Privacy Act Modernization: Engagement with Indigenous Partners – What We Have Learned (so far) and Next Steps

Questions for Input

Q1. In what circumstances would you support the inclusion of a purpose clause which recognizes that one purpose of a modernized Privacy Act is advancing reconciliation with Indigenous peoples in Canada by promoting improved sharing of Indigenous individuals’ personal information with First Nations, Inuit and Métis? [see discussion on pages 18-19]

Q2. In what circumstances would you support the addition of a principle recognizing that a federal public body may disclose Indigenous individuals’ personal information under its control to an Indigenous government, organization or entity? [see discussion on pages 19-20]

Q3. For which purposes, in addition to those already included in the Privacy Act, should disclosure of Indigenous individuals’ personal information to Indigenous governments, organizations or entities be authorized? [see discussion on pages 20-21]

Q4. Which approaches would you support to expand the purposes for which Indigenous individuals’ personal information could be disclosed without consent?

A) Would you support (a) listing all the purposes for which disclosure is permitted, (b) allowing disclosure regardless of the purpose, or (c) an alternative approach? [see discussion on pages 20-21]

Q5. Which concepts and definitions would you support to ensure that the Privacy Act appropriately recognizes the diversity of First Nations, Inuit, and Métis Nation governments? [see discussion on page 22]

Q6. If a modernized Privacy Act were to authorize disclosure of Indigenous individuals’ personal information regardless of the purpose, should this broad disclosure authority be for Indigenous governments only or for all Indigenous governments, organizations and entities? [see discussion on pages 22-23]

Q7. If a modernized Privacy Act were to authorize disclosure of Indigenous individuals’ personal information for a new list of specific purposes, which types of Indigenous entities (governments, organizations and/or other entities) should be identified as authorized recipients for each of these purposes? [see discussion on pages 22-23]

Q8. What measures should be used to assist a federal public body in ensuring that an Indigenous government, organization, or entity is authorized to receive the personal information of its citizens or members? [see discussion on pages 22-23]

Q9. In what circumstances would you support expanding the Privacy Act’s disclosure provisions to authorize federal public bodies to transfer personal information?

A) Should the transfer of personal information be authorized in general or limited to specific situations, such as where there is also a transfer of a program or activity?

B) Should federal public bodies be authorized to transfer personal information to all or some Indigenous governments, organizations or entities? [see discussion on pages 23-24]

Q10. What mechanisms should the Privacy Act recognize to support expanded information sharing and to ensure the protection of personal information disclosed or transferred to First Nations, Inuit and Métis governments and organizations in line with federal public bodies’ responsibilities and accountability obligations?

A) Should a new Act explicitly recognize information sharing agreements (ISAs) and Indigenous peoples’ own legislation and privacy codes as mechanisms to support personal information sharing and protection? [see discussion on page 24].

Q11. In what circumstances would you support the development of legislative or regulatory requirements to establish the baseline privacy protections that any chosen mechanism (whether ISAs, Indigenous privacy legislation or code) should include to mitigate the impacts of disclosure and transfer on Indigenous individuals’ privacy interests? [see discussion on pages 24-25].

Q12. What baseline privacy requirements should be discussed after engagement on the potential changes identified in Part 2 has concluded? [see discussion on pages 24-25].