Share your views on modernizing Canada’s Privacy Act

Specific obligations could be added in the Act to help federal public bodies demonstrate how they are accountable for their personal information practices

The Act could introduce obligations to support the principle that each federal public body is responsible for personal information under its control. The Act could also set out tools to assist federal public bodies in demonstrating to Canadians, and to the Office of the Privacy Commissioner where required, that they have effective measures in place to comply with the Act and protect personal information. These could include:

• An obligation to ensure that personal information sent outside of Canada is appropriately protected : The Act could impose legal requirements for federal public bodies to ensure that appropriate privacy-protection clauses are included in contracts or agreements that may involve intergovernmental or transborder flows of personal information, consistent with current Government policy. A flexible, risk-based approach to this requirement would take into account the various contexts in which information can be shared outside of Canada, as well as the variety of frameworks for protecting personal information outside of Canada. The Act could require that flows of personal information outside of Canada be governed by a written agreement or arrangement that would include safeguards appropriate to the context of the disclosure, including whether there is already an applicable agreement or arrangement, the nature of the privacy-protection regime where the information is flowing to, and the sensitivity of the personal information being disclosed. Regulations or policy could support this obligation.
  
  
• An obligation to design programs and activities with the protection of personal information in mind : The Act could impose a process for proactively protecting personal information by integrating considerations of how to protect such information into the early stages of the development and implementation of an initiative, such as a new program or service offered by a federal public body. This is also known as privacy by design. Government policies already require federal public bodies to assess and mitigate privacy risks when they develop new or modified government programs and activities. Making this a legislative requirement would reflect the Government’s current practices and commitment to addressing privacy issues from the outset.
  
  
• An obligation to undertake a Privacy Impact Assessment : The Act could impose an obligation on federal public bodies to undertake an analysis to identify and mitigate privacy risks. This type of analysis is commonly known as a privacy impact assessment (PIA) and is currently framed by policy. This obligation would apply to new programs or activities or substantially modified existing programs that involve the collection, use or disclosure of personal information for administrative purposes, for automated or manual profiling activities that involve sensitive personal information, or as otherwise mandated by Government policy. The Act could define “substantially modified” to clarify the circumstances in which such an analysis needs to be undertaken, and the requirements of the Act could be supported by updated policy.
  
  
• An obligation to have a Privacy Management Program : The Act could also impose a new requirement for federal public bodies to create and maintain a Privacy Management Program. This is essentially an organizational plan for protecting personal information that a government public body can use to identify, organize, review and improve its practices relating to personal information. It would serve as an individualized guide for compliance with the Act. The Act could identify the minimal components of what a Privacy Management Program had to include, along with a requirement that they be regularly reviewed and updated. These requirements would be supplemented by supporting regulations or Government policy.
  
  
• Clarifying which federal public body is accountable when multiple public bodies are involved : The Act could clarify which federal public body, or bodies, would be responsible for personal information where two or more federal public bodies have access to the same datasets, such as where a shared database is accessed by a number of federal public bodies.

Specific obligations could be added to the Act for federal public bodies to provide readily available explanations of their personal information protection practices and the information they have about individuals

The Privacy Act could require each federal public body to publish key information in an online, accessible, searchable personal information registry. Such a registry could contain the same type of information that is available through the current personal information bank regime, but in a more user-friendly format. It could also add further information such as summaries of privacy impact assessments, details about information-sharing agreements, and up-to-date personal information notices detailing how the information is used and disclosed in the context of specific programs and activities. In addition, to ensure that the information currently included in a personal information bank is easier to access and understand, federal public bodies could be required to publish an overview of their general practices that is accessible and in plain language in the personal information registry, similar to a privacy policy. Many federal public bodies already follow this best practice, publishing on their websites a general description of their privacy practices and commitments. 

Other new obligations aimed at ensuring greater transparency could include:

• Enhancing transparency around indirect collections and secondary uses : The Act could contain new rules to clarify how a federal public body could satisfy a new “Identifying purposes” principle when there is no opportunity to notify an individual of the purposes for collecting personal information (for example, when indirect collection of personal information is authorized or when personal information is collected for new purposes not known or foreseen at the time of a direct collection). In these cases, a federal public body could be required to publish an updated “personal information notice” in the registry.
  
  
• New proactive publication requirements : Federal public bodies could be required to publish their privacy management programs and any privacy impact assessments they carry out. As well, they could be required to publish annually information prescribed in regulations or government policy pertaining to all new information-sharing agreements entered into and all existing information-sharing agreements actively utilized each year.

Some exceptions to these transparency requirements would be necessary for specialized public sector activities such as law enforcement investigations, intelligence gathering, and national security activities. Where the publication of sensitive operational information is not possible, specific record-keeping requirements could be imposed to allow the Privacy Commissioner or other relevant review or regulatory bodies to play an oversight role. 

For additional details and a more in-depth discussion on the rationale for these suggested changes aimed at modernizing the Act’s transparency regime, please consult our more detailed annex here. 

The Privacy Commissioner could be given additional powers to provide the public with information and guidance on what the Privacy Act requires and how it is enforced

Openness about the operation of the Privacy Act and how it is enforced is important. All key participants in the system – the public, federal public bodies, and the Privacy Commissioner – benefit when clear information about what the Act requires and how it is enforced is widely available.

The Privacy Act could provide the Privacy Commissioner with the authority to engage in public education, as the Commissioner does under the Personal Information Protection and Electronic Documents Act. The Act could also provide the Commissioner with the power to issue guidance on the interpretation and enforcement of the Act, while ensuring that the Commissioner consults with the Government when developing such guidance. 

The Privacy Commissioner could also be given the discretion to issue, on request, a non-binding opinion on what position or interpretation the Commissioner would adopt when assessing compliance with the Privacy Act in an investigation. Additionally, the Commissioner could be allowed to provide federal public bodies with a “regulatory sandbox” environment, which would allow them to test (with the Commissioner) whether novel activities would satisfy the Act or could be improved to address potential issues relating to the protection of personal information.  

The Privacy Commissioner could also be empowered to disclose more information in the public interest, including decisions on processing access requests and the outcomes of complaint investigations, while ensuring the protection of confidential and sensitive information. 

For additional details and a more in-depth discussion on the rationale for these potential changes, please consult our more detailed annex here. 

The Privacy Commissioner could be provided with greater powers to more effectively address complaints and the matters for which individuals can seek legal remedies could be expanded

There are a number of reasons to revisit the Act’s compliance model. Comprehensive, efficient, and accessible legal remedies are essential for situations where compliance cannot be assured. Moreover, a stronger oversight model could better support new principles-based flexibility for novel scenarios involving personal information. Certain of these suggested changes would mirror amendments made to the Access to Information Act in 2019, which provided similar powers to the Information Commissioner of Canada. Aligning the powers of the two commissioners where possible would provide consistency in the processing of requests under both Acts, as well as in the complaint mechanisms for access requests. Proposed changes could include:

• Giving the Privacy Commissioner the discretion to decline to investigate a complaint or to discontinue an active complaint investigation : The Privacy Commissioner could be provided with the discretion to decline to investigate a complaint in a number of circumstances, including where a complaint was vexatious, frivolous or made in bad faith, or where the Commissioner deems an investigation to be unnecessary. These could include cases where a complaint was already the subject of an investigation or had already been the subject of a report by the Privacy Commissioner.
  
  
• Giving federal public bodies the discretion to decline to respond to vexatious or abusive requests for access to personal information : The Act could also authorize federal public bodies, with the Privacy Commissioner’s approval, to decline to process requests for access to personal information under the Privacy Act where the request is vexatious, made in bad faith, or otherwise an abuse of the right to make such a request. This would allow federal public bodies to direct resources away from vexatious or abusive requests.
  
  
• Giving the Privacy Commissioner the power to audit the personal information practices of federal public bodies : Currently, section 37 of the Act gives the Privacy Commissioner the power to review compliance with the provisions of the Act that govern the collection, use, disclosure, and management of personal information. The Act could replace this with the power to audit the personal information management practices of a federal public body on reasonable notice.
  
  
• Giving the Privacy Commissioner the power to collaborate with regulatory counterparts in Canada : The Act could provide the Privacy Commissioner with the power to collaborate with and share information confidentially, including personal information, with other data-protection regulators in Canada and other federal review bodies, where doing so is necessary to advance the Privacy Commissioner’s mandate in the public interest.
  
  
• Requiring the Privacy Commissioner to consult with relevant oversight bodies : Before issuing findings in a complaint or an audit concerning federal public bodies regulated by other oversight entities, the Privacy Commissioner could be required to consult with relevant oversight bodies to ensure a coherent oversight approach and to avoid duplication of efforts.
  
  
• Creating an impartial oversight process for complaints against the Office of the Privacy Commissioner of Canada under the Privacy Act: The Act does not currently contain an impartial process for complaints made against the Privacy Commissioner’s office itself under the Act. To address this legislative gap, the Act could set out a process for independent reviews of such complaints.
  
  
• Providing the Privacy Commissioner with the power to enter into binding compliance agreements with federal public bodies : The Act could provide the Privacy Commissioner with the power to enter into compliance agreements with federal public bodies, consistent with his power to do so under the Personal Information Protection and Electronic Documents Act. This would be a strong tool to ensure a federal public body met commitments made to the Privacy Commissioner in the context of a complaint investigation, and the Privacy Commissioner could initiate court proceedings if a federal public body failed to comply with a compliance agreement.
  
  
• Imposing clear statutory timelines for proceedings before the Privacy Commissioner : The Act could set out clear statutory timelines and other procedural rules to support the efficient resolution of complaints, the conducting of investigations, and the negotiation of compliance agreements.
  
  
• Providing the Privacy Commissioner with the power to issue orders similar to those of the Information Commissioner : Where complaints relating to refusals of access to personal information could not be efficiently and effectively resolved through updated resolution mechanisms, the Act could grant the Privacy Commissioner the same order-making powers the Information Commissioner was recently provided with to resolve access complaints under the Access to Information Act. This would allow the Commissioner to address the bulk of complaints filed with the Office of the Privacy Commissioner.
  
  
• Expanding the Federal Court’s de novo review jurisdiction : Currently, only refusals to provide access to personal information can be brought before the Court following an investigation by the Privacy Commissioner. The Act could be amended to empower the Federal Court to hear, in addition to refusals of access, matters relating to the collection, use, disclosure, retention or safeguarding of personal information where these could not be successfully negotiated or resolved through the Privacy Commissioner’s updated suite of processes and tools.
  
  
• Adding new offences for serious intentional violations of the Act : The Act could include offences for wilful violations of the Act that result in harm to individuals. 

For additional details and a more in-depth discussion on the rationale for these potential changes to the compliance model under the Act, please consult our more detailed annex here.