Thank you, Mr. Speaker. I checked my papers, and I do not have any duplicates, so you only get all 29 pages in this report.
Obligations of Public Bodies
The ATIPP Act places a number of obligations on public bodies. Bill 29 proposes to amend certain of these obligations.
Response to the IPC's Access-Related Recommendations
As set out in Bill 29, clause 31 proposes to require a public body to provide the IPC with a status report on its implementation of the IPC's privacy-related recommendations.
The committee originally supported this proposal because it is something that has been long sought by the IPC. However, committee could see no sound policy reason for this obligation to exist only with respect to privacy-related matters. Committee considered moving a motion which proposed to also place this obligation on public bodies with respect to access-related recommendations by the IPC. However, the subsequent decision to provide the IPC with order-making power, for both access and privacy matters, as set out in motions 12 and 16, supplanted the need for either clause 31 of the bill or an amendment requiring public bodies to report on the status of access-related recommendations.
Motions 12 and 16 require a public body to comply with an order of the IPC within 20 or 40 business days, respectively. Because the IPC's orders become mandatory under these amendments, the IPC will no longer be left wondering to what extent recommendations accepted by a public body are being implemented.
Records That May Be Disclosed Without an Access Request
Section 72 of the ATIPP Act gives public bodies discretionary authority to identify categories of records that do not contain personal information and can, therefore, be made available to the public without the need for a formal access request under the act.
Clause 37 of the bill proposes to make this requirement mandatory, rather than optional, for public bodies. Committee supports this proposal, but wants to ensure that the public has a way of knowing which categories of records may be requested without an access request.
Committee therefore moved Motion 19, which obligates public bodies not only to develop these categories of records, but also to publish them, so that people seeking information held by the government will know which records they may readily access without need to make a formal request under the act.
Privacy Impact Assessments
Input Received
The IPC has spoken to the committee, many times, about the importance of "privacy by design," which is the notion that whenever government is developing a new initiative, it should give consideration, in the earliest planning stages, to the initiative's impacts on the privacy of individuals. One of the ways to achieve this is through the use of a privacy impact assessment (PIA), which describes how individuals, whose personal information will be collected, used or disclosed, would be affected by the initiative.
Committee heard from the IPC on this subject, who said:
"PIAs help ensure that initiatives proceed only if there are no compliance concerns that cannot be mitigated. They enable what is known as privacy by design, with privacy compliance being designed into the initiative at the outset. PIAs also enable public bodies to assess whether, even if an initiative is legally compliant, it is not good policy from a privacy perspective. A PIA is an important and highly-desirable business risk assessment tool that should be mandatory."
Committee sees the value in privacy impact assessments, noting that such assessments are required under the Health Information Act for any proposed change to an information system or communication technology relating to the collection, use or disclosure of personal health information.
Committee Response
Committee was persuaded to seek an amendment to Bill 29 requiring public bodies to conduct privacy impact assessments, not only by the IPC's evidence, but out of consideration for impacts related to "common or integrated programs or services," a concept introduced in Bill 29.
One of the key features of the ATIPP Act is that it places an obligation on public bodies to limit their collection of personal information to only that which is needed to deliver a given program or service. It also requires that each public body must disclose to an individual the reasons for which their personal information is being collected. As a result, public bodies are not authorized to share the personal information they have collected, such that it can be used for purposes other than those for which it was first collected. Bill 29 proposes to change this with the introduction of the concept of a "common or integrated program or service."
A common or integrated program or service is one that provides one or more services through a public body working collaboratively with one or more other public bodies. The rationale for this approach is to break down the silos that tend to occur within government, so that different government departments or agencies may collaborate to deliver programs and services.
While this may be desirable from a program-delivery perspective, it creates challenges for collaborating offices, as they are currently prevented under the act from sharing with one another the personal information they have collected from their clients. As a result, clause 26 of Bill 29 proposes to amend the act to allow public bodies to share personal information they have individually collected for the purpose of collaboratively delivering a common or integrated program or service. Committee sees privacy impact assessments as vitally important in this context.
Mr. Speaker, as a result, committee moved Motion 13 to amend Bill 29. This amendment requires public bodies to develop privacy impact assessments for any proposed enactment, system, project, program or service, including common or integrated programs and services, involving the collection, use or disclosure of personal information. These PIAs must be submitted to the head of the public body for review and comment. It further requires that privacy impact assessments done for common or integrated programs or services be submitted to the IPC for her review and comment. Finally, this motion also requires the head of a public body to notify the IPC at an early stage, when developing common or integrated programs or services.
Thank you, Mr. Speaker. I now pass it on to the Member for Hay River North.