Bringing the Privacy Act into the digital age
Canada’s Privacy Act is a middle-aged law long overdue for a makeover.
The Act has failed to keep up with the world around it – societal and technological changes have passed it by, as has parallel legislation aimed at the private sector, notably the Personal Information Protection and Electronic Documents Act.
The CBA has been calling for the Act to be overhauled for years, and was pleased to comment on discussion papers issued this summer by the Justice Department with modernization in mind. The Privacy and Access Law Section referenced a rich body of past submissions and resolutions on the Privacy Act, as well as the Access to Information Act and PIPEDA in its submission, and notes that where the current document differs from the past submissions it is only to incorporate developments that have happened since then.
The discussion papers address questions on everything from privacy by design, whether the Act should be guided by “reasonableness and proportionality principles,” to how long personal data should be retained, whether the Privacy Commissioner can discontinue a complaint investigation, and how the Act could be modernized with respect to Indigenous peoples.
The submission focuses on ensuring data is collected used and shared responsibly, keeping Canadians’ expectations of privacy paramount.
Another key point the submission makes is that the Act should remain technologically neutral.
“Technological neutrality would assist the legislation to stand the test of time in many contexts, while being readily adaptable to future, now unforeseen, digital transformation,” the Section says.
In terms of keeping data secure, the Section reiterates recommendations made in past submissions that the Privacy Act “impose a general duty on government institutions to protect the personal information they hold with safeguards appropriate to the sensitivity of the information being protected,” a feature common to many other Canadian and international privacy laws.
“By adopting a principled approach to security obligations, the Privacy Act would create a technology-neutral but legally enforceable obligation for government institutions to meet.”
As well, the Section recommends strengthening requirements for accountability, openness and transparency in the ways government institutions protect personal information by building those elements into the program design.
The Aboriginal Law Section says, in response to the final discussion paper, Modernizing the Privacy Act’s relationship with Canada’s Indigenous Peoples, that section 8(2)(k) relating to disclosure of personal information to aboriginal governments, bands, associations and others, could be interpreted overly broadly.
“Canadians expect that if personal information will be shared across government institutions and disclosed, they should have an easy and comprehensive way to find out how their information is used, shared and disclosed, as well as details on specific types of collection, use and disclosure.”
The legislation should require, among other things, that government notify people about what information they’re collecting, and why; how long that information will be retained; and with whom it might be shared. The Section also recommends a statutory five -year Parliamentary review of the Act.