Public consultation on the Privacy Act – Submission – Chartered Professional Accountants of Canada

This submission is available in English only.

Chartered Professional Accountants of Canada
205 – 99 Bank Street Ottawa ON CANADA K1P 6B9
T. 613 789.7771 F. 613 789.7772
www.cpacanada.ca

February 12, 2021

The Honourable David Lametti, P.C., Q.C., M.P.
Minister of Justice and Attorney General of Canada

The Honourable Jean-Yves Duclos, P.C., M.P.
President of the Treasury Board of Canada

Uploaded to letstalkprivacyact.ca

Dear Ministers:

Public consultation on modernizing Canada’s Privacy Act

Chartered Professional Accountants of Canada (CPA Canada) supports the modernization of Canada’s Privacy Act initiated by the Department of Justice (DOJ). A modernized Privacy Act can help improve data governance and build a foundation of trust in an increasingly digital and data-driven society. This is necessary to foster greater innovation and prosperity in the public interest.

We are supportive of the Government of Canada’s vision to modernize the Privacy Act under the three pillars of Respect, Accountability, and Adaptability. We also agree there needs to be stronger alignment between the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) as Canadians should be assured of the same level of privacy protection in both the public and private sector, aside from some differences due to the statutory basis for the collection of personal information, and public interest.

The governance of data – and its implications for privacy legislation and policy – is an important area of focus for the Canadian accounting profession. CPAs are required to adhere to a strict code of conduct that guides them to make sound and fair judgement and lays out their obligations to clients, employers, colleagues, and the public interest and therefore support the need to make sure the privacy of all Canadians is protected. At the same time, we also understand the critical importance of data in developing policy and ensuring informed decision making.

CPAs play critical roles in managing, analyzing, and assuring financial information, and our roles are increasingly expanding to include the management of information beyond financial data. CPAs also play a variety of roles supporting business decision making and building trust in both financial and non-financial systems. As well, CPAs have extensive expertise in risk management, governance, compliance, and standard setting in areas of financial reporting and assurance. These standards help ensure the integrity and objectivity in the disclosure of financial information. It is our belief that similar principles should be applied to ensure the integrity of personal information and that appropriate controls must be established so that the private information provided by Canadians is not used inappropriately or compromised.

Increasingly, CPAs are being asked to extend our traditional financial skills and competencies and our role in standard setting to other forms of data. In particular, our skills in designing and implementing internal controls for financial systems are being extended to encompass the provision of trust in non-financial information and in underlying systems. We are working with the CIO Strategy Council[1] and the Standards Council of Canada[2] to contribute to the design of standards around data governance.

CPA Canada has been actively involved with Innovation, Science, and Economic Development Canada in the National Digital and Data Consultation[3] and the modernization of PIPEDA[4]. In CPA Canada’s submission on the PIPEDA modernization, we emphasized the challenges of informed consent, the need for data mobility, the potential of data trusts, and the value of standards and codes. It may be worth examining these topics from the perspective of their applicability to the public sector privacy legislation.

CPA Canada has published related resources, including a Generally Accepted Privacy Principles (GAPP) framework[5] for organizations. The GAPP, while now dated, provided a comprehensive framework against which organizations could measure their privacy management programs. CPA Canada is considering an update to the GAPP to modernize it and reflect changes in privacy legislation and evolving circumstances in the world. Data governance and how privacy should be protected in the digital economy are of growing importance to the future of the accounting profession. CPA Canada launched a Foresight initiative[6] to explore and re-imagine the role of CPAs in the digital economy. Central to this initiative is expanding the profession’s traditional role of instilling trust in financial data to instilling trust in data more broadly. Under the Foresight initiative, we have established a Data Governance Committee bringing together a diverse range of expertise from within and external to the profession. The work of the Foresight initiative and our Data Governance Committee has helped to inform the recommendations in this submission.

A modernized Privacy Act is integral to meeting the overriding objective of Canada’s Digital Charter, to instill trust in the digital economy. Providing greater transparency into how the government treats personal information is key to building trust, but a modernized act should also ensure the government is able to leverage personal data to act in the public interest and improve public services for Canadians. To achieve this, we believe the following key areas need to be addressed in the legislative reform:

  1. Stronger accountability

    CPA Canada supports the need for stronger accountability measures to be placed in the Privacy Act. Such measures could include giving the Privacy Commissioner the additional power to enforce the personal information practices of federal departments and agencies as well as an obligation for federal departments and agencies to create and maintain a privacy management program. Internal controls should be established to facilitate privacy compliance reporting and subjected to audit, similar to the model used for internal controls over financial reporting. On that front, CPA Canada believes that compliance mechanisms under the Privacy Act should mirror what is being contemplated for the private sector through the Consumer Privacy Protection Act (CPPA).

    CPA Canada notes that the CPPA would empower the Privacy Commissioner to review and approve certification programs and codes of practice from recognized entities in the private sector. These programs and codes of practice would allow for entities to build compliance systems, set rules on how the CPPA should be applied at the organizational level, monitor, report and most importantly demonstrate ongoing compliance to the spirit of the legislation. This concept may be equally applicable to the public sector under the Privacy Act.

    Accountability is best enforced when organizations demonstrate compliance against measurable standards, made practicable through codes of practice and certification. CPA Canada believes such programs and codes would have greater value and integrity if they were designed and implemented by regulated professionals having robust ethical requirements that are enforced by regulatory bodies with powers and authority to protect the public.

    In the complex realm of data governance, trusted professionals are able to develop standards and establish internal controls to build trust in the processes and systems that manage personal information. Independent verification of adherence to these standards and controls should be required and trusted professionals can help provide assurance that principles, standards and regulations are being followed as required to protect personal information. The accounting profession’s expertise and reputation as trusted advisors as well as our deep roots in providing assurance services against set principles and standards position us well to serve this important role.

    We believe that enforcement powers must also be addressed under a new Privacy Act. Fine-making powers have less meaning in the public sector context when this becomes a redistribution of public funds, so more powerful tools lie in the ability to order cessation of processing, or other positive measures to direct proper and appropriate processing of data.

  2. Data integration

    Federal departments and agencies collect information from Canadians to deliver programs and set public policies. Information may only be collected for specifically identified purposes and personal information can only be shared with other federal departments and agencies under limited conditions. This creates data silos across the federal government that prevent the government from using all available data to solve problems for public benefit.

    As Canada is accelerating its transition to a digital economy, data has become a strategic resource. The federal government has a unique opportunity to take a leadership role and establish a balanced framework to facilitate data sharing. Data integration is needed to feed algorithms and machine learning tools. As indicated in the discussion paper on modernizing the Privacy Act, artificial intelligence needs large quantities of data to generate new insights. More data can also reduce the potential for unintended biases. Data sharing between federal departments and agencies can help meet public needs, improve the delivery of public services, and result in more informed decisions. On the other hand, transparent and accountable oversight processes need to be put in place to ensure that federated access and use of data does not result in lower levels of privacy protection.

    In order to generate new insights to help solve problems of public interest, governments and other stakeholders will need to work together. As such, we believe the modernized Privacy Act should manage privacy not by limiting data collection, but by enabling appropriate data sharing and reuse. Sharing data controlled by the federal government by authorizing access to other interested stakeholders is central to digitization. We support this new paradigm if appropriate and effective frameworks for managing data access and the protection of personal privacy are implemented. To start, the Government of Canada could consider leveraging frameworks being explored and adopted in many regions around the world including the European Union[7], Australia[8], and others. Breaking down data silos, getting data access correct, and ensuring shared data sets are appropriately anonymized are central to reaping the benefits from enhanced data sharing and reuse.

  3. Harmonized privacy protection requirements

    Canadians should be assured a similar level of privacy in both public and private sectors. Stronger alignment between the Privacy Act and the CPPA will help harmonize federal regulation and achieve this objective. This is particularly important given the degree to which the federal government uses private sector services (e.g. cloud providers or software-as-a-service applications) in order to meet its legislative mandates. Furthermore, there exist organizations outside the scope of these contemplated reforms (e.g. some federal agencies such as Statistics Canada), so similar reforms are needed to the legislation governing those organizations. Some of these reforms have already been identified under Canada’s Digital Charter, but there are gaps. Given the extent of information sharing that takes place among all actors, greater oversight over the data privacy policies and practices of all such organizations is required to ensure Canadians receive a similar level of privacy protection and that the overriding objective of the digital charter – trust in the economy – is achieved.

We appreciate the opportunity to comment on this important consultation. We believe that CPAs can play an instrumental role in helping Canada lay the foundation of trust while transforming towards a digital economy. We highlight that the objective should always be to balance measures designed to mitigate potential risks while allowing innovation to facilitate the best outcomes for Canadians.

We would welcome engaging in a discussion on these comments in greater detail and answer any questions you may have related to them. As our own work progresses on data governance and other emerging issues affecting our members and the public interest, we deepen our understanding and can provide better perspective and additional support. In the event there are further consultations and more focused questions, we expect to provide more detailed feedback and advice.

Please contact [Information was severed], Manager, Government Relations ([Information was severed]) if you have any questions regarding our response.

Sincerely,

[Information was severed]

Chartered Professional Accountants of Canada