Ottawa

Parliamentary committee calls on federal government to amend Privacy Act

The committee on access to information, privacy and ethics has released a report with 14 recommendations for the federal government following its look into how at least a dozen departments and agencies use personal data extraction tools.

Privacy, ethics committee has 14 recommendations after studying government's use of data extraction tools

Liberal MP Brenda Shenahan, left, and Bloc Québécois MP René Villemure, right, present the parliamentary committee's report.
Liberal MP Brenda Shanahan and Bloc Québécois MP René Villemure presented the report by the committee on access to information, privacy and ethics on the federal government's use of personal data extraction tools in Ottawa on Thursday. (CBC News)

A parliamentary committee is recommending that the federal government modernize the Privacy Act following their study on some federal departments' use of tools capable of extracting personal data from mobile phones, computers and tablets.

The committee on access to information, privacy and ethics launched the study following reporting by Radio-Canada last November that revealed personal data extraction tools were being used by at least a dozen federal departments and agencies.

Most of those institutions did not abide by a federal directive from the Treasury Board of Canada requiring them to undertake a privacy impact assessment before implementing the technology.

The tools in question can unlock devices and recover data found on mobile phones and computers, including information that has been encrypted or protected by passwords. Departments say they use them in internal investigations or to enforce laws.

Between February and March, the committee heard from 32 witnesses including representatives of 12 of the departments and agencies that use such instruments and Treasury Board President Anita Anand. 

Among the 14 recommendation in their report published Thursday, the committee says the federal government should update its directive on privacy impact assessments and make changes to the now outdated Privacy Act.

"I think that an overhaul is overdue," said Bloc Québécois MP René Villemure who serves as the committee's vice-chair.

"Most of the disposition of the law were written before social media, before internet, before artificial intelligence, so I think we have to recognize that these made a difference."

Directive needs legal reinforcement, says committee

The Treasury Board directive in place since 2002 required all federal institutions to carry out a privacy impact assessment prior to any new program or activity that involves the collection or handling of personal information. 

After hearing from departmental representatives who said they were unsure whether those assessments should also be carried out when new technological tools are implemented, however, the committee found the directive lacked clarity.

The committee found some of the federal departments had carried out broader privacy impact assessments, but none had conducted the assessments for the digital forensic tools they began using.

"The requirement to submit a privacy impact assessment would be useful and we would like to see that when there have been substantial modifications or changes to the program or activity, which I think by extension would likely be due in part to the using of new tools and devices," said committee member and Liberal MP Brenda Shanahan.

A politician sits at a desk before a committee meeting.
The new directive on privacy protection follows Treasury Board President Anita Anand's assurance in the spring that new federal requirements were in the works. (Olivier Plante/Radio-Canada)

When Anand appeared before the committee in March, she said a more robust directive to measure the impact of potentially intrusive software would be ready in the summer.

The day before the committee released its report, the Treasury Board published a new directive on privacy practices. It requires that privacy impact assessments are completed for "any program or activity that uses personal information for an administrative purpose."

Villemure said the government should go further by making the requirement legally binding. 

"A directive is not a revision of the law," he said. "We have to make it into law which then will have the right power to do things."

Federal government reviewing report

The report's recommendation that the federal government amend the Privacy Act echoes suggestions made by Canada's privacy commissioner Phillipe Dufresne to the committee.

Dufresne said some personal data extraction tools can be useful, but privacy protection needs to be prioritized.

"We need to have that reflex of privacy by design — privacy at the front end," he told the committee in February.

A man sits at a desk during a committee meeting.
Privacy Commissioner Philippe Dufresne was the first witness to appear before the committee. (CBC)

The committee has asked the federal government to respond to its report. Under House of Commons rules, it will have 120 days to do so.

CBC News reached out to Anand, the Treasury Board's president, for comment. Anand's office deferred to the Justice Minister Arif Virani, who would be responsible for enacting changes to the Privacy Act.

A man in a black suit gestures as he speaks into a microphone.
A spokesperson for Justice Minister Arif Virani said he's reviewing the parliamentary committee's report and will respond in due course. (Sean Kilpatrick/The Canadian Press)

In a statement, Chantalle Aubertin, a spokesperson for Virani, said he's reviewing the committee's recommendations.

"Our government will respond to the Committee's report in due course," she added. 

ABOUT THE AUTHOR

Jodie Applewaithe

Associate Producer

Jodie Applewaithe is an associate producer with CBC Ottawa. You can reach her at jodie.applewaithe@cbc.ca