Skip to main content

ETHI Committee Report

If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.

PDF

LIST OF RECOMMENDATIONS

RECOMMENDATION 1

  • a) That the purpose clause in section 2 of the Privacy Act be expanded to reinforce the quasi-constitutional nature of privacy rights by including generally accepted and technologically neutral privacy principles similar to those in contained in the Personal Information Protection and Electronic Documents Act, including accountability; identifying purposes; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.
  • b) That the Privacy Act be modified to clarify that the privacy principles in the amended purpose clause shall guide the interpretation of the Act.

RECOMMENDATION 2

That the definition of “personal information” in section 3 of the Privacy Act be amended to ensure that it be technologically neutral and that it include unrecorded information.

RECOMMENDATION 3

That the Government of Canada define metadata in the Privacy Act, in a technologically neutral way and with an emphasis on the information it can reveal about an individual.

RECOMMENDATION 4

That the Privacy Act be amended to require that all information sharing under paragraphs 8(2)(a) and (f) of the Privacy Act be governed by written agreements and that these agreements include specified elements.

RECOMMENDATION 5

That the Privacy Act be amended to create an explicit requirement that new or amended information-sharing agreements be submitted to the Office of the Privacy Commissioner of Canada for review, and that existing agreements should be reviewable by the Privacy Commissioner upon request.

RECOMMENDATION 6

  • a) That the Privacy Act be amended to create an explicit requirement that departments be transparent about the existence of any information-sharing agreements.
  • b) That the Privacy Act be amended to require, except in appropriate circumstances, the publication of the content of information-sharing agreements between departments or with other governments.

RECOMMENDATION 7

That the Privacy Act be amended to create an explicit requirement for institutions to safeguard personal information with appropriate physical, organizational and technological measures commensurate with the level of sensitivity of the data.

RECOMMANDATION 8

That the Privacy Act be amended to set out clear consequences for failing to safeguard personal information. 16

RECOMMENDATION 9

That the Privacy Act be amended to create an explicit requirement for government institutions to report material breaches of personal information to the Office of the Privacy Commissioner of Canada in a timely manner.

RECOMMENDATION 10

That the Privacy Act be amended to create an explicit requirement for government institutions to notify affected individuals of material breaches of personal information, except in appropriate cases, provided that the notification does not compound the damage to the individuals.

RECOMMENDATION 11

That section 4 of the Privacy Act be amended to explicitly require compliance with the criteria of necessity and proportionality in the context of any collection of personal information, consistent with other privacy laws in effect in Canada and abroad.

RECOMMENDATION 12

That the Privacy Act be amended to clarify that a recipient federal institution that receives personal information through information sharing with another federal institution is collecting personal information within the meaning of section 4 of the Privacy Act, and must meet the criteria of necessity and proportionality that apply to the collection of personal information.

RECOMMENDATION 13

That section 6 of the Privacy Act be amended so as to explicitly require compliance with the criteria of necessity and proportionality in the context of any retention of personal information.

RECOMMENDATION 14

That the Privacy Act be amended to set clear rules governing the collection and protection of personal information that is collected on the internet and through social media.

RECOMMENDATION 15

  • a) That the Government of Canada strengthen the oversight of privacy rights by adopting an order-making model with clear and rigorously defined parameters.
  • b) That, in order to ensure the most effective use of resources, the Government of Canada explore ways of finding efficiencies, by, among other things, combining the adjudicative functions of the Office of the Privacy Commissioner of Canada and the Office of the Information Commissioner of Canada.

RECOMMENDATION 16

That the Government of Canada further examine the possibility of expanding judicial recourse and remedies under the Privacy Act.

RECOMMENDATION 17

That the Privacy Act be amended to include a requirement for government institutions to conduct privacy impact assessments for new or significantly amended programs and submit them to the Office of the Privacy Commissioner of Canada in a timely manner.

RECOMMENDATION 18

That the Privacy Act be amended to require federal government institutions to consult with Office of the Privacy Commissioner of Canada on draft legislation and regulations with privacy implications before they are implemented.

RECOMMENDATION 19

That the Privacy Act be amended to explicitly confer the Privacy Commissioner with:

  • a) the authority to conduct, on his own initiative, research and studies on issues of public importance, and
  • b) a mandate to undertake public education and awareness activities.

RECOMMENDATION 20

That the Privacy Act be amended to require an ongoing five-year parliamentary review.

RECOMMENDATION 21

That section 64 of the Privacy Act be amended to create an exemption from confidentiality requirements to provide the Privacy Commissioner with the discretionary authority to report proactively on government privacy issues where he considers it in the public interest to do so.

RECOMMENDATION 22

That the Privacy Act be amended to expand the ability of the Office of the Privacy Commissioner of Canada to collaborate with other data protection authorities and review bodies on audits and investigations of shared concern in connection with Privacy Act issues.

RECOMMENDATION 23

That section 32 of the Privacy Act be amended to grant the Privacy Commissioner discretion to discontinue or decline complaints on specified grounds, including when the complaint is frivolous, vexatious or made in bad faith, and that the Commissioner’s decision to discontinue or decline a complaint be subject to a right of appeal by the complainant.

RECOMMENDATION 24

That reporting requirements on broader privacy issues dealt with by federal institutions be reinforced by requiring the addition of a descriptive element so as to make the information in the reports accessible and relevant.

RECOMMENDATION 25

That there be specific transparency requirements for lawful access requests from agencies involved in law enforcement.

RECOMMENDATION 26

That the Government of Canada explore extending the scope of the Privacy Act to all federal government institutions, including ministers’ offices and the Prime Minister’s Office.

RECOMMENDATION 27

That the Government of Canada consider extending the right of access to personal information to foreign nationals.

RECOMMENDATION 28

That the Government of Canada examine the possibility of limiting exemptions to access to personal information requests under the Privacy Act.