In February 2024, the Committee undertook a study on the use, by certain federal government institutions, of technological tools capable of extracting data from mobile devices and computers, known as digital forensic tools.

Given the capacity of these tools, some stakeholders raised concerns about the possibility that they could be misused. In particular, they questioned how these tools might be used in internal administrative investigations involving federal employees.

The Privacy Commissioner of Canada noted that, in an era where technology is increasingly changing how personal information is collected, used and disclosed, federal government institutions must pay close attention to how their activities affect privacy, particularly by ensuring that they respect the principles of necessity and proportionality. One way of assessing how a program or activity affects privacy is to carry out a privacy impact assessment before it is implemented.

The federal government institutions’ representatives who appeared before the Committee said that their use of digital forensic tools was necessary to keep pace with changes in technology in recent years. These tools ensure that they can obtain the evidence they need to fulfill their mandate. This evidence is no longer found in physical spaces, but rather in the filing cabinets of the modern era: mobile devices and computers.

The matter of knowing whether a privacy impact assessment should be carried out when a powerful new technological tool is used for the first time or rather at the program level was a common topic of discussion during the study. The Committee noted that clarity appeared to be lacking on this matter in the Directive on Privacy Impact Assessment. The President of the Treasury Board indicated that this directive was being updated to clarify requirements for these assessments.

In light of the testimony it heard, the brief it received and the supplementary information provided to it by certain witnesses, the Committee makes nine new recommendations and reiterates five recommendations from its 2022 report on device investigation tools used by the Royal Canadian Mounted Police, including one to make privacy impact assessments mandatory under the Privacy Act.