Thursday, October 06, 2005

Canadian Privacy Commissioner releases annual reports to Parliament

The Privacy Commissioner of Canada has released her Annual Report to Parliament. There are actually two reports: the first related to the Privacy Act and the second based on the PIPEDA. Here's the release for your consideration while I digest the report itself:

News Release: Privacy Commissioner's 2004-2005 Annual Report on the Privacy Act tabled in Parliament - Commissioner calls for reform to the Privacy Act (October 6, 2005):

"Privacy Commissioner’s 2004-2005 Annual Report on the Privacy Act tabled in Parliament – Commissioner calls for reform to the Privacy Act

Ottawa, October 6, 2005 – The Privacy Act is an outdated and often inadequate public sector data protection law, according to the Privacy Commissioner of Canada, Jennifer Stoddart, in her 2004-2005 Annual Report on the Privacy Act, which was tabled today by Parliament. The Privacy Commissioner's 2004 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private sector privacy law, was also tabled today.

In her 2004-2005 Annual Report on the Privacy Act, the Commissioner highlights some of the most significant issues her Office has faced in the past year. These include security and the voracious appetite for personal information and surveillance that has sprung up in the post-9/11 environment, and the sharing of information and outsourcing of data operations across borders. She also emphasizes the long overdue need to modernize the Privacy Act, a first generation privacy law which has not been substantially amended since its inception in 1983.

"The privacy landscape is infinitely more complex today than it was a decade ago," states Ms. Stoddart. "Faced with increased globalization and extensive outsourcing of personal information processing and storage, Canada's Privacy Act lags woefully behind."

In her report, the Commissioner elaborates on the situation and explains some of the important things for the government to consider in updating the Privacy Act, for example:

  • There are gaps in the Privacy Act's coverage. Many institutions, including the Office of the Privacy Commissioner of Canada, are not subject to privacy law.
  • Under the Privacy Act, only those present in Canada have the right to seek access to their personal information. This means airline passengers, as well as immigration applicants, foreign student applicants, and countless other foreigners with information in Canadian government files, have no legal right to examine or correct erroneous information, to know how their information is used or disclosed, or to complain to the Commissioner.
  • Although government use of data matching arguably poses the greatest threat to individuals' privacy, the Privacy Act is silent on the practice. Government institutions should be obligated to link personal records in discrete systems only when demonstrably necessary, and under the continued vigilant oversight of the Commissioner.
  • Complainants may only seek a Court review of, and remedies for, denials of access to their personal information. This means that allegations of improper collection, use and disclosure may not be challenged before the Court, and the subsequent benefit of the Court's guidance on all government institutions is lost. Nor does the Privacy Act contemplate remedies for any damages caused by government actions.
  • The weaknesses of the Privacy Act are even more striking when the law is measured against PIPEDA. In fact, several of the Commissioner's concerns could be remedied by adopting provisions similar to those in PIPEDA.

In addition to pointing out the flaws of the Privacy Act, the Commissioner also calls for a more comprehensive and consistent approach to managing privacy in the federal government. She recommends seeking improvements to the current system through the development of a privacy management framework. A privacy management framework should be designed to help departments protect the personal information they control by identifying the inherent privacy risks, and how best to mitigate those risks.

This year, for the first time, the Commissioner has published two separate annual reports, dividing the Privacy Act from PIPEDA. The Privacy Act requires the Office to report on the fiscal year (2004-2005), while under PIPEDA, it must report on the calendar year (2004). As well, each Act provides a separate framework for investigations and audits. There is much overlapping between the reports because many of the Office's activities are not particular to one law or another and, increasingly, the policy issues are common across the two regimes.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada."

