5. Updating rights and obligations, and introducing new ones
CLOSED: This discussion has concluded.
Existing rights for individuals and obligations for federal public bodies could be updated and new ones introduced
The Privacy Act currently sets out a number of rights for individuals. Canadians and individuals present in Canada have the right to access their personal information. They also have rights related to notification and the correction of their information where a federal public body uses it to make a decision about them.
The Act also imposes certain obligations on federal public bodies when they intend to use the personal information to make a decision about that person. These obligations include: (i) collecting personal information directly from the individual where possible (subject to certain exceptions); (ii) retaining personal information for at least two years from the last time the personal information was used (unless the individual consents otherwise) or until the individual has had the opportunity to exercise all his or her rights under the Act; (iii) maintaining the accuracy of such information; and (iv) including it in a personal information bank (among other information).
These existing rights and obligations could be updated, and new rights and protections could be added to address expectations that have evolved in the digital era. Such changes could include:
Expanded access rights: The Act could extend the right to access one’s personal information to foreign nationals who are not present in Canada, provided there are adequate procedures to verify the identity of the person requesting the information. This would eliminate the current need for foreign nationals to rely on third parties present in Canada to make requests for their personal information on their behalf under the Access to Information Act. It would also bring Canadian law in line with other jurisdictions’ practices of providing universal access to personal information and enhance interoperability with the European Union in particular. However, given that a number of federal government institutions have noted that expanding access rights could have important resource implications, it might be prudent to first pilot a limited expansion of access rights to test its impact on public resources and the system as a whole, and to provide an opportunity to develop effective procedures for identity verification.
A right to have personal information collected directly from the individual for all intended purposes, unless an exception applies: Exceptions allowing a federal public body to collect personal information in ways other than directly from the individual would include those already set out under the Act. Other exceptions might be:
- where the individual provides consent to indirect collection of their personal information;
- where the information is “publicly available” and is being collected for a purpose other than making a decision directly affecting the individual;
- where the information is collected for the purpose of an investigation by a law enforcement or national security agency;
- where collection from another source is authorized or required under another act of Parliament; or
- where the information is received from another federal public body pursuant to a disclosure authorized under the Privacy Act.
A right for the individual to be notified when his or her personal information is collected by a federal public body, unless an exception applies: The Act could also include a right for individuals to be notified when their personal information is collected by a federal public body. The Act could set out the minimal elements that would have to be included in a notice to individuals. However, the Act could also set out reasonable limits to this right, such as:
- where the individual already has been notified;
- where the federal public body is authorized to collect personal information from a source other than the individual;
- where the purpose of the collection relates to a law enforcement or national security matter; or
- where providing notice would be practically impossible or would defeat or prejudice the purpose of the collection or result in the collection of inaccurate information.
A right to request that inaccurate personal information be corrected in a timely manner: The Act could broaden the existing obligation to ensure the accuracy of personal information to require that all personal information that could have a direct impact on an individual be kept accurate, in line with a potentially newly broadened definition of an administrative purpose. As well, the right to require correction of personal information could extend to all personal information used for an administrative purpose, and such information would have to be corrected within a reasonable amount of time.
Certain rights relating to enhanced public awareness of interactions with automated decision-making systems (such as artificial intelligence tools): Aligning Privacy Act transparency and accountability requirements with leading federal public sector policy instruments guiding the use of automated decision-making systems could help ensure that individuals know when they are interacting with these systems, what types and sources of personal information these systems use, and general information on how they function. It would be important to retain flexibility and technological neutrality in any new framework for automated decision-making, so that any new rules could be adjusted as government experience in this area grows. As well, exceptions could be made for certain contexts, such as law enforcement and national security, where providing details on such information could harm the public interest.
A specific principle to protect personal information with appropriate technical, administrative and physical security safeguards: The Act could include a “Safeguarding” principle, as the Personal Information Protection and Electronic Documents Act does, to ensure that Canadians benefit from the same level of data security protections regardless of which sector or Canadian jurisdiction they are dealing with. Treasury Board Secretariat (“TBS”) policies could translate high-level legal requirements into more detailed operational policies and directives suitable for federal public sector institutions.
An obligation to contain personal information breaches and to subsequently notify the Privacy Commissioner and affected individuals in certain cases: The Act could include obligations for federal public bodies to minimize and mitigate the impacts of material breaches and to notify the Privacy Commissioner and affected individuals where there is a risk of significant harm to an individual. The obligation to notify the Privacy Commissioner and affected individuals would arise as soon as practically possible after making efforts to contain and assess the breach.
An obligation to retain information about any personal information breach: The Act could include a new obligation to retain information about all personal information breaches, whether or not they create a real risk of significant harm to an individual. This obligation would allow the Government to more effectively monitor trends and address potential risks that go beyond any single federal public body. It could also allow the Privacy Commissioner to effectively verify compliance.