Government Activities: Legal and Policy Limits
Federal Government
The Privacy Act (Canada) was enacted in 1982 and applies to the laws and policies of the federal government. It is a first-generation privacy law, and unfortunately has not been substantially updated since 1982. Most experts agree that the Privacy Act (Canada) is outdated and provides very weak protection of personal information that is collected, used and disclosed by the Canadian government.
The Privacy Act does impose some requirements on the federal government to protect personal information. The Act controls how the government will collect, use, store, disclose and dispose of personal information. However, it applies only to recorded personal information – it does not protect personal information that is not in a record, such as when biological samples (like DNA) or real-time information (such as live video surveillance that is not recorded) are collected, used and disclosed.
These requirements are fleshed out by the policies of the Treasury Board of Canada which sets the guidelines for the government to follow under the Act. These policy documents are not binding on a court, but they are mandatory for all government institutions.
British Columbia Government
The Freedom of Information and Protection of Privacy Act (BC) ( FOIPPA) limits the purposes for which personal information can be collected, used or disclosed, and sets out penalties for violation of the law.
FOIPPA also requires public bodies to carry out a Privacy Impact Assessment (a “PIA”) on all new programs and initiatives. (S. 69(5) of FOIPPA: The head of a ministry must conduct a privacy impact assessment and prepare an information-sharing agreement in accordance with the directions of the minister responsible for FOIPPA).
The PIA is intended to perform an analytical and an educational function. As an analytical tool, it is supposed to help identify the privacy impacts of new initiatives and programs. As an educational tool, it is supposed to increase awareness among government departments and service providers of the requirements of privacy law. Unfortunately, PIAs are not always done. When they are done, they are often done poorly, or very late in the process. When that happens, their analytical or educational value is doubtful.