The Federal Privacy Commissioner has today tabled her annual report on the Privacy Act. And she isn't happy with how certain government departments handle personal information:
News Release: Privacy issues given short shrift in passport operations and tribunal Internet postings, Commissioner says (December 4, 2008) - Privacy Commissioner of Canada
Privacy Commissioner’s 2007-2008 Annual Report to Parliament on the Privacy Act outlines audit of Passport Canada; investigative findings regarding online posting of personal information by administrative and quasi-judicial bodies
Ottawa, December 4, 2008 — Privacy concerns are not given enough weight in the day-to-day operations of a number of federal government institutions, the Privacy Commissioner of Canada says.
The Commissioner’s latest Annual Report to Parliament on the Privacy Act, which was tabled today, describes how privacy and security problems in Canada’s passport operations added up to a significant risk for Canadians applying for passports.
The annual report also highlights the Commissioner’s concerns that the online posting of personal information by some federal administrative and quasi-judicial bodies does not strike the right balance between the public interest and privacy rights.
Privacy Commissioner Jennifer Stoddart says her Office’s audit of passport operations raised a broad range of concerns about how personal information was handled.
“Given the high sensitivity of the personal information involved in processing passport applications, better privacy and security measures are needed,” says Commissioner Stoddart. “Unfortunately, the shortcomings we found raised the risk that Canadians’ information could wind up in the wrong hands.”
The audit found that passport applications and supporting documents were kept in clear plastic bags on open shelves; documents containing personal information were sometimes tossed into regular garbage and recycling bins; and some documents that were shredded could be easily put back together. Meanwhile, computer systems allowed too many employees to access passport files. The investigation also concluded there was inadequate privacy training for employees – an issue which is a concern across government institutions.The Commissioner is pleased that Passport Canada and the Department of Foreign Affairs and International Trade have indicated they will act on her recommendations and improve privacy and security safeguards.
The annual report also outlines the Commissioner’s concerns about the online posting of federal administrative and quasi-judicial bodies’ decisions which contain highly sensitive personal information.
The OPC investigated 23 complaints regarding the disclosure of personal information on the Internet by seven bodies created by Parliament to adjudicate disputes. The complaints involved: the Canada Appeals Office on Occupational Health and Safety; the Military Police Complaints Commission; the Pension Appeals Board; the Public Service Commission; the Public Service Staff Relations Board; the RCMP Adjudication Board; and Umpire Benefits decisions.
Decisions of these bodies often include highly personal information such as an individual’s financial status, health and personal history.
“This is private information. Law-abiding citizens fighting for a government benefit should not be forced to expose the intimate details of their lives to everyone with an Internet connection,” says Commissioner Stoddart.
The Commissioner agreed that the “open court” principle is an important part of Canada’s legal system, but noted there is a crucial distinction between the courts and the bodies the OPC investigated: The Privacy Act does not apply to the courts, but it does apply to many administrative tribunals and quasi-judicial bodies.
In order to respect their obligations under the Privacy Act, the Commissioner recommended, among other steps, that the bodies reasonably depersonalize decisions posted online by replacing names with random initials. However, the Commissioner noted that, where there is a genuine and compelling public interest in such a disclosure, these bodies have the legal authority under the Act to exercise discretion in disclosing personal information.
Service Canada and Human Resources Development Canada agreed to fully implement the OPC’s recommendations. Other bodies took important but incomplete steps towards compliance with the Commissioner’s recommendations.
Currently, unlike its private-sector counterpart, the Privacy Act does not empower the Privacy Commissioner to enforce her recommendations through legal actions. The OPC has recommended an overhaul of the legislation to address this and other concerns.
The OPC has also asked Treasury Board Secretariat to develop centralized policy guidance on the online posting of personal information by administrative and quasi-judicial bodies.The annual report outlines key activities undertaken by the OPC during 2007-2008, including audits, investigations and policy work. The report notes that new complaints against government institutions dropped slightly to 759 in 2007-2008 from 839 the previous year.
The report is available on the OPC website.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.