Canada’s national information and privacy commissioners and the provincial commissioners on Oct. 9 issued an unusual joint resolution saying “Canada must re-establish its position as a leader in both the access and privacy fields” and offering 18 specific suggestions.
Only a few Canadian laws “address modern challenges and to ensure continued protection of individuals’ rights to access and privacy,” according to the resolution.
Pledging to work toward modernizing the laws, the commissioners laid out nine proposals for change in access laws and nine others on privacy.
These include broadening the coverage of the laws, requiring government entities to document their decisions, creating standards for more proactive disclosure and establishing that orders by the commissioners are binding.
Information and privacy commissioners and ombudspersons from across Canada gathered in Vancouver for their annual meeting Oct. 8-9.
Portion of Text of Resolution
Absent the preamble section, the specific recommendations are:
In terms of access to information:
a. Providing strong monitoring and enforcement powers such as the ability to issue binding orders for disclosure, and penalties for non-compliance;
b. Broadening and clarifying which public entities are covered by access laws;
c. Creating a legislated duty requiring all public entities to document matters related to deliberations, actions and decisions;
d. Legislating strict and enforceable timelines for public entities to respond to access requests in a timely fashion;
e. For exemptions where the expectation of harm is in issue, limiting which records are exempt from the general right of access by requiring public entities to prove there is a real and significant harm in their disclosure;
f. Requiring all records, including exempt records, be disclosed if it is clearly in the public interest to do so;
g. Establishing minimum standards for proactive disclosure, including identifying classes or categories of records that public entities must proactively make available to the public and, in keeping with the goals of Open Data, make them available in a usable format;
h. Requiring that any exemptions and exclusions to access that are to be included in laws other than access to information laws be demonstrably necessary and that government consult with Information and Privacy Commissioners and Ombudspersons; and
i. Establishing a requirement that for any new systems that are created, public entities create them with access in mind, thus making exporting data possible and easier.
In terms of privacy:
j. Providing strong monitoring and enforcement powers and penalties for non-compliance;
k. Broadening and clarifying which public entities are covered by privacy laws;
l. Establishing legislative requirements for notifying affected individuals when their personal information has been lost, stolen, destroyed, or improperly accessed, used or disclosed (mandatory breach notification);
m. Requiring public and private entities to improve the information they provide about their personal information policies and practices;
n. Legislating a “necessity test” requiring public and private entities to demonstrate the need for the personal information they collect;
o. Providing individuals with effective means to assert their privacy rights and to challenge entities’ compliance with their legislated obligations;
p. Strengthening reporting requirements to the public with respect to the disclosure of personal information between private and public entities;
q. Legislating a requirement that public and private entities implement privacy management programs to ensure the protection of personal information; and
r. Establishing a requirement that for any new legislation, service, program or policy, public entities consider and plan for privacy implications at the outset (for example, privacy impact assessments, privacy by design).