Parliamentary committee calls on federal government to amend Privacy Act
Privacy, ethics committee has 14 recommendations after studying government's use of data extraction tools
A parliamentary committee is recommending that the federal government modernize the Privacy Act following its study on some federal departments' use of tools capable of extracting personal data from mobile phones, computers and tablets.
The committee on access to information, privacy and ethics launched the study following reporting by Radio-Canada last November that revealed personal data extraction tools were being used by at least a dozen federal departments and agencies.
Most of those institutions did not abide by a federal directive from the Treasury Board of Canada requiring them to undertake a privacy impact assessment before implementing the technology.
The tools in question can unlock devices and recover data found on mobile phones and computers, including information that has been encrypted or protected by passwords. Departments say they use them in internal investigations or to enforce laws.
Between February and March, the committee heard from 32 witnesses including representatives of 12 of the departments and agencies that use such instruments and Treasury Board President Anita Anand.
Among the 14 recommendations in its report published Thursday, the committee says the federal government should update its directive on privacy impact assessments and make changes to the now outdated Privacy Act.
"I think that an overhaul is overdue," said Bloc Québécois MP René Villemure who serves as the committee's vice-chair.
"Most of the disposition of the law were written before social media, before internet, before artificial intelligence, so I think we have to recognize that these made a difference."
Directive needs legal reinforcement, says committee
The Treasury Board directive in place since 2002 required all federal institutions to carry out a privacy impact assessment prior to any new program or activity that involves the collection or handling of personal information.
After hearing from departmental representatives who said they were unsure whether those assessments should also be carried out when new technological tools are implemented, however, the committee found the directive lacked clarity.
The committee found some of the federal departments had carried out broader privacy impact assessments, but none had conducted the assessments for the digital forensic tools they began using.
"The requirement to submit a privacy impact assessment would be useful and we would like to see that when there have been substantial modifications or changes to the program or activity, which I think by extension would likely be due in part to the using of new tools and devices," said committee member and Liberal MP Brenda Shanahan.
When Anand appeared before the committee in March, she said a more robust directive to measure the impact of potentially intrusive software would be ready in the summer.
The day before the committee released its report, the Treasury Board published a new directive on privacy practices. It requires that privacy impact assessments are completed for "any program or activity that uses personal information for an administrative purpose."
Villemure said the government should go further by making the requirement legally binding.
"A directive is not a revision of the law," he said. "We have to make it into law which then will have the right power to do things."
Federal government reviewing report
The report's recommendation that the federal government amend the Privacy Act echoes suggestions made by Canada's privacy commissioner Philippe Dufresne to the committee.
Dufresne said some personal data extraction tools can be useful, but privacy protection needs to be prioritized.
"We need to have that reflex of privacy by design — privacy at the front end," he told the committee in February.
The committee has asked the federal government to respond to its report. Under House of Commons rules, it will have 120 days to do so.
CBC News reached out to Anand, the Treasury Board's president, for comment. Anand's office deferred to Justice Minister Arif Virani, who would be responsible for enacting changes to the Privacy Act.
In a statement, Chantalle Aubertin, a spokesperson for Virani, said he's reviewing the committee's recommendations.
"Our government will respond to the Committee's report in due course," she added.