Treasury Board President Anita Anand said a stronger federal directive would be ready this summer that would require agencies to measure the privacy impact of new technologies.
But so far, the federal government has not committed to making this a legally binding obligation, as many are calling for.
Mr. Anand was appearing Thursday before a parliamentary committee investigating the federal government’s use of tools that can extract data from cellphones and computers.
“Yes, there are problems,” Anand admitted before the Standing Committee on Access to Information, Privacy and Ethics.
“As such, this directive is being updated.”
The directive requires all federal agencies to conduct privacy impact assessments before new programs or activities that involve collecting or handling personal information.
Mr. Anand’s testimony comes in the wake of a Radio-Canada article last November that revealed that some ministries and government agencies did not conduct such assessments before using data extraction tools. It was conducted.
These devices can unlock your phone or computer and access all your data, including encrypted information, even if it is password- or fingerprint-protected. This includes emails, text messages, contacts, photos, travel history, etc.
Many departments say they use these tools as part of post-warrant investigations. Others use them without a warrant for internal investigations when an employee is suspected of wrongdoing.
Some departments have previously explained to Congressional committees that they didn’t feel it was necessary to conduct privacy impact assessments of data extraction tools, because several years ago they He said that this was because such an evaluation had already been conducted.
Anand said the revised directive, which will be rolled out this summer, will clearly state that any new potentially intrusive software must undergo a privacy assessment before the department can use it.
But for many committee members, the directives, even strengthened, are not enough.
“Are you going to include a privacy impact assessment in the law, yes or no?” Bloc Quebecois MP René Villemur asked Anand.
He said binding legal obligations set out in the Privacy Act are necessary to ensure compliance by federal authorities.
Villemur is not alone in calling for such changes.
In testimony before Congressional committees, privacy commissioners, union leaders, and communications and privacy experts made similar comments.
Anand said the matter was “in discussion” with Law Minister Arif Virani and it was too early to comment.
