The Privacy Act and the Access to Information Act are two pieces of federal legislation whose time has come – to be amended.
The federal Privacy Commissioner sent the government a letter outlining 16 changes that he believes need to be made to the Privacy Act. The CBA’s Privacy and Access Law Section agrees with most of those changes – in fact it has made many of the same recommendations over the past decade or more. And it doubles down by saying the Access to Information Act – which, like the Privacy Act, has not been substantially changed in 34 years – must be amended at the same time. “Both statutes have been treated as a package since they were enacted and there are compelling reasons to continue doing so,” the Section says.
In its submission, presented to the Standing Committee on Access to Information, Privacy and Ethics in late September, the Section notes that the review must also address the “supporting infrastructure.”
(Hear more from Gary Dickson, who appeared before the Committee for the CBA.)
“More than 30 years of experience with access and privacy laws in Canada dictate that we cannot achieve a truly robust set of information rights if we focus exclusively on the enabling statute,” the submission says. “The access and privacy infrastructure includes the role and work of the Treasury Board, the role and work of ATIP Coordinators, the Open Government initiative and a host of administrative and procedural matters that directly and indirectly affect individuals asserting their information rights under either or both statutes.”
The then-Privacy Commissioner noted in 2006 that the government holds the information-gathering and disclosure operations of the private sector to a higher standard than it holds its own. The Section says this disparity has become more pronounced since the passage of the Digital Privacy Act and its amendments to PIPEDA.
“Some might question whether the Privacy Act should be similar to PIPEDA. There certainly are features of PIPEDA that should be considered for inclusion in the Privacy Act. This includes an explicit duty to safeguard personal information, breach notification requirements, a broad definition of personal information and the ability to consult with data protection authorities,” the submission states. At the same time, the Section notes that there are important differences between the two laws – accountability, for example, is a different beast in the private sector than for government, and while PIPEDA is consent-based, government has the authority to collect certain information without consent.
Among other recommendations, the Section says the Privacy Act should impose a legal obligation on government institutions to protect personal information, and the breach-reporting regime should be “at least as stringent” as any imposed by PIPEDA, which would entail establishing the threshold of “real risk of significant harm.” Previous submissions have also recommended that the government be required to “identify the specific purpose for collecting personal information” and to ensure that the information is used only for that purpose.
In addition, the Office of the Privacy Commissioner should be given a public education and research mandate, the office-holder should have discretion about publicly reporting privacy issues, and the Privacy Commissioner should be given the same jurisdiction to share information with counterparts under the Privacy Act as under PIPEDA.
“This amendment reflects the reality that contemporary data routinely moves over borders and between different jurisdictions anywhere in the world. Effective enforcement of privacy rights must allow for cooperative approaches with other data protection authorities and privacy commissioners.”