Thank you, Mr. Speaker.
Mandatory Breach Notification
Input Received
The Northwest Territories Health Information Act, which came into force on October 1, 2015, places an obligation on the custodians of health information to advise affected individuals if the privacy of their health information is breached. Having had experience with this legislation, the IPC has recommended that public bodies under ATIPP should be required to provide the same breach notification for personal information under their control. She says,
"The duty to notify individuals of a breach that meets a statutorily-defined risk of harm is necessary for several reasons. First, it enables those affected to protect themselves from identity theft or fraud, and in some cases from personal harm. Second, the duty to notify affected individuals, and the public, serves as an important incentive for governments to take privacy seriously and avoid breaches in the first place. Third, a breach notification requirement would require public bodies to investigate the details of breaches, notably how they happened, and thus give them a solid information base for steps to prevent similar breaches in the future."
OpenNWT also recommended mandatory breach notification for ATIPP, stating that "Based on the large number of privacy breaches in the NWT it is important that our residents are notified individually."
Committee Response
Committee was persuaded of the value of amending the act to include a mandatory breach notification. To determine how to achieve this, committee looked at the relevant provisions of the NWT's Health Information Act and Nunavut's ATIPP Act, Division E, Data Breach Notification. Committee moved a lengthy Motion 17, to incorporate into Bill 29 a section, largely modeled on the Nunavut example, which provides a definition of "harm" and sets out a process governing public bodies with respect to data breach notifications. In addition, committee moved Motion 20, to provide the Minister with the authority, under section 73 of the act, to make regulations respecting the requirements to be fulfilled by public bodies in the event of a data breach
Protecting the Privacy of Individuals Making Access Requests
Input Received
The IPC has recommended that the identity of access requesters be protected under the act. She notes that "although it is convention not to disclose the identity of access requesters within a public body, there is no legal bar to doing so."
Committee Response
Committee believes that people seeking access to government records should be afforded a right to privacy, especially in a jurisdiction such as ours, where the population is small and many members of the public and the public service are known to one another.
Committee moved motion 3, which amends Bill 29 to provide that the identity of a person requesting access to information constitutes personal information which should be known only to the public body's ATIPP coordinator. It further provides that the identity of an access requester may only be disclosed by the ATIPP coordinator, to other employees in a public body, to the extent required in order to fulfill the access request.
Annual Reporting to the Responsible Minister
Consistent with the GNWT's commitment to openness and transparency, committee sees the value of having public bodies report annually on activities they have undertaken as required by ATIPP. Committee moved motion 23, which requires public bodies to submit a report to the responsible Minister, within 60 days of the fiscal year end, detailing the:
- Number of requests received;
- Time taken to process the requests;
- Number of requests that were denied and the exceptions that were relied upon by the public body, in determining the denial;
- Fees collected;
- Justification relied upon for any extensions of time; and
- Number of privacy impact assessments the public body has conducted in the fiscal year.
Obligations of the Responsible Minister
Annual Reporting to the Legislative Assembly
Motion 23, which requires annual reporting on ATIPP by public bodies, also requires that the Responsible Minister compile the reports submitted by the public bodies into an annual report, to be tabled within 60 business days of receiving the year-end information from the public bodies or, if the Legislative Assembly is not sitting at that time, at the next sitting of the Assembly. This will ensure that the information produced by public bodies as part of their year-end reporting is made available to the public.
Statutory Review of the Act
As noted at the outset of this report, the Northwest Territories' ATIPP legislation is just a few years shy of being a quarter of a century old. While it has been amended from time to time, the legislation has not, until now, been subjected to a comprehensive review.
ATIPP legislation governs the collection, use and disclosure of personal information. Processes used for collecting, exchanging, cataloguing and distributing personal information are intrinsically linked with technological changes. To put the age of the current ATIPP Act into perspective with respect to technological advancement, consider that in the same year it went into force the DVD was launched, smartphones were in their infancy, and there were roughly 45 million Internet users, none of whom had yet heard of Google, as compared with today's 1.4 billion Internet users.
Given the impact of changing technology on ATIPP, committee sees a greater-than-average need to ensure that the legislation is kept current. Clause 39 of Bill 29 achieves this by proposing to amend the act to include a requirement that the responsible Minister undertake a review of the legislation every seven years.
Based on past reviews of the Official Languages Act, committee is aware that mandated reviews of legislation occurring at arbitrary intervals, be it every five years, seven years, or whatever the case may be, do not always lend themselves to producing amended legislation. One reason for this is that, if the date for a review happens to coincide with the final year of an Assembly, there will not be enough time remaining to complete any recommended legislative changes arising from a review.
Committee prefers to see the statutory requirement to review legislation be tied to the lifespan of a sitting assembly. In this way, the review period can be synched to coincide with the four year term of an assembly, allowing enough time for any required changes to the legislation to make their way through the legislative process.
Committee moved motion 21 to amend clause 39 of the bill to require the Minister to carry out the review within 18 months of the start of the 20th Legislative Assembly and within 18 months of every second assembly thereafter. This will result in ongoing reviews of the act at eight-year intervals.
Committee debated whether or not to also amend the proposal in clause 39 of the bill to require that the review be done by a committee of the Legislative Assembly rather than being done by the Minister, as is the case with the Official Languages Act. Regardless of who does the review, it will ultimately be up to the responsible Minister to sponsor amending legislation to implement the findings of the review. On this basis, committee was satisfied with leaving the responsibility for the review in the hands of the Minister, providing that the results of the review be tabled in the Legislative Assembly for the consideration of Members. Committee moved motion 22 to provide for this reporting requirement.
Time Limits
As noted at the start of this report, Bill 29 proposes to revise time limits in the act by restating them as business days rather than calendar days; shortening some turn-around times; and adding time limits for certain actions required under the act that did not previously have them. Committee is proposing changes to a number of the time limits set out in Bill 29.
Time Limit for IPC to Complete Reviews
Input Received
Presently, the ATIPP Act requires the IPC to complete her reviews on access and privacy matters within 180 calendar days, or approximately six months. Clauses 22 and 29 of Bill 29 propose to shorten this timeframe to 60 business days, which is approximately three months. It is perhaps not surprising that the IPC would not be in favour of this amendment. Noting her deep concern, she asserts that the:
"Imposition of such a severe constraint without my office having more resources would either cause my office to fail to meet that standard or, in order to do so, to divert scarce resources from other important tasks, such as privacy complaints under the Health Information Act. Neither outcome is desirable."
She goes on to argue for the complete elimination of her time limit, pointing out that her office's review functions differ from those of other public bodies. Public bodies act on the basis of their own records and the contextual information they receive. In contrast, the IPC is entirely dependent upon public bodies to be timely in their responses to the IPC's requests for information when processing an applicant's request for a review.
Committee Response
The committee considered this input along with the testimony from Department of Justice representatives who pointed out that, in their review of the ATIPP Act, they heard from the public that the entire process is too lengthy.
Committee recognizes that the public should be able to have access to a process that is as expedient as possible. At the same time, committee notes that the cut to the IPC's time limit proposed in Bill 29 is the most severe cut proposed to any of the timelines contained in the act, while her office has far fewer resources than most public bodies. Committee is of the view that a reduction of that size would have a negative impact on the IPC's ability to complete thorough reviews. Committee moved motions 11(a) and (b), which set the IPC's time limit for completing access and privacy reviews respectively at 90 calendar days, which is approximately four and a half months. Committee believes that this will expedite the process for the public while still allowing the IPC adequate time to complete her work.
Mr. Speaker, I would like to hand the reading of the report over to the Member for Kam Lake.