18 Apr 2008

Our Top Ten list of Privacy Act fixes

The Privacy Act, the federal privacy law requiring federal government bodies to respect individual privacy rights, hasn’t been substantially updated since 1982 – the same year the Commodore 64 was released and we stopped calling July 1 Dominion Day. What’s interesting about these changes is they could be implemented immediately and relatively easily – and the benefit to Canadians would be a privacy law that is modern, responsive and efficient.

As readers of this blog will know, we are quite fond of the Top Ten list. So today, we present you with our list of the Top Ten fixes for the Privacy Act:

10. Parliament could create a legislative requirement for government departments to show the need for collecting personal information.

9. The role of the Federal Court could be broadened to review all grounds under the Privacy Act, not just denial of access.

8. Parliament could enshrine into law the obligation of Deputy Heads to carry out Privacy Impact Assessments prior to implementing new programs and policies.

7. The Act could be amended to provide the Privacy Commissioner with a clear public education mandate. PIPEDA contains such a mandate for private sector privacy matters. Why shouldn’t the Privacy Act for public sector matters?

6. The Act could provide the Privacy Commissioner with greater flexibility to report publicly on the government’s privacy management practices. As it now stands, we are limited to reporting by way of annual and special reports only.

5. The Act could grant the Commissioner greater discretion at the front-end to refuse complaints or discontinue complaints if the investigation would serve no useful purpose or is not in the public interest. This would allow the OPC to focus our investigative resources on those privacy issues that are of broader systemic interest.

4. Parliament could amend the Act and align it with PIPEDA by eliminating the restriction that the Privacy Act applies to recorded information only. At the moment, personal information contained in DNA and other biological samples is not explicitly covered. (But fingerprints are, in case you thought otherwise.)

3. Parliamentarians could strengthen the annual reporting requirements of government departments and agencies under section 72 of the Act, by requiring these institutions to report to Parliament on a broader spectrum of privacy-related activities.

2. The Act could be amended to provide for regular five-year reviews of the legislation, as is the case with PIPEDA.

1. Finally, the Act currently does not impose a duty on Canadian government institutions to identify the precise use for which personal information is being disclosed abroad. An amendment to the Act could require the Canadian government to not only identify the precise use for the transfer of personal information to foreign states, but ensure that adequate measures are taken to maintain the confidentiality of shared information.

Read this for more information.

12 Responses

Christina Says:

This is a good list.

Certainly, the potential for breaches would be greatly reduced if department heads conducted privacy impact assessments as a matter of course (#8), and this could automatically take care of #10 as well.

Ole Juul Says:

I like this list. However, regarding point one. I’m not sure that we should ever disclose personal information to foreign governments. No government has yet shown that they can keep it private and, more importantly, their rules could change at any time. The sad fact is that since the Commodore 64, computers have gotten less and less secure. Yes, I agree that it’s about time that we updated our privacy laws, however I still call it Dominion Day. 🙂

Joseph Thornley Says:

A very interesting post. Thought provoking?

One question: Who is the author? Blog posts are most credible if the author is apparent. In this case, the title uses the royal “we.” A bit of a cop out.

Does the post represent the views of the Privacy Commissioner herself? Or a single author from within her office? Or perhaps the collective views of the group who brown bagged lunch?

Please add the author information.

Colin McKay Says:

Hi Joe.

This blog is the product of a number of people in the Office of the Privacy Commissioner. Here’s the description from the “blog mission” page:

“This blog is not written by the Privacy Commissioner of Canada. Instead, it is group effort by employees working for the Office of the Privacy Commissioner.”

There are a few reasons why authors are not identified on the posts themselves:

– as the creator of the blog, I am ultimately responsible for the content.

– since some of the authors from the Office are trying blogging for the first time, this allows them to write and post while respecting any qualms about adding to the information available about them online.

– I did not want the posts being assessed on the perceived authority, level of issue awareness, or even corporate rank of the author. The implied authority and influence should be equal among all the posts.

Finally, this blog is still experimental – if a little old for that tag. As the team of bloggers grows larger and more experienced, we may change our policy.


Tyler Says:

Great post.

Number 1 is definitely the most concerning!

Jason Says:

Great list. I agree that #1 is very pressing, and I think #4 is going to become more pressing as we see technologies mature that further enable corporations and policy makers to “leverage” them for control and profits.

Thanks again,

David Says:

So is this an official web site or a private blog?

Daphne Guerrero Says:

Hi David,

This is the official blog of the Office of the Privacy Commissioner. From our blog mission statement:

“With this tool, we hope to make the activities of the Office of the Privacy Commissioner more accessible to Canadians and to increase contact between the Office and Canadians interested about privacy issues and legislation.

As an Officer of Parliament, the Privacy Commissioner has a mandate to protect the privacy rights of individuals and promote the privacy protections available to Canadians.”

We also make a special effort to identify and highlight information and advice that may help Canadians understand their rights under Canada’s privacy legislation.

Richard Sharp Says:

Where did everyone go?

Why is the print on this reply so small I can hardly read it?

mike waddingham Says:

Just reading through some old posts and came across this list. Curious — why is mandatory breach reporting not on the list? Perhaps it’s not something the Privacy Act would govern?

I was prompted by the discovery of the Maryland Attorney General’s site listing breaches: http://www.oag.state.md.us/idtheft/breacheNotices.htm

Seems progressive… what is preventing us from doing the same?


jeanette Says:

For the love of privacy please ask CCRA to discontinue the practice of including our SINs in the tax preparation forms. Isn’t this just what identity thieves live for? I suggest any such sensitive information be left out or obscured.

