New federal requirements in the works for potentially intrusive software
Revised directive will be ready this summer, says Treasury Board president
A more robust federal directive requiring departments to measure the privacy impact of new technologies will be ready this summer, says Treasury Board President Anita Anand.
However, for now the federal government is not committing to making it a binding legal obligation, as many are calling for.
Anand was appearing Thursday before a parliamentary committee looking into the federal government's use of tools capable of extracting data from mobile phones and computers.
"Yes, there is a problem," acknowledged Anand before the standing committee on access to information, privacy and ethics.
"That is why the directive is being updated."
The directive in question requires all federal institutions carry out a privacy impact assessment prior to any new program or activity that involves the collection or handling of personal information.
Anand's testimony comes in the wake of a Radio-Canada story last November that revealed that several departments and agencies had not carried out such assessments before using data extraction tools.
These instruments can unlock mobile phones and computers, even when protected by passwords or fingerprints, and access all data, including information that has been encrypted. This can include emails, texts, contacts, photos and travel history.
Many departments say they use these tools as part of investigations after obtaining a warrant. Others also use them without a warrant for internal investigations when employees are suspected of wrongdoing.
Some departments explained earlier before the same parliamentary committee that they didn't feel it was necessary to conduct a privacy impact assessment on the data extraction tools because they had already done such an assessment for their entire investigative program years ago.
Anand said the revised directive to be rolled out this summer will clearly specify that any new potentially intrusive software will have to undergo that privacy assessment before a department uses it.
However, for many committee members, a directive — even reinforced — is not sufficient.
"Are you going to include the privacy impact assessments in the law, yes or no?" Bloc Québécois MP René Villemure asked Anand.
He said a binding legal obligation enshrined in the Privacy Act is necessary to guarantee compliance from federal departments.
Villemure is not the only one calling for such a change.
During their testimony before the parliamentary committee, the privacy commissioner, union leaders and an expert in communications and privacy also made similar comments.
Anand said "discussions are ongoing" on this topic with Justice Minister Arif Virani and that it's too early to comment.