:
Okay. Let me see if I can respond, just so everybody knows.
At the last meeting, as we were debating the prior motion of Mr. Martin, it appeared to me very late in the meeting that that matter was not going to be completed. I was also very well aware that we had scheduled witnesses who had to travel here, and I requested that the clerk give notice of another meeting, at the call of the chair, to continue the committee business.
As it turned out, we did in fact complete that item. I forgot to tell the clerk not to call that meeting. He followed his instructions; it was my mistake. But I don't want the members to feel there are any other things. I have already indicated to Mr. Hiebert that unless the committee agrees otherwise, our meetings are as regularly scheduled, 3:30 to 5:30 Tuesdays and Thursdays, until the committee decides otherwise.
In regard to this matter, I understand that once we get started and should we get into the situation you described, the committee can give its consent to say that in the best interests of all, and our witnesses, we should hear from them today—they're here, they've travelled here—and that there is a logical point at which we may suspend the proceedings or the debate on the matter before us, to be continued at the point where we left off, at our next meeting when we have a little bit more time to deal with it.
That is my proposal to the committee. If the committee wishes to do otherwise, I will certainly entertain any proposals. But in the meantime, I would ask Mr. Hubbard to move his motion.
I have spent some time in consultation on this matter and I am prepared to rule on the admissibility of the motion.
I don't have to explain to members that the matter relates to an issue in which Elections Canada has found that a political party engaged in some practice that Elections Canada claims was an attempt to circumvent the national advertising spending limits of the party and that a number of candidates were recruited to participate in those actions.
You may recall that the mandates of committees are under section 108 in the Standing Orders. Indeed, our specific mandate is laid out in Standing Order 108(3)(h), subparagraphs (i) to (vi). As with the Mulroney–Schreiber case, subparagraph 108(3)(h)(vi) states that our mandate would include “the proposing, promoting, monitoring and assessing of initiatives which relate to...ethical standards relating to public office holders”. That's extremely important, and it's one of the reasons I wanted to be careful about this. As members know, public office holders are cabinet ministers, secretaries of state, and parliamentary secretaries, as well as Governor in Council appointees, of which there are some 1,200 or 1,300.
The motion before us ultimately asks us to determine whether these actions as alleged or described by Elections Canada and the actions of public office holders related to this meet the ethical standards expected of public office holders.
The question I had to wrestle with, colleagues, was that at the time of the election, there were candidates; there were no public office holders involved. However, once the election was over, the government formed, and public office holders appointed--ministers, etc., and parliamentary secretaries--one further action took place: the filing of election expenses returns by all candidates who ran in that election. Therefore, there was a formal obligation under the Canada Elections Act to file a return and to make all necessary declarations in accordance with the law.
In this matter, 67 candidates who participated were identified by Elections Canada. Of those, 17 became members of Parliament. They were elected. Of the 17, 10 are currently or at the time had been public office holders.
The four parliamentary secretaries are the , the , the , and the .
The ministers or secretaries of state who were named by Elections Canada include the ; the ; the ; the ; the former foreign affairs minister; and the .
Colleagues, this motion and our mandate can only relate to public office holders. You will find the code on the Ethics Commissioner's website. It's a 34-page document that, pursuant to the Parliament of Canada Act, must be provided by the .
I want to just cite a couple of quotations from this document. One is a comment from the :
Our government must uphold the public trust to the highest possible standard, and this responsibility falls uniquely on all public office holders, beginning with Ministers.
Under the objectives and principles of the Conflict of Interest and Post-Employment Code for Public Office Holders, under “Ethical Standards”, it states that:
Public office holders shall act with honesty and uphold the highest ethical standards so that public confidence and trust in the integrity, objectivity and impartiality of government are conserved and enhanced.
As well, under the caption “Public Scrutiny”, it requires that
Public office holders have an obligation to perform their official duties and arrange their private affairs in a manner that will bear the closest public scrutiny, an obligation that is not fully discharged by simply acting within the law.
I also note that there is a compliance obligation, in addition to specific compliance, that required measures provide that “the Ethics Commissioner may impose any compliance measure, including divestment or recusal, in respect of any matter or asset”, liabilities, and so on. This relates to conflict of interest. It would appear to me that conflict of interest is not what we're talking about in this matter. But it does provide a model when there is an issue such as a subsequent event.
It also says, under section 9, that within 60 days after appointment, a confidential report is required. A further report is required 120 days after appointment. The report shall include a description of all outside activities in which the public office holders were engaged during the two years prior to assuming office. It also must report all their assets and direct and contingent liabilities. I stress the contingent liabilities, because as you know, under the Canada Elections Act, when a candidate is an official candidate, the surplus or deficit is the responsibility of the candidate, not the party and not a riding association, and so on. In fact, the full disposition and responsibility are the responsibility of the candidate.
As a consequence, depending on the circumstances of an individual candidate, there may be some implications with regard to how this matter with Elections Canada is resolved by the courts and how it impacts persons. There may be some consequences to certain persons, depending on how that ruling comes out.
Finally, paragraph 15, which is related to outside activities, affirms that “Public office holders' participation in activities outside their official duties and responsibilities is often in the public interest”. It goes on to list prohibited activities and so on.
Now, having said that, colleagues, it would appear that there are issues of public interest here. There is no question that public office holders are involved in terms of filing their obligations under the Canada Elections Act and in terms of claiming expenses that relate to the matter Elections Canada has alleged and on which it has ruled, which is now being challenged in court, as you know. I won't elaborate any further.
So the question of interest, as I see it, can involve such things as whether the public office holders knew or ought to have known that their actions in regard to this matter may have been in violation of the Canada Elections Act and whether the conflict of interest code appropriately handles this kind of matter. We know that it handles conflict of interest. It certainly does not specifically deal with an alleged infringement of other acts of Canada, such as the Canada Elections Act, and whether that would require reporting disclosure and possible recusal of any parties involved in such a matter on votes or debate, pending the resolution of the matter. This is not specifically clear. An item the committee may want to consider is whether there should be amendments to the conflict of interest code.
We don't want to impugn any member or party in this matter. This is a very serious matter. But there is also the matter of whether or not there are any actions the public office holders should have met or may have met to meet ethical standards that are expected of them.
It may involve an assessment of whether or not due diligence was taken by them and by others who are jointly responsible for their elections return, whether or not they exercised a duty to make necessary inquiries of officials, experts, or Elections Canada, seeking rulings on matters that may have been in question, and whether or not there was an obligation or duty to report to the Ethics Commissioner and maybe even recuse themselves pending the resolution of the matter.
Also, as I indicated, under section 8 of the code there is a confidential report--
:
First of all, the chair is not obligated to explain to you, on your question, or to others. Let me indicate that the motion is asking us to determine whether the actions meet the ethical standards expected of public office holders, but it's not simply that issue. It's whether or not the nature of the item is properly reflected in the Standing Orders and in the code with regard to obligations. This is like an example. It's not the specifics of it, but rather an example of whether there are standards.
In any event, we have witnesses. From the Canadian Bar Association we have Mr. Gregory DelBigio, chair of the national criminal justice section; and Mr. David Fraser, treasurer, national privacy and access law section.
Welcome, gentlemen.
I apologize for the delay. It was important that we get that matter out of the way.
We know we have until 5:30 or maybe a little longer, if the members are into it, to engage you on matters of importance.
As you know, we're dealing with the Privacy Act. It's not necessarily a comprehensive review, but we're certainly focusing ourselves, as you're probably aware, on some of the so-called quick fixes that may allow us to improve the situation to some extent while consideration is being given to a more comprehensive review of the act.
I welcome you. I understand you have a brief opening statement, and I will ask you to start now.
:
Thank you for the opportunity.
We're looking at the Canadian federal Privacy Act, which when it was passed in 1982 was undoubtedly on the cutting edge of privacy legislation. But it's starting to show its age. It was built based on what are referred to as the OECD guidelines, which was a consensus of members of the Organisation for Economic Co-operation and Development with respect to changes in the way that governments collect, use, and disclose personal information.
In 1982 the federal government led the way in Canada. It was one of the first jurisdictions to implement legislation that regulated the information governments could collect, how they could use it, and to whom they could disclose it. Since then, every single province and territory in Canada has followed by implementing privacy legislation, often in combination with access-to-information legislation.
This committee has been tasked with taking a look at the Personal Information Protection and Electronic Documents Act. We've recently seen privacy laws extended to the private sector in Canada, so that now, a number of years later, we have comprehensive privacy protection from coast to coast to coast, covering both the private sector and the public sector.
Since 1982 a lot of water has passed under this bridge. We have a lot of experience in dealing with privacy legislation. We've seen it implemented in a number of different jurisdictions, and we know how it works. It's not implemented everywhere in exactly the same way, and we have had the opportunity of seeing how it works in certain implementations.
We are also living in a different world from that of 1982. Probably the paramount difference has to do with technological change. This growth in technology wasn't even foreseen in 1982. It certainly wasn't in place. We now have issues related to data matching, biometrics, genetic information, the decoding of the human genome, portable electronics, surveillance, video surveillance, GPS, and so on.
We've also seen a significant change in the environment within the public sector as information is collected, used, and disclosed. We see more joint delivery of programs by the federal and provincial governments. We also have a significantly different security environment from what we had in 1982, in the post-September 11 world.
Since 1982 we've also seen an enormous consultation among a wide range of stakeholders, primarily in the private sector. It arrived at the remarkable consensus embodied in the Canadian Standards Association's model code for the protection of personal information, which is the nucleus of PIPEDA, a piece of legislation that this committee has recently spent a lot of time looking at.
Also, there's a significant increase in concern on the part of citizens with respect to how information is collected, used, and disclosed. This is not limited to the public sector or the private sector. One cannot ignore the breaches of security related to personal information that are coming out of the private sector. But since the passage of the Privacy Act in 1982, we're also seeing significant breaches in the public sector. One hears stories of stolen servers from government departments, misdirected mail, missing tapes and backup CDs.
We're now living in the age of identity theft, and it's a significantly changed environment. In the same year that the Privacy Act became law, we also saw the Canadian Charter of Rights and Freedoms come into effect, which has changed the expectations of citizens with respect to their own personal information, their intimate details.
In our consultations with the members of the Canadian Bar Association, we have seen the growth of a consensus that in many cases guidelines—and many of the points we address are the subject of guidelines—are not enough. They may be helpful interim measures, but they're very often ignored, very easily overlooked, and don't provide sufficient accountability when it comes to the potential misuse of personal information. Legislation and therefore amendments to the Privacy Act are the only way to make sure that this happens.
Accountability is the touchstone of two of our recommendations, in concurrence with the Office of the Privacy Commissioner of Canada, which would be to extend Federal Court oversight with respect to privacy, and enshrine the necessity of having privacy impact assessments in legislation. Doing so ultimately leads to accountability to court and also goes hand in hand with the recommendation, which we're happy to speak to in greater detail later, with respect to the ability of the Privacy Commissioner to make public interest disclosures that are in addition to the Privacy Commissioner's obligations in reporting to Parliament on an annual basis.
Some of these measures relate directly to the significantly different criminal climate, in a sense. We're now informed that identity theft is one of the fastest growing crimes in the world, if not Canada. The Government of Canada, with its many departments and crown corporations, is the repository of significant databases with what's often referred to as “foundation information for identity theft”: full names, dates of birth, social insurance numbers, and information like that, which if disclosed and misused can lead to identity theft. There are any number of government databases that contain that information.
Currently there's no statutory requirement that government safeguard that information, and there's currently no obligation that government notify affected individuals if their information is lost or disclosed. And it's not just a matter of individuals wanting to know what's happening with their information, which may in fact be their right or should be their right, but it's a matter of giving individuals the opportunity to take steps to mitigate any harm that might happen with respect to the misuse of that personal information.
An important additional maxim that's been developed with respect to best practices for the collection, use, and disclosure of personal information since 1982 is something called the “necessity test”. Simply put, it's to collect only that information that is reasonably necessary, which safeguards against the natural tendency, or what appears to be a natural tendency, to collect more information than is required, which then of course requires that it be safeguarded. And if it's collected and is not necessary, it increases the likelihood that information can be misused.
We also talk briefly on the topic of data matching in our submissions, which ultimately probably does amount to, at least constructively, an additional collection of information, more than was necessary, and certainly an additional use of that personal information.
There are some other matters that are probably not as controversial but that we think are important as well.
There is a distinction between recorded and unrecorded information. There doesn't seem to be a rational reason to make that distinction. More recent privacy laws in Canada, provincial and federal, don't make that distinction. We don't think that the transient images and transient information, for example live video feeds and things like that, should necessarily be excluded from the ambit of the Privacy Act.
We do agree that five-year reviews should be necessary, and that the Privacy Commissioner should also have a public education mandate, and ultimately, in order to try to increase the efficiency of the Office of the Privacy Commissioner of Canada, discretion to refuse to investigate or to produce reports on complaints or inquiries that might be simply mischievous or vexatious or frivolous.
In the end, we do believe that ultimately the Privacy Act is due for significant reform and significant overhaul. At the Canadian Bar Association's annual meeting a couple of years ago, the national sections council did endorse a motion, which passed without dissent, calling for a complete review of the Privacy Act. But since we're at this stage, we're only given the opportunity to comment on incremental improvements. We couldn't sit idly by and do that.
With respect to our final issue, I'm going to pass it back to Greg just to touch on the cross-border information-sharing issue.
:
Mr. Chair, the Arar commission report illustrated the risks and complexities associated with intelligence-gathering by law enforcement agencies, the sharing of data between different agencies within Canada and abroad, and the great harm that can arise when the system fails. What is now referred to as intelligence-led policing has a potential to result in a vast amount of information being collected, not all of which is verified or even verifiable as to its accuracy.
It is our position that the existing statutory framework lacks a mechanism for effective and ongoing oversight by the Canadian government and its institutions in relation to transborder data-sharing. The existing statutory framework also does not provide an adequate mechanism for assuring compliance and accountability.
In our view, effective ongoing oversight should be mandatory, given the enormous trust that is placed in and the power that is accorded to government and its institutions in relation to law enforcement and data-sharing.
The reasons for this oversight include the following: that an individual will have no opportunity to know when a law enforcement agency has collected data about the individual; if the data has been collected, the individual will have no opportunity to learn what the data is or whether it's accurate; an individual will have no opportunity to know if data has been shared with a foreign government or institution, and if so, what foreign government or institution the data's been shared with; an individual will have no opportunity to know the uses for which the data will be used by a foreign government or institution; an individual will have no opportunity to know if the foreign government or institution will have shared the data with other governments or institutions; an individual will have no way of knowing whether the foreign government or institution that has received data will comply with any terms or arrangement under which the data was transferred by the Government of Canada; and the data may be used by a foreign government or institution in a manner or for a purpose that significantly jeopardizes the individual, the individual's family, or friends.
Further, even if an individual knows that a foreign government or institution has breached the terms of an arrangement under which the data was shared—and it is virtually impossible to know whether that is so—the individual is left with basically no recourse or remedy.
It's for that reason that the CBA has recommended what is set out on pages 18 and 19 of our brief, and in particular that:
arrangements for disclosing personal information to a foreign government be written, formal, detailed, and public; arrangements with foreign governments or institutions that do not respect the fundamental principles of democracy, human rights, and the rule of law be very carefully considered; and a full record be made of all personal information disclosed...and the arrangement under which it is disclosed and the purposes....
In summary, it is our position that the present scheme lacks a sufficient or effective mechanism for accountability. We fully recognize—and I understand that Chief Superintendent Paulson has testified before this committee—the needs of law enforcement, the complexities of an effective law enforcement. But we urge, despite those needs and complexities, that the rule of law be maintained and upheld, and that is done through an effective mechanism of accountability.
Thank you.
:
I want to thank you for being here today.
I'm a refugee from another committee that isn't actually sitting these days, the justice committee, but I'm happy to be here. Forgive me if I'm not as au courant with everything that's going on that this committee obviously has studied over the last year or so.
If I can take you to your brief, pages 9 and 10, with respect to notification of security breaches, David, I just want to get this straight. I think the gist of the third paragraph on page 9 is that there are now no legislated guidelines for notification. In the last paragraph, you say, or at least I'll say, it's too bad the commissioner did not recommend or have an explicit recommendation for a parallel statutory breach notification, mimicking a bit what PIPEDA had done.
The OPC's response, at the top of page 11, is that “It is the view of the OPC that these requirements should be incorporated into the act itself”—that is, the Treasury Board guidelines.
Do I understand that the OPC has said the Treasury Board guidelines should be incorporated into the act, but you would like to suggest that the considerations that are in PIPEDA for notification also be made part of the act, and it's unfortunate that the OPC did not specifically say that?
Is that clear?
Thank you to both of the witnesses. It's been very interesting.
I don't know if I fully understand Brian's comments that the Privacy Act should have the same duty of notification provisions as PIPEDA. One of the big flaws of PIPEDA is that it doesn't have the duty of notification, and when our committee studied it we recommended unanimously to the government that it should have duty of notification. But when the government reacted to our report, tabled in Parliament, they said clearly the government is not interested in putting duty of notification into PIPEDA. So I don't think we're any closer to having that duty put into statute at all, which is really worrisome to me, because a lot of Canadians would be horrified to know or would want to know if their personal information was compromised in the private sector or the public sector.
The PIPEDA report was just tabled in Parliament today by the Privacy Commissioner. You might want to get a copy of that. It talks about the TJX case, where personal information and 94 million debit card and credit card numbers were compromised in that one violation alone. There were 94 million--they weren't all Canadians--people from around the world, I guess. This is worrisome to me, and I think the Privacy Act should have a rigid duty of notification.
The cross-border sharing of information is of great concern to us. I want to thank you for bringing your input into this, and specifically citing the Maher Arar case as a graphic illustration of what can go wrong and has gone wrong.
Is there anything more you can tell us about the Canadian Bar Association's views on this? Or would you like to speak a little more on the subject of how we might prevent another Maher Arar incident?
:
Certainly the CBA has taken positions in relation to this issue really since the anti-terrorism legislation was tabled. And we have appeared before different committees and we have expressed concern with respect to the need to have appropriate checks and balances in place.
We recognize it is very easy to speak in generalities such as that, to say that it is important to have the checks and balances. And it's equally easy to make remarks such as that it's important that there be effective law enforcement. What that actually looks like in terms of the drafting of a statute, for example, is very, very difficult. But one must start from first principles of agreement to ask, is it agreed that there should be a mechanism of accountability?
We have taken the position that it should be an independent body. So our position is that the RCMP, for example, should not be responsible for their own oversight on these types of issues. And because it is an independent body that is disinterested in an ongoing issue, that can perhaps most effectively ensure compliance or an accurate audit of what is actually going on.
What can be learned? Well, hopefully the specific incident of Mr. Arar...all of Canada must desperately hope that this will not be repeated.
Is there a mechanism in place to ensure that it will not be repeated? I'm not sure, because what is going on is there continues to be, as I understand the allowances of law, a vast amount of information gathering and information sharing between agencies within Canada and abroad. And until one knows exactly how much information is being gathered and what information is being gathered and why it is being gathered and who it's being shared with and whether that sharing mechanism has appropriate checks and balances, it's really impossible to know whether or not some of the mistakes of the past will be repeated.
:
What it comes down to, ultimately, is that the Privacy Commissioner has scarce resources, scarce staffing, just as every other government department. Also, as of necessity, every individual has a right to make a request for access to their own information, about the existence of their own information, and otherwise. There's a very low barrier to entry, and that's important, for individuals to exercise their rights of access under the Privacy Act.
The concern is, and it has been at least a position taken by the Privacy Commissioner, that there are inquiries or complaints generated that might amount to being frivolous or vexatious, or might have been initiated for collateral purposes, so in order just to be an irritant rather than actually exercising what amounts to a legitimate right.
We are suggesting that if there is a reasonable basis to believe that this is the case, no purpose would be in fact served by proceeding further with a full investigation, with producing a report, to provide a mechanism to short-circuit that. While not addressed within our report, if the commission were to make a decision like that, and the individual was sufficiently aggrieved and believed they did have a legitimate case, they would have the opportunity, under other legislation, to seek judicial review of that decision, to have a judge take a look at it.
So it would include, one would hope, the protections to make sure that only in fact those cases that are frivolous, vexatious, or malicious are short-circuited at that particular point.
:
Page 6: I'm a little bit worried about that recommendation. There seems to be a problem with inmates, and I'm a little afraid that this particular recommendation would worsen that problem. That's just a personal observation.
I think the recommendation on page 11 is good. I think that's necessary.
Page 12: when we get to the final list of recommendations, I begin take issue. I really don't care if foreign governments have my information. Mr. Fraser, you said somebody would ask, “Why are they collecting this information?” and the answer would be, “Because they can”. The question then was, “How can I make them stop?” Why?
What are worried about if we don't have anything to hide? I'll tell you why I'm leaning towards this. I had an interesting chat with a criminologist. I know Mr. Martin would quickly bring out Mr. Arar's case, but that was a case where we had just had 9/11, and we made a bad judgment call. I'm wondering, don't we correct that?
Getting back to the criminologist, the biggest challenge to law enforcers today are criminal elements. It's the criminal elements who use these. I'm not being judgmental, but I want a balance here. I would think if you were drafting up something you'd probably be representing mostly criminal elements when you talk about people who are concerned about privacy. If you were a criminal, you'd want to have laws that would enable you to win your case. Do you understand what I'm saying?
I'm not being judgmental. I'm not saying you're being cynical. I'm just wondering if that's not what we're doing, if we're not protecting the criminal even further. It's so difficult now for law enforcement agencies. It's so difficult for governments to handle terrorist groups. Why would we want to make it that much more difficult?
I'm happy to share with Madame Lavallée if there are a few minutes left.
When I first got here, I moved a private member's bill to deal with a database for missing persons. There isn't one that exists federally. There is some semblance of that provincially. There are some provincial jurisdiction issues.
One of the things that surprised me was that there were privacy issues, in a sense, around those who didn't want to be found and have gone missing because they're hiding from an abusive relationship, for example. But for the vast majority.... As an example, there's an individual right now in Hamilton who is pushing hard that she has DNA of a missing son that could be used to maybe find him. Otherwise you have to rely on information or go to different morgues across the country to see if the individual might be there, and so on and so forth.
It doesn't solve all the problems, but my question to you today would be, based on the Privacy Act, since you have some experience with it, and these recommendations that you have in front of me, do you foresee that they would in any way hinder my goal of adding a missing persons database to what is there already?
As you know, there's a database for criminals, sex offenders and a number of others. I want to have a more positive database that individuals can access if they have DNA of individuals who are missing.
Do you foresee, from the association's point of view or any of these recommendations, that there are any issues dealing with that concept?