The Federal Privacy Commissioner appeared before the House Standing Committee on Access to Information, Privacy and Ethics to call for reform of the federal Privacy Act, which governs the collection, use and disclosure of personal information by federal government institutions.

News Release: Privacy Commissioner tables report calling for urgent reform of Canada's Privacy Act (June 5, 2006):

Ottawa, June 5, 2006 –The Privacy Act is an outdated law that leaves the Office of the Privacy Commissioner of Canada virtually powerless to protect the privacy rights of Canadians relating to information collected, used and disclosed by the federal government, said Privacy Commissioner Jennifer Stoddart in a document tabled today with the House of Commons Standing Committee on Access to Information, Privacy and Ethics.

The Privacy Act, which came into force in 1983, has never been amended or updated despite repeated calls for review by successive Privacy Commissioners.

“The world has profoundly changed since the Privacy Act was drafted,” said Ms. Stoddart. “Globalization has increased, national security concerns have become heightened, and Canadians have higher expectations that the federal government will respect fundamental privacy rights. The Privacy Act is outdated and it must be amended.”

Two separate federal laws protect Canadians’ privacy rights: the Personal Information Protection and Electronic Documents Act, or PIPEDA, and the Privacy Act. PIPEDA limits the private-sector’s collection, use or disclosure of an individual’s personal information. The Privacy Act governs how the public sector must handle personal information.

In her report, the Commissioner calls for the scope of the Privacy Act—which the Supreme Court has said has quasi-constitutional status—to be expanded in a number of specific ways:

• Since 1982, the government has created many entities that are not subject to either the Privacy Act or PIPEDA. All public-sector bodies or offices should be subject to the Privacy Act unless Parliament specifically excludes them.
• The Federal Court should be able to review not only claims of denial of access to personal information held by government, but also improper collection, use and disclosure of personal information. The Court should also be empowered to assess damages against offending institutions.
• The definition of personal information should be expanded to include both recorded and unrecorded information, such as DNA samples, about identifiable individuals.
• All individuals about whom the government holds personal information—and not just those present in Canada—should have the right to access, correct and be informed of that information. For example, airline passengers, immigration applicants and foreign student applicants have no right to access their information in Canadian government files.

The Commissioner has noted that the Privacy Act could be substantially remedied by adopting many of the provisions of PIPEDA, which came into force in stages starting in 2001. Ms. Stoddart identified specific fair information principles contained in PIPEDA that should be applied to the Privacy Act, such as:

• Government institutions should only collect personal information that is reasonable and necessary for a particular purpose. They should specify the authority under which information is being collected, the uses to which it will be put, whether and with whom it may be shared, the consequences of not providing the information, and the right to make a complaint.
• Where possible, when information is disclosed without consent, there should be a corresponding duty on the government to inform the individual about the disclosure.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

To view the report: Government Accountability for Personal Information: Reforming the Privacy Act

Labels: information breaches, privacy