Yesterday, the Parliament of Canada Standing Committee on Access to Information, Privacy and Ethics has issued the result of its study of the Privacy Act. The Act, which regulates the collection, use and disclosure of personal information by federal public bodies, is antiquated and is in dire need of reform. You'll see in the Report that I appeared as a witness, generally backing the recommendations of the Privacy Commissioner and the Canadian Bar Association.
Many of the recommendations are not new and have been ignored by a succession of federal governments. We'll see what happens now ...
Here, in short, are the recommendations:
LIST OF RECOMMENDATIONS
a) That the purpose clause in section 2 of the Privacy Act be expanded to reinforce the quasi-constitutional nature of privacy rights by including generally accepted and technologically neutral privacy principles similar to those in contained in the Personal Information Protection and Electronic Documents Act, including accountability; identifying purposes; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.
b) That the Privacy Act be modified to clarify that the privacy principles in the amended purpose clause shall guide the interpretation of the Act.
That the definition of “personal information” in section 3 of the Privacy Act be amended to ensure that it be technologically neutral and that it include unrecorded information.
That the Government of Canada define metadata in the Privacy Act, in a technologically neutral way and with an emphasis on the information it can reveal about an individual.
That the Privacy Act be amended to require that all information sharing under paragraphs 8(2)(a) and (f) of the Privacy Act be governed by written agreements and that these agreements include specified elements.
That the Privacy Act be amended to create an explicit requirement that new or amended information-sharing agreements be submitted to the Office of the Privacy Commissioner of Canada for review, and that existing agreements should be reviewable by the Privacy Commissioner upon request.
a) That the Privacy Act be amended to create an explicit requirement that departments be transparent about the existence of any information-sharing agreements.
b) That the Privacy Act be amended to require, except in appropriate circumstances, the publication of the content of information-sharing agreements between departments or with other governments.
That the Privacy Act be amended to create an explicit requirement for institutions to safeguard personal information with appropriate physical, organizational and technological measures commensurate with the level of sensitivity of the data.
That the Privacy Act be amended to set out clear consequences for failing to safeguard personal information.
That the Privacy Act be amended to create an explicit requirement for government institutions to report material breaches of personal information to the Office of the Privacy Commissioner of Canada in a timely manner.
That the Privacy Act be amended to create an explicit requirement for government institutions to notify affected individuals of material breaches of personal information, except in appropriate cases, provided that the notification does not compound the damage to the individuals.
That section 4 of the Privacy Act be amended to explicitly require compliance with the criteria of necessity and proportionality in the context of any collection of personal information, consistent with other privacy laws in effect in Canada and abroad.
That the Privacy Act be amended to clarify that a recipient federal institution that receives personal information through information sharing with another federal institution is collecting personal information within the meaning of section 4 of the Privacy Act, and must meet the criteria of necessity and proportionality that apply to the collection of personal information.
That section 6 of the Privacy Act be amended so as to explicitly require compliance with the criteria of necessity and proportionality in the context of any retention of personal information.
That the Privacy Act be amended to set clear rules governing the collection and protection of personal information that is collected on the internet and through social media.
a) That the Government of Canada strengthen the oversight of privacy rights by adopting an order-making model with clear and rigorously defined parameters.
b) That, in order to ensure the most effective use of resources, the Government of Canada explore ways of finding efficiencies, by, among other things, combining the adjudicative functions of the Office of the Privacy Commissioner of Canada and the Office of the Information Commissioner of Canada.
That the Government of Canada further examine the possibility of expanding judicial recourse and remedies under the Privacy Act.
That the Privacy Act be amended to include a requirement for government institutions to conduct privacy impact assessments for new or significantly amended programs and submit them to the Office of the Privacy Commissioner of Canada in a timely manner.
That the Privacy Act be amended to require federal government institutions to consult with Office of the Privacy Commissioner of Canada on draft legislation and regulations with privacy implications before they are implemented.
That the Privacy Act be amended to explicitly confer the Privacy Commissioner with:
a) the authority to conduct, on his own initiative, research and studies on issues of public importance, and
b) a mandate to undertake public education and awareness activities.
That the Privacy Act be amended to require an ongoing five-year parliamentary review.
That section 64 of the Privacy Act be amended to create an exemption from confidentiality requirements to provide the Privacy Commissioner with the discretionary authority to report proactively on government privacy issues where he considers it in the public interest to do so.
That the Privacy Act be amended to expand the ability of the Office of the Privacy Commissioner of Canada to collaborate with other data protection authorities and review bodies on audits and investigations of shared concern in connection with Privacy Act issues.
That section 32 of the Privacy Act be amended to grant the Privacy Commissioner discretion to discontinue or decline complaints on specified grounds, including when the complaint is frivolous, vexatious or made in bad faith, and that the Commissioner’s decision to discontinue or decline a complaint be subject to a right of appeal by the complainant.
That reporting requirements on broader privacy issues dealt with by federal institutions be reinforced by requiring the addition of a descriptive element so as to make the information in the reports accessible and relevant.
That there be specific transparency requirements for lawful access requests from agencies involved in law enforcement.
That the Government of Canada explore extending the scope of the Privacy Act to all federal government institutions, including ministers’ offices and the Prime Minister’s Office.
That the Government of Canada consider extending the right of access to personal information to foreign nationals.
That the Government of Canada examine the possibility of limiting exemptions to access to personal information requests under the Privacy Act.