The federal privacy gatekeepers identified a new market for identity thieves when they addressed the issue of online posting of decisions of federal administrative and quasi-judicial proceedings in the Annual Report of the Office of the Privacy Commissioner (OPC) of Canada. This report on the Privacy Act was tabled by the Privacy Commissioner of Canada, Jennifer Stoddart, for the period from April 1, 2007 to March 31, 2008. The two federal privacy laws in Canada are the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The former imposes obligations on some federal departments and agencies to limit the collection, use and disclosure of personal information. The latter, on the other hand, sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. It is the Privacy Commissioner of Canada that oversees both the Acts, and receives and investigates related complaints.
Stoddart, in her report, highlights that privacy is not an absolute right and can be subject to override if it enables the protection of a greater good- public health, consumer safety or national security. Achieving a balance between these objectives can be difficult, as illustrated by the following two governmental initiatives- Canada’s Passenger Protect Program or the “no-fly list”, and enhanced driver’s licences with RFID chips permitting location tracking. In both cases, there are profound concerns about privacy, but the good intention and overall benefits of these initiatives are also well comprehensible. The no-fly list is aimed at curbing terrorist activities on planes, and the new licences provide an alternate form of identification for border crossing.
The OPC report paid special attention to the ‘seemingly harmless’ activity of online posting of the decisions of federal administrative and quasi-judicial bodies. The OPC investigated 23 complaints in 2007-2008 with respect to the disclosure of personal information on the Internet by seven Parliament created adjudicative bodies- Canada Appeals Office on Occupational Health and Safety; Military Police Complaints Commission; Pension Appeals Board; Public Service Commission; Public Service Staff Relations Board; RCMP Adjudication Board; and Umpire Benefits decisions (Services Canada). The decisions of these bodies have been found to include private information such as marital status, medical information, education and employment histories, extensive personal health information, source of income, and place of residence. On one hand, this practise of online decision posting seems to uphold the principle of Rule of Law. By posting decisions online or following the “open-court” principle, these bodies claim to uphold fair and transparent decision making, and to keep a check on arbitrary and unconstrained rulings. On the other hand, there is an unfortunate potential of exposing people identified in the rulings to public ridicule and embarrassment, and also the perils of identity theft and stalking.
Some of these investigated bodies argue that they are allowed by the Privacy Act to disclose the personal information under the control of a government body for the purpose for which it was obtained or compiled. In addition, they argue that the publicly accessible nature of administrative proceedings renders the information publically available and not subject to the Act. Some also draw attention to the legislative silence on this issue. Even though the OPC makes convincing rebuttals to these arguments, it ought to be noted that unlike PIPEDA, the Privacy Act does not empower the Privacy Commissioner to enforce her recommendations through legal actions. However, the Stoddart report rightly identifies the need to have a government-wide policy, based on consultations with a wider range of government institutions, as an important next step in protecting privacy.