Proceedings of the Special Senate Committee on the
Anti-terrorism Act

Issue 12 - Evidence - Evening meeting

OTTAWA, Monday, May 30, 2005

The Special Senate Committee on the Anti-terrorism Act met this day at 7:04 p.m. to undertake a comprehensive review of the provisions and operations of the Anti-terrorism Act, (S.C. 2001, c.41).

Senator Joyce Fairbairn (Chairman) in the chair.


The Chairman: Honourable senators, I call the meeting to order. This is the twenty-seventh meeting with witnesses of the Special Senate Committee on the Anti-terrorism Act. For our viewers, I will explain the purpose of this committee.

In October 2001, in direct response to terrorist attacks in New York City, Washington, DC, and Pennsylvania, and at the request of the United Nations, the Canadian government introduced Bill C-36, the Anti-terrorism Act. Given the urgency of the situation then, Parliament was asked to expedite the study of the legislation. We agreed. The deadline for the passage of that bill was mid-December 2001.

However, concerns were expressed that it was difficult to thoroughly assess the potential impact of this legislation in such a short period of time. For that reason, it was agreed that three years later Parliament would be asked to examine the provisions of the act and its impact on Canadians, with the benefit of hindsight and a less emotionally charged public.

The work of this special committee represents the Senate's efforts to fulfil that obligation. When we have completed the study, we will make a report to the Senate outlining any issue that we believe should be addressed. The results of our work will be available to the government and to the people of Canada. The House of Commons is undertaking a similar process.

To date, the committee has met with government ministers and officials, international and domestic experts on the threat environment, legal experts and those involved in enforcement and intelligence gathering. This evening, we are joined by the Hon. Reg Alcock, President of Treasury Board. We are delighted to have him here. Mr. Alcock is accompanied by Ms. Helen McDonald, Chief Information Officer, and Mr. Donald Lemieux, Senior Director of Security Policy. Unfortunately, honourable senators, the minister is available for only one hour, but I understand that the officials are prepared to remain longer to answer additional questions that senators might have. This is a lively group so it will be a good discussion. Mr. Alcock, please proceed.

The Honourable Reg Alcock, President of the Treasury Board of Canada: Thank you, Madam Chair. I believe this is my fifth appearance before a Senate committee in my short tenure as President of Treasury Board of Canada. I can assure senators that they are always lively, although I do believe Senator Stratton is tracking me, because he seems to appear at each meeting I attend and in my constituency. Before I begin my formal remarks, I would like to make one comment: I am delighted to be here.

In my role as President of Treasury Board, I am the manager of ``stuff'' as opposed to the policyholder on some of these issues. This review is incredibly important. I did review the testimony before the committee this afternoon to understand just what the committee is looking at. I do not add a great deal of value in the broad policy discussions. I will speak specifically to some of the interactions that Treasury Board has in managing the Privacy Act and some of the challenges that we have had in dealing with the USA Patriot Act. I understand that was one interest of the committee. That may give senators a sense of some of the challenges from the perspective of Treasury Board. We will see where the questions take us from there.

It is my pleasure to discuss with senators the issue of the transborder flow of information, which includes concerns related to the USA Patriot Act, and the Canadian government's action plan to continue to ensure the privacy and security of Canadians' personal information.

In my role as President of Treasury Board, I am responsible for the government-wide administration of the Privacy Act. My department is also responsible for government privacy, security, contracting and procurement policies. It is in this capacity that I have led the file on the USA Patriot Act and continue to focus on what is perhaps the more pertinent privacy issue for sovereign countries: flows of personal and sensitive data.

The transborder flow of data is simply defined as the transmission of information across the Canadian border to any foreign jurisdiction. Globalization and the advent of new information technologies have had an unprecedented impact on the flow of and speed at which information crosses sovereign borders, including the personal information of Canadians, by means of what are now considered rather mundane activities, such as email and e-commerce, for example.

For its part, the Government of Canada is responsible for protecting its holdings on the personal information of citizens, its employees and other sensitive information in outsourcing arrangements. We take this role very seriously. Our commitment to the protection of personal information is articulated in existing federal safeguards, including privacy legislation and policies such as the Privacy Act and the Personal Information Protection and Electronic Documents Act, PIPEDA, as well as various multilateral agreements with foreign jurisdictions.

The government believes that concerns about Canadians' privacy should be assessed more adequately in light of this transborder flow of data, rather than through a restricted focus on the USA Patriot Act. Indeed, the act is a very unlikely course for American authorities to access information on Canadians, given the multitude of other channels of cooperation between the two countries.

Nevertheless, the government is responding to concerns about the Patriot Act. Our action plan consists of two streams: a comprehensive assessment of departments' major outsourcing activities, vulnerabilities, mitigation strategies and model clauses. The results of this assessment will be made public sometime early this summer, and will lead to the developing of clauses for requests for proposals and contracts, as well as privacy policy advice for implementation, to deal with the concerns about personal information or other sensitive government information. The Government of Canada is developing these clauses in a manner that is mindful of its international trade responsibilities.

Many federal institutions have indicated that they already have a risk management strategy in place, while other institutions have stated that, as a result of this initiative, they will be reviewing their current risk management practices to ensure that such risks are adequately considered.

The consideration of privacy risks as part of an overall risk management strategy will ensure that any privacy issues are addressed at the planning stage of any initiative, which will, in turn, help officials to make informed decisions on whether or not to contract out or outsource certain personal information. It will also ensure that any potential risks to privacy or other sensitive information can be adequately mitigated throughout the contractual process.

To date, the government has determined that the USA Patriot Act will have no impact on the privacy of the vast majority of Canadians. This determination is based on our findings up to now that indicate that the bulk of government institutions assessed thus far, 84 per cent, have classified their risk as either no risk or low risk in terms of the possibility of application of the USA Patriot Act provisions.

The contracts classified as medium to high risk are limited in scope and are often closely linked to the mandate of the institution. For example, Foreign Affairs Canada and Export Development Canada have offices in the U.S. and overseas and therefore have contracts with companies in foreign jurisdictions where they are located.

In my own department, we have classified our contracts as no risk or low risk. For example, the contract for the Public Service Management Insurance Plan is currently with National Life Assurance Company of Canada, which has no offices in the United States. NL is a wholly owned subsidiary of Industrial Alliance Insurance and Financial Services Inc., a Canadian company incorporated under the laws of Quebec. As such, there is no risk of application of foreign legislation to this contract. The situation was similar for contracts related to the administration of the Public Service Dental Care Plan and Pensioners Dental Services Plan.

An example of a low risk of application of foreign legislation includes a contract with Sun Life Assurance Company of Canada related to the Public Service Health Care Plan and the Disability Insurance Plan. Sun Life uses the services of World Access to adjudicate out-of-country travel and comprehensive claims for the health care plan. Although World Access Canada does not normally share PSHCP data with its U.S. counterpart, the current arrangement allows for calls to be transferred to the Richmond, Virginia office in the event of a disaster in the Waterloo office. In such circumstances, temporary access would be granted to the U.S. office to ensure continuity of service to Canadians.

A similar situation exists in relation to Sun Life's CHESS system, used for claim adjudication and payment under the disability insurance program. Sun Life's U.S. employees could potentially look at disability insurance plan data.

In addition, there is a longstanding record of cooperation between our two countries' authorities. We remain confident in the efficiency and expediency of existing multilateral agreements between our countries to deal with such issues.

The Canadian government will complete its assessment of the reports submitted by departments and agencies in the next month or two to ensure that concerns over the U.S. Patriot Act are considered thoroughly, as well as to determine whether additional policy guidance and tools are required with respect to the broader issue of transborder data flows. The final comprehensive assessment report will be published this summer to reassure Canadians of the protections in place from this or other types of foreign legislation.

Finally, at her May 9 appearance before this committee, the Privacy Commissioner made reference to a number of measures to strengthen the government's privacy management regime that she had previously raised with me. I have since responded to the commissioner, confirming that Treasury Board Secretariat has launched or planned work in these areas and will seek to advance the concept of a privacy management framework.

As indicated earlier, the government is currently reviewing outsourcing involving personal information and is developing comprehensive policy guidance, including some model contract clauses to mitigate privacy risks. The government will continue to work closely with the Office of the Privacy Commissioner to ensure that Canadians' privacy is respected and that personal information is protected from inappropriate disclosure.

The government will also work closely with provincial governments and the private sector to continue to protect the security and privacy of Canadians and the interests of Canadian businesses. We will also maintain an open dialogue with U.S. officials relating to cross-border information sharing to ensure that our governments achieve the right balance between privacy rights and effective law enforcement.

That concludes my remarks and I look forward to your questions.

Senator Stratton: Welcome, minister. It is good to see you again. I hope you are healthy.

The government, by my notes, should have spent some $6.6 billion of the $7.7 billion originally allocated in the2001 budget by the end of this fiscal year.

Can you tell us if this amount of money has in fact been spent to enhance the security of Canada and is the Treasury Board tracking the spending in any fashion that we would be aware of?

Mr. Alcock: I am sorry, Senator Stratton, we did not come prepared to discuss that particular aspect. We were asked to discuss privacy and data protection. The Deputy Prime Minister, I think would be more appropriate —

Senator Stratton: If you are here on privacy, tell me about the process. You are Treasury Board. You are the process person. You get things approved by cabinet. You then take that cabinet approval and you implement the policy. You develop a plan for it. Is that not what takes place?

Mr. Alcock: Are you talking about the budget approvals that were provided to security agencies or are you talking about the privacy and security tracking that we do?

Senator Stratton: Yes.

Mr. Alcock: The second one?

Senator Stratton: I am going by your topic now. How do you track it and ensure that it is on track? I get a little concerned about different reports coming down about privacy. How do you track it?

Mr. Alcock: Let me walk around that a little. We have a policy for the protection and holding of the personal information of Canadians within the Canadian government. The issue that was raised last fall, coming out of British Columbia, was about the potential use of the U.S. Patriot Act to access data on Canadian citizens surreptitiously, without any knowledge that it was being done. I think everyone had a concern initially that if this was indeed happening we should investigate and understand the parameters of it, what the impact would be on Canadians, and then make some decisions.

The first thing that happened is that I met with the Privacy Commissioner. Her indication was — because you may recall there had been some questions in the House about the CIBC potentially moving data into the U.S. — she felt that the PIPEDA, given that it is relatively new legislation, covered the private sector companies adequately and that she had the tools that she needed to act should there be a concern raised about that.

However, in the area of the government, she also indicated that the Privacy Act itself is much older legislation and had not contemplated some of these cross-border flows. In particular, the issue was, in a world where we are all contracting on both sides of the border, data could be held in the U.S. in such a manner that it could be accessed by the U.S. government under the Patriot Act.

We undertook to do a review of all of them. You can imagine the amount of contracting that goes on in the federal government. It has taken us a while to go through each department and to assess if they contract for the holding of personal information outside of their own resources; if so, to what extent, and what is the nature of the contract and the provisions to protect that information? That is the review I was speaking about earlier.

Senator Stratton: Why would Treasury Board get involved? Why particularly your department?

Mr. Alcock: We have the policy responsibility for ensuring the protection. The Privacy Act is the legislation. The Privacy Commissioner acts as a watchdog to that. We have the administrative responsibility for seeing that the government complies with it and has proper regimes in place. We also have responsibility for contracting the procurement policy. The solution that has been identified by the Privacy Commissioner is changes to the wording of the provisions in the contracts that we write when it comes to the holding of data.

Senator Jaffer: Minister, thank you for appearing before us at this late hour. I found your presentation very interesting. I also commend you. When this issue of the Patriot Act came to your attention you started working on it right away.

I have a number of questions. I absolutely accept that you may not have the answers until September-October, when we come back. I will ask the chair if she will kindly invite you back once you have the report in the summer and are able to give us a better idea.

My first question is on the outsourcing, and you have covered it somewhat. On May 9, I had the opportunity to ask the Privacy Commissioner about outsourcing. As you are very well aware, minister, Canadians are very concerned about their information being placed in U.S. companies. As I understand it, under the Patriot Act, U.S. companies must release that information to their governments. Because the information is held by U.S. companies, it is obviously not protected by Canadian law.

I know there are treaties in place to allow us to share information with our allies when need be, but these treaties still give Canadians a role in determining how this information is shared. The concern is that outsourcing removes this role. It takes it out of our hands. The Privacy Commissioner has told us that you are currently reviewing this process, and you have confirmed that. It would be very useful, minister, if you were able to share with us some of the thinking or how the review process is being carried out. I absolutely accept that it is still a work in progress.

Mr. Alcock: I thank you for that, Senator Jaffer. One of the issues in government is there is such a smorgasbord of interesting items. I have opinions on our security legislation also, but I have to avoid being dragged into that because I have no expertise in this area. I have not spent the time studying it that you have.

There is a concern. Some of the concern is a fear of the unknown. It is not a realized fear. It is just a fear of what could happen. In part, it is almost the traditional fear of something big. You commented that U.S. companies holding data could be ordered to release this data under the Patriot Act. I discussed this at some length, and we investigated it at some length, both with the Privacy Commissioner and internally. It is certainly true that the Patriot Act would function in that way if the data were held by a U.S. company doing business in the U.S. There were fears stated by some that the only precondition was that it was a U.S. company or U.S. subsidiary. I have been assured by the Privacy Commissioner and others that that is not the case. U.S. companies doing business in Canada have to function under Canadian law. The new PIPEDA is quite clear on the holding and release of that information.

It should be said that in the legislation that you are reviewing, there are means and provisions for the surreptitious access of information. It is not as though the U.S. is doing something that we are not. We also allow our security services to do that, but we have perhaps a higher bar that they have to clear before they get the permission.

We are also informed that the Patriot Act itself is under review by Congress, and that may result in some changes on that side.

On suggestion that was made to us, and as the Privacy Commissioner wrote to me, was that we develop contractual model language for all government contracts that have to do with the holding of personal information that spells out some of the conditions under which this information is being held and the access to it. There has been a debate. In this particular case, Senator Austin would be more expert than I on some of the trade implications of limiting the ability to hold information offshore when we are moving both ways on that. We hold considerable U.S. information here in Canada under some of these agreements. It is believed that through simple changes to the way we procure that service, we can provide an enhanced level of protection.

I have the Privacy Commissioner's letter in front of me. She also suggests that a strengthening of reporting requirements under section 72 of the Privacy Act would provide more notification when such information is accessed.

Is it a perfect instrument? I do not think so. Is it as good as we are likely to get, given the other concerns behind the review that you are doing? Where is that boundary between accessing information for reasons of public protection and the right to personal confidentiality?

Senator Jaffer: Minister, the concern that people have raised with me is that a U.S. company may be operating here, but they may be outsourcing the data processing in the U.S., which brings them under both Canadian and U.S. law. How do we then protect personal information?

Mr. Alcock: There are two issues here. Ms. McDonald was saying to me that if the information is held by a Canadian company, PIPEDA, the new private sector legislation, applies. Ms. McDonald is saying that even in the case of a company operating in Canada that was storing the data somewhere in the U.S., that information would still be covered. The company would still be liable for the improper access to that information.

Senator Jaffer: So they do not have to release it to the U.S.?

Mr. Alcock: There is a debate about that.

Senator Jaffer: My understanding is they have to.

Mr. Alcock: My understanding, too, is that if the information is physically held in the U.S., it would be difficult for a company to refuse the access to it.

Senator Jaffer: Minister, I know these are difficult issues and you are looking at them, but many Canadians have great concern. Parents have phoned me and said that their child visited the U.S. and, after using their credit card, they have had FBI appear on their doorstep. They have had cases of them being tracked down through the use of their credit card.

I know this is a work in progress and in September it may not be there, but this is a great concern to Canadians.

Minister, other countries also deal with the U.S. Do we have any examples of how other countries are dealing with this issue?

Mr. Alcock: It is interesting. I should say that this discussion arose in British Columbia, as you know. The Privacy Commissioner in British Columbia, with some pressure from and discussion with the public sector unions in British Columbia as the government was moving to outsource some of their data holding, got involved and was the first to raise this. I met with the minister from British Columbia on this.

As we canvas across the country, we have not had a lot of concern raised by other jurisdictions on this particular issue, nor have we had concerns raised internationally.

Senator Jaffer: Not internationally?

Mr. Alcock: No.

Senator Jaffer: I am sure you will have to take some time to answer my next question, and I accept that.

I was pleased to read in your presentation that you are responsible for government-wide administration of the Privacy Act. One of the things that have come out in the Arar hearings is that when Canadians think that they are speaking privately with the counsellor, it is shared by the RCMP and with the RCMP and CSIS. Is this also within your administration?

Mr. Alcock: If you are talking about the sharing of written or recorded information between two jurisdictions, there would be legislation and agreements that govern that sharing between law enforcement agencies and the like. The sharing and accessing of personal data that is held by one department or another would have to be prescribed and supported by either legislative or administrative agreements that we would oversee.

Senator Jaffer: May I please ask that, when you come in September, you determine how that protection happens?

Mr. Alcock: I will endeavour to provide this before we return in September so that honourable senators will have as much time as possible to go through it. We will have completed the review by then and we will make it available immediately. We will do the same on the administrative question.

Senator Jaffer: I will make one short comment. I appreciated very much what you had to say, and I am sure Canadians listening did also.

I know the minister will understand this: Protecting the vast majority of Canadians is not our aim; it is to protect all Canadians. I urge you to see that the privacy of all Canadians is important. It is important that people understand that.

Mr. Alcock: There is no question that privacy, while it is not a right that has been written into the Constitution, is certainly a right that has been read into the Constitution by the Supreme Court, and we act on that basis. We take it seriously.

I think there could be a very interesting discussion with this committee about privacy in general. You are looking at an extraordinary power that encompasses an entire range of issues. You are doing very important work, and I think it is important that we educate both ourselves and Canadians about how these various processes interact.

There is also a discussion to be had about privacy itself and how we manage it in government. A lot of enhancements, service improvements, efficiencies and other things can occur — I am not talking in the judicial or investigative sense, but in the provision of services — if we can share data.

The approach has been quite antiquated, in the sense that if we do not share anything with anybody, we will never violate privacy. In the first place, that is not true. In the second place, we deny ourselves advantages and benefits that come through how we hold information.

How we provide privacy protection and give life to that right is an important discussion and one that I would love to have with this committee.

Senator Fraser: Like the others, I was comforted when you told us that to date the government has determined that the Patriot Act will have no impact on the privacy of the vast majority of Canadians. My degree of comfort was lessened in your next paragraph, where you said that this was based on your findings so far in connection with government institutions.

On what basis did you extrapolate the information held by government institutions to the vast majority of Canadians in general? Did I misunderstand what you were saying?

Mr. Alcock: No, you did not. There are two things I would like to mention. My responsibilities are overseeing the management of information held by government, so my world is the federal public sector. It is governed by the original Privacy Act passed in 1982 as a companion to the Access to Information Act.

We proclaimed in 2004 the new PIPEDA, Personal Information Protection and Electronic Documents Act, directed at the private sector holdings of personal information.

When this issue was first raised, the first thing I did was call the Privacy Commissioner and meet with her. Her sense was that because that legislation was new, it had anticipated or understood better some of this electronic data sharing. She felt she had the tools to investigate and hold to account private sector companies that were holding personal data of Canadians.

Having had that assurance, then we focused our work on the area we manage. The concern there was simply that the Privacy Act itself is 20-plus years old and in need of renewal. There has been some work done on how a new act could be created, but in the meantime we should concentrate on areas where data were being held and use our authority under the procurement policy to try to address the issue.

Senator Fraser: I was particularly struck by this because on my way to Ottawa this morning, I heard a report on CBC Radio concerning a well-known Quebec-based insurance company that had transmitted a health insurance claim to a U.S. subsidiary for some reason. That U.S. subsidiary had contacted the physician in Quebec and demanded not just the specifics on this claim, but the patient's entire medical file, which I gathered, from listening to the physician being interviewed, was an unusual occurrence.

As one of the experts who was interviewed said, the concern that immediately comes to mind is that people would like to use this kind of information to build profiles of greater or lesser sensitivity. It is probably a very high sensitivity. As I think you suggested, once that information is sent down there, we cannot really protect it.

I suspect I am asking you to comment on something that you have not heard about. If you take it as hypothetical situation rather than a real case, does it sound to you like a definite infringement of the law, or do we have a loophole that needs to be fixed?

Mr. Alcock: I thank you for giving me a loophole before I answer the question. I do not know the specifics of that case.

Some of this, like all new law, has not been tested because there have not been a lot of claims. One of the first things the Privacy Commissioner said to me was that there needs to be a complaint for her to act. She felt she had the tools to enter private premises, get the information and hold to account the people responsible when it came to private sector organizations. Beyond that, it is hard for me to answer this one.

Senator Fraser: Clearly this committee has been trying to wrap its collective mind around not just the narrow specifics of what one government department does or what one clause of the legislation says, but the whole context in which we operate. That includes this kind of relationship with our neighbours to the south.

I hope you will tell me I am wrong, but it sounds to me as if we may be operating in our own corporations and their relationships with their partners south of the border on a degree of trust that would have been appropriate prior to September 11, but perhaps should be re-examined now.

Mr. Alcock: You may be right. We have two relatively new developments coming at us. We have this greatly enhanced capability to transmit information quickly anywhere at any time and also this strong desire in both countries for enhanced protection from acts like those that took place on September 11.

In the chairman's opening remarks, she defined part of the issue. This was a horrific event. Both countries reacted swiftly, and this legislation was brought in swiftly with the full knowledge that we would have to do exactly what you are doing, go back and have a look at it when things have cooled down a little, and we have had a little more time, to see whether we have gone too far.

There are two issues here, and I have to be careful not to ride one of my own hobby horses. I definitely want to have a conversation with somebody about privacy itself. Here, you are looking at extraordinary ways to violate privacy in the national purpose. Again, I do not have enough policy background to add much to that conversation, other than to recognize it is an extraordinarily important one, and in carrying out our responsibilities for holding pertinent data on Canadian citizens within the federal government, we are trying to ensure we provide as much protection as we possibly can.

Beyond that, on the issue of the loss of privacy, I think we have tended, because of our fear of the newness of this technology and the enormous rapidity with which information can be shared, to react to that by not sharing information instead of looking at building penalty regimes. I often argue that in the case of medical records, they are only as secure as the dumpster behind your doctor's office, and yet we think that is adequate. We deny ourselves a considerable range of benefits that could come from using information differently. That is a debate for another time. I like to throw it out now and again. I want someone to pick it up.

Senator Joyal: I would like to pick up where you left off. I totally agree with you that we live in a world where communication is on a much wider scale than before. The problem as I see it, and as you have outlined it, is that as long as the information goes to your own government, you are protected by the system of law of Canada.

Mr. Alcock: That is right.

Senator Joyal: Canadians generally trust our system of law, the rule of law and the way it is implemented in Canada.

The uneasiness starts when the information is passed to another government and they are not aware of it, and second, they do not have the same access to the protection of the system that we have in our country. That is where we have a totally different ball game, if I can use the expression. As you said, if we are to continue to cooperate generally with our friendly neighbour in the south, we might want to have additional reassurance that we know what is being done and how. Therefore, citizens of Canada who trust their government by providing the information will trust their government to follow up when they no longer have control of it.

That is where, in our dilemma and the way I see Senator Fraser's dilemma, we realize now there is a different game, because an American company that controls information on Canadian citizens might be ordered by a court to provide it and told not to inform its Canadian customer, i.e., the Government of Canada or any other provider of services in Canada, that they are releasing the information. Therefore, it is the secrecy of the use of the information that is a preoccupation for us.

My other preoccupation is, and I am speaking as a lawyer, if we are to include, as you said on page 3 of your brief, ``Developing clauses for Requests for Proposals and contracts,'' I am tempted to ask how you envisage the extra- territoriality of your own jurisdiction over those clauses. If the violation happens in the United States, where will you seek redress? This is another important element of the efficiency of the system that you might contemplate putting into practice.

Mr. Alcock: Unless the clauses called for the holding of the data in Canada and did not allow the cross-border transmission.

Senator Joyal: What would the penalties be if there is violation of that undertaking by the company?

Mr. Alcock: That does get us into a different area, Senator Joyal, and you would be more expert than I, given your background as a lawyer. I cannot speak to the specific penalty. Maybe others can in the area of the PIPEDA. The same issue applies in the PIPEDA. Then you are faced with breaking the law or breaking the contract. It came up for Statistics Canada, where they had written a contract that provided for holding data outside the country, and when they became aware of the concern they rewrote the contract so the data are held within Canada. Once it is held in Canada, PIPEDA applies, and anyone who then moves it offshore, if you like, is subject to the penalties that apply under that legislation. I do not know what they are off the top of my head.

In the case of our contracting, which is what we would be doing with government information, I would assume, at the very least, it would lead to a violation of the contract or its withdrawal. We would also, in the model contract clauses, because it depends on the kinds of information you are holding, build penalties into the contract.

If you put a clause in the request for proposal that people identify where the information would be held and added some other clauses around the use of that information, it is argued we could provide an adequate level of protection.

Senator Joyal: In other words, you would be developing — and I do not want to use terms that you have not used yourself — contractual language clauses that would specifically establish a prohibition for the foreign company, let us call it that, to transfer any information without the knowledge of the customer, namely, government, you or any other government agencies, without first getting the authorization. If the company ever released that information, it would be subject to the penalty established in the contract in case of non-compliance.

I am sorry. You were nodding, but the minutes will not register that.

Mr. Alcock: They will not show my nod.

Senator Joyal: I do not want to put words in your mouth that describe something you are not really looking at doing or contemplating in the short term.

Mr. Alcock: That is certainly where our thinking is going on this.

It is also in the context of the need to revamp the Privacy Act itself, which would contain further enhancements once we got that done and through the House.

Senator Joyal: That is another approach.

Mr. Alcock: Yes.

Senator Joyal: You have one responsibility as the customer, in that you can establish the sets of obligations that you want your co-contractor to subscribe to because you offer payment in exchange. There is an exchange of demand and offers. On the other hand, you have to establish a follow-up system in case the commitment that your co-contracting party is undertaking is broken. It has to be a real follow-up system; otherwise, people can break the contract and there is no penalty or consequence. In other words, it becomes a pro forma clause, with no teeth.

Mr. Alcock: Given that the contracting we are talking about is within government departments, the Privacy Commissioner's office can be involved in auditing them or investigating complaints. If we have within the contracting language an ability to sanction the company, it is argued that that is the quickest and most efficient way to address this situation.

Senator Joyal: For instance, retaining payments, among other penalties.

So far in your study of the Privacy Act, which is not recent legislation, is it your opinion that the act would need to be amended to make sure that the Privacy Commissioner would be in a position to assume that responsibility, not with the Canadian agencies but with someone outside government operations?

Mr. Alcock: There are two pieces of legislation, one being the original Privacy Act, which the Privacy Commissioner herself would argue is old, and it did not in its inception contemplate some of the things that have occurred. It is 23 years old. However, she believes the new legislation is adequate to deal with companies outside the federal family. Inside the federal envelope, the additional enhancement suggested was, as you have described it, to provide contracting language that determined how data were to be held and penalties for their misuse. She would nonetheless have the ability at any time to investigate complaints about the way personal information was being held and whether personal privacy was being violated. She is fully empowered within the existing legislation, within the federal community. The question comes only once information moves offshore.

Senator Joyal: The remedy.

Mr. Alcock: That is right. The remedy once it moves offshore. She has considerable authority if it is held within Canada. Given that it is government in the case we are talking about, public sector institutions, Government of Canada institutions that are the holders of the information, it is felt that if we simply changed the contracting regime to hold the information within Canada in those cases where there is a substantive concern about the kind of information being held offshore, that would bring us under the umbrella of Canadian legislation. I always argue we have lots of laws that prevent the theft of cars, yet people still steal cars, so you have to have a way of identifying the breaking of the law and a penalty regime to deal with it as best you can, to the extent that a law can provide a solution.

Senator Joyal: Have you contemplated reviewing the NAFTA treaties to cover that aspect now that they have been opened to allow American companies to bid on Canadian government contracts? In the review of the NAFTA there could be some clauses that would cover those aspects of a reality that did not exist before and that we did not contemplate at that time, for obvious reasons, as you said. There were rapid changes. Is it something you are considering?

Mr. Alcock: It is not something we are activity pursuing at this point, although we have explored the question with our U.S. counterparts. This is second- or third-hand, but we are told that in the U.S. there are groups who have substantive concerns about the Patriot Act and its application. That is under review, much like our own legislation is. We are engaged at a number of tables around a variety of these cross-border relationships with the U.S. and Mexico, so it is certainly possible to include this issue in those discussions. There is no question about that. We have not undertaken to do that now, other than raising it. It was raised when President Bush was here.

Senator Joyal: I think this is a very important element in all those discussions to create the kind of trust we need between the two countries.

Mr. Alcock: In fairness to your question, Senator Joyal, let me go back and have a conversation with the folks who are dealing with this. I also chair the smart regulation process, which has a large U.S. sector. Let me get you a more adequate answer on that because you are quite right. It does open up an area for discussion that might be quite fruitful. The problem is that in both cases, here and in the U.S., our security services, in the kind of legislation you are looking at, are really looking for extraordinary powers that are not contemplated in some of these regular agreements.

Senator Smith: I have one narrow area on which I want a reaction from you, minister. This afternoon we heard from the Information Commissioner, Mr. Reid, and he had three of his officials with him. You mentioned in your introduction that you had a chance to review his presentation. Did you read it?

Mr. Alcock: I read a précis of it.

Senator Smith: He was quite clearly making the case for certain amendments that he felt were in the Canadian tradition, and it related to where things could be stopped cold, particularly when the government might have any information that had been received by a foreign government, probably, in most instances, our neighbour to the south, but not necessarily, and various government agencies. Then we got into whether or not he had made the case to the appropriate government officials, and with regard to the minister responsible for this legislation, the answer was no. Your name then came up, and quite positively. He did not use the words ``role model'' but made you sound like that and stated you had been cooperative.

Without getting into the debate about the merits of the case we were hearing from him, obviously you have a role in this issue, as does the Minister of Justice and, very clearly, the Minister of Public Safety and Emergency Preparedness. Where you have an issue that falls within the jurisdiction of several ministers and departments, how do you coordinate the government's policy? Do you paint broad brush strokes that say here is what we want to do? Is there a single big kahuna, which is a Hawaiian word for high priest, coordinating this, or are you all out on your own? Some of us sense today that not everyone sitting around the privacy table has their head in the same place. Maybe you can give us a response about the challenge there.

Mr. Alcock: It is an interesting way of posing the question, senator, because you do get caught. In my role as President of the Treasury Board, I am not the policy person in this case; I am the implementer. There is the policy, and now we have to make it happen in an efficient and effective way. While we may be identifying problems with the policy or legislation for future consideration, we do not play a policy role in that sense.

As a member of the cabinet sitting in some cabinet committees discussing this issue, I certainly have my personal views, as I think most Canadians do. I do not want to make light of it, but it is less of a concern about the information I have willingly said can go here or there. I willingly give my privacy away in many circumstances, but when the government is collecting information involuntarily, there is a higher bar on its protection, and that information can be accessed without us knowing it. It is in the surreptitious sense that it is a concern, and it does take us back into the policy realm to a certain extent. I have a few things to say there, but we are struggling to find the mechanical way to prevent that from occurring. The best we have come up with thus far is what I have described, the internal federal family working with the contracting and procurement rules, which is essentially what the Privacy Commissioner advised us to do.

Senator Smith: At least you met with them. We had the sense that not everyone else does.

Mr. Alcock: It is fair to say in any group of more than two people there will be more than one opinion. The biggest kahuna will call the decision in the end. That would be the Prime Minister.

However, he expects us to work these things out collegially as much as possible, and you are witnessing a strong debate among ministers about this legislation. The very issue that prompts this committee to do this study is felt by many people. This was a departure for Canadians. There is unease because it is a stronger policing action than Canadians have been comfortable with in the past, and it is driven by a stronger set of fears.

You will see that represented by some of the ministers who would appear before you on this question. We are looking to the wisdom of the Senate to sort this out.

Senator Smith: We will be meditating on that.

Senator Stratton: We heard from the Canadian Council for Refugees and the Canadian Bar Association this afternoon. There are five non-Canadians currently being held under the immigration legislation. How do we protect their privacy rights?

You need to look not only at what will happen in the future, but also at what is happening now. Perhaps you should look at that, because it is fairly critical to the questions we were asking this afternoon.

Mr. Alcock: Your question is whether these non-Canadians have the same privacy protection rights as a Canadian citizen. I believe they would, would they not?

Senator Stratton: That is the question. No one really knows. These people have been held for nearly three years. There is a sense that information was shared with other countries about these individuals. What is their status? We should be looking at that. You say you are looking at the future. Why not look at the present and those cases in particular?

Mr. Alcock: As I know nothing about these cases, I will not comment on them, other than to say that I will assess immediately whether the same provisions would apply to them as to a Canadian citizen. The act says that they are covered by the Charter of Rights, as is anyone on our soil.

I will check that out. For a more detailed discussion about those issues, the Minister of Justice is the person you should have before you. I do not have the required level of knowledge.

Senator Stratton: I do not want too much buck passing, and I know you will come back.

Mr. Alcock: I am quite comfortable in saying that the Minister of Justice is a lot smarter than I am on those issues.

The Chairman: We wish to thank you for coming, minister. We will look forward to a longer and perhaps more vigorous meeting with you in the fall after some of these issues have progressed over the summer and changes have been made.

Mr. Alcock: Thank you very much. It is always interesting to appear before Senate committees.

We will share with you now the information that I indicated we would, and we will work with you as we finish this review. I noted that we are 84 per cent done and we will get that to you right away.

We would be interested in your thoughts or recommendations about this. If you need any information from Treasury Board, just ask and I will ensure that you have it.

The Chairman: I understand, honourable senators, that the officials are prepared to stay here and answer our questions.

Senator Fraser: I want to recast my earlier comment, then I would like you to do some research and give us a written response.

Can we be satisfied that existing legislation, which I assume would be PIPEDA, can protect Canadians against the following circumstance: A Canadian company has a business relationship with a foreign company and the government of the country in which that foreign company is located uses that company as a conduit to get information about Canadians. Do we have sufficient protection against that?

Earlier I was talking about health, but there are many industries with very close links to the U.S., including the aerospace and the auto industries. There are all kinds of industries in which it would not be difficult for the American government to do this. There are other companies that have strong links with companies in other countries. I am not pointing a finger only at the American government.

In today's climate, do we think we have sufficient protection against this? This may be completely hypothetical, but my attention has been caught by this possibility and I would like to know what the legal framework would be for that, if there is one.

Ms. Helen McDonald, Chief Information Officer, Treasury Board of Canada: I am not an expert on PIPEDA, but it is my understanding that there is an obligation there that the private sector company must ensure, when it outsources its operations, its processes, its data, et cetera, to another company, that the same levels of protection flow through that contracting process. One could argue that when a Canadian company has a relationship with a foreign company, it is still incumbent on the Canadian company to ensure that the protections follow. That applies to the security of the information as well. There must be no improper access.

In your example, if a foreign government were to require the foreign company with the relationship to release the information without telling anyone, and perhaps it is done in such a way that the Canadian company is unaware of it, then it is difficult to say whether we would know about it and be able to take action. That is the reason for the emphasis we have been placing on contractual solutions that make you question whether you should be outsourcing this information at all, whether you should have your information backed up in a foreign country, whether the risks are such that you should keep it within your four walls and not let anyone else have access to it.

Senator Fraser: I was not thinking only of outsourcing, which is comparatively easy to control if you do your initial contracts properly. I was thinking more of those very close business relationships that increasingly exist in many industries. Perhaps this is a completely off-the-wall concern, but if someone could address themselves to it, I would be grateful.

I have a question with regard to matching of data contained in various federal agencies. Data matching can be a handy investigative tool. I understand that there is no legislation that requires federal organizations that may be doing data matching to notify the Privacy Commissioner, but that the Treasury Board has a policy about data matching. Could you describe that policy?

Ms. McDonald: We do have a policy that requires notification to the Privacy Commissioner of data matching. Mr. Lemieux will describe in more detail how it works.

Mr. Donald Lemieux, Senior Director, Treasury Board of Canada: If a government institution plans to conduct some form of data matching, they must involve the Privacy Commissioner in the process. There is also the privacy impact assessment policy, which is a more recent Treasury Board policy, that engages the Privacy Commissioner in any activity involving the personal information of individuals or employees.

There is an existing framework of privacy policy, but you are correct in saying that it is not in legislation.

Senator Fraser: Would that policy apply, for example, to the much-discussed capturing of data by airlines, which is yet to begin, that would be matched against data banks in CSIS or the RCMP?

Mr. Lemieux: Yes, it could apply to that.

Senator Fraser: In that case, the legislation sets out a number of quite clear criteria. I wondered if it had overridden the Privacy Act.

Mr. Lemieux: There is a policy, but it can be overridden if legislation exists that authorizes an institution to share data with another institution.

Senator Fraser: Are there guidelines on the kinds of matching allowed and not allowed?

Ms. McDonald: We could send you the material that describes under what circumstances matching is done and how we define it. Would that be helpful?

Senator Fraser: That would likely be very helpful.

Senator Jaffer: I have a follow-up question on the airlines' sharing of information. I understand that it is not being shared at this time. Under the Public Safety Act, there is to be a sharing of information on persons travelling from Canadian airports to destinations in the U.S., for example.

Ms. McDonald: I cannot tell you how that happens.

Senator Jaffer: Could you tell the committee how that information would be protected? I understand that you do not have that here today, but I would appreciate your looking into it to provide the committee with the details on how information on airline passengers would be protected under the Public Safety Act. I am sure it is not implemented yet, but I would like to see what the plans are for that.

Ms. McDonald: Yes.

Senator Jaffer: I have another question on the sharing of information. Minister Alcock spoke about the department's comprehensive assessment of outsourcing and a report on the success of that in the case of individuals. At this time, it is important for us to know what questions are being asked, although I do not expect an answer to that today. On page 5 of the minister's comments, in the second-last paragraph, it states that:

The Canadian government will complete its assessment of the reports submitted by departments and agencies in the next month or two to ensure that concerns over the USA Patriot Act are considered thoroughly, as well as to determine whether additional policy guidance and tools are required with respect to the broader issue of transborder data flows.

It would be helpful to the committee to know what questions are being asked before we read that report of the assessment.

Ms. McDonald: We could provide that to the committee. It is in the form of a letter from the then-Secretary of Treasury Board to his colleagues. Essentially, it asks them to identify, assess and, if appropriate, mitigate any possible risks with respect to the USA Patriot Act. Certainly, we can share that.

Senator Jaffer: Thank you. I receive inquiries in my office on a regular basis that I am unable to answer. The calls are from people concerned about personal banking information being stored in the U.S., especially credit card information. When questioning such a practice, people have been told that there is not much can be done about it. I have suggested calling the ombudsman of these banks to ask general questions on this practice. I have been told that there are many ways that the U.S. can access such information, but under the Patriot Act, the persons involved and the Canadian government must be informed of such access to personal information. I absolutely believe everything that Minister Alcock said about Canada asking the Americans how they collect the information under the Patriot Act, but they are not required to respond. In that case, in spite of the assessments we do, how will we protect the personal information of Canadians?

I was unable to advise the woman who called me about this and suggested that perhaps she should switch banks. She said that most banks outsource to the U.S., and so that remains a concern. There are few banks in Canada and it is difficult to tell people to change banks. The same thing applies to health information or any other personal information.

Ms. McDonald: I would say that there are two aspects to it. If information is collected under section 215 of the USA Patriot Act, I am not convinced that we would find out about it. Our reading of the U.S. hearings suggests that it was used in approximately 35 instances in late 2001. We would expect to receive no additional information from the U.S. as to whether that information involved Canadian citizens and what was done with it. We are using whatever meeting tables we can to make clear to the U.S. the concerns of Canadians about the protection of their information when it is collected for any reason.

There is another aspect. People can voluntarily give information, and when they have a U.S. bank account they automatically fall under the set of rules that apply in the U.S. where the enterprises are located. I am not in a position to describe how strong or weak the protections are within the U.S.

Senator Jaffer: It is not simply a case of someone volunteering information in the U.S. Rather, people are voluntarily giving information to banks in Canada and that has been outsourced. That is the concern.

Ms. McDonald: That would be covered under PIPEDA. I do not want to slough you off, senator, but the Privacy Commissioner should be able to help people find the available recourses for such concerns.

Senator Jaffer: I understand that will be included in the assessment you will send to us.

Ms. McDonald: We are focusing on the provisions and protections available for information collected about people by government, and not the information collected by banks. As the President of Treasury Board said, the Information Commissioner believes that under PIPEDA, there is an obligation on private sector companies to protect information as it may flow. Our focus within the secretariat has been on the government's outsourcing of information.

Senator Stratton: I have been listening to the testimony of the President of Treasury Board and you. How does this relate to anti-terrorism? You are talking about privacy and what will happen in the future in terms of providing information and the protection of the information of citizens.

If a person were under suspicion by a government agency, the RCMP or CSIS, what protection would that individual have with respect to privacy? We are talking about terrorism and not what we will do to protect the average citizen in the future. This is a study of the Anti-terrorism Act. If people come under suspicion, what rights do they have that you can talk about to us?

What I have heard so far is just what the average citizen can expect in the future, and nothing to do with anti- terrorism. How do you respond to that?

Ms. McDonald: It is my understanding that anti-terrorism or money-laundering legislation, or any legislation with a specific focus, tends to trump the more general. We are responsible for ensuring that the general policy on the privacy of information collected and used by the Government of Canada is implemented by departments in a consistent and appropriate way. We do not have competence in the case of what happens when someone is detained at the border.

Senator Stratton: That is my point, then. What are you presenting tonight? What I have heard tonight from you really has nothing to do with anti-terrorism. It has everything to do with protecting the rights of individuals not to have their private information distributed in an untoward manner, but it has nothing to do with anti-terrorism, not that I have heard, at any rate.

Senator Joyal: Could you tell us how many data bank matching reports exist in the Canadian government?

Ms. McDonald: Offhand, I could not. There have been over 30 data matching instances reported to the Privacy Commissioner, although I do not know over what time frame.

Senator Joyal: I wonder if we could get that from the Privacy Commissioner. Senator Fraser asked about the airline passengers, and there would be data from CSIS and the RCMP; and the latter, of course, have access to data banks of provincial police. They would have access to the gun control information.

All kinds of information is asked for on the gun permit form, including how many times you have been married; if you are separated, how it happened; whether there have been some complaints about violence in your connubial relationship and so forth.

It is difficult to have an idea of what is encompassed in all that. When I was listening to you, I was saying to myself that the responsibility of the government to maintain privacy might be much bigger than we think, because we do not know where all the data matching happens. Perhaps in asking two or three questions, you get the entire picture because of all the data matching; one set of information links to another branch of information, and then through that branch you get everything else. There is a whole domain of information.

It triggers my curiosity. Has anyone, to your knowledge, ever done that kind of evaluation?

Ms. McDonald: My colleague was pointing out that we do have an online publication and a paper publication called Info Source that is supposed to list instances of data matching. I would have to say that I do not think we have a really good handle on the amount or the impact of data matching.

It is one of the issues that the Privacy Commissioner has flagged to us as being of importance to her, not only cross- border flows of information, but the amount of data matching going on. It is one of the areas that we have agreed with her that we need to work together on.

We are doing a review of our policies, including around data matching. Our suspicion is that data matching is not being reported to the same extent as it is occurring, that perhaps there is greater clarity needed — it is an old policy and needs to be updated — or that we need to help people with tools to answer unambiguously, is this a data match or not, and remind them of the obligation to report such proposed activities to the Privacy Commissioner.

My colleague mentioned a privacy impact assessment tool, which was meant to ensure that when anyone makes a change in how they collect information — they shift from direct collection from the data subject, for example, to getting it from another department, or they change their system in a way that might have an impact on the security of personal information — they will think about whether there is a privacy impact they need to consider. It was a step-by- step process, an electronic training tool that helped ensure people did not make changes to an information system without understanding and mitigating any privacy risks.

Our thinking was that that tool worked well in this setting. Perhaps we should use it for data matching as well. I cannot say that I am comfortable with what we know about data matching. It is an area on which we have agreed to work with Madame Stoddart and her office to try to get a better sense of what is going on and whether there is some remedial action needed.

Senator Joyal: You remember that famous case whereby the Supreme Court accepted the matching of the data between Revenue Canada, or the border agency at that time, with the unemployment insurance data. I am sure that if you have information in the unemployment insurance data, you would have it too probably in the social assistance data, the payments that are made provincially, because of all kinds of situations that might happen in a family, where one of the spouses is unemployed and so forth.

We have a very important obligation to understand that when we give information to one element of public demand — when I say ``public,'' I mean requested by the government — it immediately triggers an entire set of other information coming to the forefront.

We have failed to understand the amplitude of the spider web. In my opinion, by answering two or three questions, you could cover the vast majority of the information that might exist on one person. If we are to ensure that we develop policy that protects privacy, we have to understand well how the system works, how the matching of the information works, if we want to really be effective in our objective of protecting the privacy of citizens, especially in the context of that data sharing that you have described.

Ms. McDonald: I would agree with you. The president talked about his interest in having a conversation about what the new technologies mean for privacy. As we have the ability to offer services in different ways, how do we see that in fitting with good privacy policy? Can we reuse information across certain settings, both for fraud reduction and to ensure that no one falls between the cracks — you are eligible and you are not in receipt of the program. Are there ways in which data matching can help on one side but not the other?

Those are all important questions that you are raising.

Senator Joyal: On page 4 of your brief, you say that of the government institutions assessed thus far, 84 per cent have classified their risk as no risk or low risk. What are the other 16 per cent?

Ms. McDonald: They have a medium to high risk. Which organizations are they?

Senator Joyal: Yes. Which ones are you still investigating at this time?

Ms. McDonald: Our current concern is to try to ensure that those who have not yet responded do so and complete their assessment quickly so that we can have 100 per cent of the agencies covered by this. We are still missing a couple.

In the letter requesting this information, as you will see because we will share it, we are also requiring departments to think it through. If you think there is a risk, medium to high, or even less than that, what can you do about it? Is there something you can do about the way the contract is now structured or the relationship with the contractor? What is possible, given that it is an existing contract? Is it due for renewal at some point and is your strategy to ensure the new contract will not look the same? Our intent was to ensure that mitigation strategies are in place and to try to follow up with departments through the summer, because that was an important point in our request to them.

Senator Joyal: Could you give us some examples of government agencies or departments that are still wrestling with the information they have to provide to you?

Ms. McDonald: Yes. If you insist, I could. Some are small departments or agencies that perhaps do not have the necessary staff or were not too sure what the problem is, but there are other larger, separate organizations like Canada Post that have not responded.

Senator Joyal: What we call Crown corporations.

Ms. McDonald: That is one of them. Canada Food Inspection Agency has not responded. We understand they are working on their response, but it has not been filed with us as of this morning.

Senator Joyal: Is it still your objective to complete your review by the end of the summer?

Ms. McDonald: Yes. We want to publish a report, because I think Canadians are looking for the results of this review, what have we learned and what is the extent of the risk. Our next strategy with those departments who are lagging a little is to say, ``We do not want to publish and leave a blank where you should be. That would suggest the wrong impression.'' We are working with those departments to get this completed and to have a comprehensive report. However, I am torn, in that I do not want to let it lag too long either.

Senator Joyal: You are committed to making a public announcement sometime this fall.

Ms. McDonald: Canadians are also looking for reassurance on what is going on.

Senator Fraser: In your policy on data matching, and indeed your policies concerning privacy in general, does your writ include CSIS and the RCMP, or do they operate under their own policies?

Ms. McDonald: Yes.

Senator Fraser: Yes, you cover CSIS and the RCMP?

Mr. Lemieux: They are on the schedule to the Privacy Act.

Senator Fraser: All your policies apply to them as well as everyone else. That is terrific. What happens when the Government of Canada operates a service that is transferred to a provincial government, as, for example, manpower training was a few years ago? Is it the practice to require that privacy policies continue when a service is taken over by a provincial government? Do you know that?

Ms. McDonald: I am not entirely certain. I suspect it would be. If a program is transferred or devolved, the provincial legislation would take over. I cannot say I was engaged in the example you cite.

Senator Fraser: It is the one that comes to mind now, but there have been other cases. We are given to understand that, as time goes by, there may be more cases of federal programs or activities being devolved to provincial governments. I just wondered what happened when that occurs in terms of privacy policy.

Ms. McDonald: It would be my understanding that if we were getting someone to deliver a service on our behalf, the federal law and policy would apply, because this would be our agent, if you like. However, if the responsibility had been devolved to another level of government, it would be the provincial law, but I can check on that and get back to you if I have this wrong.

Senator Fraser: If you would. The parallel that comes to mind has to do with official languages policy. Early on in the devolution process, it was not always required that the provincial government continue to apply the official language policy to which Canadians had been entitled when a given service was provided by the federal government. Later on, when people started to notice that in some cases the official language policy had just disappeared, then it did become part of the negotiation and the transfer. I wonder if anything like that has been done in terms of privacy.

The Chairman: Thank you very much for staying. Clearly this will be a long-time friendship. We will be hearing from you. Do not hesitate, as you collect information that you think would be interesting to members of the committee, to send it to me and I will circulate it to them. We will also meet again in the fall.

The committee adjourned.