Archives

Canadian Privacy Act

The Canadian Charter of Rights and Freedoms indirectly protects the individual’s right to privacy. The Privacy Act aimed to extend Canadian laws to protect not only individual privacy, but also to promote right of access for individuals to be able to know about and change personal information held by the government. It was the first Act explicitly protecting the privacy rights of individuals.

About the Privacy Act

The Privacy Act was enacted July 1, 1983 by the Canadian Parliament to regulate the collection, use and disclosure of personal information by federal government institutions, thereby respecting the privacy rights of individuals. It imposes restrictions on 150 federal government departments and agencies, which include:

  • Department of Agriculture
  • Department of Citizenship & Immigration
  • Department of Finance
  • Department of Foreign Affairs & International Trade
  • Department of Health
  • Department of Human Resources & Skills Development
  • Department of Industry
  • Department of National Defence
  • Department of Public Works & Government Services
  • Canada Employment Insurance Commission
  • Canada Revenue Agency
  • Canadian Human Rights Commission
  • Canadian Security Intelligence Service

The Act also gives individuals the right to see and correct personal information held by the Government of Canada and protects unauthorized use and disclosure of that information. Some important provisions under the Privacy Act include:

COLLECTION

  • Personal information should not be collected unless it directly relates to the institution’s activity or program.
  • Individuals should be aware of the purpose for which personal information is being collected.

ACCURACY

  • The institution should take reasonable steps for ensuring that the personal information is as complete, accurate and up-to-date as possible.

RETENTION & DISPOSAL

  • Personal information should be retained by the institution for an adequate period of time, in order to ensure that the individual in question has an opportunity to access that information.
  • Institutions should dispose personal information appropriately.

PROTECTION

  • Personal information should be used for the purpose it was collected. It should not be disclosed without the consent of the individual in question, unless provided for in the Act.

RIGHT OF ACCESS

  • This applies to every Canadian citizen as well as permanent residents.
  • Individuals have the right to access their personal information held by a government institution, as long as the individual can provide adequate information to locate it.
  • Individuals can also request correction or attach notations to their personal information held by institutions.

Accessing Personal Information

There are a number of steps in the process for accessing information held by the Canadian federal government:

  1. Determine which federal agency or department holds the information. This is done through using Info Source, which is a public directory of federal government agencies.
  2. Complete a Personal Information Request Form. This describes the requested information and enables the appropriate institution to locate it.
  3. The Personal Information Request Form is then forwarded to the Privacy Coordinator of the correct government institution.
  4. If the request has been filled, the individual may decide to make a further request under the Privacy Act. Alternatively, the individual may choose to file a complaint to the federal Privacy Commissioner in the case that his/her privacy rights were denied.

Filing a Complaint

Oversight of the Privacy Act is the responsibility of the Privacy Commissioner of Canada. The Office of the Privacy Commissioner (OPC) has authority to receive and investigate complaints under the Privacy Act. A complaint may arise if an individual believes that a government institution mishandled his/her personal information, or if the institution did not respond to a request for access to personal information.

Before an individual files a complaint with the OPC, they are recommended first to attempt to resolve the matter directly with the department in question. It is then recommended to contact the Access to Information and Privacy (ATIP) Coordinator, or the Privacy Coordinator, of the department in question to attempt to negotiate a resolution to the issue.

If a resolution cannot be reached by communicating directly with the federal government institution, the individual may choose to file a complaint with the OPC. This process is free of charge and completely facilitated by the OPC. Filing a complaint with the OPC is a request to review the behaviour of the institution in question.

Complaints can be made by a member of the general public, or an employee of the institution. Complaints can also be made on behalf of other individuals, if the appropriate authorization is provided. The OPC is interested in documenting individuals’ expectations of both the government department as well as the OPC, with respect to resolving the privacy concerns.

Finally, an individual who has been refused access to his/her personal information may demand the Federal Court to review this matter. The Federal Court may require the institution to disclose the information to the individual. Decisions made may be appealed at the Federal Court of Appeal.

Privacy Act Reform & Recommendations

In 2006, the OPC began the Privacy Act review process with the Standing Committee on Access to Information, Privacy and Ethics. As it is legislation that has not been substantially updated since it was passed in 1982, the Privacy Act requires some amendments to continue to relevantly respond to privacy concerns.

Since the enactment of the Act, public expectations of privacy rights and practices have increased. These challenges are magnified by increasing globalization and concerns over national security. Many note that the federal government imposes more stringent privacy standards on the private sector than it does on its own institutions, departments and agencies. The collection, use and disclosure of personal information by the federal public sector require greater accountability, transparency and protection.

Some other concerns and shortcomings of the Privacy Act that have been raised by the review process include:

  • Inadequate involvement of individuals (elected and non-elected) and civil society groups in the formulation of the Privacy Act.
  • New initiatives, such as e-government movements, create new challenges for information management and protection.
  • Transborder data flows are not mentioned in the Act. As such, it is unclear how the Act can protect the transfer of personal information outside the federal public sector.
  • The Act sets a low standard for disclosure. Currently, the disclosure of government-held information to a foreign state is not explicitly prohibited in the Act. This poses a serious concern, especially in situations where government work is outsourced.
  • The Act does not meet international norms for audit practices.
  • Fundamental rights and interests protected in the Act have become subordinated to new legislation, such as the Anti-Terrorism Act (2001).
  • New government entities have been created that currently are not subject to federal privacy legislation (neither the Privacy Act, nor the PIPEDA). The Act should be expanded to respond to these new entities.
  • Personal information is only defined as recorded information, with no mention of unrecorded information on an individual.
  • Currently, the Federal Court is only empowered to review claims of denial of access to personal information. It cannot review improper collection, use and disclosure of personal information.
  • Rights of Access only apply to individuals located in Canada.

The push for a review of the Act continued well into 2008, demanding a need for a reform of the Act. The following are ten relatively basic recommendations for the reform of the Privacy Act. Although they do no address all the concerns of the OPC, they would greatly improve the Act.

  1. Before government institutions collect personal information, they should be legally required to conduct a “necessity test,” to prove the need for collecting the information.
  2. All privacy rights and protections made under the Privacy Act should be able to be brought to Court for review. The Federal Court should also have the authority to award damages against offending institutions.
  3. Leaders of government institutions should be required to assess privacy programs or systems before implementation. Assessment results should be reported publicly.
  4. The Privacy Act should include a clear public education goal for the OPC.
  5. The OPC should have greater authority to report on privacy policies and practices of government institutions.
  6. The Privacy Commissioner should have greater authority to refuse or discontinue investigating complaints that are not in line with the public interest.
  7. The Privacy Act should more closely align with the Personal Information Protection and Electronic Documents Act (PIPEDA).
  8. Government departments and agencies should be required to more rigorously report their privacy activities to Parliament.
  9. The Privacy Act should be subject to an ongoing five-year Parliamentary review.
  10. The Privacy Act should more explicitly protect the disclosure of personal information by the Canadian government to foreign states.

Ongoing OPC reports and recommendations on the Privacy Act highlight important developments and future trends in public-sector privacy issues. In this digital age, modernization and reform of the Privacy Act – which still remains a first-generation privacy law – is necessary to meet the privacy needs and expectations of Canadians.

Summary

This article discusses main provisions of the Canadian Privacy Act, the first piece of legislation which explicitly addressed individuals’ privacy rights and concerns. Procedures for accessing information and filing complaints under the Privacy Act are also explored. This article also examines some shortcomings of the Act and proposed areas for reform.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

  • Enforcement agencies and powers (II.B.e.i.)
  • Canadian Public Sector Privacy; the Privacy Act of Canada (IV.A.a.)
Share

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>