Modernizing the legal framework protecting the privacy rights of Canadians can sometimes feel like an endless process, and not just because technology keeps evolving. We want government institutions to use relevant data in their programs and policies, but we also insist on protecting the privacy of Canadians whose data is necessary for the elaboration of those programs and policies. Expect the push and pull to continue.
The CBA’s Privacy and Access Law Section has produced several submissions and sponsored many resolutions on privacy issues going back to 2004. When Justice Canada issued discussion papers on modernizing the Privacy Act in November 2020, the Section was ready once again to comment.
In its latest submission, the Section agrees the Act should sport an updated title “to accurately reflect the specific context in which it regulates the collection, use, retention and disclosure of personal information in the broader set of laws that embody the fundamental value of privacy.” It also wants to see a purpose clause that reflects “the balance of privacy interests against the legitimate needs of government” to collect, use and sometimes disclose information. It would also add an overarching principle “that pseudonymized or anonymized data should be used where possible.”
Justice Canada proposes to update the definition of “personal information” to include unrecorded personal information. In 2019 the Section agreed, and now adds that the Act “could also include an express duty of confidentiality for unrecorded personal information.”
Defining what constitutes “identifiable” information is not something the Section recommends, however it does support replacing “government institution” with “federal public body” to include Parliamentarians’ offices, among others.
Back to the push and pull. The discussion paper suggests Justice Canada wants to change the requirement that information “relate directly to an operating program or activity,” lowering the threshold to information that is “reasonably required.” The Section concedes requiring information to be “directly relevant” is problematic but disagrees that “reasonably required” is appropriate given that it’s less restrictive than what applies to the private sector.
“The CBA Section asserts its longstanding position that government institutions identify the specific purpose for collecting personal information and ensure the information is reasonably necessary for its articulated purpose or authorized by law.”
The Privacy Act doesn’t currently define what is meant by the term “publicly available information,” and the Section believes it should, and states further that special rules on the use of such publicly available information should align with Canadians’ reasonable expectations of privacy.
Justice Canada wants to define what constitutes “de-identified” personal information and regulate its use. The CBA Section recommends further study on the use of information which the Section calls “pseudonymized” — data that cannot be attributed to any particular individual without additional information that is kept separately and is subject to “measures to ensure that the personal data are not attributed to an identified or identifiable natural person,” as per the definition of the European Union’s General Data Protection Regulation.
The Section’s submission covers how to ensure the private information collected by government institutions is properly secured with breach notifications and reporting obligations as stringent as those that apply to the private sector.
It also discusses automated decision-making, access rights to foreign nationals not present in Canada, the sharing and disclosing of personal information where two or more federal public bodies have access to the same datasets and the modernization of enforcement provisions to grant the Privacy Commissioner additional powers including the ability to issue binding orders.