Privacy Act review- Information Commissioner submission to the Department of Justice (2019)
Nancy Othmer
Assistant Deputy Minister
Department of Justice, Public Law and Legislative Services Sector 284 Wellington Street
Ottawa, Ontario Canada, KlA OHS
Dear Ms. Othmer:
Thank you for the opportunity to provide input as part of Justice Canada's review of the Privacy Act.
As you noted when you reached out as part of this targeted technical engagement, there are specific points of intersection between the Access to Infonnation Act (the "ATI Act'') and the Privacy Act that I, with the backing of over 30 years' experience from the Office of the Information Commissioner of Canada (the OIC), can bring to bear on this review.
My comments in this submission will be limited to just those topics that may have an impact on access to information. In general, the majority of my comments and suggestions are aimed at maintaining an appropriate balance between the right of access and privacy rights.
The ATI Act and the Privacy Act were adopted by Parliament at the same time in 1982, through passage of Bill C-43, and both proclaimed in force on July 1, 1983. The two acts, and two offices, are joined in many ways. For example, the ATI Act incorporates by reference parts of the Privacy Act. Section 19 of the ATI Act, which exempts from disclosure personal information, refers to the definition of "personal information" found in the Privacy Act. Further, s. 19(2) of the ATI Act sets out exceptions to the general prohibition against disclosing personal information, and refers to disclosure that is in accordance with section 8 of the Privacy Act. The ATI Act, as amended by Bill C-58, also requires the Information Commissioner to consult with the Privacy Commissioner when she intends to make an order requiring an institution to disclose a record when the head of the institution refuses to disclose under s.19(1). The Information Commissioner may also consult with the Privacy Commissioner at her discretion in the course of an investigation.
When interpreting the intersection of the ATI Act and the Privacy Act, the Supreme Court of Canada has determined that the two acts are complementary, have equal status and must be read together, having regard to the purposes of both (Dagg v. Canada (Minister of Finance), [1997] 2 SCR 403 at para. 51). Privacy is paramount over access only when it is encompassed by the definition of "personal information" found in the Privacy Act (Husky Oil Operations Limited v. Canada-Newfoundland and Labrador Offshore Petroleum Board, 2018 FCA 10 at para. 25, citing Dagg).
The complementary nature of these two acts underscores each recommendation set out below.
Discussion Paper 1 - Principles and Rules
Generally, this discussion paper asks whether privacy principles should be adopted in the Privacy Act as an effective interpretation tool. I do not intend to comment on the general utility of adopting privacy principles. There are, however, two principles that I wish to address.
First Principle: Reasonableness and proportionality
Question 1(c) asks whether a reasonableness and proportionality principle is a useful and effective way of explicitly bringing into the Privacy Act a legal framework similar to that which guides the balancing of individuals' fundamental rights and interests against important public interests in the Canadian human rights law context and reflects underlying administrative law obligations.
Based on many investigations involving personal information, I have noticed that certain aspects of the Privacy Act that intersect with the ATI Act could benefit from a type of proportionality analysis. However, adopting a set of principles applicable to the entire act will not have the same force and effect as implementing a true legal test into some specific sections at issue.
In particular, there are two places in the Privacy Act where adding balancing tests would be more beneficial than adopting over-arching privacy principles.
Unjustified invasion of privacy test
Where Canadians and the access regime would benefit from an amendment to the Privacy Act is with respect to section 26 of the Privacy Act, and in the parallel section of the ATI Act at section 19. Both of these provisions provide exemptions from disclosure for personal information in response to either a privacy or access request. Under the Privacy Act, the exemption is mandatory for personal information about an individual other than the individual who made the request, subject to certain discretionary exceptions, including consent. Under the ATI Act a similar regime applies, but it applies to all personal information, regardless of who is the requester.
Both exemptions are based on a class test of whether the requested information falls within the definition of "personal information about an identifiable individual".
There is no doubt that the sensitive private information of individuals merits protection. Personal information for which there is an expectation of privacy must be protected under both the Privacy and ATI acts. However, in my office's experience, some information that meets the current definition of "personal information" may not always warrant protection in some specific circumstances. This could be the case for example for personal information about other individuals that is clearly within the knowledge of the access to information requester such as information about family and sponsors supplied to the government by the requester in an immigration application. Under the current legislation, information that was already provided by the access to information requester to the institution must nonetheless be redacted in accordance with the current definition of personal information, which is a time-consuming task. This is particularly problematic given that more than 30 000 access requests are processed each year by Immigration, Refugees and Citizenship Canada.
This is why, in my view, the head of an institution should have the discretion to disclose information when doing so would not constitute an "unjustified invasion of a person's privacy'. This would create a spectrum of protection, based on the particular circumstances and context of the information. This spectrum ensures the protection of sensitive personal information, and maximum disclosure of non-sensitive personal information.
The concept of "unjustified invasion of privacy' is not new. All provincial and territorial privacy and access laws in Canada (except Saskatchewan and Quebec) contain an exception to the personal information exemption where the disclosure would not constitute an "unjustified invasion of privacy." In Ontario, the Freedom of Information and Protection of Privacy Act, RSO 1990, c F.31 lists a series of non-exhaustive circumstances to be considered by the head of an institution in determining whether disclosure of personal information constitutes an unjustified invasion of personal privacy. Adding a balancing test to the exemptions in the Privacy and ATI acts that identifies some of the relevant circumstances to be considered by the head of an institution would ensure that information that does not constitute an unjustified invasion of privacy could be disclosed.
Compassionate disclosure
In a similar vein, based on our investigation files, Canadians and the access regime would also benefit from an amendment to section 26 of the Privacy Act and section 19 of the ATI Act that would give the head of an institution the discretion to disclose personal information to a spouse or close relative about a deceased person for compassionate reasons, as long as the disclosure is not an unreasonable invasion of the deceased's privacy.
Although both acts allows for disclosure of personal information where it is in the public interest to do so, my office has encountered investigations where the deceased's personal information cannot be disclosed because a "public interest" could not be identified.
The disclosure of a deceased person's personal information to his or her close relative should be allowed when it is desirable for compassionate reasons. This exception already exists in many provincial access and privacy laws. (See the laws of Alberta, Saskatchewan, Manitoba, Ontario, New Brunswick, P.E.I., and Newfoundland and Labrador.)
Again, such an amendment would allow the decision-maker to take into account competing contextual factors, and make a decision based on these factors, including compassionate reasons. It would also be consistent with other Canadian jurisdictions.
Second Principle: Opennessand transparency
Another suggested principle is that government institutions be open and transparent about their personal information practices and make information publicly available in clear, accessible and service-oriented formats. Question lU) asks whether adopting a principle such as this would effectively further openness and transparency.
I fully support enhancing the openness and transparency of government and I recognize its value for Canadians. However, this principle cannot achieve its objective to foster transparency and accountability without the right to access information under the ATI Act. If such a principle is to be adopted, it should not be at the expense of the Canadians' right of access under the ATI Act. This means that proactive disclosure should not be a replacement for making a request for the policy documents and other records that underlie institutions' personal information practices.
Discussion Paper 3 - Greater certainty for Canadians and government
There is a high degree of intersection between the Privacy Act and the ATI Act in terms of interpretation. I have therefore carefully considered this discussion paper and have comments on several definitions.
Identifiability
My office's experience with the test for identifiability in Gordon v. Canada (Health}, 2008 FC 258 has not been without issue.1 As stated in the discussion paper, the test is fact specific and certain elements of the test could benefit from greater clarity. For example, in my office's experience, it can be difficult to find agreement on both the standard for identifiability (i.e. from whom should identifiability be measured from) and the definition of "other available information".
Overall, I would be open to further legislative clarity on "identifiability" that speaks to elements such as the likelihood of identifiability, the degree of harm in identification, the standard for identifiability, and what information should be taken into consideration. However, further defining "identifiability" must be done in a way that is coherent with the state of the law that recognizes that an appropriate balance between the right of access and privacy rights must be struck.
Publicly available
In the discussion paper, there is a suggestion to add a definition for "publicly available" as it applies to s. 69(2) of the Privacy Act. Adding such a definition could have an impact on the ATI Act.
Right now under the ATI Act, personal information that would normally be exempt from disclosure can be disclosed, at the discretion of the head of an institution, if the information is publicly available (per s.19 (2) (b)). The term "publicly available" is not defined in the act. If a definition for "publicly available" were added to the Privacy Act, it will likely impact how "publicly available" is interpreted under the ATI Act, as the two statutes are to be interpreted harmoniously.
I acknowledge that social media and the increased digitization of information changed the nature, type and amount of personal information that is publicly available today. I agree that, in light of these changes, what could be considered "publicly available" deserves consideration. However, if government wishes to propose a definition of "publicly available" that seeks to protect the reasonable expectations of individuals, it should do so in a manner that balances the dual objectives of providing access and protecting privacy. I would welcome the opportunity to further consult on any such definition once specific wording is proposed.
1 As explained in the discussion paper, the test to determine that an individual will be "identifiable" in relation to information about them is whether "there is a serious possibility that [the] individual could be identified through the use of that information, alone or in combination with other available information", Gordon at paras. 33-34.
Business contact information
The issue of business identity information is not raised in this discussion paper, but I would like to take the opportunity during this review to address it. This type of information, which can usually be found in an email signature or business card, generally includes the name, title and contact information of an individual.
Several Canadian privacy laws, including the Personal Information and Protection of Electronic Documents Act, as well as the access and privacy laws of Alberta, Ontario and New Brunswick exclude from their definition of "personal information" the names, titles, business addresses and telephone numbers of an employee of an organization that identify the individual in a business, professional or official capacity.
To provide clarity and consistency between the Privacy Act and the Personal Information and Protection of Electronic Documents Act, consideration should be given to exclude titles, business addresses, telephone numbers and email addresses from the definition of personal information under the Privacy Act.
Discussion Paper 5 - Modernizing the Privacy Act's relationship with Canada's Indigenous peoples
In this discussion paper, the question is raised whether the definition of "Indian bands" or "aboriginal government" should be amended to be more inclusive of other forms of traditional First Nations governance.
In my consultation with First Nations' interest groups during my review of Bill C-58, I learned of their dissatisfaction with the list of First Nations whose information is currently protected from disclosure under s. 13 of the ATI Act.
Section 13 allows the head of a government institution to refuse to disclose requested information where the documents contain information that was obtained in confidence from another government, including an "aboriginal government. An "aboriginal government" is defined ins. 13(3) of the ATI Act, and is the same definition as found in the Privacy Act. Both definitions refer to an enumerated list of First Nations who have entered into negotiated comprehensive claims agreements (sometimes referred to as "modern treaties") with the federal government, and exclude Indigenous Nations operating under other forms of traditional governance.
You may want to consult with the Union of B.C. Indian Chiefs, the National Claims Research Directors and the Indigenous Bar Association to fully understand their concerns with this definition, and any other issues they may have in how their interests are treated under both the Privacy and ATI Acts.
In order to maintain a harmonious interpretation between the Privacy and ATI acts, I would only suggest that, if the definition for "aboriginal government" is amended under the Privacy Act, the same definition also be applied under the ATI Act.
Conclusion
Thank you again for the opportunity to comment on these discussion papers. I look forward to undertaking a similar review when the Access to Information Act undergoes a comprehensive review, within one year of Bill C-58 coming into force.
Should you have any questions or wish to receive any further information from my office, please contact Vanessa Moss-Norbury, Manager, Policy and Parliamentary Affairs at 819-994-1891 or vanessa.moss-norburv@oic-ci.gc.ca.
Yours sincerely,
Caroline Maynard
formation Commissioner of Canada
c.c.: Daniel Therrien
Privacy Commissioner of Canada
30 Victoria Street, 1st Floor
Gatineau, Quebec KIA 1H3