Privacy Commissioner Tries to Nudge NS into 21st Century

I think I made the Annual Report of the Office of the Information and Privacy Commissioner (OIPC) of Nova Scotia for 2016-2017. I can’t say for sure, but one of the cases described by the commissioner, Catherine Tully, sounds like an entry from my 2016 diary:

Source: Annual Report of the Office of the Information and Privacy Commissioner of Nova Scotia for 2016-2017. Click to enlarge.

I think the public body is the Cape Breton Regional Municipality, the first reporter is the CBC’s Paul Withers and the “different reporter” (which is probably exactly how the CBRM describes me) is yours truly.

Withers had requested and received information about monies paid to the CBRM’s old port marketers, Paul Richardson Associates. I then requested a copy of the same information. The CBRM, it should be noted, before asking the OIPC if I had to submit my own FOIPOP request told me, in no uncertain terms, that I did have to. (You can read the whole story here.)

But the Privacy Commissioner told the municipality otherwise and — check me out — my case became a teachable moment.


Open, reusable, accessible

Sorry, I didn’t mean to make the privacy commissioner’s report all about me, I just got excited when I recognized that “different reporter.”

The report is not actually a good-news document. Although Tully’s office is closing cases faster than ever and the number of Nova Scotians availing themselves of her services is climbing, the overarching message in the 2016-2017 report is that “Nova Scotia’s access and privacy laws are simply no longer up to the task.”

Why? Oh, so many reasons — one of the most amazing being that our access legislation imposes no “legal obligation to create records in the first place.” And as Tully points out:

A right to access government information is meaningless if no record exists.

Nor, Tully notes, have Nova Scotians been guaranteed the right to receive information “in an electronic format so that the data is open, reusable and accessible.” Tell me about it. I recently spent a ridiculous amount of time going through a list of companies trying to find all mentions of a particular firm — a job my cat could have done had the document, which was electronic, also been searchable. But it wasn’t. I had to resort to printing it out and using a yellow pencil crayon to note all the relevant entries.

Nova Scotia also has “the weakest public interest override of any Canadian jurisdiction.” This adds insult to injury, given how many exemptions to the obligation to disclose we have, because a public interest override with teeth would mean that no matter the exemption, public bodies would always have to consider “whether or not the disclosure would nonetheless be in the public interest.”

Cover illustration from "Accountability for the Digital Age," the report of the NS Information and Privacy Commissioner. Apparently, the government can now directly access our brains.

Cover illustration from “Accountability for the Digital Age,” the report of the NS Information and Privacy Commissioner. Apparently, the government can now directly access our brains.


Kicking & Screaming

When it comes to “modernizing” privacy rights, Tully finds that:

Nova Scotia’s privacy laws lack virtually all of the essential modern privacy protections found in other Canadian jurisdictions.

This matters, as our government enthusiastically embraces Big Data. Look at the information it gathers about students in the provincial education system: everything from their dates of birth to their addresses to their medical records to their disciplinary records to their marks to their personalized learning programs is collected and stored online. And the question of medical records and privacy is so key, it’s governed by its own legislation, the Personal Health Information Act.

Little wonder, then, that Tully says Nova Scotia needs “clear processes and strong privacy protections” if it is to use Big Data to provide services to citizens while ensuring their privacy.

Without those fundamental privacy protections, databases of citizen information are not adequately protected for the 21st century…Nova Scotia’s laws also need to include privacy management program requirements, requirements for collection notification, and effective provisions to ensure that public bodies create an inventory of all of the personal information they collect about citizens.


Oversight & Organization

In the matter of oversight, Tully recommends that the Commissioner be an independent officer of the legislature, as is the case in every other jurisdiction in Canada. As it now stands, the Privacy Commissioner’s budget is approved by the Department of Justice, over which she has oversight, which “significantly undermines the perception and reality of the independence of the office.”

Also, public bodies should not be allowed to ignore her recommendations — to which I would ask leave to append a big “DUH.”

As for the way we organize our information access system, it needs to be more consistent and less confusing — we have four laws governing public sector access and privacy rights in Nova Scotia (FOIPOP, the Municipal Government Act, the Personal Information International Disclosure Protection Act and the Privacy Review Officer Act). Tully says they need to combined into one FOIPOP Act.

And while we’re at it, we must get rid of the numerous exemptions and notwithstanding provisions that have “diluted access to information rights, slowly weakening legislation essential to the health of the province’s democracy.”

The Privacy Commissioner also suggests we create “a clear, criteria-based definition of public body” and while she doesn’t elaborate, I will — that definition should include, as the Centre for Law and Democracy has suggested, entities that receive significant public funding.

You can read the full report here.




The Cape Breton Spectator is entirely reader supported, consider subscribing today!