News
Privacy czar blames RCMP after woman denied entry to U.S. over suicide attempt

The incident is just one illustration of how government agencies and private businesses must do a better job of safeguarding personal data in the digital era, privacy commissioner Daniel Therrien said Thursday.

Reforms are needed to strengthen the federal privacy law that covers government agencies as well as the companion law for private-sector organizations, said Therrien, who wants new order-making powers and the ability to levy fines, bringing Canada in line with many provincial and international counterparts.

“It is not enough for the government to say that privacy is important while taking no systemic measures to protect it,” the commissioner said in his annual report tabled in Parliament.

“An overwhelming majority of Canadians are concerned about how the digital revolution is infringing on their right to privacy. They do not feel protected by laws that have no teeth and organizations that are held to no more than non-binding recommendations.”

Therrien said he won’t wait for legislative changes, and will begin to improve privacy protections by:

• Initiating more investigations on his own, rather than waiting for public complaints, given that his office is often better placed to identify emerging problems;

• Specifying four key elements that must be highlighted in privacy notices, which are now often incomprehensible: the information being collected, who it is being shared with, the reasons for collection, use and sharing, and the risk of harm to people;

• Spelling out information collection and handling practices that should be prohibited because they’re likely to cause significant harm to people.

Therrien’s latest report comes amid almost daily headlines about digital breaches of personal information due to lax practices by companies and government agencies.

In it, the commissioner describes lapses involving the information-sharing provisions of controversial anti-terrorism legislation, a federal web tool intended to stimulate discussion of electoral reform and the dysfunctional Phoenix payroll system.

In the attempted suicide case, Therrien’s investigation found the sensitive information was uploaded to the national police database known as CPIC by the Toronto police service, which had responded when the woman called 911.

Certain information in CPIC is shared with American law-enforcement agencies under an agreement between the RCMP and the U.S. Federal Bureau of Investigation. The privacy commissioner therefore concluded the Mounties are responsible for ensuring this sharing complies with the Privacy Act.

The information about the attempted suicide was recorded by Toronto police to help officers should they encounter the woman in future. But U.S. Customs and Border Protection used the information for an entirely different purpose — a violation of Canada’s privacy law, the commissioner found.

“We concluded that information about an attempted suicide can only be shared with U.S. border officials where the individual can reasonably be considered to present a risk to others,” the watchdog said.

In other investigations, Therrien found:

• There were significant record-keeping deficiencies related to the Security of Canada Information Sharing Act, a key element of 2015 omnibus anti-terrorism legislation that expanded information-sharing between key federal agencies.

• The Privy Council Office’s MyDemocracy.ca website, part of a national dialogue on electoral reform, allowed disclosure of personal information of participants to third parties such as Facebook without their consent. However, there was no evidence PCO was using measures to identify participants or to track responses to the survey questions.

• Inadequate testing, coding errors and poor monitoring of the beleaguered Phoenix federal pay system resulted in exposure of personal information of public servants. At least 11 breaches occurred and the information included employee names and salary information.

In some cases, the commissioner found, information in the Phoenix system could be changed and transactions could be conducted. In addition, Therrien determined there may be lingering vulnerabilities that could lead to future breaches.

When the previous Conservative government adopted Phoenix, the goal was to streamline the pay system — and save taxpayers about $70-million a year. But that plan quickly unravelled as more than 80,000 civil servants reported being underpaid, overpaid or not paid at all.

Ottawa has since earmarked around $400 million over two years to address lingering problems related to the program.

– Jim Bronskill

News from © Canadian Press Enterprises Inc. 2017