THE OFFICES OF THE INFORMATION AND PRIVACY COMMISSIONERS: THE MERGER AND RELATED ISSUES

Part I: Background

In this Part of the Report, I set out the background information necessary for an analysis of the questions raised in the Terms of Reference. I review the history and purposes of the relevant legislation, detail the functions of the federal Information and Privacy Commissioners, relate the history of previous merger proposals, and describe the access to information and privacy regimes in the provinces, territories, and selected international jurisdictions.

The History and Purposes of Federal Access to Information and Privacy Legislation

From their beginnings to the post-World War II period, governments at both the federal and provincial levels functioned without any general law permitting access to information in their possession or restricting the collection, use, and disclosure of matters contained in such information that could affect the privacy of individuals. With the vast expansion in government and the consequent growth of the amount of information it collected, it came to be perceived both that access to such information was required to ensure democratic and accountable government, and that information collected by government about individuals should be treated as confidential. By the late 1960's, some of the provinces had already taken steps in that direction. The federal government began to engage in studies on both fronts in the early 1970's, but it was not until the early 1980's that comprehensive legislation addressing both issues was introduced.[5] The Bill, which contained both the present Access to Information Act and the Privacy Act, came into force on July 1, 1983. The Access to Information Act gives individuals a right of access to government information.[6] The Privacy Act permits them to gain access to information about themselves held in government data banks, and limits government's ability to collect, use, and disclose such information.[7]

The rights protected by both Acts are of the highest importance in the functioning of a modern democratic state. The right of access promotes accountability by government to the public and enables the latter to participate more meaningfully in the political process. It also serves the function of providing access to the extensive storehouse of information about our society in the possession of government. The recent Report of the Access to Information Review Task Force says it well:

The rationale for access to information legislation was recognized in the Government's 1977 Green Paper on public access to government documents which concluded that:

  • effective accountability - the public's judgment of choices taken by government - depends on knowing the information and options available to the decision-makers;
  • government documents often contain information vital to the effective participation of citizens and organizations in government decision-making; and
  • government has become the single most important storehouse of information about our society, information that is developed at public expense so should be publicly available wherever possible.

So important is the right to government information that some have come to refer to it as "quasi-constitutional" in nature.[8] This properly underlines the importance of the right. However, Parliament has made it clear that the right of access must cede to other interests in certain circumstances. As discussed in more detail below, the protection of the privacy of personal information constitutes one of the most important exceptions to the right of access.

The courts have also described the Privacy Act as carrying a "quasi-constitutional mission."[9] In a number of respects, however, privacy has also been recognized internationally as a human right and in Canada as a constitutional right. The Universal Declaration of Human Rights refers to privacy in the following terms:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.[10]

In Canada, privacy is a constitutional right both by virtue of the "liberty interest" in section 7 and the prohibition against unreasonable search and seizure set forth in section 8 of the Canadian Charter of Rights and Freedoms.[11] As early as 1984, the Supreme Court of Canada in Hunter v. Southam declared that the individual under section 8 has a constitutional right to a reasonable expectation of privacy.[12]

A few years later, in R. v. Dyment, the Court described privacy as an essential component of individual freedom. It thus put the matter:

Grounded in man's physical and moral autonomy, privacy is essential for the well-being of the individual. For this reason alone, it is worthy of constitutional protection, but it also has profound significance for the public order. The restraints imposed on government to pry into the lives of the citizen go to the essence of a democratic state.[13]

The Court in the latter case went on to explain that there are several aspects or zones of privacy, notably those relating to one's person, those having a spatial aspect (e.g. security of the home), and those relating to information, the aspect with which we are concerned here.[14] No one, of course, denies that modern governments have valid reasons to collect information about individuals for a wide variety of matters in the public interest. The Supreme Court has made it clear, however, that such information is in a fundamental way that of the individual and must remain confidential and restricted to the purposes for which it was divulged. It thus put the matter in Dyment:

Finally, there is privacy in relation to information. This too is based on the notion of the dignity and integrity of the individual. As the Task Force put it (p. 13): "This notion of privacy derives from the assumption that all information about a person is in a fundamental way his own, for him to communicate or retain for himself as he sees fit." In modern society, especially, retention of information about oneself is extremely important. We may, for one reason or another, wish or be compelled to reveal such information, but situations abound where the reasonable expectations of the individual that the information shall remain confidential to the persons to whom, and restricted to the purposes for which it is divulged, must be protected. Governments at all levels have in recent years recognized this and have devised rules and regulations to restrict the uses of information collected by them to those for which it was obtained; see, for example, the Privacy Act, S.C. 1980-81-82-83, c. 111.[15]

With this broad context in mind, we can turn to the question of how the rights set out in the Access to Information Act and the Privacy Act interact with one another. As stated, privacy is an exception to the right of access under the Access to Information Act. As the Supreme Court concluded in Dagg v. Canada (Minister of Finance):

Both statutes regulate the disclosure of personal information to third parties. Section 4(1) of the Access to Information Act states that the right to government information is "[s]ubject to this Act". Section 19(1) of the Act prohibits the disclosure of a record that contains personal information "as defined in section 3 of the Privacy Act". Section 8 of the Privacy Act contains a parallel prohibition, forbidding the non-consensual release of personal information except in certain specified circumstances. Personal information is thus specifically exempted from the general rule of disclosure. Both statutes recognize that, in so far as it is encompassed by the definition of "personal information" in s. 3 of the Privacy Act, privacy is paramount over access.[16]

This interpretive framework was reiterated by the Court in Canada (Information Commissioner) v. Canada (Commissioner of the Royal Canadian Mounted Police) as follows:

Further, I note that s. 4(1) of the Access Act states that the right to government information is "[s]ubject to this Act". Section 19(1) of the Access Act expressly prohibits the disclosure of a record that contains personal information "as defined in section 3 of the Privacy Act". Thus, s. 19(1) excludes "personal information", as defined in the Privacy Act, from the general access rule. The Access Act and the Privacy Act are a seamless code with complementary provisions that can and should be interpreted harmoniously.[17]

Most recently, the scope of privacy protection in Canada has been substantially enlarged by the passage of the Personal Information Protection and Electronic Documents Act ("PIPEDA").[18] Spurred on by legislative developments in the European Union[19] and the province of Quebec,[20] as well as the work of the Canadian Standards Association,[21] Parliament enacted PIPEDA in 2000 to protect personal information collected, used or disclosed by private sector entities.[22] PIPEDA sets out a list of principles, sometimes referred to as "fair information practices," that organizations subject to the Act must adhere to, subject to certain exceptions.[23] Generally speaking, those organizations must obtain the consent of individuals from whom they have collected personal information, and must limit their use of that information to the purposes for which consent was given. As advances in information technology cause more and more personal information to be collected and shared by private organizations, PIPEDA and its provincial counterparts will become increasingly important tools in safeguarding Canadians' personal information against misuse by profit-motivated organizations and ensuring that those organizations are able to compete in the marketplace on a level playing field.

The Functions of the Federal Information and Privacy Commissioners

The offices of the Information Commissioner and Privacy Commissioner were created in 1983 with the passage of the Access to InformationAct and the Privacy Act, respectively. As the Supreme Court of Canada observed in Lavigne, the mandates of the commissioners are "in many significant respects . . . in the nature of an ombudsman's role."[24] The Court described the nature of that role as follows:

An ombudsman is not counsel for the complainant. His or her duty is to examine both sides of the dispute, assess the harm that has been done and recommend ways of remedying it. The ombudsman's preferred methods are discussion and settlement by mutual agreement. As Dickson J. wrote in British Columbia Development Corp. v. Friedmann, [1984] 2 S.C.R. 447, the office of ombudsman and the grievance resolution procedure, which are neither legal nor political in a strict sense, are of Swedish origin, circa 1809. He described their genesis (at pp. 458-59):

  • As originally conceived, the Swedish Ombudsman was to be the Parliament's overseer of the administration, but over time the character of the institution gradually changed. Eventually, the Ombudsman's main function came to be the investigation of complaints of maladministration on behalf of aggrieved citizens and the recommendation of corrective action to the governmental official or department involved.

  • The institution of Ombudsman has grown since its creation. It has been adopted in many jurisdictions around the world in response to what R. Gregory and P. Hutchesson in The Parliamentary Ombudsman (1975) refer to, at p. 15, as "one of the dilemmas of our times" namely, that "(i)n the modern state . . . democratic action is possible only through the instrumentality of bureaucratic organization; yet bureaucratic power - if it is not properly controlled - is itself destructive of democracy and its values."

  • The factors which have led to the rise of the institution of Ombudsman are well-known. Within the last generation or two the size and complexity of government has increased immeasurably, in both qualitative and quantitative terms. Since the emergence of the modern welfare state the intrusion of government into the lives and livelihood of individuals has increased exponentially. Government now provides services and benefits, intervenes actively in the marketplace, and engages in proprietary functions that fifty years ago would have been unthinkable.[25]

Appropriately, the offices of the Information and Privacy Commissioners are designed to be independent of the administrative branch of government.[26] Each commissioner is appointed by the Governor in Council (Cabinet), with approval by resolution of the Senate and House of Commons.[27] They are appointed on good behaviour for seven years and may be removed by the Governor in Council on address of the Senate and House of Commons.[28] They receive the same salaries as judges of the Federal Court,[29] and they report on their activities to Parliament, not to the Government.[30]

In keeping with the ombudsman function, the primary duty of both the Information and Privacy Commissioners is to independently and impartially investigate and make recommendations with respect to complaints from persons alleging that a government institution has breached their rights under the Access to Information Act or Privacy Act.[31] Both commissioners have robust investigative powers, including the rights to summon and enforce the appearance of witnesses, compel witnesses to give evidence or produce documents, and enter premises of government institutions and inspect records found there.[32] Both also have the authority to access any document (except Cabinet confidences) under the control of a government institution, including documents that would otherwise be protected by a legal privilege.[33] After completing the investigation, the Commissioner must report his or her findings to the head of the government institution in question. If the Commissioner finds that the complaint is well-founded, the Commissioner may recommend that the government institution take corrective action.[34] Neither Commissioner has the power to order the release of information or compel the institution to do anything or refrain from doing anything with respect to the information. If the government institution does not follow the Commissioner's recommendation to disclose information, either the complainant or the Commissioner (with the consent of the complainant) may apply to the Federal Court for a review of the institution's decision.[35] The Court has the power to order the disclosure of the information.[36]

The Information and Privacy Commissioners also have a number of other important functions. The Privacy Commissioner, for instance, is empowered to audit government institutions to ensure that they are complying with their obligations under the Act, recommend changes to effect compliance, and report failures to comply to the institution and Parliament.[37] The Privacy Commissioner may also assess whether a government institution's decision to designate a data bank as exempt from disclosure was correct, and ask the Federal Court to rule on the question if the government institution fails to accept the Commissioner's determination that it was not.[38] Both commissioners must also submit annual reports to Parliament and may in addition submit special reports with respect to urgent matters.[39]

In recent years, the Privacy Commissioner has also taken on another substantial set of responsibilities. With the enactment of Part I of PIPEDA, the Privacy Commissioner has become responsible for overseeing the application of privacy norms across a broad swath of the private sector. As is the case under the Privacy Act, the Privacy Commissioner's chief role under PIPEDA is to attempt to resolve complaints that organizations have violated their obligations with respect to the collection, use, or disclosure of personal information. Like the Privacy Act, PIPEDA gives the Commissioner strong investigative powers, but it reserves decision making authority for the Federal Court, which has remedial powers similar to those provided by the Access to Information Act and the Privacy Act.[40] The Commissioner is given only the power to make recommendations.[41] PIPEDA also authorizes the Privacy Commissioner to initiate investigations[42] and audit organizations' personal information management practices.[43] Unlike the Access to Information Act and Privacy Act, PIPEDA also expressly obliges the Commissioner to promote the purposes of the Act by, among other things, conducting public educational programs, undertaking and publishing research, and encouraging organizations to develop compliance policies.[44] And in keeping with the constitutional reality of shared jurisdiction over privacy protection, PIPEDA also empowers the Privacy Commissioner to consult with provincial authorities to ensure that "personal information is protected in as consistent a manner as possible."[45]

Apart from their express, statutory duties, the Information and Privacy Commissioners have been active in promoting the values of access and privacy in a variety of national and international fora. Commissioners have commented on proposed legislation and government policies, appeared before parliamentary committees, conducted surveys, sponsored research, published summaries of findings, and given public lectures.[46]

It can be seen, then, that while the primary role of the Information and Privacy Commissioners continues to be that of an ombudsman - investigating complaints and issuing advisory findings - their functions are in fact multi-faceted. As Colin J. Bennett has said of the Privacy Commissioner, she is "expected at some point to perform seven interrelated roles: ombudsman, auditor, consultant, educator, policy advisor, negotiator and enforcer."[47] Many of these roles, I would add, are also performed by the Information Commissioner. And each of these roles, and the increasingly strenuous demands they place on the offices of the two commissioners, must be considered in assessing the wisdom of any form of merger.