Skip to main content
;

ETHI Committee Meeting

Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.

For an advanced search, use Publication Search tool.

If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.

Previous day publication Next day publication







CANADA

Standing Committee on Access to Information, Privacy and Ethics


NUMBER 036 
l
2nd SESSION 
l
39th PARLIAMENT 

EVIDENCE

Tuesday, May 27, 2008

[Recorded by Electronic Apparatus]

(1535)

[English]

     I call the meeting to order.
    Good afternoon, colleagues. Pursuant to Standing Order 108(2), study of the Privacy Act reform, we have witnesses today. We're very pleased to have with us the Honourable Rob Nicholson, Minister of Justice and Attorney General of Canada. He will be able to be with us for approximately one hour, so our questions for the minister should be concentrated in that period. Following the minister's departure, his colleagues from the Department of Justice will be able to remain with us to carry on with our discussion.
    Having said that, welcome, Minister. I appreciate your taking the time. If you would like, please introduce your colleagues, and I assume you have a brief opening statement for us as well.
    I am very pleased to be joined from the Department of Justice by Joan Remsu and Carolyn Kobernick, who may have appeared before you on occasion here—I'm not sure—and Denis Kratchanov. I'm very pleased to have him join me.
    And you're quite correct that I do have a few opening comments. Again, thank you for the opportunity to appear before you today to make some comments about the Privacy Act, and particularly your study of that, among other things. Perhaps you will concentrate on the ten recommendations made by the Privacy Commissioner that were suggested to you. I'll be very interested to hear your comments.
    I have a few opening remarks. I'll give you a brief overview of the federal privacy landscape and then follow that with some general comments on the commissioner's key proposals.
    The privacy protections Canadians enjoy flow from a number of sources at the federal level. To take a macro view, I've divided the landscape into the public sector and the private sector.
    In the public sector, the private protection regime is a complex legislative puzzle. The Canadian Charter of Rights and Freedoms, as you may have guessed, is a part of that puzzle. Although the term “privacy” is not explicitly mentioned in the charter, you're probably aware that the Supreme Court of Canada has found that privacy is a core constitutional value in its interpretations of sections 7 and 8. In particular, section 8 has been found to protect against unwarranted government interference with an individual's reasonable expectation of privacy.
    Another important piece of this puzzle, of course, is the Privacy Act, which, since the enactment of the Federal Accountability Act, applies now to 250 government entities. The Privacy Act describes a legal floor for privacy protection in the federal public sector, below which government institutions cannot go. This means the federal departments are entirely free to impose upon themselves a standard of privacy protection that is in fact higher than that set out in the Privacy Act.
    Indeed this is what many departments have done, which brings me to the next important piece of the public privacy protection, and that's the individual departmental statutes. These more specific statutes outline privacy-related legal obligations for their respective departments. Some examples of these are, of course, very well known. The Income Tax Act is a good example of that, as is the Statistics Act. Both these statutes contain strict controls, including punishments, on what can be done with taxpayer information and personal information gathered for statistical purposes.
    For example, everyone employed under the Statistics Act must, before they begin their duty, swear an oath that they will not disclose, without due authority, anything that comes to their knowledge by reason of their employment. It is a criminal offence to deliberately violate that oath. Similarly, the Income Tax Act stringently controls the collection, use, and disclosure of taxpayer information. Furthermore, taxpayer information may only be disclosed as set out in the Income Tax Act, and this disclosure regime takes precedence over the more general disclosure regime in the Privacy Act. The Income Tax Act also contains offences for unauthorized disclosure of taxpayer information, and that is as it should be.
    The Privacy Act allows for these strict controls, and they are absolutely necessary to maintain people's willingness to provide highly sensitive personal information to the Canada Revenue Agency and to Statistics Canada. In addition, in the same area there are a number of departments that have their own privacy codes. Human Resources and Social Development is an example of one such department.
    Now let me move to private sector privacy protection and the Personal Information Protection and Electronic Documents Act. All of us refer to it, of course, as PIPEDA. As your committee has completed the five-year review of PIPEDA, and because this legislation falls under the purview of my colleague, the Minister of Industry, I will spare you some of its technical details. Essentially, though, PIPEDA is the source of privacy protection in the commercial private sector that is within the federal sphere of control. It controls how companies collect, use, and disclose personal information in the course of commercial activities. PIPEDA contains ten principles of privacy protection, which include accountability, limiting collection, accuracy, and safeguards.
     Now that I've identified the federal privacy protection regime for both the public and the private sector, I would like to make some general comments in relation to the commissioner's Privacy Act reform proposals.
    Before I begin, I must note that my officials have been closely following the testimony of the witnesses you have heard up to this point. Specifically, we are fully aware of the Privacy Commissioner's extensive 2006 reform proposals. We also appreciate that the Privacy Commissioner has tried to make privacy reform more manageable by presenting to you something known as her top ten quick fixes.
    I understand this is why your committee is focusing on the Privacy Commissioner's ten fixes and has invited witnesses to speak to these.
    First, several of the commissioner's recommendations are clearly based on her view that the Privacy Act and PIPEDA should be more alike. I think it's fair to say that the commissioner believes that a number of amendments to the Privacy Act should be imported from PIPEDA. I would suggest to you, though, that there are important differences between the federal public sphere and the federal private sector. These include differences in how entities are held accountable for their actions in relation to privacy and differences in how business is conducted. I would encourage you to keep these differences in mind when you're studying the commissioner's recommendations that are inspired by PIPEDA.
    A few of the commissioner's proposed reforms also seem to be inspired by provincial access to information and privacy legislation. I would suggest to you that the provincial sphere of responsibility is different from the federal one. This seems obvious, but I think it is worth noting nonetheless. For example, provinces do not have the primary responsibility for national security, nor do provinces have the primary responsibility for conducting and furthering international relations for the country as a whole. Accordingly, when you are examining the commissioner's proposals that fall into this category, you may wish to ask yourselves whether the difference between the federal and the provincial sphere comes into play.
    On another note, it's important to point out that some of the commissioner's proposals could have fairly significant cost implications. I don't mean to suggest, Mr. Chairman, that a proposal should be disqualified, so to speak, simply because it would have a cost implication; however, I think in any examination of any proposals, that is of course a consideration.
    Finally, Mr. Chairman, in several instances the commissioner proposes to codify policy or enshrine current policy in law. One of the advantages of policy over law is flexibility; that is, it is undoubtedly easier to change a policy to reflect the current situation than it is to amend a law to do the same thing. At the same time, I recognize that people tend to think a law carries more weight than policy. But when you're considering the commissioner's proposals that fall into this category, I trust you will examine this balancing act between the flexibility of policy and the force of law.
    Mr. Chairman, thank you very much for allowing me to make some initial comments. In conjunction with the officials who are here today, I am prepared to answer any questions you have.
(1540)
    Thank you, Mr. Minister.
    Just to start off, as you know, we've been faced with this challenge, which is that we have two pieces of legislation, the Access to Information Act and the Privacy Act, both of which have not been changed in 25 years. That causes us some concern--first of all, that a mandatory review has not been built into that legislation. The situation is clear from all concerned that there are changes that should have been made and must be made in anticipation of other things coming.
    I'm wondering, with this general assessment, if that's your concurrence, whether or not you as the minister and the department responsible have given some thought as to how we get out of the problems we are in now and what commitments are there to make sure that once we get things fixed up, we in fact will have legislation that is responsive to the realities of the day.
    The challenge you are facing, or articulating, quite frankly, is the challenge I have with all the legislation for which I'm responsible. You will remember, of course, that in the Tackling Violent Crime Act, for instance, we raised the age of consent for sexual activity from 14 to 16 years of age. This comes from 1892, and what I'm faced with many times in the Criminal Code is not just that it was composed in 1892, but that for the most part it was adopted from English Criminal Code statutes that go back far beyond that.
    So I appreciate your challenge and the challenge you have with this legislation. I certainly look forward to any recommendations you make with respect to the Privacy Act and any recommendations you make with respect to this or indeed any other legislation.
    You put your finger on it that we try to look at these on a regular basis, and we try to update them to make them as responsive as possible. That's the challenge we have. As I say, sometimes we're even changing things that are from the 19th century, never mind the 20th century.
     Thank you, Minister.
    In the first round I have Mr. Dhaliwal, Madame Lavallée, Mr. Martin, and Mr. Hiebert.
    We'll have Mr. Dhaliwal, please.
    Honourable Mr. Nicholson, I would like to welcome you and your associates to the committee. Thank you for appearing.
    Some of the witnesses at the proceedings of this committee have said that the Privacy Act fails to even meet basic needs when it comes to privacy protection. First of all, I would like to ask if you agree with that statement.
(1545)
    Actually, I don't, and I hope you give them some push-back. We can be very proud of the regime that has been put in place.
    I remember when the first Privacy Act of this type was introduced, in about 1983. I thought then, and I continue to think, that Canada takes a leading role when it comes to protecting its citizens on a whole host of levels. Yes, the legislation is 25 years of age, but you should point out to them that if you take a list of the countries of the world and for each one see what they do, and in many cases what they don't do in terms of protecting privacy, those individuals can be very proud of what we're doing.
    That doesn't mean that on this or indeed on any other issue we can't continue to improve, and that is the challenge we have as legislators. Indeed, it's the challenge you have with this particular piece of legislation.
    You're looking at it very carefully. Of course, I will be very interested to see what recommendations you make to the government.
    You also mentioned in your presentation today that the Privacy Commissioner has recommended two quick solutions to the Privacy Act. You said there is going to be a significant cost attached to these particular recommendations. Could you speak about the implementation, though? Are they feasible, and if we have to go ahead, how long would it take?
    It's very challenging. One of the suggestions would expand the role of the Federal Court to allow complaints under the Privacy Act. There would be an award of damages against offending institutions, presumably government. I'll be very interested to hear what you have to say about it, quite frankly, and I suppose you might want to have a look at that in conjunction with recommendation number 6, which would give power to the Privacy Commissioner to rule out some complaints that may not be in the public interest or that she thinks are vexatious or frivolous. To me, that is a bit of a challenge. You might have an issue that is of extreme importance to one particular individual, but it may have very few public policy ramifications. I'll be interested in hearing what you have to say on that one.
    On the other hand, in recommendation number 2, you're giving a right to appeal to the Federal Court. It seems to me there has to be some squaring of that box. I don't know how you can dismiss some of them and then say there should always be a right to appeal to the Federal Court. Again, I'm very interested in what has been recommended, but I'll be very interested to hear what you have to say.
    What about the cost? Have you determined that? You said there would be significant costs.
    It's hard to say. I'll gave you one example. If there is an automatic right of appeal to the Federal Court, there will certainly be court costs involved. And it depends on whether you expand the role and to what extent you recommend expanding the role of the Privacy Commissioner. Most of these things cost money. Any time you expand the role of any individual, it requires resources. I'll see when the recommendations are made.
    What I indicated to you in my opening remarks was to just keep that in mind. These things aren't without costs, and our courts are very busy, for instance. There would be a cost, of course. But it may be your recommendation to allow these appeals to the Federal Court.
    You have mentioned the Canadian Charter of Rights and Freedoms. This is a very important document, when I look at myself, first, and at Canadians. We put charter issues on one side, but on the other side we look at the security of this country.
    Does the current Privacy Act unduly limit the RCMP or CSIS in conducting their work?
    I think the Privacy Act works, and I think it works in conjunction with the responsibilities of the federal government. I indicated the charter as including a new test in terms of what people's rights are vis-à-vis their government or with respect to their own personal information. I think these are all part of it.
    We always struggle, of course, with that balance to protect national security and the privacy interests of an individual. I think Canada generally gets it right in trying to balance those. But that's the challenge we have, and we'll have it in the future as well.
(1550)
    What about the new communication technology? We should be updating that act, probably every five years or every two or three years, depending on the new technologies coming out. Do you have any comments on that?
    It's a challenge we have all the time, Mr. Dhaliwal.
     I remember in the early 1990s, departmental officials--I was a parliamentary secretary at that time--pointing out to me that technology had completely overtaken society in the area of child pornography. While it was a crime under the Canadian Criminal Code in 1990 to produce child pornography, it was also a crime to sell child pornography. But there was a whole other area that was developing because of changes in technologies: people who possessed child pornography on their computers neither made it nor was there any money being transferred between individuals. There was a huge gap, and technology created it.
    I'll give you another example: identity theft. Again, we try to fill in these gaps. As I said, I was in Montreal when I made the announcement that we would be bringing forward legislation in the area of identity theft. A reporter said to me, “Is this your attempt to stay ahead of the bad guys?” I said, “Look, I just want to catch up with the bad guys.” We have to have legislation just to hold the line on these things, because the technology is changing very, very quickly.
    It's a good point you're making. It's the challenge we have, not just with the legislation you're studying, but it's a challenge we have right across the board.
    Madame Lavallée.

[Translation]

    Good afternoon, minister. You cannot imagine how pleased I am that you are finally appearing before the committee. As I am sure you know, we have invited you to come several times.
    You said you would be pleased to hear about other legislation. I am going to be discussing the Access to Information Act, and I will touch on the Privacy Act quickly.

[English]

    Mr. Chairman, on a point of order, I think the topic before us today is privacy, not access to information legislation.
     I know this has been a great concern of Madame Lavallée's, but I think this is an inappropriate time. We're here to talk about the review of the privacy legislation and not any proposed legislation with respect to access to information.
    Your point is relevant.
    Madame, you may understand that the member has indicated your intervention does not appear to be directly relevant to the matter before the committee. If you can somehow steer your commentary to satisfy the agenda--

[Translation]

    I disagree with your interpretation, Mr. Chairman. The minister just said that he would be pleased to discuss any other legislation with regard to the Privacy Act. As we know, there is the privacy component and the access to information component. The two go together. He is the minister responsible for both pieces of legislation. If he is a responsible minister—and I am sure he is—he will be happy to answer my question.

[English]

    We don't have a lot of time to debate this matter further.
    Madame Lavallée, I would encourage you to use your time the best you can to the benefit of the committee with regard to the matter that's before it. Please carry on. You still have six and a half minutes.

[Translation]

    The minister will decide whether he wishes to answer my question. I am sure he is a big boy.
    We asked you to appear before the committee on a number of occasions, Minister. In December 2005, the committee asked the then minister of justice to amend the Access to Information Act and accepted the bill put forward by the Access to Information Commissioner at that time so as to—

[English]

     A point of order. It's as if I didn't make a point of order the last time and you didn't make a ruling. It's as if there was a void in the hearings. I don't think there was. I seem to recall making a point of order and you made a ruling that access to information isn't on the agenda for today. And here we go, continuing.
(1555)
    The chair of any committee, and even the Speaker of the House, tries to give a member some latitude and encourages him or her to get back to the business to satisfy the House's concern. I take your point. Clearly, with regard to the overall administration of legislation, there are obviously some common elements.
     Madam Lavallée, the member has now twice raised his point of order, and I encourage you to keep to the order of the business this committee has before it. Maybe you'd like to ask a quick question to the minister and then reconsider your remaining questions. Okay?

[Translation]

    My questions are already thought out, Mr. Chairman. I would just like to comment on your decision. I find it very ironic that we are unable to ask the minister responsible for access to information any questions in order to get clarifications on this.
    Mr. Tilson, allow me to make some comments to the chair. You made your remarks. I respected you, please respect my comments.
    I would like to make this comment, Mr. Chairman, but I will ask the Minister a question about his availability.
    We asked you to appear before the committee on a number of occasions, minister. At one point, we even had to invite in all of your deputy ministers and your senior officials to ensure you would come. It was only then that you agreed to come and see us, with the proviso that you would be coming six months later. In the end, because of the way things worked out, you never came before the committee. Now that we are discussing privacy and the obsessive culture of secrecy, you agree to come at our first invitation, but the purpose of access to information is to discuss the public's right to know.
    Are you behaving in this way because your government has no intention of being transparent?

[English]

    Thank you very much for the question. If you did have departmental officials here, I'm sure you were well served, because I'm certainly well served by them. I'm sure they were very, very helpful to you. I appreciate any information they've been able to provide.
    We've actually made changes, as you know, with respect to the Access to Information Act in the Federal Accountability Act. We have extended the coverage of that particular act, and we have extended it to a whole group of organizations and corporations within the federal sphere that it never covered before. So I think that's a very significant improvement. I know there is a discussion paper before you, and if your committee sees fit to conduct a study after the Privacy Act, I would certainly look forward to any suggestions you might make with respect to that.

[Translation]

    We have a number of suggestions, in fact. The committee passed a number of motions asking you to come forward with a new Access to Information Act. For 15 years now, the proposed legislation has been revised in all sorts of ways.
    Thank you very much for answering my question, Minister—

[English]

    On my point of order, I can be just as difficult as she can. She is just ignoring you, Mr. Chairman.
    Some hon. members: [Inaudible--Editor]
    Order. Could you turn off all the mikes except the chairman's, please?
    Mr. David Tilson: I haven't heard that one before.
    The Chair: That's a specific requirement. I'm advised by the technicians that should the chair be talking and another member jump in, they immediately turn that member's mike on; that's just to get the liveliness of the committee. But the chair has the discretion of requesting...and I have.
    One of the important things to remember, if we're going to keep some decorum within the committee, is that when the chair does call for order, all members should respect the request for order. It's not happening now, so I ask all honourable members, please.... I know sometimes people get a little excited.
    Madame Lavallée has a minute and a half left for the question and the answer, so I'm asking her now to complete her question and put the floor back to the minister in order for us to move on with our meeting, please.

[Translation]

    Thank you very much.
    In response to your answer, Minister, I would like to remind you that on a number of occasions, this committee called on you, as minister, to come forward with a new, modernized Access to Information Act. Specialists in this field tell us that the few cosmetic changes you made to it in Bill C-2 are not enough, and that the legislation needs to be modernized and to be given some teeth, like the Privacy Act, which we are studying at the moment.
    When will you be coming forward to the committee with a new Access to Information Act?
(1600)

[English]

     You've covered a fair amount of ground here. Is this committee usually this lively, Mr. Chairman?
    Yes.
    That's good. Well, I'm glad to be here today to have the opportunity to talk to you about a number of things.
    You pointed out that you would like to have legislation in this particular area. I would like your committee, quite frankly, to have a look at the discussion paper. Again, I look forward to all proposals you make with respect to this and indeed the Privacy Act.
    With respect to a commitment to introduce legislation or a timetable on that, it's very difficult. One of the things I learned as the government House leader is that trying to predict when legislation will get through the House of Commons is very difficult. If you had said to me in February of 2006 that it would take the government two years to get through its Tackling Violent Crime Act, I never would have guessed that. But in fact it did; it took us about two years to get those components and put them together. I guess I learned a lesson with that. Trying to predict what we will get to and when a piece of legislation might get passed, if and when it is introduced, is a very risky business. I've seen that from this portfolio, and indeed as the government House leader.
    Again, you're welcome to have a look at that, study that, and call witnesses in conjunction with or after the Privacy Act. Certainly I would be glad to have all recommendations on that and this, or indeed any other piece of legislation.
    Thank you, Madame Lavallée.
    Mr. Martin, please.
    Thank you, Mr. Chair.
    Minister, the tone of your opening remarks sort of leads me to believe that the Privacy Act isn't really your top priority. Perhaps you might even have difficulty with the ten—what we thought were fairly straightforward, almost innocuous—recommendations of the Privacy Commissioner in terms of the bare minimum that needed to be done to really update the Privacy Act. So both the tone and the content of your remarks kind of worry me. We don't want to spin our wheels here and go through the exercise of reviewing the Privacy Act if you don't really have any intention of implementing it. The same would apply for the Access to Information Act, I suppose.
    I don't want to put Mr. Tilson into a tizzy here, so I'll limit my remarks to the Privacy Act.
    For instance, what I thought was one of the most common sense, innocuous recommendations from the Privacy Commissioner was one where she identified that there's been sort of a creep in the collection of personal information; it's expanded. So she wants a necessity test. For a government department to justify the collection of personal information like that, it should have to state exactly and specifically what for, in the narrowest possible way. Is that one of the recommendations you could see fit to approve?
    I don't want to prejudge anything you might have to say in your analysis of each of them. With respect to the ten I had a look at, I think some of them are possible right now within the existing legislation. One of them is that the Privacy Commissioner take more of an educative function. It seems to me she could expand and go forward on that. I did have some questions with respect to a possible conflict, but I would be very interested to hear what you have to say between recommendations 2 and 6. On the one hand, if the Privacy Commissioner can dismiss or not pursue one, and then at the same time we're also giving them a right to appeal to the Federal Court, there may be a conflict there. Maybe not, but again I would be very interested.
    With respect to these issues, I take these issues as very important. I once sat on a committee much the same as your own, and we went coast to coast in 1987 having a look at these issues. So I'm somewhat familiar with the issues. I do take them seriously.
    But you've also embarked on a very ambitious legislative agenda in the justice area.
    I try not to get too far ahead of myself. There is a danger that a person or a government that has 30 priorities ends up getting nothing done. So I do try to take them one at time. The drug bill that is before Parliament is very important to me and I think to the country. I mentioned identity theft. I'm having a look, for instance, at the Youth Criminal Justice Act, but that does not preclude movement in other areas.
    Again, I look forward to whatever recommendations you have. You will be studying these recommendations on a very intense basis. You will be hearing a lot of witnesses. I indicated to you already that departmental officials are watching very carefully, they're taking notes, and they're briefing me on what people have to say on those. I recognize as well that the Privacy Commissioner was trying to come forward with some changes that didn't necessarily mean we have to scrap everything and start over again in this area. Again, I'll be interested in what you have to say.
(1605)
     It would just be helpful to know, because we would be wasting our time if you had no intention of acting on our recommendations. We'd be spending a lot of time for nothing.
    Another thing that's fairly straightforward, and I wonder.... It is up to you. It doesn't really matter what we recommend, because if you aren't willing to implement it, it's all for naught. The one very commonsensical recommendation is number 6, which you say may conflict with number 2, which would give her the right to deal with any kind of vexatious or frivolous complaint if--
    It worries me as well, Mr. Martin. I have to be honest with you. I appreciate that they look at these on a first come, first served basis, and there's a certain logic to that, of course. But I worry sometimes that something could be of huge importance to an individual that is--
    What if it's the tenth time they've complained on the same issue from their prison cell and they're harassing the Privacy Commissioner with endless complaints, like “The warden looked in my locker and it bugs me, therefore I'm going to the Privacy Commissioner”? That would have the same weight as CIBC's losing 10,000 of your personal financial records.
    That's a very good point. We have this problem sometimes in civil lawsuits, don't we. It's possible that an individual can bring frivolous and vexatious lawsuits, and we have to deal with that.
    Brian Mulroney, for example. That's just an aside.
    This is the Privacy Act--
    I know.
    --so I thought I'd just confine my remarks to that, Mr. Chairman.
    But it's the idea of being able to triage complaints in some way, to be able to deal with those very important ones that are of national interest, as opposed to the ones from some frustrated prisoner in a penitentiary somewhere.
    I hear what you're saying.
    Don't you think that's common sense?
    Believe me, what you're saying makes sense, Mr. Martin. Again, I'm not pronouncing on this, or indeed on the second recommendation. I'd be very interested to hear what you have to say, and will be following very closely what witnesses have to say on this. I believe CSC is coming before you as a witness; you might want to put the question to them.
    You did touch on PIPEDA in your opening remarks, and it's related to privacy, so I'll go that far.
    The one thing we were frustrated about in your reaction to our report--we studied it for a long time--is that you pretty much pooh-poohed...well, that's not the technical term, but you pooh-poohed the one key recommendation that we thought was critically important, which is the duty to notify. If your personal information--
    Are you saying I pooh-poohed PIPEDA or just a particular recommendation with respect to PIPEDA?
    Did you want to say a few words, Mr. Kratchanov?
    The duty to notify was very important to us. It didn't seem to get a very positive reaction from the government.
    The Department of Industry is responsible for PIPEDA, not the Department of Justice.
    You're right. I stand corrected. Thank you.
    I'm sorry, Mr. Martin, your time has expired for this round.
    Mr. Hiebert, please.
    Thank you, Mr. Chair, and welcome, Mr. Minister, to this committee. We're glad to have you here.
    I have a couple of questions.
    One of the things the commissioner has suggested is that she have greater authority in the area of enforcement. Some witnesses have even suggested that she be granted order-making powers. We've noted that her current role is as investigator, but we're wondering whether or not this additional role of prosecutor should be added to her office or whether perhaps this might be too much authority under one roof.
    Should the powers of the commissioner be expanded to include what might be considered the equivalent of a prosecutorial role?
(1610)
     It's an interesting question, Mr. Hiebert.
    The Privacy Commissioner, in her top ten fixes, or quick fixes, actually didn't suggest that particular authority for herself. It would certainly alter the nature, it seems to me, of the role, which is as an ombudsperson for people. There are a number of powers that are given to the Privacy Commissioner under the existing legislation, and it seems to me that would be a fundamental change. Your committee may wish to make recommendations on that, but as I say, I think you should take into consideration that the Privacy Commissioner herself is not asking for that.
    But would you support or oppose giving her prosecutorial power?
    For the most part—and, again, I was involved with this area fairly extensively as a member of the justice committee quite some time ago—I actually like the general balance and the general tenor of this particular piece of legislation. That's not to say it can't be changed or indeed that it shouldn't be changed. Nonetheless, I'm quite comfortable with the role the Privacy Commissioner exercises at the present time.
    All right.
    Some have suggested that there be penalties associated with this additional responsibility. But given that the government, under the Privacy Act, would be the defendant in these circumstances, do you think penalties are appropriate, or is the public scrutiny that currently occurs sufficient?
    I think, Mr. Hiebert, you and your committee should make recommendations on these questions. I'd have to see a lot more on it to pronounce on exactly what you mean by “penalties” or fines being levied. Is that what you're...?
    Against government departments, yes.
    Again, I'll have a look at what you have to say, but from my point of view—and I said this in answer to Mr. Dhaliwal—I actually think the legislation is a pretty good piece of legislation, and I've always believed that, quite frankly, for the last 25 years, since it was introduced and passed. It is 25 years old, and we should review these on a regular basis, but I think it does strike the right balance, in conjunction with other changes that have been made.
    Since that time, of course, interpretations based on the Charter of Rights, in particular with respect to sections 7 and 8 of the charter, add another dimension to this. PIPEDA, which Mr. Martin talked about, is another component of that. Have a look at it, but again, for my money, the act has worked well.
    Okay.
    You've introduced Bill C-27, which is an act to deal with identity theft through the Criminal Code. I'm wondering if there are other things we could do to the Privacy Act that might address some of the concerns that are perhaps left unaddressed or are perhaps not properly dealt with through the Criminal Code. There might be some avenues that haven't been appropriately addressed. Sometimes the Criminal Code can be a blunt instrument. There might be other ways of assisting with the changes to the Privacy Act that you're trying to accomplish. I'm wondering if you or your colleagues have any suggestions along those lines.
    That's a very interesting thought. I indicated to those across the aisle that the constant challenge we have is responding to the changes in technology and making sure the legislation, be it the Criminal Code or indeed any other federal legislation, responds to the changes in technology. If there are gaps that you believe could be filled in by the Privacy Act, by all means make those suggestions. Again, I'm very interested to hear them.
    In general, do you support the ten recommendations, or are there other additional quick fixes beyond those ten that you think we should be considering?
(1615)
    It would be, I suppose, somewhat presumptuous for me to come up with other quick fixes that weren't thought of or articulated by the Privacy Commissioner. I hope in my initial comments that there's nothing outlandish or outrageous about any of these. Many of them, I think, could be accomplished, quite frankly, within the existing legislation. I'd be interested to hear what you have to say. I was hoping to see, and in the first round of questions I pointed out that I'd like to see, more analysis of the relationship between recommendations number 2 and number 6. That's my own opinion. You may conclude that there's no problem, that they can both coexist, but it seemed to me, when I had a look at these initially—and I've thought about it since—there might be some challenges. I'll be interested to hear what you have to say.
     The Privacy Commissioner obviously believes we need to modernize the act. I'm wondering if you have any thoughts on how our Privacy Act compares to other acts in an international context.
    I'm sure there are greater experts than I on that. But in my discussions with departmental officials and in my analyses over the years, we always do very well in this country. If you started with the largest countries in the world and went down that whole list, you'd say that Canada does a pretty good job of protecting these basic rights of its citizens.
    Privacy International, an independent London-based non-governmental organization, placed Canada among the top countries of the world in terms of overall privacy protection. There are different slants on this from other countries--the United Kingdom, the United States, and others--but nonetheless I think we stack up well. One of the reasons why you're having an analysis is to make sure we are at the forefront of reasonable protection of people's privacy. That's presumably why you'll be making recommendations--or you may not make recommendations. That, of course, will be up to you.
    Thank you, Mr. Hiebert.
    Mr. Minister, two or three times you referred to your view of the legislation. One of the areas I hope you'll be able to amplify when we go on to further questions is that of the operations and the condition of the operations of the state of the union in both the access and privacy commissions. You're probably aware from your briefings that there are human resource deficit issues that have led to significant backlogs, etc.
    This is a serious matter. I hope you will be able to give us some assurances that it's not just good enough to have an act; if the act is not being enforced and responded to, having a good act really doesn't help you very much.
    We want it to work. These are independent organizations that operate at arm's length. The government has looked at any budgetary requirements on a regular basis for the last 25 years. The challenge of all governments is to make sure that the resources of the Government of Canada are provided to organizations like the Privacy Commissioner, the Information Commissioner, and other independent officers of Parliament, in the work they do.
    In the second round we have Mr. Pearson, Mr. Tilson, Madame Lavallée, and Mr. Martin.
    Mr. Pearson, please.
     Minister, it's nice to see you today, and the others.
    The Privacy Commissioner would like to see a necessity test in the legislation that would require the government to demonstrate the need for the personal information they collect. I just wonder if you have any thoughts on that.
     Individual departments do that right now. I don't know if my officials have any comments on that, but it's my understanding that they analyze it. As I pointed out in my opening comments, a number of departments have a higher threshold than the Privacy Act. I gave you the examples of the Income Tax Act and the Statistics Act, and that makes sense.
    So there is a certain amount of flexibility, but each department is required to make sure they are up-to-date and meet those tests. I think that's being done.
(1620)
    In your view, do government institutions collect more information than they actually require?
     They're careful in their privacy considerations. I gave the example of the Income Tax Act, in terms of protecting. I pointed out some of the mechanics of that--these individuals take oaths to protect that information. If they're found to be in violation of those oaths, they can be charged under the Criminal Code.
    Of course, there's the Info Source publication that requires all departments to publish. Those banks of documents they have to collect and retain are available to everyone.
    In your opening remarks you said Canada is a world leader in this. We've been at this for some time now. We've heard a number of witnesses say that the Privacy Act is pretty antiquated and we should look at some provincial or European models--use some of the links we have with those.
    I'd be interested in your comments on that, because you seem to be saying we're doing pretty well with the Privacy Act--we're a world leader. But many of the witnesses have not felt that way.
     I'm surprised. For instance, did they go all the way through South America? Did they check how it's going in Ecuador and what it's like in China? If I go to the biggest countries, is Russia outpacing us? I'm just telling you that in my canvassing of all the world....
    Usually people say to me that we're falling way behind. Well, the list is actually very short. I ask who they think we're not maintaining with. There may be countries, and you've mentioned western Europe, that have made changes, and you can say that theirs is a little better than the Canadian piece of legislation. It's certainly newer than the Canadian piece of legislation. But in the briefings I've had, and with the interest I've taken over the years, I'll tell you that the list is always very short.
    People say Canada is falling behind. We're falling behind whom? I always say, give me a list of those countries you think we're falling behind. I think generally, and I say it not just with respect to privacy but with respect to other areas in the protection of human rights, you'll always find that Canada.... Somebody will say that the United Kingdom has.... Okay, I appreciate that. Or somebody says on another issue that Australia has this. Okay, but still, it's a short list.
    That doesn't mean the legislation is perfect. I remember when it came in, I thought it was a breath of fresh air. This was a wonderful piece of legislation that was brought in about 25 years ago. But again, is it perfect? No. This is why I'm interested in what the Privacy Commissioner has to say, and I will be very interested in what you have to say, quite frankly, and in whatever recommendations you have.
    Thank you.
    As far as outsourcing goes, I've heard a number of witnesses who have come before us on that as well. They have concerns about it. There is the idea about written agreements.
    I'm sorry, with what?
    There are written agreements with foreign countries. We have heard that we actually have written agreements on our part, but we don't always get them from others. I wonder if you have a view on that, because that was a concern for the committee.
    Go ahead.
    Denis can perhaps speak to the issue of outsourcing.
    By outsourcing, you mean disclosure to third countries. The Privacy Act requirement right now is that we can do that under an agreement or an arrangement with another country if it's for law enforcement purposes. It doesn't specify what sort of agreement, what sort of arrangement, but there needs to be an agreement that is arrived at with that country. There is nothing more specific required now.
    My own experience is that I've seen a lot of these written agreements. There might be some disclosures that happen without agreements.
    They are unwritten.
    Yes, they are unwritten agreements. But that would not be what I see on a day-to-day basis.
    Just quickly, Mr. Chair, the witnesses are saying that we actually need written agreements. Otherwise, we can't quite track what's going on.
    Well, as a lawyer, I always prefer written agreements. I don't like clients doing verbal agreements, so I would never suggest to a client that a verbal agreement is better than a written one.
(1625)
    We'll have Mr. Tilson, please.
    We can carry on with this when the minister.... I know the minister is going to have to excuse himself soon.
    There is a briefing note on this with respect to recommendation 10, which Mr. Pearson is referring to. The recommendation is that what we have now is pretty weak.
    In all the comments you're making--that the agreement doesn't have to be in writing, that the Privacy Act doesn't impose any duties on the disclosing institution to identify the precise purpose for which this data will be disclosed, and so on.... Mr. Kratchanov, do you think we should have Mr. Day come to the committee and talk about that topic? Because although it's Minister Nicholson's jurisdiction, this is getting into arrangements with foreign states.
    Certainly I think that would be a good idea.
    Yes. Well there you are.
    Thanks a lot.
    Thanks for your support.
    Don't say I made the recommendation; just do what you want.
     Mr. Minister, one of the issues that has not been raised by the Privacy Commissioner was raised by—and I think most, if not all, of us members of the committee received a letter from them back in April—the National Association for Information Destruction. They talk about including a definition of information destruction.
    You probably don't know too much about that, Minister, and maybe I'll look at someone else.
    I'm more concerned about information theft. That's the one we have under the identity label: people who are grabbing your information and then selling it to others.
    I understand that, and it's part of it. But this issue has been raised because of the story after story we heard during the PIPEDA hearings about information that was found in dumpsters in West Virginia and Winners and CIBC—I hate to mention them again. This letter refers to 800 to 900 personal medical files found in vacant buildings in Yorkton, Saskatchewan—some of these, of course, are more PIPEDA; sensitive personal information about children, found in garbage near a social housing project in Toronto; files containing personal tax and financial information of dozens of people, found in a dumpster in downtown Vancouver, etc.
    So the question, which was raised with the PIPEDA hearings, is whether there should be a definition of information destruction, because the public want to be confident that this information is being properly destroyed.
    And the public has every right to expect that and want it. I can tell you, Mr. Tilson, that the treasury department has issued guidelines to departments on what is known as “breach notification”, if there is an inadvertent—or advertent, in the very rare case—release of information, on what to do and making sure it is remedied. It's a big problem, not just within the federal sphere.
     I remember walking down the street in Niagara Falls, and somebody told me he was just checking over my report card. When they closed my high school, they left all the report cards, attendance records—they left everything for the last 60 years—and I guess it was just open season for anybody who wanted to go into the building to check on it.
     I'm pleased that there are Treasury Board guidelines on this, because as you point out, it's a huge problem, or it can be, when it takes place. We hear every so often about sometimes millions of documents that somehow get released on a disc that was inadvertently placed somewhere. I think there are very strict guidelines in this country, but if you have any recommendations with respect to that, we'd be very interested.
    Thank you, Mr. Chairman.
    But again, a lot of the problem we have is the theft of information, not just the inappropriate disclosure. That's a major—
    Oh, I understand that.
    That's a major problem we have.
    Madame Lavallée.

[Translation]

    You said earlier, minister—and you were quite right—that you did not have too many priorities, because when there are too many priorities, there end up being no priorities. Is the review of the legislation we are studying at the moment one of your priorities?

[English]

    Let's see what you have to say, Madame Lavallée. I'll be very interested to see what you have to say and whether it's possible. But I hesitate to make predictions. I have people, for instance, who about every third day tell me another justice priority that I should be bringing in legislation for. While I tell them I am very sympathetic or empathetic to what they have to say, I have to be somewhat realistic in terms of getting anything through the House of Commons. I don't want to say to you I'd be glad to introduce legislation at the end of June on your recommendations when in fact that may not be possible.
     I've had an interest in this particular area, quite frankly, for quite some time, and I was a member of a committee that went coast to coast, as I told you, on the “in and out” report at that time. So I'm quite familiar with it, I'm interested in what you have to say, and I will take it from there.
(1630)

[Translation]

    If I understand correctly, this may become one of your priorities. It will depend on the changes we ask you to make.
    Did I understand you correctly?

[English]

     I'm not in a position to commit the government to making amendments. There is a process that all governments follow, but again, I'm very interested to hear what you have to say.

[Translation]

    If I understand correctly, this is not a priority. A little earlier, you were blowing both hot and cold. You say that this legislation has worked well over the last 25 years, that Canada was not so bad, that it was one of the top 20 countries in the world, and that, as a result, this legislation represented a good balance. Those are all the expressions you used.
    Does that mean that the bill we are reviewing at the moment is not a priority for you, but that if we were to make some interesting suggestions, you might act on them?

[English]

    I suppose you could say I blow hot and cold on the Criminal Code as well, even though I believe the Criminal Code works fairly well in Canada. I believe we have a wonderful criminal justice system in this country. I believe there are lots of rights, a lot of protections, and a lot of constitutional guarantees, but you probably notice I'm involved all the time with making changes to the Criminal Code. I'd never want anybody to take that to say that Nicholson thinks the criminal justice system doesn't work in this country, or that it's a bad system or anything like that. Quite the contrary. Any time I talk about the criminal justice system in this country and its rights, I always say Canada is at the top. We do an excellent job.
     Does that mean I won't be bringing in more legislation to change the Criminal Code? I promise you I will be making changes. Again, I'm not announcing anything. I would be very pleased to get the ones I have before Parliament through right now.
    When people talk to me about the Privacy Act, I say have a look around the world and check out what the rest of the world is doing. Anybody who says others have a better regime for protecting privacy...that has to be a very short list. That doesn't mean that we cannot...indeed, we should continue to look at these pieces of legislation with a view to changing them, because that's how we do stay up to date, that's how we do stay at the top of any particular list that analyzes these issues. Again, without committing to amendments to this, because as I said to you, some of these don't need amendments to the act, some of them I think can be accomplished, and I gave an example to Mr. Martin.
    Again, you go about your work and I'll be very interested to hear what you have to say.
    Thank you very much, Madame Lavallée.
     I understand Mr. Wallace has a brief intervention and I think Mr. Martin wanted to finish off. I'm sure the minister will accommodate us.
    Mr. Wallace, one quick one.
     On recommendation 3, it's to enshrine in law the PIAs, the privacy impact assessments. I'm assuming your department uses this tool already. You indicated in your opening statement that there's a difference between policy and legislation. I'm asking for clarification. Is this the kind of area you're talking about? Do you think policy can work to make these things happen and it does not require legislation to make these things a mandatory management tool, or was it another area that you were referring to? I only want clarification.
    I think I was saying in general that some of what she is looking for could be accomplished without changes to the legislation. That's all I was saying. I don't think I was any more specific than I was with Mr. Martin. I said, for example, on one of the recommendations--I forget which one right now, but she talked about the education component of that. It seems to me you could probably do that without legislation. That was my point.
(1635)
    Minister, my concern has been, on this one in particular, whether we really need legislation to make it happen, if it's working, or if there are other ways to make it more effective or efficient.
    That's the challenge you have here, Mr. Wallace, and I will be glad to see what your recommendations are. I appreciate that.
    That was my question. Thank you very much.
    Minister, it is now twenty-five to five. You gave us an hour and we've been here an hour. I'm going to allow you to excuse yourself.
     I think Mr. Martin had one more question.
    I think he's going to save it for your staff. We didn't want to take any more of your time.
    We do very much appreciate your taking the time and giving us some frank input. I think members learned quite a bit from your perspective. We understand that you don't agree or disagree with everything. We have some work to do, and I thank you for your assistance.
    I appreciate that, and I thank you for your efforts.
    Colleagues, we're going to carry on. We have about two minutes for Mr. Wallace, please.
     Thank you.
    I'm going to continue on with the same processes. This is the one area I've been focusing on a bit.
    Can you explain to me what happens, from a practical point of view, for a PIA in the Department of Justice? I'm assuming the Department of Justice has a fair amount of private information. I'd like to know from a management point of view when they're instituted, how they're used, how they're stored, how long they last. I don't know much about them, and I'd like to understand, if you have that information.
    I can try. I don't do PIAs myself at Justice. Typically, PIAs are done when an institution, like Justice, decides to make some changes to a program or develops a new program that involves personal information. Under the policy it is required that we study the effect on privacy of these changes to a program or of this new program. That involves going through a series of questions and looking at the impact, what information we need, whether we really need that. We talk to stakeholders, and of course we consult with the Privacy Commissioner.
    Are they signed off by the deputy in charge of that particular area? What happens to them? She's recommending that they be legislated. I'm not sure they need to be legislated, and I'd like to know the feedback from the people who actually use them.
    Unfortunately, we're probably not the right persons to ask. We have a separate group in corporate services who are responsible for running that.
    Do you want to know the process, the follow-up?
    No. Could you ask the people in your department who are actually involved--even if they write and then we can share it with everybody--how they...?
    Would you like a general understanding of a privacy impact assessment analysis statement, how that's handled, what the process is, so you have that for part of your own knowledge base? Is that what you would be interested in?
    That's what I would like. I don't care about the rest of them, but that's what I would like.
    We could certainly follow up and provide the committee with that in writing.
    I'd appreciate that.
    We're at the third round now. We're going to have Liberal, Conservative, Bloc, Conservative, NDP, Liberal, Conservative, if we go through all of this.
    We'll start with Mr. Hubbard, please
    Thank you, Mr. Chair.
    With respect to the recommendations, the minister referred to a number of them. Number one is to “create a legislative 'necessity test' which would require...”.
    Is there a test now that has been generated? And I wonder why she uses the word “legislative” in terms of information. Is there a general guideline?
(1640)
    There is actually. There is a test, and it's in section 4 of the act. I can read from the provision. It's very short:
No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.
    The Treasury Board guidelines have said this expression “unless it relates directly” should mean a necessity test. Arguably, that's the only legal interpretation that's possible. If we say you shall not collect information unless it directly relates to a program, then basically it's saying you can't collect information you don't need.
    So from your interpretation of the present legislation and the workings of it.... She also seems to indicate that there would be a need to purify some of the information that's already collected, why the need would continue.
    Well, even if you have a necessity test, you still need to decide, on a factual basis, whether this particular information is necessary to achieve that particular program. The answer is not always obvious. Reasonable people might disagree about what is necessary to be collected for a particular purpose.
    Putting a necessity test in the act itself does not make that issue disappear on its own. There will always be some discussion about what is exactly necessary to collect in terms of personal information for a particular program.
     Another day we talked about criminal activity, criminal sentences, and the pardon system. We know that within our own legislation pardons can be granted after five years of a completed sentence. Yet we know that often our people communicate those offences to foreign jurisdictions, in particular to the United States.
     We used an example of somebody who had been involved with marijuana 20 years ago. They might have a pardon in terms of Canada, but if they want to enter the United States, that offence is still listed. Often truck drivers, for example, are not permitted to cross the border into the United States on a free basis. It's a problem we encounter almost on a daily basis across Canada.
    What can we do in terms of the privacy of a person who has served a sentence and who's been granted a pardon, yet our government has not been able to deal with foreign jurisdictions so that they see the person is a good citizen of our country and should be allowed entry?
    That's a very good question.
     Certainly, there's the Criminal Records Act that deals with pardons and things like that in Canada. When someone is convicted of a criminal offence, there's a public record of that. That's public knowledge. You can access it from a courthouse.
    If a foreign government collects that sort of information at the source, or at some point obtains evidence that someone has been convicted of a crime, and keeps that information, the fact that we have issued a pardon here is not something we can force another country to take into account. We can enforce that legislation here in Canada, but we can't.... The United States is sovereign, and if it wants to retain information it has gathered, that's not something on which we've got any leverage.
    What you're saying, really, is that all criminal offences are communicated with foreign jurisdictions.
    No, I'm not saying that. What I'm saying is that information about convictions is publicly available information in Canada. The restrictions on its dissemination aren't very great. If such information, one way or another, ends up in the hands of a foreign government, that's not something we could necessarily control. They could obtain it through different means.
(1645)
    I guess my time is up.
    Thank you.
    Thank you very much.
    Mr. Nadeau, s'il vous plaît.

[Translation]

    Thank you, Mr. Chairman.
    First of all, perhaps you could send us some information, unless you have it off the top of your head. Could we have a list of the countries with good privacy protection, where people are being well served by their federal government? We were discussing this earlier with the minister.
    Next, if we count Kosovo, which got its independence after a vote in its legislative assembly, there are about 209 countries in the world, I believe. Does Canada have an agreement with these 209 countries? Does the way in which Canada exchanges information with other countries vary from one country to another? How does that work?
    What type of information—
    I'm referring to the Commissioner's 10th recommendation. This could be intelligence information... We know what we are talking about when we refer to Interpol. But we could think of Mr. Arar's case, who went through hell with the previous government. However, the fact remains that there are information-sharing agreements between sovereign countries. I would like to know how that works, whether there are categories of countries, whether there are some countries with which we do not exchange information, and so on.
    In practice, all institutions that run a program or activity, subject to the relevant legislation, may enter into an agreement with the parallel body in another country. There is no agreement between Canada and another country that covers the exchange of all the information held by the Government of Canada. These agreements are—
    I think this comes more under the responsibility of the Minister of Public Security, who has this information. I do not think I could find this information without requesting it from the other department. It would be preferable to ask officials from that department to come in and explain how and with whom Canada develops its agreements.
    I'm going to give you a few hints. We met with people from the RCMP and the Canadian Security Intelligence Service. These two so-called government organizations can make a request of the same country without knowing that the other one is investigating the same individual. Conversely, any given country may request information about Canadian citizens without knowing exactly what is at issue.
    You are telling me that the Department of Justice has no opinion regarding the Privacy Act.
    It is not that we have no opinion, but there is no agreement that covers all information exchanges between Canada and other countries under the Privacy Act.
    The act provides that each institution may enter into agreements with foreign institutions to exchange information. For example, the RCMP may have an agreement with the FBI. There may even be several agreements between the RCMP and the FBI that cover various categories of information. There may be agreements between the RCMP and the French police.
    So it is up to the minister of the department concerned to assume this responsibility, beyond any "para-sovereign" consideration between the two countries.
    Under the act, the agreements entered into are in the name of the person in charge of the institution. In the case of a department, that is the minister.
(1650)
    If I understand correctly, information about a Canadian citizen may be exchanged with another country without the Department of Justice or the Department of Public Safety being aware of it. Is there really this much freedom and openness regarding information exchanges?
    That is what would be allowed under the act.
    Thank you.
    I am sorry.

[English]

     I must pass the floor now to Mr. Hiebert, who will be the last intervenor.
    Thank you, Mr. Chair.
    I'm not sure who can answer this question, but maybe somebody can. The Privacy Commissioner has recommended that she be given the ability to refuse or discontinue complaints that would serve little or no useful purpose. I think Mr. Martin referred to some of the Correctional Services questions that are coming, which might fit this category.
    Do you agree with this proposal? I want to know your perspective. The minister stated that he is concerned about the possible conflict with recommendation 2, but do you agree with this proposal in isolation?
    On the issue of frivolous, vexatious complaints per se, you have that ability in other legislation; so on its face, there is nothing ostensibly wrong with that in isolation. I think one of the concerns with that particular recommendation is that she wants to have the ability to determine what complaints are in the public interest, and our minister's concern was that it might limit individual complainants from being able to take their cases forward.
    As Mr. Martin has mentioned, and I know from my own experience, because I come from a correctional environment, there is an issue of extensive, frivolous, vexatious complaints. So from an operations perspective, it is an issue that one needs to look at. If one looks at it in isolation, there is some legitimacy to that request.
    Of course, if you look at it in the context of the nature of the complaint and her wanting to be able to determine whether a complaint is in the public interest, not all complaints might be in the public interest. For the individual complainant, it's a real issue for them, and they want to have the ability to complain to the Privacy Commissioner.
    Again, there is a balancing here. So I would invite the committee to listen to Corrections to hear their views, but also to understand that there is, of course, a bigger issue here.
     Can you think of any other way the commissioner could prioritize the requests?
    I understand what you're saying, and I kind of agree with it. Natural justice would suggest that we have to give people an opportunity to get answers to their questions if we want to hold ourselves accountable, but is there some other way we could provide a vetting process or a triage?
    Again, Corrections would be a good department to have come and speak to you, because they do have some experience with that. My experience is dated. It has been probably longer than ten years since I was there—as counsel, by the way. I wasn't working in Corrections; I was still with Justice. But we did try to help develop a form of, as you say, triage system as a way to manage complaints. They perhaps have had more success in the past ten years than I could have boasted of ten years ago.
    I have another question, if you've finished on this one. This has to do with a Supreme Court of Canada decision in 2006. It was the Attorney General versus H.J. Heinz Co. In that decision, the Supreme Court of Canada basically stated that without any binding order-making powers, the commissioner has no teeth. It was kind of a backward endorsement of what she's now asking for.
    Do you have any comments on this particular decision or this indirect endorsement for changes to the Privacy Act?
    Yes.
    I wouldn't necessarily read too much into that decision. It dealt not with the Privacy Act, interestingly, but with the Access to Information Act. What the court was asked to look at was whether a third party, under the Access to Information Act, could use the personal information exemption of the access act when it wanted to prevent the government from disclosing information to an access requester. So the analysis had nothing, really, to do with the Privacy Act itself. It had more to do with the inner workings of the access act.
    Now, in the course of its analysis, the court noted that the Privacy Commissioner's ability to provide some relief to the third party in such a case was rather limited. That was part of its reasoning for concluding that the third party could raise the personal information exemption in the access act context, but they certainly wouldn't say in the Supreme Court that they think the powers of the Privacy Commissioner are not sufficient.
(1655)
    So your interpretation is different. You don't think the Supreme Court of Canada was calling her powers limited?
    The court, I think, was simply reading the provisions of the act, saying she has recommendation powers only. That's not disputed; it's a fact. In looking at that, it concluded that it was necessary to give the third party the right to claim the personal information exemption in the access act context.
    Thank you.
    Mr. Dhaliwal, please.
    Thank you.
    Thank you again.
    I was talking to David Loukidelis, the Information and Privacy Commissioner for British Columbia. In fact, my question was not necessarily just about him, but in general. When we look at the public sector and the private sector, the Privacy Act sets lower standards when it comes to dealing with the public sector than it does for the private sector. Do you agree with those findings?
    Do you mean that the protection...?
    I mean protection when it comes to setting standards. When we are dealing with the public sector, the standards are at a much lower level than those imposed on the private sector.
    Well, I certainly don't want to comment on either the public sector or the private sector legislation in B.C., to make a comparison. I think, though, the minister has already alluded to the fact that the public and the private sectors have different responsibilities and accountability mechanisms, and that, by itself, might justify different rules.
     Do you recommend more regulation when it comes to the public sector than to the private sector?
    I was involved in PIPEDA a bit when it was being developed. Back then I heard people say there should be more rules applicable to the private sector than to the government sector. I hear the opposite now. Frankly, I don't know.
    The minister keeps mentioning recommendation 2 and recommendation 6 when made by the Privacy Commissioner. When it comes to recommendation 6, where the Privacy Commissioner has recommended that she be allowed to refuse or to investigate complaints that are not useful for the public purpose, do you agree with that recommendation?
    I think we already spoke to the concern there that it might be limiting the individual complainant who wants to come forward and have their complaint heard. Those issues are not always something of public interest. So to give the Privacy Commissioner that particular power may create an issue. I think it's something that has to be explored. I'm sure she would always act in good faith, so it's not a question of that. But I think we need to explore that issue a bit further to be sure that the individual complainant still has the ability to bring complaints forward.
(1700)
    We were talking to the minister earlier about where Canada is when it comes to protecting the privacy of our citizens in relation to the developed countries. Could you comment on that? Where do we stand, particularly in relation to the developed countries, and can we learn from those developed countries that are ahead of us when it comes to implementing those privacy regulations?
    The minister referred--
    He talked about China, but I'm particularly interested only in the developed nations.
    It was Greece and Romania who appeared in the particular report the minister made reference to as being the top two in the world. Canada is certainly up there, but I don't have any more specific information on the other countries that perhaps were reflected in that report. Perhaps we could get that report and provide it to this committee, and then you would have that available to you to see what information it has.
    Okay.
    The Chair: Mr. Hiebert had one more question, I think.
    Thank you, Chair. We had David Flaherty--I'm not sure if you know who that is--the former Information Commissioner from British Columbia, come and speak before the committee. He was giving us examples, at least in the private sector, where data breaches would occur, that there was a lack of proper security and then the data would get stolen or lost in transit from one location to another.
    He suggested that the federal government, the Privacy Commissioner, should have some standard by which she could hold government departments accountable as to the level of security they have attached to the process they use. Presumably, government departments have to transport this data as well. Do you have any comments on the inclusion of some level of standard in this respect, or what that standard might be?
    Treasury Board has already issued guidelines to departments on breach notification--and I think the minister spoke to that--which does set a standard on data that is inadvertently disclosed.
     I understand there is also a consultation taking place in the context of PIPEDA to look at that whole issue. I think we will wait and see what that consultation shows us, and then perhaps we can take a look.
    I don't know if you've seen the guidelines from Treasury Board on that. You do have them? That would also be useful to take a look at, perhaps, to see what the standards are that have been set.
    Do you have any direct opinion as to whether or not those standards that are being proposed by Treasury Board should also be adopted by changes to the Privacy Act?
    I don't have a personal opinion on that, no.
    Anybody else?
    Thank you.
     Thank you.
    It is actually unusual, in my experience, that the department responsible is waiting for someone else to suggest to it what happens or what should happen. Usually we start off by having the minister and the ministry come before us to provide some of the priorities and areas of concern and ask the committee to do a study.
(1705)
     [Inaudible--Editor]
    No, I understand that, but there is a responsibility to the minister. And I understand that the minister seemed to indicate that maybe it's not his job to tell us what else we might consider. But I think there was an indication that he is prepared to share preliminary or general views with regard to at least the ten—in fact, eleven; there is another one at the very bottom, in the editorial, about training. If you look at the front summary, the training of personnel was an issue.
    We have asked others to do this, and I wonder if we could ask you to provide us with whatever specific input you could on each of the ten. We've talked generally about two or three of those, but is there any input you'd care to give to help us get a sense of what your views would be, should they come up as recommendations for legislative changes?
    I certainly think we could give you the considerations, which is perhaps what you're looking for from us.
    Sure, whatever you feel is appropriate.
    On the one hand or on the other, these might be some issues that one should look at, take into consideration, reflect on a bit. I'm hoping you're not asking for it this second. You'd like it in writing? Is that what you're asking for, or do you want us to go through it? It could take us a—
    Well, we have some other business to do, but I want you to think, because the minister did I think give us some considerations about federal versus provincial, etc.
    Yes, exactly.
    Those are very important, and I don't think anybody else ever said that to us, to be careful or cautious. But if there is further input specifically on the ten, because I don't think we covered all of them, and if you do have matters for consideration or concern, it would be helpful to us, and I'd invite you to apprise us of them if you could. Okay?
    I'm still unclear. Would you like that right now or in writing?
    Oh, absolutely in writing.
    Just provide us, in writing, your comments or concerns or something like that.
    I think that would be easier, and then we could take each recommendation and outline some of the concerns, and that would be helpful for your eventual study.
    Thank you very much. And if you have any other suggestions for us about matters to consider for proposal, we would entertain those as well. How does before you leave for summer vacation sound?
    Thank you very much to Ms. Kobernick, Ms. Remsu, and Mr. Kratchanov. We do appreciate your time and the minister's time, and we hope that our report, when it ultimately comes out, will be helpful input to the minister in his work.
    Thank you.
    Thank you. You're excused.
    Colleagues, Mr. Hiebert had asked me about witnesses. I want to first of all inform members that despite our best efforts, we were not able to get any provincial privacy commissioner to be with us on Thursday.
    We do have the Bar Association coming on June 3, Correctional Service of Canada on June 5, and the Privacy Commissioner is tentatively scheduled to come back before us on June 10. The Canadian Resource Centre for Victims of Crime has been invited, and we have already followed up with them. And we have not had the chiefs of police.
    The only other specific one was with regard to Correctional Service of Canada, which is next Thursday. That's where we are right now. Of course, every time we hear witnesses, and of course the ministry now, other thoughts and things....
    I'm going to hear from Mr. Hiebert, given that's where we are right now, if he has further thoughts for the committee's consideration.
    Mr. Chair, I'm at a bit of a loss in terms of the lack of success we've had in bringing witnesses before this committee. About two weeks ago we submitted a list of 20 organizations, perhaps even more, that could reasonably be called to speak to this topic. You've talked about one or two that weren't available and three or four that are. But I'm wondering about the other 10 or 15 we proposed.
     On which dates would you like them to appear? Our dates are filled until June 10.
    That's only two weeks from now. We have many more people to hear from.
    I hear you. At the last meeting you may recall that I circulated to all members a complete list of all possible witnesses and asked if there were any places we had to fill in to make recommendations.
    Mr. Hiebert, every member has an opportunity to suggest witnesses, but no member has the authority to call for witnesses. It is the decision of the committee of the whole. You submitted a list of 20 without any rationale as to why it was important for us to see them. The committee should have an opportunity to suggest.
    I'm going to suggest something, if I may. Members have the lists of all the people who have come from the Privacy Commissioner, our research assistant, and Mr. Hiebert. I think those are the three areas we had lists from. Is there anybody there who is important for us to do the work we want to do on this and should be proposed to us? I believe I asked for an explanation as to the importance of a witness to our work, so the committee can consider it and make a decision.
    Can we do that for Thursday?
(1710)
    Is that what we're doing on Thursday?
    No, we have a couple of other items to come up yet.
    Mr. Chair, I would be happy to provide you with a list. It was my understanding when we gave you the last list that you simply wanted names. At that point, to my knowledge, you didn't ask for justification. I thought it was self-evident, based on the people and organizations on the list, that it was very much within the scope of their responsibility that they could speak to this. But if you want me to resubmit the list with justifications, I'll be happy to do so.
    Now I know what the problem is. Unfortunately, Mr. Hiebert, you weren't here at the last meeting when we did this. I should have told you. I apologize.
    During the meeting I circulated the lists of all the names of the people coming from various sources and specifically asked for recommendations to fill in the areas where we felt we still had need for expertise--with a rationalization. I'm sorry; you weren't here. I should have let you know about this, because I know you lead on this file.
     Can we do this on Thursday? Let's take the time and do it on Thursday.
    I want to deal with the main estimates. Colleagues, we did a review of the main estimates of Ms. Dawson, Mr. Marleau, and Madam Stoddart, with regard to the votes under the main estimates for each of those. The recommendation at the time was that we not take a vote on approving the estimates one by one, but wait until we finished all three, which we have.
PARLIAMENT
Office of the Conflict of Interest and Ethics Commissioner
Vote 20--Program expenditures..........$6,338,000
JUSTICE
Office of the Information Commissioner of Canada
Vote 40--Program expenditures..........$6,733,000
Office of the Privacy Commissioner of Canada
Vote 45--Program expenditures..........$15,898,000
    (Votes 20, 40, and 45 agreed to)
    Shall the chair report vote 20 under Parliament and votes 40 and 45 under Justice to the House?
    Some hon. members: Agreed.
    The Chair: Thank you.
    Mr. Martin and Mr. Hubbard have asked for the floor.
    Mr. Martin.
    Thank you, Mr. Chair.
     I sent to the clerk, and he circulated to members, a notice of motion that I would like to deal with after the appropriate period next Thursday. There was a typographical error and I'd like the indulgence of the committee to change the language.
    It now says the “third report of the committee Presented to the House on April 2, 2008”. No, I'm sorry. It now says “third”; I want it to say the “fifth...on April 2, 2008”. The motion I submitted currently says the “third report of the committee presented February 29, 2008”. So whether you deem this as notice of motion or what I've sent to the clerk's office as notice of motion, I want it corrected.
     Because you can still have notice for Thursday's meeting, maybe you can simply change the “third” to the “fifth” on your own word processor and resubmit it to the clerk.
    That's what my office is doing as we speak. I just wanted it to be clear.
    Thank you. That's understood.
    Mr. Hubbard.
    I have another motion, that the Standing Committee on Access to Information, Privacy and Ethics investigate the actions of the Conservative Party Canada during the 2006 election in relation to which Elections Canada has refused to reimburse Conservative candidates for certain election campaign expenses in order to determine if these actions meet the ethical standards expected of public office-holders.
     I would like to table that.
    So that's a notice of motion only. That will be dealt with on Thursday.
    Is there any further business?
    I have another motion that I'd like to bring forward. I know this committee considered this at one time in the past, but I'd like to resubmit the motion dealing with the Liberal fundraising tactics. We agreed at one point to call witnesses. Then the committee abruptly changed its direction.
(1715)
    We'll put them all in together. What do you say?
    Please submit a motion to be dealt with on Thursday as well.
    I would like to move a motion that we waste more time at this committee over the next number of months.
    Okay. Order.
    Thank you, colleagues. I appreciate your indulgence. On Thursday, please, on the witnesses. Then we'll deal with the motions.
    We're adjourned.