APPENDIX III
RECOMMENDATIONS
RECOMMENDATION 1
The Committee recommends that the Government of Canada recognise and act upon its responsibility to respect and protect privacy rights in Canada by enacting a declaration of privacy rights to be called the Canadian Charter of Privacy Rights. This Privacy Charter would apply within federal jurisdiction, take precedence over ordinary federal legislation and serve as a benchmark against which the reasonableness of privacy infringing practices and the adequacy of legislation and other regulatory measures would be assessed.
Furthermore, the Committee recommends that the Canadian Charter of Privacy Rights be enacted no later than the 1st of January 2000.
RECOMMENDATION 2
The Committee recommends that the Canadian Charter of Privacy Rights declare and entrench fundamental privacy rights and the responsibilities attaching to these rights. These rights and responsibilities would include, but not necessarily be limited to, the following:
1. Fundamental Privacy Rights and Guarantees
- 1.1. Everyone is entitled to expect and enjoy:
- physical, bodily and psychological integrity and privacy;
- privacy of personal information;
- freedom from surveillance;
- privacy of personal communications;
- privacy of personal space.
- these privacy rights will be respected by others adopting whatever protective measures are most appropriate to do so;
- violations of these privacy rights, unless justifiable according to the exceptions principle which follows, will be subject to proper redress.
2. Justification for Exceptions
Exceptions, permitting the rights and guarantees set out above to be infringed, will only be allowed if the interference with these rights and guarantees is reasonable and can be demonstrably justified in a free and democratic society.
3. General Obligations
- 3.1. The basic duties owed to others to ensure their privacy rights are adequately respected include:
- the duty to secure meaningful consent;
- the duty to take all the steps necessary to adequately respect others' privacy rights or, if their rights must be infringed, to interfere with privacy as little as possible;
- the duty to be accountable;
- the duty to be transparent;
- the duty to use and provide access to privacy enhancing technologies;
- the duty to build privacy protection features into technological designs.
4. Specific Rights Related to Personal Information
- Everyone is the rightful owner of their personal information, no matter where it is held, and this right is inalienable.
- Everyone is entitled to expect and enjoy anonymity, unless the need to identify individuals is reasonably justified.
- 5.1. The basic duties owed to others to ensure their informational privacy rights are adequately respected include, in addition to the general obligations set out above:
- the duty to hold sensitive personal information in trust;
- the duty to limit information collection to what is necessary and justifiable under the circumstances;
- the duty to identify the purpose for which personal information is collected;
- the duty to ensure the information collected is correct and of the highest quality;
- the duty to provide the people whose personal data is collected with access to that information and a means to review and, if they judge it necessary, to correct it;
- the duty to only use and disclose personal information for the purposes identified when meaningful consent was obtained;
- the duty to keep personal information only for as long as is necessary and justifiable;
- the duty not to disadvantage people because they elect to exercise their rights to privacy.
The Committee recommends that the Canadian Charter of Privacy Rights declare that to achieve proper respect for privacy rights in Canada the following measures are essential:
- on-going public discussion and input on matters related to the protection of privacy rights;
- research related to privacy rights and their protection;
- public awareness and education to sensitise everyone to their rights and responsibilities with respect to privacy.
The Committee recommends that the Canadian Charter of Privacy Rights declare that, to ensure the core privacy principles are observed, the following measures must be put in place:
- proper compliance, accountability and enforcement mechanisms;
- appropriate remedies to redress violations of privacy rights.
The Committee further recommends that the Canadian Charter of Privacy Rights declare that the Privacy Commissioner of Canada shall exercise general oversight and protection of privacy rights within areas of federal jurisdiction.
The Committee recommends that the Minister of Justice, in consultation with the Privacy Commissioner of Canada, examine existing federal legislation and regulations, bills and draft regulations for consistency with the Canadian Charter of Privacy Rights and report any inconsistency to Parliament. This report shall be referred to the appropriate Parliamentary Committee for consideration and recommendations.
The Committee also recommends that the Canadian Charter of Privacy Rights require the Minister of Justice to notify the Privacy Commissioner of Canada of all bills tabled in Parliament and all draft regulations which may have ramifications for privacy.
RECOMMENDATION 6
The Committee recommends that the Government of Canada take a leadership role to ensure that Canadians' privacy rights are accorded equivalent dignity across the country. The Government of Canada should invite the governments of the provinces and territories to work together to develop a complementary and uniform approach to privacy protection across Canada that would accord with the Privacy Charter.
RECOMMENDATION 7
The Committee recommends that the Government of Canada, federal agencies and all Crown Corporations identify privacy issues in their respective workplaces and institute appropriate measures that accord with the Privacy Charter to safeguard employees' privacy rights.
RECOMMENDATION 8
The Committee recommends that the Government of Canada introduce into Parliament comprehensive data protection legislation to be known as the Data Protection Act to replace the current Privacy Act. This Act must accord with the Privacy Charter and apply to Parliament, all federal government departments, agencies, Crown corporations, boards and commissions, and other institutions, and to all federally-regulated businesses and industries. The Data Protection Act shall be enacted no later than the 1st of January 2000.
A broad and open process of public consultation shall precede the introduction of this legislation and provision shall be made in the Act for comprehensive public review of its provisions and operations within five years of the proclamation of the Act, and at regular intervals thereafter.
The Government of Canada shall give due consideration to other data protection models, such as the Canadian Standards Association's Model Code for the Protection of Personal Information and the New Zealand Privacy Act 1993, when developing the Data Protection Act. The Data Protection Act shall recognise the role of federally-regulated industries in the development of their own privacy codes.
RECOMMENDATION 9
The Committee recommends that the Data Protection Act it proposes contain:
- strict protections against all unnecessary intradepartmental and interdepartmental data matching;
- standards for acceptable data matching practices;
- acceptable data matching practices that comply with the Privacy Charter, in particular the principles of informed consent and transparency.
The Committee recommends that, to comply with the proposed Data Protection Act, the Treasury Board Secretariat, a central agency of the federal government, must:
- create mandatory data matching guidelines;
- monitor federal government departments for compliance with the new guidelines;
- educate federal departments and employees on what constitutes unnecessary data matching practices.
The Committee recommends that the proposed Data Protection Act shall set out the circumstances under which data sharing between the federal and provincial governments is appropriate.
The Government of Canada should advise the provinces and territories that upon the enactment of the proposed Data Protection Act, all personal information shall only be shared with those provinces that have adequate data protection in place.
RECOMMENDATION 12
The Committee recommends that the proposed Data Protection Act must apply to:
- any personal information transferred from federal government institutions to the private sector;
- any contracts for providing services to federal government institutions.
The Committee recommends that:
- the Treasury Board Secretariat take responsibility for monitoring compliance by federal departments and agencies with the proposed Data Protection Act;
- the Minister of Industry take responsibility for monitoring compliance by the federally-regulated private sector with the proposed Data Protection Act; and
- the federal Privacy Commissioner be made responsible for ensuring enforcement of the proposed Data Protection Act and that penalties exist in the proposed Act for violations of its provisions.
The Committee recommends that the Data Protection Act regulate the development, testing (including pilot projects), implementation and application of emerging technologies that have a potential to infringe on the privacy of personal information. These technologies would include, but not be limited to, smart cards and biometric identification systems.
RECOMMENDATION 15
The Committee recommends that the Government of Canada take immediate action to deal with privacy violations and discriminatory treatment that may result from genetic testing including:
- a review of current policies and practices in the employment, health, insurance and criminal justice sectors;
- a review of existing reports and existing and proposed legal instruments (including the draft international covenant on the human genome);
- consultations with the public;
- the development of legislation that is necessary to deal specifically with the privacy and antidiscrimination issues related to genetic testing.
The Committee recommends that the Government of Canada introduce amendments to the Criminal Code that would, to the greatest extent possible, apply the prohibitions against the interception of private communications to surreptitious video surveillance.
RECOMMENDATION 17
The Committee recommends that the Government of Canada, in particular Industry Canada, encourage the development and use of privacy-enhancing technologies by:
- developing partnerships and creating incentives for research and development into privacy enhancing technologies;
- educating the public and businesses (large and small) about the capacity of privacy enhancing technologies to protect the personal information of Canadians.
The Committee recommends that the Government of Canada undertake ongoing public awareness and education programs about new technologies and their impact on privacy to ensure that everyone is able to make appropriate decisions regarding their personal privacy and the direction of public policy in the future.
The Committee further recommends that the Government of Canada should undertake an ongoing public consultation process that examines and makes recommendations about specific legislative and non-legislative measures that are required to ensure that individuals' privacy is protected as technologies are refined or brought into use.
The Committee further recommends that the Government of Canada initiate ongoing discussions with the provinces with a view to encouraging a common approach to the treatment of these technologies (particularly genetic testing) within different jurisdictions.
RECOMMENDATION 19
The Committee recommends that the Government of Canada table in Parliament new legislation that would replace the current Privacy Act, to be called An Act Respecting the Office of the Privacy Commissioner of Canada. This Act would broaden and strengthen the mandate and powers of the Privacy Commissioner in relation to all issues of privacy within the federal sector. Specifically, it should contain, but not be limited to, provisions that empower the Privacy Commissioner to:
- receive, investigate and settle complaints of alleged privacy invasions;
- initiate his own privacy investigations through the use of privacy audits and technology impact assessments;
- carry out studies relating to privacy and emerging technologies;
- review all government bills, legislation, regulations, delegated legislation, policies and practices that may have an impact on privacy rights and, whenever appropriate, table a privacy impact statement before the House of Commons;
- ensure effective enforcement of the proposed Data Protection Act.
This Act shall contain complaint review mechanisms such as an administrative tribunal and the provision for judicial review.
RECOMMENDATION 20
The Committee recommends that the introduction of An Act Respecting the Office of the Privacy Commissioner must:
- be preceded by a broad and open public consultation process;
- provide for a comprehensive public review of its provisions and operations within five years of the proclamation of the Act and at regular intervals thereafter;
- assign a general public education mandate to the Privacy Commissioner.
The Committee recommends that Parliament provide sufficient resources to the Office of the Privacy Commissioner to adequately carry out its proposed responsibilities.