designing these things and should make sure all the various requirements are met.
On your last point, on the common client identifier, this is an issue that is being watched. Just the fact that your committee is taking that kind of interest in it, the advice you provide I think will be an important part of any kind of general discussion.
For us a basic issue becomes whether or not there is a business case and an appropriate balance between the benefits of establishing an identifier and the risks imposed on personal information and whether or not in the final analysis it can be done in a way that sits fully within the requirements of privacy legislation. At the moment we haven't seen that. It's being looked at, but that analysis hasn't been provided.
Mr. Binder: Mr. Chairman, may I jump in here?
The Vice-Chairman (Mr. Andy Scott): I want to say to Mr. Peirce that I recognize he's about eleven questions ago, so as soon as he's done you can start to think about your intervention.
Mr. Binder: I'll be brief.
I think we should really be careful in jumping to a conclusion on the side of privacy. We mention it is a balancing act. I have a lot of difficulties in assuming we are here to hurt everybody or to survey everybody.
One of the most repeated petitions from the business community to us is ``For God's sake, I sent in an application to one department. Why do I have to send an application to another department? Can't you guys talk to each other?'' The small-business community would like one application for one-stop shopping. So you always have to find the right balance that will protect the privacy when it needs protection.
I've no problem with Revenue Canada trying to pick up on cheaters of Revenue Canada. If they decide they can get some help from another department in a law enforcement issue, again, it's not clear cut that Revenue Canada and Human Resources Development coming together... It may even turn out to be a bad lead, but I'm not sure a priori you could tell. The question is, do you want them to be able to catch those people or not?
Again, I don't think Treasury Board has anything to do with the specific running of a program. Treasury Board rules are to set up guidelines, and the operators then manage. What we're talking about here is their framework for recourse. If a particular citizen or a particular corporation doesn't like what's happening, what recourse do they have? I think that's really the debate that's going on here. It's a very complicated field.
You are focusing on the federal government. At least we have some laws in the federal government domain. There's a whole world out there with banking and credit cards that is completely run without any guidelines or laws. We are now trying to bring some sort of coherency into all of this domain and trying to put in some framework that actually will deal with some of those very significant issues.
The Vice-Chairman (Mr. Andy Scott): My colleagues will find it unusual that I would be the one to bring this up, but the difference, of course, is if you don't like the way you're being treated by the Bank of Montreal, you can go to the Bank of Nova Scotia. I'm not certain what happens if you don't like the way you're being treated by the government. I know what happens to us, but I don't know how broadly you can apply that remedy.
Go ahead, Mr. Peirce.
Mr. Michael Peirce (Counsel, Human Rights, Department of Justice): I want to make some comments in regard to Mr. Godfrey's question about the data match.
As I understand it, the privacy commissioner's concern about the data match has to do with whether it is contrary to the Charter of Rights and Freedoms, as opposed to necessarily a policy determination by itself. I don't want to address the charter viability of that, because that would be to provide legal advice, but I can give you some indication that when a program such as a data match is proposed, be it an HRD one or any other, it will generally be reviewed by the Department of Justice for consistency with the charter. In particular, the two provisions of the charter that come up are sections 7 and 8.
Section 8 of the charter is the protection against unreasonable search and seizure. That's the primary privacy protection in the charter. It has been interpreted as a protection for a reasonable expectation of privacy, and what constitutes a reasonable expectation of privacy is context-specific. In the case of a data match, it depends on the purpose of the data match. For a data match that is conducted for the purpose of gathering evidence of a criminal offence, the expectation of privacy in those circumstances, depending on the nature of the information, may be much higher than in a pure administrative or regulatory context.
Normally, in a criminal context the requirements of the charter are to get a warrant. I'm sure you've all heard or seen this on television. If you want to search me, get a warrant. That's true in a criminal context, but generally data matches don't go on in the criminal context - therefore the purpose of regulatory compliance.
For the purposes of regulatory compliance, then, the requirements are less stringent. Again, depending on the nature of the information, because some information may not raise an expectation of privacy, if it does raise an expectation of privacy, the requirements are that the data match be authorized by law and that the law itself be reasonable.
The test for reasonableness is a weighing of the societal interest versus the individual's interest, and there you will have a weighing of the nature of the information and the objective to be achieved by the particular department in gathering the information as a result of the data match.
To give you an idea of information that has not been found to raise an expectation of privacy under the charter, one of the leading cases in the area is a case called R. v. Plant, well named, because it has to do with the cultivation of marijuana plants. In R. v. Plant, the Calgary police department had a video terminal at the police station that provided them access to hydro records. The police could see who was using copious amounts of hydro to run their grow lights day and night.
The Supreme Court of Canada found that hydro records did not raise an expectation of privacy, that they were not the kinds of records that would reveal deeply personal information about a person's character or their being. So that wasn't found to be information that would raise an expectation of privacy. But information such as bank records may raise an expectation of privacy, and of course it escalates from there.
Section 7 of the charter may also apply. Generally section 7 of the charter is the protection for life, liberty, and security of the person and the right not to be deprived of those three interests except in accordance with the principles of fundamental justice. The Supreme Court has recognized that liberty and security of the person are interests that include privacy, and as a result, an incursion into privacy also has to be consistent with the principles of fundamental justice. Essentially the principles of fundamental justice will require the same sort of weighing that I described earlier between the individual interest and the societal interest.
So those are the two privacy protections in the charter. A data match has to be consistent with the charter. The government, both in its regulatory operations and its legislation, must comply with the charter. That is a check placed on those things.
Mr. John Godfrey: Could I ask a follow-up on that?
The Vice-Chairman (Mr. Andy Scott): There will be some time for you to come back.
Mr. Peirce: Could I comment as well on video surveillance, to follow up to this question here?
Just as the charter applies to the legislation to the regulatory efforts of the government, the charter also applies to the government as employer. So in its labour relations, video surveillance in the workplace has to comply with the charter.
We don't know at this time what the full standards are that will be required for video surveillance, because we haven't had that kind of case, in a non-criminal context, come before the courts. Our best advice at this point in time, then, is to make sure any video surveillance that is done is done for an important objective other than gathering of criminal evidence, because that requires a search warrant. Outside of that context, make sure it's done for an important objective.
This goes back to the question of circumstances. It's one thing to do video surveillance at CSIS, where you may have very important information that you need protected. It's another thing to do it in the parking lot at a particular department.
The charter will require you to put limitations on the use that can be made of the information that's garnered from video surveillance, to make sure you provide notice to employees that video surveillance will be conducted, to indicate who can conduct the video surveillance and who can review those tapes, and also as to the destruction of the tapes.
The Vice-Chairman (Mr. Andy Scott): Thank you very much.
I'm going to pose a couple of questions myself.
I think it's fair to say that in the course of our inquiry we were dealing with people who had a level of awareness around these issues above the average, as we went across the country - human rights centres, people in the industry, people in various provincial government departments, and so on. Notwithstanding the fact that the people we were dealing with had an above average awareness of these issues, it was, I think, very clearly put that people were surprised by some of the things that were going on or could go on. To some extent the whole notion of informed consent was challenged by the fact that you cannot protect yourself against activities that you don't even realize are within the realm of possibility. The ``informed'' part was not really felt to be that secure.
On the ``consent'' part, as far as the government is concerned, with many of the things where the public interacts with the government, the public is not in a strong position not to offer consent. Whether it's unemployment insurance or any kind of programs, or social insurance number, or even Stats Canada, how far do you get when you say ``No, I don't want you to have that''? So on the consent side, it's arguable as to whether we can offer up that as a protection.
Ultimately it becomes dependent on the good judgment, the awareness and the understanding of the people with whom you're dealing - their sense of direction, their sense of the balance. Everybody here has referred to that - that there is a balance between the collective good and individual rights and so on, and we all have to find the appropriate place in that balance. That does put an enormous amount of pressure on people like yourselves who are in fact arbitrating that balance all the time.
I put this to the people who are here speaking on behalf of the various departments. Do you feel adequately directed to make that judgment, given the fact that - I think it's safe to say that this committee would believe this - the Canadian public at this moment is not adequately informed or sufficiently independent to look after their own interests in privacy?
Mr. Binder: Let me start by saying that obviously, as you heard from some of our lawyer friends, this is a voyage of discovery. We are getting into some new technology and new situations that didn't exist before.
We spent a lot of time developing the so-called CSA codes with industry, with a lot of those people you visited. A lot of work went into these 10 principles. We believe it's a reasonable approach to moving forward to balance the interests of everybody. We are great fans of explaining these codes, promulgating these codes, and ultimately maybe having legislation based on those codes across the whole country.
We believe this will go a long way to clarifying and at least establishing a framework where some of those issues can be dealt with. In addition, the codes will serve as a recourse - a standard or benchmark against which you can judge a particular behaviour or misbehaviour.
The Vice-Chairman (Mr. Andy Scott): I take it that's a yes.
Mr. Binder: Yes.
Mr. Rummell: Mr. Chairman, just to make a balancing point, we certainly are trying to stay ahead at all points on the policy fronts with the new technologies that are being introduced. We are certainly trying to keep ahead of these policies, and we've I think done a good job at maintaining this balance on behalf of the Treasury Board and on behalf of the chief information officer and chief information officer's branch.
The thing we have to be aware of, and I think this is an important balance we have to be aware of in government, is that there's getting to be a much higher expectation from the Canadian public for integrated service delivery. We have a responsibility, I guess through Parliament and through the civil service, to provide for integrated services to the Canadian public.
I've looked at some recent statistics and recent public opinion polls, and we don't get a very high approval rating in the civil service compared to what you get for hotels and other service establishments.
I think it's part of the work of your committee to make sure we are given the tools we need with these proper balances in order that we can deliver integrated services to Canadians that will meet at least the same level of service they receive from banks, hotels and rental car companies. I think as the recommendations are put forward, we have to keep in mind that we should be given the same tools to facilitate this.
In addition, we've been involved with the Department of Industry in the reduction of paperwork for small businesses. They have high expectations that we will be able to reduce the inordinate amounts of paperwork, to provide for single identifiers, that type of thing. This is what the public expects.
Coming from industry, which I left 40 days ago, the thing we have to keep in mind is that people will accept the use of information and will be very happy to provide the information if they see a benefit to themselves. An example of this is the Revenue Canada tax return, where you don't have to fill out the tombstone or basic information because you receive it on a pre-printed decal you can stick onto the form. That's an example of how we can use information effectively. There will be other opportunities for us to do this in the future. I think we have to think through these things very carefully in order to get government on the right track in the future.
The Vice-Chairman (Mr. Andy Scott): I would like to follow up with a question as to whether or not you feel you're adequately directed. That's what we have to decide here. The people who are appearing before us and to whom we're speaking are asking us to make sure their interests are looked after because they don't feel they're informed enough right now. I think we all share that view. Therefore my question is, are we giving you adequate direction so that you can make those kinds of tough decisions?
Mr. Rummell: Yes, we believe we're getting adequate direction. We feel the great weight of dealing with these balance issues through the current policies and directives from Treasury Board. But we also have to be able to accommodate the new media that are coming into play. There are a lot of new technologies, such as data warehousing, the smart card, video surveillance and the Internet, that have to be explicitly mentioned.
Mr. Kratchanov: With regard to the first comment you made concerning people who came before the committee who were knowledgeable about privacy but were also surprised to hear about things going on they didn't know about, that's a feeling I share. We also find out about new things, maybe not on a daily basis but certainly very regularly, that have the potential for privacy violations.
I'm not sure I'm able to respond to your question about whether or not we have adequate direction. I think it's always going to be a challenge to find the right balance in each particular case when it comes to the issue of privacy, because different people can come to a different conclusion. In that sense, I think even the best instruments won't solve the difficult decision-making that has to be done at the end of the day.
Having said that, obviously instruments such as the Privacy Act are not perfect. Some might say that the day they're passed they become outdated, so there's always room to improve and to build upon them. But that's not to say it's going to solve all our problems tomorrow.
The Vice-Chairman (Mr. Andy Scott): Mr. Godfrey has a question.
Mr. John Godfrey: I have two questions. Following up with Michael Peirce, I just want to understand that in my somewhat obsessive example of the border crossings, we know the Treasury Board wasn't involved directly, so they're off the hook, but you're on the hook.
Now I have four players: the privacy commissioner had a view, and it was a charter view; there was you; and there were the two departments. In that mélange, how did the decision-making process work? Did you have final determination? I'm asking in theoretical terms; I'm not asking for a breakdown of the discussion. Could you say, well, I don't think that's such a good idea, but if you guys in HRDC insist, I guess you go for it? How does that actually work in either a practical or a formal way?
Mr. Peirce: Again, not talking about that specific example, although it does seem to be the common one, when something like this is proposed, the departments will come to us and seek our charter advice as to whether it's constitutional. In the course of our review as to whether it's constitutional, we'll review the case law in the area and give them our best advice as to the requirements to be constitutional. So it's not necessarily a yes or no answer. It may be ``Here are the things you can do to improve your program substantially''.
If it is a situation where the Department of Justice concludes, or where I conclude, for example - and let's start at the low level of me - that it is a real charter issue and a serious risk, I'll let the department know that, and they will let me know whether they intend to follow my advice or whether it's something that should go up the line. At that point in time, if they say they think this is really important, I'll say let's sit down with my boss, and it will work its way up the line to the point of deputy ministers and ministers meeting to discuss the issue.
As regards the privacy commissioner, the privacy commissioner doesn't normally get involved with charter analysis. So in some respects we're seeing new things going on here. What has happened is that the privacy commissioner has given us his view about the constitutionality of this. We would expect to sit down with the privacy commissioner to have an opportunity to discuss his views and the reasons for reaching them, to address whether the legal analysis on either side is correct. If the legal analysis is close and we're not in full agreement, what can we do to improve the program to make sure it does comply? And we'll go through those processes. So that's what I would expect to lie ahead.
Mr. John Godfrey: Thank you.
This is really as much for the record. It's another subject.
The Vice-Chairman (Mr. Andy Scott): Mr. Godfrey, just before you do, we've been joined at the table by Ms Neill. I assume it's to speak to this.
Ms Andrea Neill (Senior Counsel, Information Law and Privacy, Department of Justice): Thank you. My comments basically mirror what Michael has said.
In my office, the information law and privacy section for the Department of Justice - and we're the legal advisers to all government lawyers on the Access to Information Act and the Privacy Act - if there is a proposal for a data-match activity by a department, normally the legal service lawyer would come to my section and ask if it's legal under the Privacy Act.
As Michael explained with the charter, there's an onus on departments to determine that the data match they're proposing is in fact legal under the Privacy Act as well. So then they would come to my office.
Process-wise, it works the same way as with Michael. If our opinion is that there is no legislative authority in place to do the data match, then one of the options we would recommend is that, as Michael explained, we would enter in discussions with the privacy commissioner's office as well.
As to one of the things we do recommend in any kind of data-match activity with departments, the data-match policy requires that you consult with the privacy commissioner 60 days before the data match starts to take place. And my office has consistently asked departments to try to consult as early in the process as possible - so if it can be before 60 days, do it - to know exactly where the privacy commissioner's concerns lie and if we can address those.
The Vice-Chairman (Mr. Andy Scott): Mr. Godfrey gets the last word. Ms Augustine has to leave for another meeting.
Mr. John Godfrey: This is a question for the justice department, for the record.
We know there are rules concerning wiretapping and audio surveillance, and we have those pretty much in place. We understand there are no such similar rules for video surveillance without sound. I guess the question is, first, is it viable, in your view, to do something about that, and second, is it on your list of ``to do''s?
Mr. Kratchanov: I'm sorry my colleague, Fred Bobiasz, isn't here this afternoon. I believe he appeared before the committee back in December. He's really the expert in that area.
On the subject of video surveillance, I understand a couple of years ago some amendments were made to the Criminal Code to regulate the use by the police of video surveillance. Those do not extend to the use by private citizens, as in the wiretapping law, which does in fact apply to all of us.
I'm sorry he's not here, but I think in his comments before the committee he did make some comments about why that was the fact. I would refer you to the comments he made.
Mr. John Godfrey: Okay, thanks.
The Vice-Chairman (Mr. Andy Scott): Ms Hayes has a short question.
Mrs. Sharon Hayes: In this discussion on charter challenge and the decision as to whether something is legal or not, I have a really brief question. How has your record been on decisions and then challenges to those decisions in courts?
Mr. Peirce: I'm pleased to say our record has been excellent. Very little federal legislation has been successfully challenged and struck down under the charter.
Mrs. Sharon Hayes: What would be the number of cases?
Mr. Peirce: I don't know off the top of my head. There are thousands of challenges before the Supreme Court, which is the ultimate resting place. I can only think of a handful of situations where we've had legislation found unconstitutional.
The Vice-Chairman (Mr. Andy Scott): Thank you very much.
I have one quick question. Has the privacy commissioner ever been asked to judge the guidelines that have been prepared? I see people in the audience nodding, but is there anybody at the table who...?
Mr. John Godfrey: The Treasury Board guidelines.
The Vice-Chairman (Mr. Andy Scott): Yes, I'm sorry, the Treasury Board guidelines. Has the privacy commissioner rendered a judgment?
Ms Stevens: When the guidelines were being written, the privacy commissioner was consulted and participated in the writing of the guidelines.
The Vice-Chairman (Mr. Andy Scott): We get that all the time, but then when the privacy commissioner comes, he says, ``But I didn't like it.''
Some hon. members: Hear, hear!
The Vice-Chairman (Mr. Andy Scott): Not on that particular topic, but we get that all the time. Treasury Board never volunteers to tell us that.
Ms Stevens: Of course it's a different commissioner now from who it was when the guidelines were written. At the time they were written, the commissioner at the time liked them.
The Vice-Chairman (Mr. Andy Scott): Okay, thanks.
It's now a little after one o'clock. I appreciate the patience of members who should be elsewhere, and I thank the witnesses very much for being here and for their very able representation of their positions.
Thank you very much. The meeting is adjourned.