RCMP blamed after woman denied entry to U.S. over suicide attempt
OTTAWA — A Canadian woman was turned back at the U.S. border after information about her suicide attempt was inappropriately shared with American officials through an RCMP-administered database, the federal privacy watchdog says.
The incident is just one illustration of how government agencies and private businesses must do a better job of safeguarding personal data in the digital era, privacy commissioner Daniel Therrien said Thursday.
Reforms are needed to strengthen the federal privacy law that covers government agencies as well as the companion law for private-sector organizations, said Therrien, who wants new order-making powers and the ability to levy fines, bringing Canada in line with many provincial and international counterparts.
“It is not enough for the government to say that privacy is important while taking no systemic measures to protect it,” the commissioner said in his annual report tabled in Parliament.
“An overwhelming majority of Canadians are concerned about how the digital revolution is infringing on their right to privacy. They do not feel protected by laws that have no teeth and organizations that are held to no more than non-binding recommendations.”
Therrien said he won’t wait for legislative changes, and will begin to improve privacy protections by:
Initiating more investigations on his own, rather than waiting for public complaints, given that his office is often better placed to identify emerging problems;
Specifying four key elements that must be highlighted in privacy notices, which are now often incomprehensible: the information being collected, who it is being shared with, the reasons for collection, use and sharing, and the risk of harm to people;
Spelling out information collection and handling practices that should be prohibited because they’re likely to cause significant harm to people.
Therrien’s latest report comes amid almost daily headlines about digital breaches of personal information due to lax practices by companies and government agencies.
In the attempted suicide case, Therrien’s investigation found the sensitive information was uploaded to the national police database known as CPIC by the Toronto police service, which had responded when the woman called 911.
Certain information in CPIC is shared with American law-enforcement agencies under an agreement between the RCMP and the U.S. Federal Bureau of Investigation. The privacy commissioner therefore concluded the Mounties are responsible for ensuring this sharing complies with the Privacy Act. The information about the attempted suicide was recorded by Toronto police to help officers should they encounter the woman in future. But U.S. Customs and Border Protection used the information for an entirely different purpose — a violation of Canada’s privacy law, the commissioner found.