President of the Treasury Board appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI) – Use of Tools Capable of Extracting Personal Data from Mobile Devices and Computers – March 2024
A. Scenario note
Appearance of the President of the Treasury Board and Treasury Board of Canada Secretariat officials before the House of Commons Standing Committee on Access to Information, Privacy and Ethics concerning the study on the use of spyware by federal institutions
Background
- On December 6, 2023, the Standing Committee on Access to Information, Privacy and Ethics (ETHI) adopted a motion to “undertake a study concerning the use of technological tools capable of extracting personal data from telephones and computers in investigative processes conducted by several federal government departments and agencies; that the committee focus in particular on the reasons justifying the use of this investigative equipment by the various government institutions and on the privacy risk assessment process; that the committee devote at least six meetings to this study.”
- The committee has held a total of five meetings as part of this study, and it has heard from various witnesses, including the Offices of the Information and Privacy Commissioners of Canada, National Defence, the Royal Canadian Mounted Police, the Competition Bureau, Shared Services Canada, the Professional Institute of the Public Service of Canada (PIPSC) and the Canadian Association of Professional Employees (CAPE).
Day of: scenario (ETHI)
- The meeting will be held on Thursday, March 21, 2024, and is expected to begin at 11 am, subject to delays due to votes in the Chamber. The Minister, the Chief Information Officer and the Chief Data Officer of Canada are expected to appear without any other witnesses.
- The Minister will deliver five minutes of opening remarks and will appear alongside the Chief Information Officer for a total of one hour, between 11 am and 12 pm.
- Officials without a parliamentary pass appearing in person should arrive half an hour early to allow time for security screening.
The rounds will occur as follows:
First round
Six minutes are allocated to the first questioner of each party, as follows:
- Conservative Party
- Liberal Party
- Bloc Québécois
- New Democratic Party
Second and subsequent rounds
- Conservative Party: five minutes
- Liberal Party: five minutes
- Bloc Québécois: two and a half minutes
- New Democratic Party: two and a half minutes
- Conservative Party: five minutes
- Liberal Party: five minutes
Briefing binder
- A binder has been prepared in anticipation of the appearance, which the President’s office received a week prior. The binder provides an overview of the Directive on Privacy Impact Assessment. The binder also includes a placemat with material on key issues such as the role of privacy in data collection, privacy and the use of data, and the use of surveillance technology on government devices.
Other relevant information
- The Information Commissioner most recently appeared on February 1, 2024, and stressed his recommendation to have privacy impact assessments (PIAs) made a legal obligation for the government under the Privacy Act. He also noted that conducting a PIA prior to using such technology would strengthen privacy, support the public interest and generate trust.
- During the February 15, 2024, ETHI meeting, testimony was heard from CAPE and PIPSC. CAPE expressed “shock and dismay” that spyware has been used by government departments without following government policies. They also called the use of such software a breach of trust and called decisions not to complete PIAs unacceptable. CAPE urged the government to update and consistently follow its digital policy framework, and stated they were calling on the government to:
  - stop the use of spyware on government devices outside of its own established rules
  - be told when the government plans to conduct PIAs and have the results made public
  - have the government conduct a review of all digital policies to ensure the policy framework is robust and protects employees’ digital rights
- Issues raised during testimony from government departments and agencies included numerous technical questions from members of all parties focusing on the way the software works, what needs to be done to use it and the legal requirements which must be followed. Opposition Members questioned witnesses on their compliance with the PIA process and the rationale behind decisions to forego the process. Interest was also expressed by Opposition Members in whether it was believed that making PIAs a legal requirement would make things easier for departments and agencies and in having organizations consult with the Office of the Privacy Commissioner before the deployment of digital tools. Questions were also raised on a number of issues not directly related to the study, including ArriveCAN, auto theft, and the use of digital investigative tools during the invocation of the Emergencies Act.
- In addition to the study on the use of tools capable of extracting personal data from mobile devices and computers, the committee has a number of ongoing studies at the current time, most notably the study on social media and foreign entities.
1. Role of the President of the Treasury Board on Privacy Practices
Issue
The President of the Treasury Board’s role in relation to privacy practices and the use of surveillance technologies.
Response
- As designated Minister under the Privacy Act, I am responsible for its administration.
- This includes issuing the policy requirements to which institutions must adhere. The Directive on Privacy Impact Assessment is one of these policy instruments.
- TBS is updating the Directive on Privacy Impact Assessment, which includes streamlining privacy impact assessments (PIAs) and clarifying when a PIA is required, while also expanding the directive’s scope to reflect the government’s digital transformation.
- Work is well underway on this file, and we are currently consulting the Office of the Privacy Commissioner on the changes. The intent is to publish an updated directive in the summer of 2024.
- The Minister of Justice is conducting a substantive review of the Privacy Act, including engagement with Indigenous partners.
- My officials continue to work closely with Department of Justice Canada officials to advance this work.
Background
The President of the Treasury Board is the Designated Minister for the administration of the Access to Information Act and Privacy Act across government, a role which includes:
- issuing direction and guidance to government institutions with respect to the administration of the Acts and approving any exceptions to policy requirements
- prescribing forms and platforms to be used in the administration of the Acts, as well as the form and content of the annual reports to Parliament
- providing the parameters for the annual publishing of institutional indexes that describe government institutions, their responsibilities, programs and information holdings
- reviewing and publishing statistics collected by institutions under the Acts
The Treasury Board of Canada Secretariat (TBS) is responsible for supporting the President of the Treasury Board in fulfilling their responsibility as Minister responsible for the administration of the Privacy Act.
The TBS Directive on Privacy Impact Assessment (directive) sets out the requirements that departments must adhere to with respect to the privacy risk evaluations of their programs. This policy instrument requires that privacy implications be appropriately identified, assessed and resolved before a new or substantially modified program or activity involving personal information is implemented.
TBS has committed to updating the directive, which includes the commitment to streamline PIAs and to seek opportunities for improvement to the 2009 directive. The Department of Justice Canada is also leading a review of the Privacy Act, with the goal of modernizing it to ensure it meets the requirements of the digital age and the privacy expectations of individuals. Substantial policy development and engagement work has taken place in support of this initiative.
An updated directive will clarify the requirements for PIAs while expanding the directive’s scope of application to a wider range of initiatives for which a PIA will be compulsory. Broadly speaking, the updated directive will seek to streamline and standardize the assessment process to make it easier for institutions to submit PIAs, while also requiring that PIAs be done under a wider range of circumstances. Work is well underway on this file, and consultations will take place in the following weeks, including with the Office of the Privacy Commissioner. The intent is to publish an updated directive in the summer of 2024.
On March 23, 2023, the President of the Treasury Board tabled the Government Response to the seventh report of the House Standing Committee on Access to Information, Privacy and Ethics (ETHI) entitled Device Investigative Tools Used by the Royal Canadian Mounted Police and Related Issues. Device investigative tools (also known as on-device investigative tools (ODITs) or, more commonly, as “spyware”) are a type of surveillance technology. ETHI’s report recommended that the government amend the Privacy Act to include an explicit obligation for institutions to conduct PIAs before using ODITs to collect personal information. The government’s ongoing work to modernize the Act and the imminent updates to the directive will continue to address ETHI’s recommendation.
2. The Office of the Privacy Commissioner of Canada
Issue
The relationship between TBS and the Privacy Commissioner.
Response
- The government takes the privacy of Canadians seriously and is committed to safeguarding their personal information.
- Agents of Parliament do important work and are at the foundation of an open and transparent government.
- The Treasury Board of Canada Secretariat provides direction to government institutions on protecting personal information.
- The government looks forward to continuing to work with the Privacy Commissioner to help ensure Canadians’ personal information is kept safe and secure.
Background
The Privacy Commissioner oversees the privacy rights of Canadians under the Privacy Act and under the private sector legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Office operates under an ombudsman model but has investigatory powers, including to summon and enforce appearances, compel the production of evidence and enter any premises occupied by a government institution.
Institutions are required to consult the Office of the Privacy Commissioner when planned initiatives relate to the Privacy Act or may have an impact on the privacy of Canadians (section 4.2.2 of the Policy on Privacy Protection). They also must provide notices of material privacy breaches and privacy impact assessments to both the Office of the Privacy Commissioner and TBS.
Finances
The OPC’s planned spending for 2023–24 is $29.5 million, with 207 planned full-time equivalents.
The breakdown between the Privacy Act (federal public sector) and PIPEDA (federal private sector) is not known, but allocations by program area in 2023–24 are approximately:
- compliance: $11 million
- policy and promotion: $10 million
- internal services: $8 million
Budget 2023 allocated $6 million over two years for in-depth investigations into privacy breaches and to improve response rates on complaints, as well as $15 million to operationalize new processes associated with Innovation, Science and Economic Development Canada’s Bill C-27: Consumer Privacy Protection Act.
Roles
With respect to the Privacy Act, the Privacy Commissioner:
- investigates complaints, conducts audits and pursues court action where matters remain unresolved
- publicly reports on the personal information-handling practices of public sector organizations and identifies systemic privacy issues that need to be addressed by federal government institutions
- provides advice to help guide Parliament’s review of evolving legislation to ensure respect for individuals’ right to privacy
- supports, undertakes and publishes research into privacy issues and promotes public awareness and understanding of privacy issues
- advises on, and reviews, privacy impact assessments of new and existing government initiatives
3. Government Response to the Seventh Report of the Standing Committee on Access to Information, Privacy and Ethics (ETHI) entitled Device Investigative Tools Used by the Royal Canadian Mounted Police (RCMP)
Issue
From November to August 2022, ETHI studied the Royal Canadian Mounted Police’s (RCMP’s) use of on-device investigative tools (ODITs). The committee’s report was tabled on November 23, 2022, and the Government’s Response was tabled on March 23, 2023. ETHI’s work on ODITs may be referenced during its ongoing study on the government’s use of technological tools capable of extracting personal data from mobile devices and computers.
Response
- The Government of Canada takes the privacy rights of Canadians seriously and is continuously adopting measures to safeguard their personal information that is held by government institutions.
- The Minister of Justice is conducting a substantive review of the Privacy Act, including engagement with Indigenous partners.
- As the Minister responsible for the administration of the Privacy Act, my department continues to work with the Department of Justice Canada as it leads the modernization of the Privacy Act to ensure contemporary privacy risks, including those related to emerging tools like investigative tools, are considered and addressed in future law.
- Technology is always evolving, and so are the tools used by law enforcement. By strengthening privacy protections and introducing new rules, the Government of Canada is demonstrating its commitment to the privacy rights of Canadians.
- The Treasury Board of Canada Secretariat (TBS) will also continue to support government institutions, including the RCMP, in effectively assessing the privacy risks and implications of emerging technologies by reviewing privacy impact assessments and requests to register personal information banks for programs that use and collect personal information.
Background
From November to August 2022, ETHI studied ODITs used by the RCMP.
ODITs are computer programs that enable a user to covertly monitor and collect incoming, outgoing and stored device data. They can grant remote access to virtually all content on a targeted device in real time. Their use by federal investigators is subject to judicial authorization and occurs only in cases of suspected serious criminality where it can be demonstrated that less intrusive options were explored first.
In the scope of its study, the committee heard testimony from 12 witnesses, including professional researchers and experts, the Office of the Privacy Commissioner of Canada (OPC), the Minister of Public Safety, and senior RCMP officials. Testimony from witnesses highlighted the importance of ensuring privacy legislation keeps up with the digital age and properly assesses the use of new high-risk technology in law enforcement.
On November 23, 2022, the committee presented its report to the House of Commons and requested a comprehensive response from the Government. The report included nine recommendations (listed after the Background section below) aimed at enhancing the regulation of ODIT use by the security and intelligence and law enforcement communities in Canada and called on the government to increase oversight and transparency by strengthening public and private sector privacy laws.
On March 23, 2023, the President of the Treasury Board tabled the Government Response to ETHI’s report. The response was the product of a collaborative effort among implicated government institutions and their agencies:
- TBS
- Department of Justice Canada
- Innovation, Science and Economic Development Canada
- Public Safety Canada
- RCMP
- Global Affairs Canada
- Privy Council Office
The Government Response addressed each of the committee’s recommendations, agreeing with the majority in principle and outlining current government initiatives with which they are aligned. It emphasized that a solid legislative and policy framework is already in place to protect the privacy of individuals and committed to building on that foundation to improve transparency, promote privacy by design, and modernize legislation and policies to protect personal information in a trustworthy and respectful manner.
In its response, the government also acknowledged the potential intrusiveness of ODITs and affirmed that their use by law enforcement agencies during criminal investigations is subject to strict measures. ODITs may only be used responsibly when it can be demonstrated that less intrusive options were explored first and when judicial authorization was sought and granted.
The committee recommended that the Government of Canada:
- Amend the Privacy Act to include an explicit obligation for government institutions to conduct privacy impact assessments before using high-risk technological tools to collect personal information and to submit them to the OPC for assessment.
- Create a list of banned spyware vendors and establish clear rules on export controls over surveillance technologies.
- Review Part VI of the Criminal Code to ensure that it is fit for the digital age.
- Amend the preamble to the Privacy Act and the Personal Information Protection and Electronic Documents Act to indicate that privacy is a fundamental right.
- Regularly remind former elected or appointed members or any individuals who have previously worked for a national security agency of their lifetime obligations under the Security of Information Act and obtain acknowledgment of their understanding of these obligations.
- Grant the OPC the power to make recommendations and issue orders in both the public and private sectors when it finds violations of the laws for which it is responsible.
- Amend the Privacy Act to include the concept of privacy by design and an obligation for federal institutions subject to the Act to meet this standard when developing and using new technologies.
- Establish an independent advisory body composed of relevant stakeholders from the legal community, government, police and national security, civil society, and relevant regulatory bodies, like the OPC, to review new technologies used by law enforcement and to establish national standards for their use.
- Amend the Privacy Act to include explicit transparency requirements for government institutions, except where confidentiality is necessary to protect the methods used by law enforcement authorities and ensure the integrity of their investigations.
4. Use of Tools Capable of Extracting Personal Data from Mobile Devices and Computers: Key Issues
Overview of the Directive on Privacy Impact Assessment
Deputy heads are accountable for application of the Privacy Act as well as requirements under Treasury Board of Canada Secretariat (TBS) privacy policies and determine if a privacy impact assessment (PIA) is required or if they should complete any other formal assessments or procedures.
In its role in supporting compliance with privacy requirements, TBS regularly advises departments when they are unsure if a PIA is required.
A PIA is a policy process for identifying, assessing and mitigating privacy risks and must be completed prior to establishing any new or substantially modified program or activity involving personal information.
Privacy and the use of data
The Government of Canada (GC) is committed to transparency, collaboration and evidence-based decision-making.
TBS, working closely with the Privy Council Office and Statistics Canada, is leading the GC’s data strategy so that it keeps pace with the changing world around us.
The federal public service renewed its data strategy to improve data management across the GC while continuing to ensure the responsible use of data and protection of individual and organizational information and privacy.
As the GC continues its digital government transformation, we will continue to ensure our approach and actions are guided by respect for the privacy of Canadians.
Use of surveillance technology on government devices
The software applications in use by the GC are not considered spyware.
The software being used by the GC falls under the category of digital forensics.
Digital forensics is the application of science to the identification, collection, examination and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. In general, performing digital forensics requires specialized software.
Departments would typically use this type of software to conduct internal investigations, such as when employees are suspected of fraud or workplace harassment, in accordance with internal protocols that govern the collection and storage of personal information to ensure its protection.
Role of privacy in data collection on digital forensics
Departments using specialized software that extracts data from government-issued devices are subject to the Privacy Act and must do so in accordance with internal protocols that govern the collection and storage of personal information to ensure its protection.
Departments are to consult with their Access to Information and Privacy Office to ensure compliance and to determine the need for a PIA.
In some cases, the use of digital forensic tools falls within the scope of investigative tools used in support of their existing program mandates to carry out lawful investigations.
Roles and responsibilities on privacy matters
As designated Minister under the Privacy Act, the President of the Treasury Board is responsible for its administration.
This includes issuing the policy requirements to which departments must adhere. TBS is responsible for supporting the President in fulfilling this responsibility.
Deputy heads are accountable for application of the Privacy Act, as well as requirements under TBS privacy policies.
The Minister of Justice is conducting a substantive review of the Privacy Act, including engagement with Indigenous partners.
The Privacy Commissioner provides advice and information for individuals on protecting personal information and oversees compliance with the Privacy Act.