Privacy Act Modernization: Engagement with Indigenous Partners – What We Have Learned (so far) and Next Steps

Part 1: Context and Summary

Why modernize the Privacy Act?

The Privacy Act is a key piece of Canada’s legal framework for protecting privacy interests. It governs how federal public bodies may collect, use, disclose, retain, dispose of, and protect personal information. It also sets out the rights of individuals to access their own personal information from federal public bodies.

Our world has changed dramatically since the Privacy Act came into force in 1983. After close to 40 years of technological advances and societal change, Canadians’ expectations of how federal public bodies collect, use, disclose, store and protect their personal information have evolved. There has been a profound shift towards the digitization of information over the last few decades, which has given federal public bodies enormous potential to gather, analyze, and store more information, including personal information. This raises important opportunities and challenges for consideration.

In 2016, the Minister of Justice announced that Justice Canada would be leading the modernization of the Privacy Act. A new, modernized Privacy Act would establish an updated framework to govern how federal public bodies manage personal information. It would reflect Canadians’ modern expectations of privacy. It would also support responsible innovation by federal public bodies in using new technologies and business models to better serve Canadians, especially when these initiatives require cooperation among these bodies or the sharing of information with other levels of government.

Since the Privacy Act was enacted, there have also been a number of significant developments that highlight the uniqueness of Indigenous interests in relation to personal information. For example, in 1998, the First Nations and Inuit Regional Health Survey National Steering Committee recognized the OCAP® principles of data ownership, control, access, and possession. [Footnote 4] In 2018, the Government of Canada committed itself to the Principles respecting the Government of Canada’s relationship with Indigenous Peoples, which include recognition of Indigenous rights and of Indigenous governments’ right to self-determination. On June 21, 2021, the United Nations Declaration on the Rights of Indigenous Peoples Act received Royal Assent and immediately came into force.

Engagement with Indigenous partners

A modernized Privacy Act could support reconciliation with First Nations, Inuit and Métis in Canada by engaging in renewed, nation-to-nation, government-to-government, and Inuit-Crown relationships. While the Privacy Act focuses on protecting the personal information of all individuals that is held by federal public bodies, it also has specific impacts on Indigenous peoples in Canada. For instance, the Act currently defines “Indian band” and “aboriginal government” in a restricted manner. In addition, some of the provisions allowing the disclosure of personal information may not reflect the variety of reasons for which Indigenous partners may require disclosure of personal information.

In this context, Justice Canada sought to engage with governments and organizations representing the distinct perspectives of First Nations, Inuit and Métis on Privacy Act modernization. In 2019, Justice Canada held a targeted technical engagement to begin an in-depth exploration of issues related to the Privacy Act, including issues affecting Indigenous peoples. During this technical engagement, privacy and data experts, including experts with knowledge of Indigenous data issues, provided submissions which helped Justice Canada to identify issues for discussion for the dedicated engagement with Indigenous governments and organizations. [Footnote 5]

In 2020, Justice Canada wrote to 32 Indigenous governments and organizations to express interest in meeting to discuss Privacy Act modernization. [Footnote 6] This initial contact was intended to gauge partners’ interest and ability to have virtual bilateral engagement sessions, particularly in light of the COVID-19 pandemic. Officials from the Treasury Board of Canada Secretariat (TBS) were also invited to attend these meetings, given their role leading the Access to Information (phase 2) review and that initiative’s overlap with Privacy Act modernization.

Since August 2020, Justice Canada and TBS officials have held bilateral engagement sessions with representatives of 14 Indigenous governments and organizations to discuss Privacy Act modernization. These sessions took place in parallel with Justice Canada’s online public consultation, and some Indigenous partners participated in both forums. [Footnote 7] The purpose of the dedicated engagement was and continues to be understanding Indigenous partners’ perspectives and experiences with the Privacy Act and learning how the Act could better reflect their respective needs and expectations.

To date, we have had discussions with four national Indigenous organizations (NIOs), five Modern Treaty governments, one Métis Nation government, and several organizations and an advisory circle that have particular expertise in privacy, claims research, or information management. Though we have met with partners who advance the interests of all Indigenous peoples, we have not yet had the opportunity to meet with any who exclusively represent Inuit interests. The summary of what we have learned so far should be read with this limitation in mind.

To help orient the conversation, we provided a Backgrounder document to support the bilateral engagement sessions. [Footnote 8] Nevertheless, these conversations were an open forum for Indigenous partners to share their perspectives and experiences.

Throughout these meetings, all participating Indigenous partners were careful to clarify whose interests they were representing as well as the limitations of their authority to speak on behalf of other Indigenous peoples. Governments and organizations representing First Nations and Métis interests further emphasized the need to engage directly with First Nations and Métis rights-holders and with the governments authorized to represent them.

The majority of Indigenous partners emphasized the preliminary nature of their comments and expressed a desire for a continued dialogue. Many partners stressed the importance of having open and transparent communication with Justice Canada and TBS as they move forward with their respective modernization initiatives. This report was created as a direct result of this feedback.

One of the purposes of this report is to provide a transparent record of all the conversations that have occurred with Indigenous partners to date regarding Privacy Act modernization. Justice Canada officials prepared notes to document the important points raised during these conversations. After each session, these notes were shared with the representative(s) of participating partners and they were invited to provide feedback on the notes to ensure that they accurately captured the conversation. This report draws from these notes and consolidates the input received so far, so that all Indigenous partners, whether they have participated yet or not, can benefit from knowing what others have raised in the context of our initial discussions.

The following is a summary of what we have learned so far.

What we have learned so far from the Indigenous engagement

The modernization of the Privacy Act impacts First Nations, Inuit and Métis in unique ways

Several Indigenous partners noted that, in many cases, the federal government tends to hold more personal information about Indigenous individuals compared to most Canadians. Some partners suggested that the Government of Canada should explore ways to reduce what they view as the over-collection of Indigenous individuals’ personal information. They noted that this information also tends to be more sensitive than that pertaining to Canadians in general, as it may include demographic and social data such as information related to an individual’s genealogy, health, education, employment, housing, Indian Act status, and treaty annuity payments. As a result, Privacy Act modernization may have a unique impact on Indigenous individuals compared to other Canadians.

Indigenous partners also insisted that distinguishing between the experiences and perspectives of First Nations, Inuit and Métis is crucial to understanding the unique impacts and potential of Privacy Act modernization for each.

The Privacy Act is one part of the broader Indigenous data framework

Multiple Indigenous partners, including organizations with expertise in privacy, claims research or information management, noted that the Privacy Act does not regulate the handling of all Indigenous data, but only an individual’s personal information. The Privacy Act also intersects with other federal statutes [Footnote 9], many Modern Treaties, self-government agreements, and in some cases, Indigenous peoples’ own legislative, regulatory, and policy frameworks. Because the Privacy Act is only one piece of the framework regulating the access, protection, preservation, control, and sharing of Indigenous data, changes to modernize the Privacy Act should consider how the Act intersects with other important pieces governing First Nations, Inuit and Métis individuals’ personal information and other Indigenous data.

Recognizing the diversity of Indigenous governments

Subsection 8(2) of the Privacy Act specifies how federal public bodies can disclose personal information without the consent of the person to whom the information relates. Certain subsections (see ss. 8(2)(k), 8(2)(f), 8(6), 8(7) and 8(8)) authorize federal public bodies to disclose personal information for specific purposes to certain Indigenous governments, notably those defined as an “aboriginal government” or an “Indian Band” under the Act.

Most Indigenous partners considered these concepts and definitions too restrictive. Multiple partners asserted that a modernized Privacy Act should acknowledge the diversity of Indigenous governments in Canada and the various legal regimes under which they operate (Modern Treaties, self-government agreements, the Indian Act, the First Nations Land Management Act, Inuit Land Claims, etc.). Any modernized concepts and definitions should be expanded to recognize that Indigenous governments and organizations are formed at the community, grass-roots level. It should allow for a bottom-up determination of who qualifies as “Indigenous” and take into account traditional and hereditary governance structures. In addition, such a definition should not perpetuate the exclusion of historically underrepresented groups (for example, First Nations women, non-status individuals identifying as Indigenous, Métis Nation citizens, and individuals who identify as Indigenous but who are living off-reserve or outside land claim settlement areas).

Some partners expressed a preference to be explicitly named as governments under a modernized Privacy Act. However, some Modern Treaty partners indicated that this particular issue is less relevant to them, since they are already listed under the Privacy Act’s definition of “aboriginal government”.

One NIO partner suggested that the Privacy Act should adopt the inclusive definition of an “Indigenous governing body” as incorporated in other federal statutes, such as the Indigenous Languages Act. [Footnote 10] Another NIO partner, however, raised concerns with this suggestion, indicating that not all partners are recognized under this definition or were consulted when it was introduced in other federal legislation. Other partners either did not comment on this suggestion or indicated that they would need to seek the perspectives of their citizens or members before providing input on this topic.

Expanding the purposes for which information may be shared

The current Privacy Act lists two specific purposes for which personal information may be shared with certain Indigenous partners without the consent of the individual to whom the information relates: first, for the purpose of administering or enforcing any law or carrying out a lawful investigation (paragraph 8(2)(f)); and second, for the purpose of researching and validating claims, disputes and grievances (paragraph 8(2)(k)).

Indigenous partners emphasized the need to expand these purposes. They provided a number of reasons that First Nations, Inuit and Métis need increased access to personal or communal information, including:

Some NIOs, Modern Treaty governments, and organizations with expertise in privacy, claims research, or information management also emphasized the importance of receiving information in a timely, accurate, and efficient manner to effectively deliver programs and for strategic planning. One Métis Nation partner suggested that the United Nations Declaration on the Rights of Indigenous Peoples (UNDRIP) and the inherent rights to self-government and self-determination as recognized under section 35 of the Constitution Act, 1982, should be the starting point for information sharing. They saw no reason for the Privacy Act to list specific and limited purposes for which information can be disclosed to Indigenous peoples.

Finally, many partners underlined the importance of Indigenous data sovereignty, meaning that First Nations, Inuit and Métis should have control over their personal information and information relating to their respective communities. Some NIO partners and organizations with expertise in privacy, claims research, or information management added that federal public bodies should go beyond increased disclosure authorities and explore ways to transfer information about First Nations, Inuit and Métis to their respective governments and representative organizations.

Information-sharing agreements and interaction with federal government and Indigenous laws

Paragraph 8(2)(f) of the Privacy Act authorizes the disclosure to certain recipients of personal information without the consent of the individual to whom the information relates “for the purpose of administering or enforcing any law or carrying out a lawful investigation” where there is an information-sharing agreement (ISA) in place. However, regarding Indigenous partners specifically, such disclosures can only be made to First Nations listed in the Act. We asked whether there was a need for new and more flexible information-sharing partnerships to ensure that First Nations, Inuit and Métis Nation governments have the same opportunities to access personal information held by federal public bodies.

Most partners identified ISAs as one tool to address their need for more information. ISAs are useful because they can be tailored to the parties’ specific needs and can set different levels of protection depending on the sensitivity and use of the information. These partners suggested that the Privacy Act should provide clear legislative authority for the creation of ISAs between federal public bodies and First Nations, Inuit and Métis Nation governments and organizations. In their view, such an authority should be distinct from that used for foreign, provincial and territorial governments. It should be broad and adaptable so that it will work for different Indigenous peoples (for example, taking into account that some First Nations operate under the Indian Act and others have modern treaties, self-government agreements, or their own effective access to information and privacy legislation).

Certain Modern Treaty partners noted that it can be very resource intensive to create comprehensive ISAs. They suggested that the federal government should create template ISAs to assist First Nations who have less capacity to create one. Some partners suggested that template ISAs could establish baseline privacy protections to ensure adequate protection for the personal information disclosed or transferred to them, as long as First Nations governments were consulted on what the templates would cover.

Many partners noted that laws, regulations, or policies could be used to establish baseline privacy protections, which could supplement or be used in lieu of ISAs. Similarly, the federal government could consider supporting Indigenous governments with less capacity by clearly establishing baseline privacy protections in federal legislation, regulations, or policy. Including these standards in legislation might be more transparent and helpful to First Nations individuals than nation-to-nation ISAs, which may be confidential or harder to access. On the other hand, where federal laws interact with modern treaties, self-government agreements, or Indigenous partners’ own legislation on access to information and privacy, federal laws should recognize and respect these existing legal frameworks.

One NIO partner suggested that, similar to the Carbon Pollution Pricing Act, the Privacy Act could establish a minimum floor for Indigenous governments’ privacy protection requirements, but allow for an Indigenous government’s own legislation or an agreement between the Government of Canada and an Indigenous government to override the Privacy Act where the legislation or agreement provides equivalent or higher protection.

Finally, some Modern Treaty partners suggested that, regardless of whether ISAs or other legal tools are used, the federal government should ensure that First Nations have the capacity to meet increased privacy protection standards. Where necessary, the federal government should provide resources to assist First Nations in building capacity to meet these requirements prior to the disclosure or transfer of personal information.

Some organizations, particularly those representing First Nations’ interests, indicated that further engagement would be required to ascertain their members’ perspectives on ISAs or whether minimal privacy protections should be governed by legislation, regulation, or policy.

Mitigating impacts on Indigenous individuals’ privacy interests

The disclosure of personal information to Indigenous governments and organizations raises a number of questions that impact the privacy interests of First Nations, Inuit and Métis individuals. We asked whether there is a need to mitigate impacts to individual privacy interests through new legal, policy, or governance measures. We also asked to what extent federal public bodies should disclose personal information to an Indigenous entity where the personal information relates to an individual who is not associated with the entity seeking the information.

Many partners pointed out that this was a complex issue that requires the consideration and balancing of multiple interests, such as: (i) the federal government’s interest in ensuring adequate privacy protection and accountability; (ii) Indigenous peoples’ communal interest in data sovereignty and the protection of communal information; and (iii) Indigenous individuals’ privacy interests in having their personal information protected, regardless of who holds it. Some NIO partners indicated that particular care should be taken to protect the privacy interests of vulnerable Indigenous individuals, such as Indigenous women, First Nations individuals living off reserve, or individuals with no ties to their ancestral communities. They suggested that a case-by-case analysis should determine whether personal information should be disclosed.

Many partners agreed that there is a need to ensure that there are adequate privacy protections in place before a federal public body discloses or transfers personal information. Some NIO and Modern Treaty partners suggested that the Métis Nation and some First Nations already have governance frameworks or legislation that would provide or support adequate privacy protections for information under their control.

Many partners also commented that the level of protection for personal information may differ depending on the sensitivity of the information and how it is to be used. For example, some partners suggested that privacy protections should be as strong as possible where family history or health information is involved.

Some partners suggested that there should be a mechanism to allow Indigenous individuals to opt out when a federal public body is about to disclose their personal information to an Indigenous government, organization or entity. Others thought that Indigenous individuals should have the right to formally complain about their community’s use of their personal information. One NIO partner suggested that the Privacy Act could be amended to make the unauthorized disclosure of personal information an offence in order to deter improper use and disclosure of Indigenous individuals’ personal information.

Many Indigenous governments and organizations mentioned that they were not aware of their citizens’ and members’ perspectives regarding the impact of information sharing on Indigenous individuals. They indicated that further discussions would be needed to ascertain their particular perspectives.

Researching and validating claims, disputes and grievances

Paragraph 8(2)(k) of the Privacy Act authorizes federal public bodies to disclose personal information to certain Indigenous governments, associations and Indian bands, or to any person acting on their behalf, “for the purpose of researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada”.

Most NIO partners and organizations with expertise in privacy, claims research, or information management noted the importance of paragraph 8(2)(k). They identified its limits and discussed the need for more access to Indigenous data, but did not question the need to maintain such a disclosure provision in the Privacy Act.

Indigenous partners identified a number of practical impediments to meaningful access to information (described in the next section below). Many of their comments apply to both the Privacy Act and the Access to Information Act, given how the acts interact with each other with respect to accessing relevant information to support Indigenous peoples’ claims and address other needs.

Organizations with expertise in privacy, claims research, or information management were of the view that it is a conflict of interest to have federal public bodies making decisions about Indigenous peoples’ access to records and information that are needed to advance claims, disputes and grievances against the Government of Canada. They expressed concerns that Indigenous peoples often do not have access to the information they need to advance their collective claims, but that the Government of Canada has access to these same records in order to defend claims against it.

Practical impediments to meaningful access to information and privacy protection

Some Indigenous partners discussed the administrative barriers and limitations of the current access to information and Privacy Act regimes. Organizations with expertise in privacy, claims research, or information management noted that a number of issues arise in practice. These include the criteria that must be met to obtain access, the amount of information needed to prove successful claims, and the time it takes to access or challenge denials of information (up to five years). These partners noted there is also an issue with government departments taking different approaches to policies that require transferring records to Library and Archives Canada.

NIO and First Nations government representatives discussed the unique barriers their members and citizens experience that impact their access and privacy rights. They mentioned a lack of basic Internet access, IT systems, and infrastructure, the remote nature of some Indigenous communities, and technological and other literacy challenges (especially in English or French). While they acknowledged that increasing electronic access to government services is generally beneficial, they asserted that paper options must remain available given the current realities of many Indigenous communities and individuals. One barrier in particular was noted: that many Indigenous individuals may be hesitant to interact with the federal government because of past negative experiences.

Multiple Indigenous partners suggested that a mechanism to allow third parties to assist with information requests would alleviate some of these barriers. Some recommended a legislative modification to allow First Nations governments to request personal information on behalf of their citizens. However, another partner noted there are risks in allowing third-party representation where a vulnerable person is involved and stated that a strict consent framework would be required to maintain confidence in the system. One organization suggested these practical barriers could be reduced by providing free translation services or allowing information requests to be made in an Indigenous language.

Indigenous partners offered different perspectives on whether the publication of genealogical information would facilitate claims and other research. Two NIOs indicated that such a publication would be welcomed if it reduced the cost and the difficulty of obtaining that information. One organization with expertise in privacy, claims research, and information management suggested using a general database instead of a publication and providing equal access to researchers acting on behalf of Indigenous governments and organizations and Government of Canada researchers.

All Indigenous partners who provided input on this issue noted that the bigger challenge is how to appropriately balance access to information with the privacy rights involved. Questions such as whether publication would be open access (publicly available online) or limited access (such as only allowing authorized researchers to access databases or only allowing individuals to access their own ancestors’ and descendants’ information) require further discussion and consideration. Early comments suggested that there is no one-size-fits-all solution and government should adopt a risk-management approach to these questions.

New governance mechanisms

Decisions touching on the access to and protection of First Nations, Inuit and Métis individuals’ personal information can be particularly complex, and Indigenous governments and organizations want to exercise a measure of control over such decisions. We asked whether Indigenous partners thought that new governance tools were needed to support a participatory approach in assisting federal public bodies to discharge their stewardship obligations.

NIOs and organizations with expertise in privacy, claims research, or information management who provided feedback on this topic emphasized the need for Indigenous sovereignty over their data. This would require Indigenous peoples to be directly involved in the decision-making process related to how their information is used and disclosed. This may require legislative, policy, and process changes, such as the establishment of appropriate enforcement and appeal mechanisms.

These partners suggested that a new access to information and privacy regime could be established, one which would allow Indigenous peoples to provide direct guidance, oversight, or exercise formal decision-making powers with respect to how their information is used. For example, some of these partners suggested that Indigenous governments should be notified where there is a privacy breach involving their citizens’ data, or be consulted where federal public bodies intend to disclose Indigenous peoples’ data, particularly to third parties who intend to share or sell this information to others.

These partners suggested that a new oversight body could also be established. The oversight body would need to be arm’s length from the government, have Indigenous and non-governmental representation, and be adequately resourced. One NIO partner suggested that the Office of the Privacy Commissioner and Office of the Information Commissioner could continue their oversight functions, but be given the additional power to conduct a confidential investigation where an Indigenous individual’s request for information is denied. This would help protect the most vulnerable Indigenous individuals who require information, including Indigenous women and their families.

All partners who provided input on this topic emphasized that the creation of any new governance mechanisms would require consultation and co-development with Indigenous governments.

Recognizing collective-based privacy interests

Another issue that we raised for discussion was whether the Privacy Act should provide protection for both individual and collective privacy interests, and if so, how this could be best achieved.

Some NIOs and Indigenous expert organizations, as well as one Modern Treaty partner, noted that Indigenous peoples have unique, collective privacy interests. Collective privacy interests may arise in relation to a variety of traditions – for example, with respect to a First Nation’s ancestral naming traditions or traditions relating to sun dance ceremonies. Collective privacy interests may also arise in relation to other forms of knowledge and information (including Indigenous peoples’ oral histories, songs, stories, knowledge of medicines, and any other information about their community and in relation to their traditional lands). One organization with expertise in privacy, claims research, or information management noted that privacy protections for these types of interests must transcend jurisdictional boundaries and be open-ended enough to recognize new forms of privacy interests into the future.

There was divided opinion on whether the Privacy Act or other federal or Indigenous laws were the appropriate legal framework to protect collective privacy interests. Some partners noted that due to the Privacy Act’s emphasis and structuring around individual-based interests, it might not be the best framework for recognizing and protecting collective privacy interests. Others felt that the Privacy Act should protect collective privacy interests and could set out specific rules for this form of knowledge (for example, a requirement to notify the Indigenous community that Indigenous knowledge will be collected, how it will be used, if it will be disclosed, and if so, to whom). One organization with expertise in privacy, claims research, or information management stated that First Nations should have decision-making powers with respect to all their data; in their view, it would be better for First Nations’ own legislative frameworks to address this question. Another organization said that it would have to consult its individual member nations before providing feedback on this topic.

NIO partners who provided feedback on this topic felt that greater protections were needed for collective privacy interests, whether that occurred in the Privacy Act or elsewhere. One partner saw this issue as an opportunity to align Canadian privacy laws with the United Nations Declaration on the Rights of Indigenous Peoples, particularly its provision recognizing Indigenous peoples’ collective knowledge and to align privacy protections with the concept of Free, Prior and Informed Consent. This partner also suggested that Indigenous knowledge be explicitly recognized, as in the federal Impact Assessment Act.