Tuesday, June 20, 2006

Privacy Commissioner tables annual report to parliament on the Privacy Act

The Privacy Commissioner of Canada has tabled her Annual Report on the Privacy Act in Parliament. The report is here: Annual Report to Parliament 2005-2006 — Report on the Privacy Act (PDF format).

Here is the press release:

News Release: Tabling of Privacy Commissioner of Canada's 2005-06 Annual Report on the Privacy Act: Commissioner expresses concerns about public sector privacy protection (June 20, 2006)

Tabling of Privacy Commissioner of Canada's 2005-06 Annual Report on the Privacy Act: Commissioner expresses concerns about public sector privacy protection

Ottawa, June 20, 2006 – Considerably more could be done to protect Canadians’ personal information, especially with respect to information flowing across the border and a federal privacy law that simply isn’t up to standard, according to Privacy Commissioner of Canada Jennifer Stoddart, whose 2005-2006 Annual Report on the Privacy Act was tabled today in Parliament.

The Privacy Act governs how federal departments and agencies handle Canadians’ personal information.

Key to the report are the Commissioner’s findings from a major audit of the Canada Border Services Agency (CBSA). Upon her appointment in December 2003, the Commissioner immediately began raising concerns about the transborder flows of personal information. She called for an audit of the CBSA shortly thereafter. Worries about improper use of personal information became heightened following passage of the USA PATRIOT Act, which gives the United States government sweeping powers to seize information from American companies or Canadian companies operating in the U.S. The audit assessed the agency’s framework for controlling and protecting Canadians’ personal information as it flows to foreign governments.

Recent polling commissioned by the Commissioner’s Office suggests that 94% of Canadians express some concern about Canadian companies transferring customers’ personal information to companies in other countries. Furthermore, 85% of those Canadians with awareness of the privacy implications of the USA Patriot Act also express some concern over the issue.

“The overall issue of transborder dataflows has certainly caught the imagination of Canadians, and we have received inquiries and complaints which focus on it as a threat to privacy,” said Ms. Stoddart.

While the Commissioner found that the CBSA does have policies, procedures and systems in place for managing and sharing Canadians’ personal information with other countries, more must be done to mitigate risks, and achieve greater accountability and control over that information. The Commissioner made 19 recommendations to the CBSA and these have been accepted by the Agency. The findings include the following:

  • The CBSA needs a coordinated method of identifying and tracking all flows of its transborder data. The Agency cannot, with a reasonable degree of certainty, report on how much and how often it shares information with the U.S.
  • Information is often disclosed without first obtaining approval from a designated CBSA official, which contravenes the Agency’s policy. There are also weaknesses in the record keeping associated with disclosures of information.
  • Activities associated with sharing data across borders should be made more transparent.

Although the Commissioner found room for improvement in the CBSA audit, she also noted in her report that the federal government has already begun to address Canadians’ concerns about transborder data flows of personal information. In March 2005, Treasury Board Secretariat released a federal strategy and guidelines on how government institutions must protect personal information when outsourcing activities to private sector organizations.

“We see the federal strategy and guidelines as a positive step toward addressing Canadians’ concerns,” said Ms. Stoddart. “However, we also hope that they will be an integral part of a reformed Privacy Act.”

The Privacy Act has not been substantially amended since it came into effect in 1983. In early June 2006 the Commissioner tabled a report with the Standing Committee on Access to Information, Privacy and Ethics outlining her proposed reforms to the Act.

Also key to her Annual Report is the Commissioner’s observation that, at times, federal departments and agencies incorrectly interpret the Privacy Act in response to calls for disclosures of information in the public interest. The Act provides that the head of the institution may disclose personal information if the public interest clearly outweighs the privacy concerns of the individual involved—if, for example, the issue relates to health and safety, or public security. However, in certain instances where in the Commissioner’s view it could be invoked, it is not, and the Privacy Act is blamed by the institution as the reason important information cannot be provided to the public.

“This inaccurate explanation of the role of the Act paints the Act as the villain,” said Ms. Stoddart. “Our concern lies with the simplistic characterization of the Privacy Act as the barrier to disclosure.”

The Annual Report indicates that in 2005-2006 the Office prepared a Vision and Institutional Service Plan, and a Business Case for Permanent Funding – a blueprint for a stronger and more effective institutional role. Parliamentarians agreed with the Vision and the new House of Commons Advisory Panel on the Funding of Officers of Parliament was supportive of the request. The Office is now planning for a significant increase – close to 50% – in human and financial resources over the next two years.

“We are grateful that the government and Parliament have seen the wisdom in our proposals,” said Ms. Stoddart. “And we will now be in a better position to serve Canadians.”

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

— 30 —

To view the report: Annual Report to Parliament 2005-2006 — Report on the Privacy Act (Adobe format) Audit of the Personal Information Management Practices of the Canada Border Services Agency — Trans-Border Data Flows

No comments: