Public consultation on the Privacy Act – Submission – Christianne Elefante, Petra Faddoul, Hannah Friesen and Karla Mallach

Cette soumission n’est disponible qu’en anglais.

Christianne Elefante, Petra Faddoul, Hannah Friesen, & Karla Mallach
Office of the Privacy Commissioner of Canada
February 14, 2021

Executive Summary

In participating in the public consultation to modernize the Privacy Act, we present recommendations that focus on the ways in which the Act may be improved to support First Nations and Indigenous data sovereignty (as established by OCAP®) and to support the development of citizen engagement and privacy literacy through community-led privacy initiatives.

  • Recommendation 1: We recommend that the Privacy Act establish a mechanism that allows for First Nations to own information about their groups and members, appoint a third party institution as a data steward, and act and be acknowledged as sovereign governments who are capable and empowered to control their own data and the personal information of their members.
  • To supplement Recommendation 1, we recommend that First Nations communities be empowered to appoint their own data stewards in order to protect their communities from potential re-identification through data and personal information disclosure on behalf of the federal government.
  • Recommendation 2: We recommend that the Privacy Act foster transparency and community-led privacy initiatives between the Office of the Privacy Commissioner and the public by creating accessible and community-centered resources, informing citizens of their privacy rights and committing to accountability through government training and development.


We are making these recommendations from a perspective that considers and is informed by Indigenous Ways of Knowing with the hope that they will be implemented to the benefit of all people. To begin, we would like to situate ourselves in the context of this discussion and identify ourselves as a group of settlers who have benefited from colonial power structures. As non-Indigenous persons, we aim to support and amplify recommendations based on literature that centers on Indigenous-based research and documentation. However, we do not speak as members of Indigenous communities and do not intend for our voices to override the stated needs of Indigenous communities.

In our recommendations, we define Indigenous data according to the CARE Principles for Indigenous Data Governance, which states that Indigenous data includes “data collected by governments and institutions about Indigenous Peoples and their territories”Footnote 1. The Principles go on to express that this data is “intrinsic to Indigenous Peoples’ capacity and capability to realise their human rights and responsibilities to all of creation”.Footnote 2

We also reference the Ownership, Control, Access, and Possession (OCAP®) principles, which define these terms as follows:

  • Ownership refers to the relationship of First Nations to their cultural knowledge, data, and information. This principle states that a community or group owns information collectively in the same way that an individual owns his or her personal information.
  • Control affirms that First Nations, their communities, and representative bodies are within their rights in seeking to control over all aspects of research and information management processes that impact them. First Nations control of research can include all stages of a particular research project - from start to finish. The principle extends to the control of resources and review processes, the planning process, management of the information and so on.
  • Access refers to the fact that First Nations must have access to information and data about themselves and their communities regardless of where it is held. The principle of access also refers to the right of First Nations’ communities and organizations to manage and make decisions regarding access to their collective information. This may be achieved, in practice, through standardized, formal protocols.
  • Possession While ownership identifies the relationship between a people and their information in principle, possession or stewardship is more concrete: it refers to the physical control of data. Possession is the mechanism by which ownership can be asserted and protected.Footnote 3

We recognize that OCAP® applies to specific First Nations communities and thus does not extend across all distinct Indigenous communities and Peoples. Therefore, we have referenced OCAP® in a particular capacity, but also adamantly acknowledge the autonomy and individuality of each community. Stewardship and collection needs must be informed by these distinct communities, as will be mentioned further on.

Finally, we affirm that the issues discussed in this intervention should extend to both recognized and unrecognized groups in federal legislation and determine that all groups should be given the opportunity to self-identify, although we recognize that parts of this identification work will be outside of the scope of the Privacy Act recommendations and rely on alternative pieces of legislation. Any reference to or identification of Indigenous Peoples, communities, or governance should be developed out of consultation and informed solely by these communities.

In Modernizing the Privacy Act, one of the objectives that the Government has set out to accomplish is to “advance reconciliation with Indigenous peoples in Canada as there are opportunities for the Privacy Act to acknowledge, affirm and empower Indigenous individuals, communities and governments”Footnote 4.

We believe that, if done with an intentional and community-informed approach, these recommendations offer the opportunity to begin this advancement of reconciliation with Indigenous peoples, acknowledging, affirming, and empowering Indigenous individuals, communities, and governments, as the modernized Privacy Act sets out to do.

We believe that true modernization of the Privacy Act cannot occur without introducing the recommended rights of and obligations towards Indigenous data sovereignty. Otherwise, the Act would not be modernized at all, but continue to enact wrongs and injustices towards the Indigenous Peoples of this land. We also believe that implementing these recommendations will ultimately work to the benefit of all of the people that the Act impacts.

Documents Review

We have used the following national and international authoritative policies and frameworks on the treatment of Indigenous Peoples and Indigenous data in order to inform and guide our creation of these recommendations, particularly for Recommendations 1 and 2.

  • The United Nations Declaration on the Rights of Indigenous Peoples (UNDRIP)Footnote 5
  • OCAP®Footnote 6
  • The Government of Canada’s Truth and Reconciliation Commission’s (TRC) Calls to ActionFootnote 7
  • The Principles Respecting the Government of Canada’s Relationship with Indigenous peoples.Footnote 8

These documents express the importance of data sovereignty for Indigenous peoples and fit will with the Canadian context we are working within.

As of 2020, the Government of Canada introduced legislation to implement UNDRIP. UNDRIP is an international measure adopted by the United Nations in 2007 to enshrine the rights that “constitute the minimum standards for the survival, dignity and well-being of the indigenous peoples of the world”. Consulting the rights outlined in UNDRIP set up our outlook for these recommendations. In particular, we consider the UNDRIP articles to be an important standard which new and modernized legislation should strive to consider. As there is no part of governance or legislation that does not affect Indigenous Peoples living in Canada, there should be no legislation created or introduced that does not consider the rights of Indigenous people.

OCAP® is a set of standards developed by the First Nations Information Governance Centre regarding the treatment of information by and about First Nations. As mentioned previously, we acknowledge that this framework was created for First Nations, but have used the OCAP® principles to help guide our knowledge into creating these recommendations. The TRC’s Calls to Action have also informed our recommendations by providing us with knowledge about how the Government of Canada has determined to address reconciliation with Indigenous Peoples in Canada. Together, these governmental and international documents validate our government’s commitment to Indigenous data sovereignty and provide mutual support for our recommendations and eventually determine the path forward.

We have also consulted several academic studies which highlight some of the existing challenges regarding Indigenous information privacy and data sovereignty and privacy legislation.

Finally, we have explored the methods in which the Government has initiated public engagement and education with information policy through its online resources for PIPEDA in order to create Recommendation 2.

Recommendation 1

“Discussion Paper 5: Modernizing the Privacy Act’s relationship with Indigneous Peoples in Canada”Footnote 9 considers whether or not the provisions that currently allow Indigenous groups to gain information from government institutions should be modified and how. Our opinion is that the current ownership approach to personal information, in particular with regards to Indigenous communities, does not accurately reflect a good relationship with sovereign First Nations groups. Supporting sovereign First Nations groups would mean that the First Nations groups maintain ownership and control of data about themselves and their membersFootnote 10. Rather than allowing federal institutions to decide who information about First Nations individuals and communities may be disclosed to, the First Nations groups should have the power to make decisions regarding how “information about the First Nation and its members can be collected, used and disclosed”Footnote 11. This would result in more strengthened relationships between the federal government and First Nations. Additionally, establishing this foundational level of support for First Nation sovereignty would potentially simplify further legislative attempts to build up and empower First Nations sovereignty by providing a framework from which to work.

When considering how federal legislation may support First Nation sovereignty, OCAP® affirms that, if First Nations access to information law is handled with the federal government’s policies and legislation as the primary source of truth, then that First Nations’ information may be accessible without the explicit consent of any given First Nations groupFootnote 12. Moreover, OCAP® states that under Access to Information and Privacy (ATIP) “personal information is protected for individuals, [however] it would not protect aggregate reports or demographic or survey data, nor would it protect any traditional knowledge, or reporting under contribution agreements”Footnote 13. First Nations information held by the federal government cannot be considered completely secure by OCAP®Footnote 14. Instead, data and personal information relating directly to First Nations groups and their members should be subject to a mechanism that positions First Nations groups as the lawmakers and authorities regarding the collection, use, and disclosure of the First Nation and its members.

We recommend including a data stewardship piece that allows for Indigenous communities to take control of their own data, on their own terms. Section 2 of the Privacy Act specifies that under certain conditions, personal information that is held by a government institution may be disclosed to some third partyFootnote 15. The continuance of this clause would be potentially damaging to First Nations sovereignty because it does not inherently recognize First Nations as sovereign governments. A modernized approach to Section 2 of the Privacy Act should promote Indigenous data sovereignty first and foremost. This may include a change to the data steward for First Nations personal information so that it is controlled by First Nations groups, and so that they may retain a third-party data steward that is not subject to ATIP. The third party could be a university, a provincial partner, or a private corporation, that will work with the First Nation to ensure that the First Nation’s information legislation is not obstructed by government legislationFootnote 16. A third party would help to promote and protect First Nations sovereignty with respect to First Nations data and personal information. Moreover, because First Nations would have the right to appoint their own data steward, this data steward would necessarily have to be responsive to the needs of those First Nations.

We recommend that the Privacy Act establish a mechanism that allows for First Nations to own information about their groups and members, appoint a third party institution as a data steward, and act and be acknowledged as sovereign governments who are capable and empowered to control their own data and the personal information of their members.

Recommendation 1A. In relation to Recommendation 1, we suggest that the Privacy Act consider how de-identification is conducted with respect to Indigenous data. If Indigenous data ownership is moved to First Nations groups, then this becomes less of an issue, as they will have control of their own data as sovereign governments and will have the right to make their own decisions. Any data or personal information that is left under the federal government’s control will, however, need to be considerate of the potential ease of re-identification that is inherent in small Indigenous communitiesFootnote 17. While the inclusion of a law that imposes penalties for re-identification is a worthwhile cause to consider, the ease with which data can be re-identified in small communities makes this an infeasible recommendation.

Proposal 7 of Respect, Accountability, Adaptability considers whether certain sets of personal information could be systematically de-identified in order to then release that informationFootnote 18. In advocating for an established de-identification process, Proposal 7 goes on to recognize that de-identified personal information can be re-identified in some cases, but that should not be a strong enough reason to avoid the use and dissemination of de-identified personal information that is held by the federal governmentFootnote 19. De-identified personal information is not a fail safe. Indigenous communities in particular are susceptible to ineffective de-identification due to the small and insular scale of some communities, especially in northern communitiesFootnote 20. De-identification can be difficult for small communities. Colquhoun et al. found that “data release restrictions designed to maintain confidentiality are not limited to overtly identifiable data; anonymised data may also be considered potentially identifiable”Footnote 21.

Instead of relying on the government de-identification process to disclose First Nations information, transferring stewardship of the data to communities removes the potential for the information to be re-identified by parties that the communities have not already deemed trustworthy. By removing the ability of the federal government to act as a mediator of First Nations data there is less risk for abuse or unauthorized access of this information outside of any First Nations community.

To supplement Recommendation 1, we recommend that First Nations communities be empowered to appoint their own data stewards in order to protect their communities from potential re-identification through data and personal information disclosure on behalf of the federal government.

Recommendation 2

Annex 4.2 in the Modernizing the Privacy Act discussion paper identifies a need for “fostering open dialogue and publicly accessible guidance”Footnote 22 for individuals and groups across the country. The suggested “public education mandate”Footnote 23, while potentially beneficial to increasing public understanding of and citizen involvement with federal privacy initiatives, requires a very explicit, transparent, community-led approach to offer meaningful engagement. Informing the public of personal privacy rights through general or unrelatable messaging will serve little purpose and only perpetuate disinterest in an already unaccessible topic. The alternative, being too prescriptive or exclusionary in delivery, has the potential to build further barriers between the government and communities. This would perpetuate problematic disconnect from important awareness of personal information collection, retention, and access.

As the current Act does not identify explicit initiatives to support citizen engagement, transparency could be improved by bolstering public-friendly resources and making content available to compliment the public-friendly platform suggestions in Annex 3.3Footnote 24. This could be developed as a guideline to relevant content about the Privacy Act in everyday public life and support public understanding. The Office for the Privacy Commissioner (OPC) of Canada’s website for PIPEDA (Personal Information Protection and Electronic Documents Act) promotes compliance and training tools for businessesFootnote 25 through video and PDF guides that could be emulated in the OPC’s website for the Privacy Act for public engagement and education. Alternatively, an accessible front-facing platform, like the Office of the Information and Privacy Commissioner of British Columbia site for IndividualsFootnote 26, displays easy to access prompts to guide users. Similar prompts, with the addition of further engaging tools (webinars, infographics, etc.) could inform and build an easy-to-navigate resource base. We recommend a more concerted effort to ensure that all citizens and communities understand their rights under the Privacy Act, alongside a commitment to clearly identified, community-centered awareness initiatives. This recommendation supports modernizing the Privacy Act by involving the public and specific communities in transparency and privacy literacy efforts.

The second part of this recommendation is development of government learning through professional education to ensure appropriate awareness of and collaboration with communities. This education recommendation comes with the expectation that learning would flow both ways. The Privacy Commissioner and the Department of Justice should be involved in public support and learning surrounding the Privacy Act—including, but not limited to, what it is, why it exists, and how it affects the public on an individual level. At the same time, the Privacy Commissioner and the Department of Justice should also include mechanisms that allow for critical public consultation, review, and feedback of the education surrounding the Privacy Act on an ongoing basis. Annex 3.2 of the proposals for Modernizing the Act, as well as the pillar of accountability outlined in the proposal frameworkFootnote 27, highlight the importance of ongoing governmental accountability with respect to the personal information of those who reside in Canada. A commitment to effective education that also includes mechanisms for public review would assist in keeping the Government “accountable for all personal information under its control, including personal information transferred to third parties for processing on its behalf”Footnote 28.

Government employees also need thorough training on Indigenous data governance. Training pertaining to the Privacy Act could be a first step; however, all offices that handle information about Indigenous communities should include some mandate or plan to provide this specialized training, as discussed in Recommendation 1. OCAP® also references the benefits of “ensuring that the knowledge disseminates to all relevant areas of the federal department…to promote changes to the culture and administration”Footnote 29, and this training can be used to encourage necessary modernization and growth.

One example of how this can work at a federal level is indicated in the Memorandum of Understanding on Community Development between Health Canada and Indigenous and Northern Affairs Canada. In 2013, Health Canada and Indigenous and Northern Affairs Canada, then Aboriginal Affairs and Northern Development Canada, entered into a Memorandum of Understanding on Community Development. From this, a Community Development and Capacity Building FrameworkFootnote 30 was created, which the Privacy Act could consider and reference for development of partnerships with Indigenous agencies and communities in this area. The Government should be held even more accountable to and transparent with stakeholders (ie. the general populace) than private companies, setting a standard and a basis to grow from in years to come.

We recommend that the Privacy Act foster transparency and community-led privacy initiatives between the Office of the Privacy Commissioner and the public by creating accessible and community-centered resources, informing citizens of their privacy rights and committing to accountability through government training and development.