The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Tuesday, June 20, 2006
The Privacy Commissioner of Canada has tabled her Annual Report on the Privacy Act in Parliament. The report is here: Annual Report to Parliament 2005-2006 — Report on the Privacy Act (PDF format).
Here is the press release:
News Release: Tabling of Privacy Commissioner of Canada's 2005-06 Annual Report on the Privacy Act: Commissioner expresses concerns about public sector privacy protection (June 20, 2006)
Tabling of Privacy Commissioner of Canada's 2005-06 Annual Report on the Privacy Act: Commissioner expresses concerns about public sector privacy protection
Ottawa, June 20, 2006 – Considerably more could be done to protect Canadians’ personal information, especially with respect to information flowing across the border and a federal privacy law that simply isn’t up to standard, according to Privacy Commissioner of Canada Jennifer Stoddart, whose 2005-2006 Annual Report on the Privacy Act was tabled today in Parliament.
The Privacy Act governs how federal departments and agencies handle Canadians’ personal information.
Key to the report are the Commissioner’s findings from a major audit of the Canada Border Services Agency (CBSA). Upon her appointment in December 2003, the Commissioner immediately began raising concerns about the transborder flows of personal information. She called for an audit of the CBSA shortly thereafter. Worries about improper use of personal information became heightened following passage of the USA PATRIOT Act, which gives the United States government sweeping powers to seize information from American companies or Canadian companies operating in the U.S. The audit assessed the agency’s framework for controlling and protecting Canadians’ personal information as it flows to foreign governments.
Recent polling commissioned by the Commissioner’s Office suggests that 94% of Canadians express some concern about Canadian companies transferring customers’ personal information to companies in other countries. Furthermore, 85% of those Canadians with awareness of the privacy implications of the USA Patriot Act also express some concern over the issue.
“The overall issue of transborder dataflows has certainly caught the imagination of Canadians, and we have received inquiries and complaints which focus on it as a threat to privacy,” said Ms. Stoddart.
While the Commissioner found that the CBSA does have policies, procedures and systems in place for managing and sharing Canadians’ personal information with other countries, more must be done to mitigate risks, and achieve greater accountability and control over that information. The Commissioner made 19 recommendations to the CBSA and these have been accepted by the Agency. The findings include the following:
- The CBSA needs a coordinated method of identifying and tracking all flows of its transborder data. The Agency cannot, with a reasonable degree of certainty, report on how much and how often it shares information with the U.S.
- Information is often disclosed without first obtaining approval from a designated CBSA official, which contravenes the Agency’s policy. There are also weaknesses in the record keeping associated with disclosures of information.
- Activities associated with sharing data across borders should be made more transparent.
Although the Commissioner found room for improvement in the CBSA audit, she also noted in her report that the federal government has already begun to address Canadians’ concerns about transborder data flows of personal information. In March 2005, Treasury Board Secretariat released a federal strategy and guidelines on how government institutions must protect personal information when outsourcing activities to private sector organizations.
“We see the federal strategy and guidelines as a positive step toward addressing Canadians’ concerns,” said Ms. Stoddart. “However, we also hope that they will be an integral part of a reformed Privacy Act.”
The Privacy Act has not been substantially amended since it came into effect in 1983. In early June 2006 the Commissioner tabled a report with the Standing Committee on Access to Information, Privacy and Ethics outlining her proposed reforms to the Act.
Also key to her Annual Report is the Commissioner’s observation that, at times, federal departments and agencies incorrectly interpret the Privacy Act in response to calls for disclosures of information in the public interest. The Act provides that the head of the institution may disclose personal information if the public interest clearly outweighs the privacy concerns of the individual involved—if, for example, the issue relates to health and safety, or public security. However, in certain instances where in the Commissioner’s view it could be invoked, it is not, and the Privacy Act is blamed by the institution as the reason important information cannot be provided to the public.
“This inaccurate explanation of the role of the Act paints the Act as the villain,” said Ms. Stoddart. “Our concern lies with the simplistic characterization of the Privacy Act as the barrier to disclosure.”
The Annual Report indicates that in 2005-2006 the Office prepared a Vision and Institutional Service Plan, and a Business Case for Permanent Funding – a blueprint for a stronger and more effective institutional role. Parliamentarians agreed with the Vision and the new House of Commons Advisory Panel on the Funding of Officers of Parliament was supportive of the request. The Office is now planning for a significant increase – close to 50% – in human and financial resources over the next two years.
“We are grateful that the government and Parliament have seen the wisdom in our proposals,” said Ms. Stoddart. “And we will now be in a better position to serve Canadians.”
The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.
— 30 —
To view the report: Annual Report to Parliament 2005-2006 — Report on the Privacy Act (Adobe format) Audit of the Personal Information Management Practices of the Canada Border Services Agency — Trans-Border Data Flows
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.