Privacy Act Modernization: Engagement with Indigenous Partners – What We Have Learned (so far) and Next Steps

Part 2: Moving forward and inviting feedback on potential changes

Moving forward with Privacy Act modernization

The summary in Part 1 of this report shows that not all questions related to Privacy Act modernization raise the same concerns among Indigenous partners. However, many have received a lot of input and could benefit from further comments on potential changes to the Privacy Act. Other questions, however, require additional discussions and consideration before potential policy options can be explored.

Most Indigenous partners expressed an interest in having initial or further engagement once policy options for potential changes were identified. They asked Justice Canada and TBS to communicate timelines and opportunities for future engagement on the Privacy Act modernization and Access to Information (phase 2) review initiatives as they unfold. This part of the report was created with this feedback in mind and is intended to provide information on the next steps for Justice Canada’s engagement with Indigenous partners.

Moreover, it is on this basis that we have developed a multi-stage approach for moving forward with Privacy Act modernization. The goal of this approach is to ensure that all questions related to Privacy Act modernization and its impact on Indigenous peoples are given appropriate consideration and are coherently addressed, while maintaining forward momentum in modernizing the Privacy Act as a whole. With this in mind, we are proposing to first discuss the Privacy Act’s foundational principles and rules that play a significant role in governing information sharing between federal public bodies and Indigenous peoples with Indigenous governments and organizations. After that, and possibly after the enactment of a new Privacy Act, we would then engage partners to discuss the more detailed rules and complex questions to support any initial changes made.

For the next stage, we invite input and comments on the following ideas for potential changes that we have developed based on what we have learned so far.

Ideas for potential changes to modernize the Privacy Act

1. Explicitly recognizing advancing reconciliation with Indigenous peoples as a purpose of the Privacy Act

Like many federal laws, the Privacy Act contains a purpose clause. In the context of the online public consultation on Privacy Act modernization, Justice Canada proposed updating the Act’s current purpose clause to clearly state the important underlying objectives of federal public sector personal information protection legislation, including advancing reconciliation with Indigenous peoples in Canada by promoting better sharing of Indigenous individuals’ personal information with First Nations, Inuit and Métis. Other proposed objectives include:

Including these objectives could better guide the interpretation of the Act and the discretionary decisions it frequently requires. The idea of adopting a better-framed purpose clause that would reflect the broader public objectives of the Privacy Act received support from many stakeholders who participated in the online public consultation.

Q1. In what circumstances would you support the inclusion of a purpose clause which recognizes that one purpose of a modernized Privacy Act is advancing reconciliation with Indigenous peoples in Canada by promoting improved sharing of Indigenous individuals’ personal information with First Nations, Inuit and Métis?

2. Adding a principle stating that a federal public body may disclose Indigenous individuals’ personal information under its control to an Indigenous government, organization or entity

A principles-based approach to personal information protection

In its online public consultation discussion paper, Justice Canada proposed that a modernized Privacy Act could incorporate a number of internationally recognized principles for protecting personal information, similar to other personal information protection laws in Canada and elsewhere. These would set the baseline expectations for Canadians and federal public bodies as to how personal information should be managed and protected by federal public bodies (Footnote 12). These principles would be supported by more detailed rules offering specific direction about what the Privacy Act requires or allows these bodies to do.

This principles-based approach garnered substantial support from most stakeholders who participated in the online public consultation. Such principles were widely seen as being part of a contextually sensitive, adaptable and flexible approach to regulating activities involving personal information, as well as supporting the interoperability of the Privacy Act with other personal information protection frameworks.

Broadening the scope of disclosure to entities representing the interests of Indigenous peoples

In both the online public consultation and Indigenous engagement so far, Indigenous partners expressed a need for greater disclosure of Indigenous individuals’ personal information by federal public bodies to entities representing the interests of Indigenous peoples. In light of this, one idea would be to include a new principle under the Act stating that a federal public body may disclose an Indigenous individual’s personal information under its control to an Indigenous government, organization or entity, without requiring the consent of the individual. Such a principle could expand the current disclosure authorities both by authorizing disclosure for more purposes than currently recognized and by authorizing disclosure to a greater variety of Indigenous recipients. For instance, it could recognize that such personal information might be disclosed to a greater number of Indigenous governments than those currently identified under the Act, as well as to Indigenous organizations and entities.

A principle recognizing such an expansive disclosure authority could be a significant step in modernizing the information-sharing relationship between federal public bodies and Indigenous peoples. However, to ensure that Indigenous individuals’ personal information remains protected and that federal public bodies meet their responsibilities and accountability obligations, this principle would need to be supported by a more specific privacy protection framework. As such, adequate privacy protections would need to be in place before such a principle could be used to disclose Indigenous individuals’ personal information.

Subsections A-D below explore the ways in which a principle could be framed and could work to expand the current disclosure authorities, while subsection E aims to further a discussion on how more specific rules could support such a principle so it could work in practice.

Q2. In what circumstances would you support the addition of a principle recognizing that a federal public body may disclose Indigenous individuals’ personal information under its control to an Indigenous government, organization or entity?

A. The purposes for which the information can be disclosed without an individual’s consent

There was a consistent message throughout the engagement sessions: First Nations, Inuit and Métis governments and organizations need more access to Indigenous individuals’ personal information. Currently, section 8 of the Privacy Act authorizes a federal government institution to disclose an individual’s personal information for any purpose with his or her consent. Section 8 also identifies specific circumstances that authorize the disclosure of the personal information of any individual without that individual’s consent. Some of these are general authorities for disclosing personal information without an individual’s consent (Footnote 13), while some are specific to Indigenous peoples (Footnote 14).

Indigenous partners expressed support for maintaining the existing disclosure authorities in a modernized Act, but also suggested adding new authorities to allow federal public bodies to disclose Indigenous individuals’ personal information without their consent for a greater number of purposes.

Indigenous partners have raised a number of reasons for needing greater access to the personal information of their citizens or members. Many of these reasons are related to the exercise of government functions such as community service delivery, natural resources management, and future governance initiatives. Some Indigenous partners have also expressed that Indigenous data sovereignty justifies disclosure of personal information for greater purposes.

There are two possible approaches for expanding the current list of purposes for the disclosure of Indigenous individuals’ personal information to Indigenous entities without the individual’s consent. One approach could be to identify all the purposes not already mentioned in the Privacy Act for which disclosure of personal information to Indigenous governments, organizations and entities should be authorized, and then listing them in the Act. These purposes could be specific (for example, “for research purposes”), or more general (using language such as “to contribute to the development or well-being of the community that the recipient represents” or “for the purpose of advancing the interests of Indigenous peoples in Canada”). Another approach could be one that simply authorizes disclosure without consent to Indigenous governments, organizations or entities regardless of the purpose of the disclosure.

Q3. For which purposes, in addition to those already included in the Privacy Act, should disclosure of Indigenous individuals’ personal information to Indigenous governments, organizations or entities be authorized?

Q4. Which approaches would you support to expand the purposes for which Indigenous individuals’ personal information could be disclosed without consent?

A) Would you support (a) listing all the purposes for which disclosure is permitted, (b) allowing disclosure regardless of the purpose, or (c) an alternative approach?

B. Recognizing the diversity of Indigenous governments

Indigenous partners are in overall agreement that the Privacy Act provisions authorizing the disclosure of personal information without consent need to recognize the scope and diversity of Indigenous governments. This would mean no longer limiting disclosure to those who are “Indian Bands”, who are listed as an “aboriginal government”, and those who are expressly identified as authorized recipients of personal information (Footnote 15). It would also mean no longer distinguishing between these Indigenous governments. To achieve this goal, a modernized Privacy Act could include new concepts or definitions encompassing First Nations, Inuit and Métis Nation governments as governments to whom personal information could be disclosed. One consideration would be avoiding a legislative list that needs to be constantly updated, yet having a concept clear enough to prevent interpretation issues, delays in disclosures, and potential privacy breaches.

Lawmakers have tried multiple ways to recognize the diversity of Indigenous governments. Some provincial data-protection statutes refer to Indigenous organizations “exercising government functions” (Footnote 16), while some federal statutes refer to the concept of an “Indigenous governing body” and define it as “a council, government or other entity that is authorized to act on behalf of an Indigenous group, community or people that holds rights recognized and affirmed by section 35 of the Constitution Act, 1982” (Footnote 17).

Q5. Which concepts and definitions would you support to ensure that the Privacy Act appropriately recognizes the diversity of First Nations, Inuit, and Métis Nation governments?

C. Disclosures of personal information to Indigenous organizations and entities

Adding a principle to the Privacy Act that would expand the purposes for which the personal information of Indigenous individuals can be disclosed without consent raises another question: whether this personal information should be disclosed without consent to Indigenous organizations or entities other than Indigenous governments. For example, the Privacy Act could authorize disclosure to any “Indigenous organization”, which could be defined as in other federal statutes as an “entity that represents the interests of an Indigenous group and its members” (Footnote 18). Furthermore, the Privacy Act could allow personal information to be shared with recipients regardless of the purpose or only for some specific purposes, depending on the recipient. This issue raises related questions about which Indigenous entities have the endorsement and trust of First Nations, Inuit and Métis to receive their personal information and for which purposes.

Q6. If a modernized Privacy Act were to authorize disclosure of Indigenous individuals’ personal information regardless of the purpose, should this broad disclosure authority be for Indigenous governments only or for all Indigenous governments, organizations and entities?

Q7. If a modernized Privacy Act were to authorize disclosure of Indigenous individuals’ personal information for a new list of specific purposes, which types of Indigenous entities (governments, organizations and/or other entities) should be identified as authorized recipients for each of these purposes?

Q8. What measures should be used to assist a federal public body in ensuring that an Indigenous government, organization, or entity is authorized to receive the personal information of its citizens or members?

D. The transfer of personal information

Some Indigenous partners have emphasized the importance of Indigenous data sovereignty and suggested that the Privacy Act should also authorize federal public bodies to transfer personal information about First Nations, Inuit and Métis to their respective governments and representative organizations. For the purposes of this discussion, a transfer is different from the usual situation where a copy of the personal information is provided to the requestor. Instead, with a transfer, a federal public body would provide the personal information and then would cease to have control over or even a copy of the information transferred, subject to its own obligations pursuant to the Library and Archives of Canada Act. This would mean that the federal public body would be unable to use or disclose the information anymore, including giving access to it to the individual to whom it relates.

Q9. In what circumstances would you support expanding the Privacy Act’s disclosure provisions to authorize federal public bodies to transfer personal information?

A) Should the transfer of personal information be authorized in general or limited to specific situations, such as where there is also a transfer of a program or activity?

B) Should federal public bodies be authorized to transfer personal information to all or some Indigenous governments, organizations or entities?

E. Mitigating impacts on Indigenous individuals’ privacy interests

Many Indigenous partners recognized the need to mitigate impacts on Indigenous individuals’ privacy interests and to ensure there are adequate privacy protections in place before a federal public body discloses or transfers the individual’s personal information to a First Nations, Inuit or Métis government, organization or another entity. This means there would need to be a framework in place to ensure adequate privacy protections before the principle extending the current scope of authorized disclosure could be used.

Some Indigenous partners have identified measures and mechanisms that could ensure the protection of the personal information after disclosure or transfer, in line with federal public bodies’ responsibilities and accountability obligations. Information-sharing agreements (ISAs) were recognized by some partners as a good tool for establishing minimal privacy protections but also as very resource intensive. Consequently, some partners proposed creating an ISA template to establish baseline privacy protections and creating a regulation-making power to establish it. As an alternative to an ISA, others suggested that federal public bodies could rely on the privacy protections provided by Indigenous governments’ own privacy legislation or codes where these exist. This alternative would align with the approach of many jurisdictions that authorize the disclosure of personal information when the recipient is subject to a personal information protection framework that provides a “similar”, “equivalent”, or “adequate” level of protection as the one that applies to the disclosing entity.

Q10. What mechanisms should the Privacy Act recognize to support expanded information sharing and to ensure the protection of personal information disclosed or transferred to First Nations, Inuit and Métis governments and organizations in line with federal public bodies’ responsibilities and accountability obligations?

A) Should a new Act explicitly recognize ISAs and Indigenous peoples’ own legislation and privacy codes as mechanisms to support personal information sharing and protection?

Q11. In what circumstances would you support the development of legislative or regulatory requirements to establish the baseline privacy protections that any chosen mechanism (whether ISAs, Indigenous privacy legislation or code) should include to mitigate the impacts of disclosure and transfer on Indigenous individuals’ privacy interests?

Q12. What baseline privacy requirements should be discussed after engagement on the potential changes identified in Part 2 has concluded?