Last Thursday, the Standing Committee on Access to Information, Privacy and Ethics tabled its report on the federal government's use of technological tools capable of extracting personal data from mobile devices and computers.
The next day, Privacy Commissioner of Canada Philippe Dufresne released a statement endorsing many of the recommendations made in the report.
While there are a few mentions here and there about our private sector laws, the report is primarily — and not surprisingly — focused on our ancient and embarrassingly out-of-date public sector law that governs how our federal government deals with personal information.
It would seem everyone who takes a look at our Privacy Act agrees it is in desperate need of updating. It was passed more than 40 years ago. Think back to 1983. Pong was the hit new game. The internet didn't exist. Social media didn't exist. Cell phones didn't exist. Artificial intelligence and machine learning were just sci-fi that George Lucas profited from.
Clearly the world, including Canada, has changed and the value of our personal information, whether it be in the hands of the powerful private sector tech giants or our powerful, well-funded government institutions, is now the most valuable commodity on the planet.
We need modern ways of ensuring those who manipulate our personal information are doing so in ways that we can trust and ways that are ethical. Ways that we can benefit from, not just so they can re-purpose our information and reach some new goal they came up with that is to their benefit only.
The committee's report lists 14 recommendations, indicating to me that at least some of our politicians want to get going, modernize and get ourselves out of the embarrassing position the federal public sector finds itself in.
In his statement, Dufresne highlighted a few recommendations, "Amending the Privacy Act to:
- Create an explicit requirement for government institutions to conduct privacy impact assessments (PIAs) before using high-risk technological tools to collect personal information and to submit them to my Office for review.
- Include the concept of privacy by design and an obligation for federal institutions to meet this standard when developing and using new technologies.
- Require federal government institutions to consult my Office before they launch an initiative, activity or program that could have an impact on privacy.
- Include explicit transparency requirements for government institutions.
- Include the concepts of necessity and proportionality by requiring federal government institutions to demonstrate that any activities and programs they pursue that could have an impact on privacy are necessary to achieve a pressing and substantial purpose and that the intrusion on privacy is proportional to the benefits to be gained."
A good start. Now let's get on with it.
OK. Rant over. Enjoy the rest of the digest and have a great fall weekend. I hope the leaves in your neck of the woods are as beautiful as mine.
Kris Klein, CIPP/C, CIPM, FIP, is the managing director for Canada for the IAPP.