Resolution of the Federal, Provincial and Territorial Information and Privacy Commissioners – June 2, 2021
- The public health emergency arising from the COVID-19 pandemic has seriously impacted access to information and respect for individual’s privacy rights.
- The pandemic has accelerated trends that were ongoing prior to March 2020. It has heightened concerns among the public about increasing surveillance by public bodies and private corporations and has significantly slowed the processing of many access requests and highlighted a need to modernize this system.
- Privacy and access rights are quasi-constitutional rights. Governments have an obligation to protect them. Particularly during an emergency, respect for the privacy and access to information rights of Canadians remains crucial. This also helps demonstrate accountability in times of crisis.
- Access to government information and respect for privacy are essential for governments to be held accountable for their actions and decisions, and to maintain the public’s trust in times of widespread crisis. By ensuring confidence in decision-making, design and implementation of emergency measures and the systems that support them, access to information and privacy laws actually promote and assist the health and well-being of individuals and their families.
- The lessons learned during this global crisis should be used to improve access to information and protection of personal data as we recover from the current crisis, not only to become better prepared for emergency situations in the future, but also to help Canadians adapt to the new normal of a digital era that is here to stay.
- Recovery and resumption of activities - supported by innovation, technology and digitization - will only be successful and sustainable when they also protect the interests and rights of all citizens.
Canada’s Information and Privacy Commissioners call on their respective governments to show leadership and apply the following principles in the implementation and the necessary modernization of governance regimes around freedom of information and protection of privacy:
In terms of Access:
- Federal, provincial and territorial institutions must recognize the importance of transparency, and uphold the right of access to information during an emergency by ensuring business continuity plans include measures for processing requests for access.
- Institutional leaders must provide clear guidance and direction on the ongoing importance of information management in this new operating environment, which may include working remotely. Properly documenting institutional decisions and any resulting actions, and organizing and storing such documentation in a manner that enables timely access to such documentation are central to principles of open, transparent and responsible government.
- Governments should emphasize both the proactive and voluntary disclosure of government information – particularly, information of significant public interest related to policy-making, public health, public safety, economy, procurements and benefits.
- Respecting the privacy of individuals is critically important. Public bodies must be open and transparent with non-personal or aggregate-level information that the public needs to know to make informed choices and decisions about how to protect themselves and to ensure fair distribution of risks and benefits among all members of society, including the most vulnerable and marginalized groups.
- Federal and provincial institutions should leverage technology and innovation now and in the future to advance the principle of transparency in a manner that meets the public interest and accords with the modern needs of a digital society. The modernization of access-to-information systems must focus on innovative approaches and new information technologies, supported by adequate human resources.
In terms of Privacy:
- To appropriately address digital transformation, privacy laws must be interpreted so as to recognize the fundamental nature of the right to privacy and apply it in a modern, sustainable way, by allowing for responsible innovation that is in the public interest and prohibiting uses of technology that are incompatible with our rights and values.
- Exceptions exist in privacy laws to enable the collection, use and disclosure of personal information for public health purposes during a pandemic and other emergencies. Privacy laws should not be characterized by those subject to them as a barrier to appropriate collection, use and sharing of information. Instead, privacy laws, norms and best practices should be viewed as a way to ensure responsible data use and sharing that supports public health and promotes trust in our healthcare system and governments.
- Emergency measures, including those related to economic and social recovery, should incorporate principles of “privacy by design” to ensure the collection, use and disclosure of personal information is done fairly, lawfully, and securely, in a transparent manner that promotes demonstrable accountability.
- Emergency response and recovery measures involving the exceptional collection, use and disclosure of personal information without consent must be necessary and proportionate in scope, meaning they must be evidence-based, necessary for the specific purpose identified, not overbroad and time-limited.
- Personal information collected in support of emergency measures should be destroyed when the crisis ends, except where the purpose for which the information was collected extends beyond the end of the crisis, or for narrow purposes such as research, ongoing healthcare, or ensuring accountability for decisions made during the emergency, particularly decisions about individuals and marginalized groups.
- Public and private entities must respect principles of data minimization and use limitation, and be required to use de-identified or aggregate-level data, whenever possible, when informing others of information they need to know to keep safe, including the general public.