Modernizing Access and Privacy Laws for the 21st Century
Resolution of Canada’s Information and Privacy Commissioners and Ombudspersons
October 9, 2013
Canadians have come to expect greater accountability and transparency on the part of both governments and private-sector organizations with respect to how they gather, create, share, disclose and manage information, including personal information.
There have been many changes in technology, changes to government practices (such as public-private partnerships, outsourcing or shared services models), and Canadians’ expectations over the years. Recent revelations about government surveillance programs have heightened Canadians’ concerns about the erosion of their privacy rights and have prompted calls for increased transparency and greater oversight of national security initiatives.
Most Canadian access and privacy laws have not been fundamentally changed to keep up with these changes and to improve protections and rights since their passage, some more than 20 years ago. Only a few Canadian laws have recently been passed or updated to address modern challenges and to ensure continued protection of individuals’ rights to access and privacy.
At the same time, other laws have been amended or passed that have had the result of undermining or eroding access and privacy rights – the very rights access and privacy laws were intended to protect and guarantee.
Elsewhere in the world, privacy and access laws are being strengthened to meet the realities of the 21st Century – more powerful information and communication technologies, the challenge of managing electronic information and the social and political demands of engaged citizens. Canada’s laws need to do the same.
Information is one of Canada’s most important national resources.
Robust protection of privacy and access to information are defining values for Canadians and underpin our democratic rights and freedoms.
Canadians need to be able to hold public institutions and private organizations to account for their privacy practices, their access decisions and their information management.
Canada must re-establish its position as a leader in both the access and privacy fields.
1) Canada’s Information and Privacy Commissioners and Ombudspersons call on our respective governments to recommit to the fundamental democratic values underpinning access and personal privacy legislation by:
- Consulting with the public, civil society and Information and Privacy Commissioners and Ombudspersons on how best to modernize access and privacy legislation in light of modern information technologies, evolving government practices and citizens’ expectations.
- Modernizing and strengthening these laws in keeping with more current and progressive legislation in parts of Canada and around the world, including some or all of the following:
In terms of access to information:
- Providing strong monitoring and enforcement powers such as the ability to issue binding orders for disclosure, and penalties for non-compliance;
- Broadening and clarifying which public entities are covered by access laws;
- Creating a legislated duty requiring all public entities to document matters related to deliberations, actions and decisions;
- Legislating strict and enforceable timelines for public entities to respond to access requests in a timely fashion;
- For exemptions where the expectation of harm is in issue, limiting which records are exempt from the general right of access by requiring public entities to prove there is a real and significant harm in their disclosure;
- Requiring all records, including exempt records, be disclosed if it is clearly in the public interest to do so;
- Establishing minimum standards for proactive disclosure, including identifying classes or categories of records that public entities must proactively make available to the public and, in keeping with the goals of Open Data, make them available in a usable format;
- Requiring that any exemptions and exclusions to access that are to be included in laws other than access to information laws be demonstrably necessary and that government consult with Information and Privacy Commissioners and Ombudspersons; and
- Establishing a requirement that for any new systems that are created, public entities create them with access in mind, thus making exporting data possible and easier.
In terms of privacy:
- Providing strong monitoring and enforcement powers and penalties for non-compliance;
- Broadening and clarifying which public entities are covered by privacy laws;
- Establishing legislative requirements for notifying affected individuals when their personal information has been lost, stolen, destroyed, or improperly accessed, used or disclosed (mandatory breach notification);
- Requiring public and private entities to improve the information they provide about their personal information policies and practices;
- Legislating a “necessity test” requiring public and private entities to demonstrate the need for the personal information they collect;
- Providing individuals with effective means to assert their privacy rights and to challenge entities’ compliance with their legislated obligations;
- Strengthening reporting requirements to the public with respect to the disclosure of personal information between private and public entities;
- Legislating a requirement that public and private entities implement privacy management programs to ensure the protection of personal information; and
- Establishing a requirement that for any new legislation, service, program or policy, public entities consider and plan for privacy implications at the outset (for example, privacy impact assessments, privacy by design).
2) Canada’s Information and Privacy Commissioners and Ombudspersons commit to:
- Engaging and following up with government, Legislature and Parliament on the issues set out above;
- Continuing to study and make public how access and privacy laws impact all Canadians; and
- Making recommendations to government, Legislature and Parliament based on our areas of expertise.