Public consultation on the Privacy Act – Submission – Anonymous #4

Cette soumission n’est disponible qu’en anglais.

February 12, 2021

The Honourable David Lametti, P.C., Q.C.
Minister of Justice and Attorney General of Canada
House of Commons
Ottawa, Ontario K1A 0A6

Dear Minister Lametti,

This letter is further to your invitation to provide comments on the discussion paper, titled “Modernizing Canada’s Privacy Act – Online Public Consultation” dated November 16, 2020.

We appreciate the opportunity to provide our views on modernizing the Privacy Act. This letter focuses on the areas of the discussion paper that we strongly support, as well as areas of particular concern for us, as discussed below (numbers and titles match the numbers and titles in the discussion paper).

A vision for modernizing the Privacy Act

1. Technological neutrality:

We are supportive of the view that a modern Privacy Act should emphasize technological neutrality. These advanced technologies, which are constantly changing, are more secure ways of protecting the personal information collected by government institutions. We believe that the statute should encourage technological innovation among government institutions.

4. Clarifying concepts

Updating and clarifying the definition of “personal information”:

We believe that the scope of the Privacy Act should remain limited to recorded personal information. From a practical perspective, it is unclear how an organization could protect unrecorded personal information.

We also support:

  • a reasonableness test and further criteria to clarify the concept of “identifiable” in the definition of personal information; and
  • eliminating exemptions from the definition of “personal information”, provided that the definition is very clear on what constitutes personal information.

Defining business contact information:

We support explicitly excluding business contact information (including federal government employees, private sector employees, etc.) from the definition of personal information. In particular, we recommend including examples of business contact information in guidance documents that can be updated over time, such as titles, address, email, phone number, etc.

Broadening the concept of administrative purpose:

We would like to better understand the rationale for broadening the concept of administrative purpose to any personal information that “could directly affect the individual”. This broad wording could potentially encompass almost all personal information, even if there is only a possibility that it may directly affect the individual. Further, such wording may create uncertainty on how the requirements could be met due to a lack of clarity on what could directly affect an individual. Therefore, we do not recommend changing the definition of administrative purpose.

5. Updating rights and obligations, and introducing new ones

Expanded access rights:

We believe that expanded access rights for foreign nationals to request their personal information would have resource implications for government institutions. In addition, mailing personal information to foreign jurisdictions could also give rise to greater security concerns where the foreign jurisdictions have less secure mail services. However, we would be supportive of expanding access rights by allowing foreign nationals to request their personal information by electronic means and we support including criteria for verifying the identity of foreign nationals.

A right to have personal information collected directly from the individual for all intended purposes, unless an exception applies / A right for the individual to be notified when his or her personal information is collected by a federal public body, unless an exception applies:

We support including an exception to direct collection and notification where collection from another source is authorized or required under another act of Parliament, including regulations and by-laws.

An obligation to contain personal information breaches and to subsequently notify the Privacy Commissioner and affected individuals in certain cases:

Regarding an obligation to mitigate privacy breaches, we support the overall concept, but would appreciate further clarity on the extent of “mitigation”. For example, how will it be determined whether an organization has taken appropriate mitigation steps?

6. Updating rules on the collection, use, disclosure, and retention of personal information

Addressing unsolicited collections of personal information:

We support the view that unsolicited personal information be addressed in the Privacy Act. Unsolicited personal information should be deleted or returned upon receipt, and individuals should be notified of the actions taken regarding their personal information.

Introducing a principles-based approach to retaining personal information:

We agree with the proposed “limiting use, disclosure and retention” principle to retain personal information for no longer than is reasonably needed. This reduces the amount of personal information retained by government institutions for longer retention periods than needed, which could reduce the risk of a privacy breach.

7. Allowing a greater role for “de-identified” personal information:

We would appreciate greater clarity/criteria for when personal information is considered “de-identified” and thus is no longer considered personal information under the Privacy Act.

8. Introducing stronger accountability mechanisms in the Act

An obligation to undertake a Privacy Impact Assessment (“PIA”):

The drafting of PIAs is resource intensive for government institutions, particularly for smaller organizations. Therefore, in order to balance the protection of personal information with operational effectiveness, we suggest:

  • Some modifications to when a PIA is required. For example, when substantial changes are made to an existing program where a PIA has already been undertaken, instead of undertaking a new PIA, we suggest a requirement to notify the Privacy Commissioner and the Treasury Board, as well as update the summary of the PIA on the institution’s website.
  • Further defining what constitutes a “substantial” modification.
  • That PIAs only be required for programs/activities where decisions are being made that directly affect an individual.
  • Per the comment above about technological neutrality, that the PIA requirement clarify that a new program or activity does not include changes in technology.
  • Not publishing the full PIA online (given confidential information in PIAs).

9. Modernizing transparency practices

We fully support creating an online, accessible, searchable personal information registry. The personal information banks (PIBs) as drafted are difficult for members of the public to understand and are rarely referenced in personal information requests. That being said, given that this is a significant change to current practices, we would suggest a transition period for this new registry.

Regarding publishing details of information-sharing agreements, we would like further clarity on whether these are only agreements that contemplate the sharing of personal information and with whom (federal government, international authorities, etc.). We will be in a better position to comment on this point upon further clarity of what is captured under this proposed requirement, as well as any exceptions.

We suggest including a more expansive list of exceptions to the transparency requirements, similar to the current section 5(2) of the Privacy Act where doing so would defeat the purpose of collection.

Additional Recommendations

While not directly addressed in the discussion paper, we have the following recommendations to modernize the Privacy Act:

  • Clarifying the definition of a “material privacy breach” – in particular, providing a definition of “unauthorized” use, disclose and disposal as it relates to a “material privacy breach” as opposed to a “privacy breach”. For example, we believe that “unauthorized” could be more relevant to criminal activity in a material privacy breach, as opposed to less severe infractions in a privacy breach.
  • Removing the requirement for a personal information bank for any personal information that “is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual”, as this requirement does not consider modern technological ways of organizing personal information.

Thank you for the opportunity to provide comments on the discussion paper. We would be happy to provide comments on exemptions/exclusions in the Privacy Act during the next phase of review.