5. Building on the Existing Foundation

Protecting privacy is not new in Canada. In fact, Canada has been a world leader in privacy protection for more than 25 years.

Privacy advocates and government officials in other parts of the world have looked to Canada for leadership in privacy protection because of a series of progressive laws and policies.

The latest measures the government has introduced have been designed to build upon and complement the existing foundation, not to work in isolation from them.

Laws governing information collected by the federal government

The Canadian Charter of Rights and Freedoms: When the federal government outsources a government program or a service-delivery function to a private sector entity, this entity will be required to comply with the Charter in the performance of those functions. It has long been recognized that section 8 of the Charter, which protects against unreasonable searches and seizures, extends to protect informational privacy. When the federal government deals with information about which one holds a reasonable expectation of privacy, some form of reasonable lawful authority is usually required to authorize the intrusion that may be caused by the handling of such information.

The Privacy Act: Privacy was first legislated in 1978 under Part IV of the Canadian Human Rights Act, but in 1983 the Privacy Act was enacted. The Privacy Act created obligations for federal government institutions to respect the privacy rights of Canadians by placing limits on the collection, use, disclosure, retention, and disposal of personal information. It became the standard for privacy legislation in Canada forming the basis for provincial privacy laws that would follow.

Other statues with privacy protection: The Privacy Act is not the only law protecting personal information collected by the federal government. Other laws covering specific information, such as the Income Tax Act, the Statistics Act, the Employment Insurance Act, the Old Age Security Act, and the Canada Pension Plan, include additional protection of the privacy of Canadians.

PIPEDA and the private sector

Companies, associations, labour unions, and non-profit groups must also operate within the law. The private sector law related to privacy is called the Personal Information Protection and Electronic Documents Act (PIPEDA). Starting in 2001, it was introduced in stages and was in full effect by 2004. PIPEDA applies rules to any organization involved in commercial activity for the collection, use, and disclosure of personal information. For example, under PIPEDA, a person has the right to know why a business wants to collect their personal information. Where provinces have privacy laws that are substantially similar to PIPEDA, these govern provincially regulated private sector operations within their borders.

Federal policies

In addition to laws, the federal government also operates under a series of policies and guidelines. Many of these include the consideration of privacy before proceeding with a government program, service, or contract.

Privacy Impact Assessment Policy: The Government of Canada became the first national government in the world to make privacy a mandatory consideration in the creation or changing of government programs and services that collect personal information. Federal institutions must conduct a privacy impact assessment to learn how privacy may be affected, identify any risks to privacy, and create a plan to mitigate those risks.

Government Security Policy: Security is also part of the existing framework. Without a secure infrastructure in place to keep information safe and prevent it from being tampered with or accessed by unauthorized personnel, privacy is at risk. The Government Security Policy outlines procedures for the safeguarding and storage of information.

Additional policies: A wide range of other policies protects both the privacy and security of personal and sensitive information. These include policies on the management of government information, contracting, and risk management.

Roles of federal institutions

In addition to laws and policies, certain federal organizations have mandates that further aid in the protection of privacy and security.

Public Works and Government Services Canada (PWGSC): PWGSC carries out physical on-site inspections of premises that store information under the government's control. These premises must receive a government issued security clearance prior to handling government information and any person with access to the information must also be security cleared.

Office of the Privacy Commissioner of Canada: The Privacy Commissioner of Canada looks out for the privacy rights of Canadians. The Commissioner can investigate complaints that are made under either the Privacy Act or PIPEDA. The Commissioner also serves as an advocate for privacy rights, carries out privacy research, and publishes information about privacy best practices. Upon reasonable grounds, the Commissioner also has the power to audit the information practices of organizations in the private sector.

Federal experience and expertise

Over the years, the federal government has acquired a great deal of experience and expertise in protecting personal information leading to the development of best practices.

A good example of this is the Government On-Line Initiative (GOL). GOL has successfully acquired the trust of Canadians concerned about on-line security and confidentiality. In fact, 70 per cent of Canadians in a recent survey said they used a Government of Canada Web site in the past 12 months.

GOL has earned this trust as a result of a communications infrastructure known as "Secure Channel," which allows secure and reliable electronic transactions with federal departments. Canadians can obtain an epass, a set of electronic credentials that allow secure two-way transmission of sensitive information.

Good communication through privacy statements and notices on department and agency Web sites also contributes to building trust. Such statements and notices tell individuals about the institution's privacy policies and inform visitors of how their personal information will be used before they provide it.

For more information on the existing foundation, please see Appendix B.