Abstract

This submission to the Canadian Department of Justice responds to its Discussion Paper concerning reform of the Privacy Act, which regulates data privacy issues in Canada’s federal public sector. The principal recommendations made in the submission are as follows:

• The Discussion Paper is structured around an out-of-date (1980s) OECD model of data privacy law. A new Privacy Act should instead focus on current international privacy standards exemplified by the EU GDPR and Convention 108+. To the extent that Canada’s private sector laws (including Bill C-11) meet these international standards, consistency is desirable.
• Definitions require modernisation. ‘Personal information’ must be as broad as in the GDPR, and should include inferred (derived) or created information. ‘Administrative purposes’ have no useful role in limiting the scope of the Act and should be scrapped. ‘Federal public bodies’ should be defined to ensure that nothing ‘falls through the cracks’ between this Act and the private sector laws. ‘Sensitive information’ needs to be recognised and defined.
• New rights are needed. Protections proposed for automated decision-making systems are not strong enough, needing a right to a ‘human in the loop’, a right to challenge any such decisions, and a right to obtain a human-understandable explanation. Rights to reasonable security safeguards and mandatory data breach notification are obviously essential.
• Allowing personal data to be used and disclosed wherever reasonably required for any and every function or activity of a federal public body, not only the activity or function for which it is collected, is unjustifiable and ignores international standards of data minimisation.
• De-identification proposals have fundamental flaws because they are based on deeming a particular technical process to be effective, irrespective of the reality of re-identification. Making re-identification research a criminal offence is a case of ‘shoot the messenger’.
• Failure to define when personal data exports are allowed is dangerous and not sustainable.
• The Privacy Commission needs powers to issue orders in relation to any breach of the Act, not just in relation to access questions. Giving the Commissioner discretion to decline or discontinue complaint investigations is easily open to abuse.
• Allowing direct complaints to the Courts, and allowing appropriate NGOs to act for complainants, would help give the Act effective teeth.
