Federal departments violated privacy directive, committee hears

Privacy Commissioner Philippe Dufresne is the first person to appear before a parliamentary standing committee examining federal use of personal data extraction tools.  (CBC - image credit)
Privacy Commissioner Philippe Dufresne is the first person to appear before a parliamentary standing committee examining federal use of personal data extraction tools. (CBC - image credit)

Canada's privacy commissioner told a parliamentary committee looking into the federal government's use of tools capable of extracting personal data from mobile phones, computers and tablets that necessary steps had been skipped.

Philippe Dufresne said he first learned of these tools being used by at least 13 federal departments and agencies through a Radio-Canada report published in November.

His office should not be learning about the use of such technology after the fact, he told the standing committee on access to information, privacy and ethics on Thursday.

The tools being used by those federal departments can recover even encrypted and password-protected data found on mobile phones or computers.

Certain software can also be used to access a user's cloud-based data and reveal their internet search history, deleted content and social media activity.

Digital forensics tools "can be used in ways that do raise important privacy risks," the privacy commissioner said.

A federal directive requires all federal institutions carry out a privacy impact assessment prior to any new activity that involves the collection or handling of personal information. The goal is identifying privacy risks and ways of mitigating or eliminating them.

None of the 13 agencies or departments carried out such an assessment.

These two devices that enable data collection are examples of those purchased by some federal departments and agencies.
These two devices that enable data collection are examples of those purchased by some federal departments and agencies.

These two devices that enable data collection are examples of those purchased by some federal departments and agencies. (Cellebrite/Magnet Forensics)

Privacy assessments needed, commissioner says

Dufresne lamented the fact that this requirement is still not enshrined in the Privacy Act to make it a binding legal obligation.

"Often we'll see the situation where the tool is developed, it's used, and then we do a privacy and impact assessment," he said.

In a time where technology is becoming more and more powerful, Dufresne said privacy protection is even more necessary.

"It's going to be even more important to reassure Canadians," he said. "We need to have that reflex of privacy by design, privacy at the front end."

Dufresne said he's communicated with the 13 federal departments and agencies following Radio-Canada's reporting and is pushing them to carry out privacy impact assessments — but he does not have the necessary powers to force them to.

(CBC)

"Some of these tools can be used appropriately. There are good reasons for it, but we need that privacy check. We need that assessment," Dufresne said.

The 13 departments and agencies in question will have the chance to explain their use of these data extraction tools in front of the committee in the coming weeks. Some say they use this technology to conduct internal investigations or to enforce laws.

Committee member and NDP MP Matthew Green said he's concerned there are potentially more departments also using these technologies.

The committee has agreed to communicate with each of the 137 federal institutions to hold them to account.