Jul 13, 2026 in Policy and Positions by DIACC
The Privacy Act came into force in 1983 and has never been substantially updated. In April 2026, the Treasury Board of Canada Secretariat launched the first comprehensive review of it, outlining 23 policy proposals across 6 themes and asking two questions: Do you agree with the approach, and is anything missing?
DIACC filed its submission ahead of the July 10 deadline. This page sets out what we said, and why.
The submission is offered as analysis informed by member experience. It is not a position adopted on behalf of any individual member or government, and it does not advocate for any particular vendor or technology.
Theme 1: Enabling integrated services
Proposal 1 (sharing and reuse of personal data across programs, without consent, where a public interest or benefit to individuals is served). We support the direction. Replacing the default of repeated direct collection with a purpose-based approach is consistent with international practice and with the authoritative-source model that underpins modern digital service delivery. The four conditions attached to it are well calibrated: the reuse must be necessary, minimally intrusive, strongly safeguarded, and transparent.
Removing consent from the equation places considerable weight on those four conditions. They are the whole of the protection. Our submission’s position is that the conditions must be demonstrable in practice, not merely stated in statute, and that implementation guidance carries the load.
Proposal 2 (designated official sources of government digital data). This is the proposal we would most want to see survive the drafting process.
It would name certain institutions as the official source for specific types of personal data, and require other programs to obtain that data from the designated source rather than collect it again. The paper is candid that the driver is accuracy as much as convenience: under the current siloed model, a person who updates their information with one program and not with four others leaves the government holding several versions of the same person.
Provinces have been operating versions of this model for years. The BC Services Card serves more than 4.6 million British Columbians.[4] Quebec’s Government Authentication Service supports over 3.5 million accounts.[5] Alberta launched Canada’s first mobile health card in August 2025.[6] In the private sector, Interac’s sign-in service already carries more than 141 million federal government interactions annually.[8]
The consultation paper says designation would be guided by clear criteria and overseen by TBS, and that TBS could maintain a registry of official sources. We asked for three things in that work.
Auditable assurance frameworks should inform designation criteria, so that designation means an institution is held to a consistent and verifiable standard rather than simply named to a list.
The registry should be public and written in plain language, so that a Canadian can find out which institution is the official source of their data. A registry that exists only as an internal administrative instrument does less to build trust than one that people can actually read.
The model should be built for federal-provincial interoperability from the outset. Health, benefits and employment data cross that boundary constantly, and the paper itself allows that the approach could be extended across levels of government. Designing for that later is harder than designing for it now.
Theme 2: Enhancing accountability and transparency
We support all four proposals in this theme.
Elevating Privacy Impact Assessments to a legal requirement (Proposal 3) and publishing plain-language summaries of them strengthens accountability without imposing an unreasonable burden. Replacing the fragmented Personal Information Bank regime with a single centralized registry of personal data holdings (Proposal 4) is a straightforward improvement in service design and in transparency.
Regarding the automated decision proposals (Proposals 5 and 6), we support the direction but think something is missing from them.
The proposals would require institutions to notify individuals when an automated decision system is used and, upon request, explain how a decision was made and what data informed it. As those systems take on more consequential decisions, an institution’s ability to establish who the data subject actually is, and on what basis their consent was captured, does more work than it used to. Identity and consent assurance should be addressed in the Act’s automated decision provisions themselves, working alongside the Directive on Automated Decision-Making rather than being left entirely to it.
Theme 3: Advancing safeguards across the spectrum of data sensitivity
We support all five proposals in this theme.
Recognizing a spectrum of data sensitivity and identifiability in law (Proposal 7) is overdue, and the proposed categories align with international standards and provincial regimes. Creating legal requirements for breach management, notification, and reporting (Proposal 8) brings the Privacy Act into line with PIPEDA and international peers and is foundational.
Requiring safeguards proportionate to sensitivity (Proposal 9) is appropriate. We note that auditable assurance frameworks provide institutions with a demonstrable means of evidencing that physical, technical and administrative safeguards meet the legal requirement, rather than merely asserting that they do.
The necessity test for collection (Proposal 10) and the retention and disposal requirements (Proposal 11) are well calibrated. Institutions applying them will need to document, on a defensible basis, the authority and the retention rule applicable to each category of data they hold.
Theme 4: Modernizing the foundation for privacy and trust
We support all four proposals in this theme.
Recognizing privacy as a fundamental right while also naming service delivery as an objective (Proposal 12) resolves a tension that has never existed. Privacy protection and modern digital service are not competing goods, and a statute that says so plainly permits institutions to pursue both.
Listing privacy principles in the Act (Proposal 13) and aligning them with PIPEDA, the GDPR, and OECD guidelines reduce the interpretive burden for organizations working across federal, provincial, and private-sector regimes at once. We put particular weight on privacy by design, necessity, proportionality, effectiveness, and minimal intrusiveness.
Consistent definitions (Proposal 14) and a harmonized request regime (Proposal 15) are practical improvements that will be felt by anyone who has tried to request the current framework.
Theme 5: Indigenous Peoples’ access to, and protection of, their data
Our answer here was mostly deference.
Provisions governing Indigenous data must be developed in direct partnership with Indigenous governments and organizations, recognizing their distinct rights, perspectives, and priorities. We support the directional intent to recognize Indigenous data sovereignty and enable Indigenous governments to access their citizens’ data through formal agreements. On the substance of how those provisions should be drafted, and on the terminology the Act should adopt, we defer to Indigenous partners.
DIACC is engaged in exploratory dialogue with Indigenous organizations on co-design opportunities in digital trust. DIACC and its members can help build what those partners design. We are not the right authors of it.
Theme 6: Updating the compliance framework
We support the proposals in this theme.
We give particular weight to Proposal 20, which would authorize the Privacy Commissioner to share information with other oversight bodies. Canadians’ data moves among federal, provincial, and international regimes, and coordinated oversight across those regimes is a precondition for trusting that it is consistently protected as it travels.
We also support binding order-making powers and published corrective action plans (Proposal 19), offences for unauthorized re-identification (Proposal 21), expanded Federal Court authority (Proposal 22), and a mandatory five-year review (Proposal 23). Together these move the Act from a framework that describes obligations to one that can enforce them.
The consultation’s second question is the more interesting one. Our answer had four parts.
The proposals stop short of the proof. A statute sets obligations. It does not settle how an institution demonstrates it has met them; that gets worked out afterwards in Treasury Board policy, in implementation guidance, and in whatever frameworks institutions end up using to evidence compliance. The consultation paper is detailed on the obligations and thin on the proof. More than 250 federal institutions will have to supply it.[10]
Auditable, technology-neutral assurance frameworks are one available means of closing that distance, across identity verification, consent management, automated decision-making, designated official sources, and inter-institutional sharing. They can be certified by independent third-party audit. Canadian industry and several provincial governments already operate on them. The Pan-Canadian Trust Framework is one such example, and Appendix B below shows how its components align with individual proposals. We offer that as information as an educational and operational example..
Independent certification is a recognized means of evidencing assurance. Where an institution needs to show that a service meets defined privacy and verification criteria, including in procurement, third-party certification against a published, technology-neutral framework is one auditable means of doing so.
Alignment with provincial regimes should happen at the principles and assurance layer. Canadians do not experience federal, provincial and municipal services as separate jurisdictions. Aligning at the level of principles and assurance, rather than attempting to align the legislative text, would allow a modernized Act to sit alongside BC’s FIPPA, Alberta’s FOIP, Quebec’s Law 25 and Bill 82, and Ontario’s regime without asking any jurisdiction to give up its authority.
Privacy reform is also service reform, and it bears on fraud. Canadians reported more than $704 million in fraud losses in 2025.[1] Synthetic identity fraud has climbed sharply as a share of credit applications.[2] Canada’s suspected digital fraud rate reached 4.4% of attempted transactions in 2025, above the global average of 3.8%.[3] The assurance sitting underneath federal identity and verification affects people’s money as well as their privacy. A modernized Act that supports auditable, interoperable assurance strengthens public trust and bolsters the digital economy, which depends on trusted federal data.
DIACC is Canada’s non-profit public-private forum on digital trust and verification, established in 2012 following the recommendations of Finance Canada’s Electronic Task Force for the Payments System Review. Our membership includes federal institutions, provincial and municipal governments, and the financial, telecommunications and technology partners that build and operate digital services with them.
The Pan-Canadian Trust Framework (PCTF) is an auditable conformance framework for identity, authentication and verification services. It is technology-neutral, built around privacy-by-design principles, and structured to support interoperability across federal, provincial and private-sector regimes.
DIACC’s PCTF Trustmark program certifies services against PCTF criteria through an independent third-party audit. Certified services are listed publicly on the DIACC Trusted List.
DIACC’s strategic priorities for 2026 to 2031 are AI trust and resilience, economic sector acceleration, regulatory alignment and compliance, and inclusive digital sovereignty.
The PCTF was built around principles consistent with the policy approaches in the consultation paper. The following is offered for the reference of anyone interested in how an existing auditable framework maps to the proposals. It is not a recommendation that TBS adopt the PCTF, and DIACC does not advocate for any vendor or technology.
Proposal 1 (responsible sharing and reuse). PCTF identity verification and authentication profiles support the conditions attached to responsible sharing: necessity, minimal intrusiveness, and strong safeguards. The criteria are auditable, providing institutions with a defensible basis for inter-institutional sharing.
Proposal 2 (designated official sources). PCTF provides certifiable assurance criteria for institutions seeking designation, supporting consistent trust standards across designated sources.
Proposal 3 (mandatory PIAs). PCTF profiles include privacy-by-design criteria that map to PIA requirements.
Proposal 5 (transparency for AI and automated decision systems). DIACC’s AI verification and Verified Agent (Know Your Agent) criteria, currently in development, are designed to support transparency and explainability requirements for AI-supported decision systems.
Proposal 6 (strengthened privacy notices). PCTF consent criteria support plain-language notice requirements.
Proposal 7 (sensitivity spectrum). PCTF assurance levels apply proportionate safeguards based on the sensitivity and identifiability of the data being verified or authenticated.
Proposal 8 (breach management and notification). PCTF certification requirements include breach response and notification protocols.
Proposal 9 (legal safeguard requirements). PCTF certification provides auditable evidence that physical, technical and administrative safeguards meet defined criteria.
Proposal 12 (privacy as a fundamental right; service delivery as an objective). The PCTF was designed to support both privacy protection and modern digital service delivery.
Proposal 13 (principles aligned with private sector and international standards). PCTF principles align with PIPEDA, the GDPR and OECD guidelines.
These implementations show how the policy approaches in the consultation paper can work in practice, and where the interoperability opportunity lies for a modernized federal Privacy Act. They are offered as illustrations. DIACC does not speak on behalf of any province or company.
British Columbia. The BC Services Card has been operational since 2013 and now serves more than 4.6 million British Columbians, over 90% of the province.[4] It supports federal interactions, including StudentAid BC and the Canada Revenue Agency. OrgBook BC, launched in January 2019, was the first implementation in North America to use verifiable credentials for organizational identity, and now covers over 1.4 million active legal entities. BC demonstrates the designated-official-source model at provincial scale, including federal-provincial interoperability.
Quebec. The Government Authentication Service, which replaced clicSÉQUR, supports more than 3.5 million accounts. Bill 82, passed on October 28, 2025, establishes the legal framework for a comprehensive digital identity and wallet capability by 2028.[5] Quebec shows that a legal framework for digital identity can be designed to sit comfortably inside a strict privacy regime.
Alberta. Alberta launched Canada’s first mobile health card on August 29, 2025, through the Alberta Wallet app.[6] Parents can hold their children’s cards, and paper alternatives remain available. Alberta shows how sensitive personal data can be made available digitally while upholding privacy-by-design principles and preserving non-digital alternatives.
Industry. Interac’s sign-in service supports more than 141 million federal government interactions annually,[8] and Interac Verified, launched in May 2025, implements a verify-once model that stores data locally on the user’s device.[7] Canadian-controlled assurance infrastructure is operational and already working at federal scale.
International context. The EU Digital Identity Wallet is in active rollout. Commission Implementing Regulation (EU) 2026/798 on wallet enrolment was published on April 8, 2026, and all member states must make at least one compliant wallet available by December 24, 2026.[9] Privacy and digital identity infrastructure are increasingly being designed to interoperate across jurisdictions.
[1] Competition Bureau Canada, “Fraud Prevention Month to bring hidden crime into the spotlight” (March 6, 2026), citing data from the Canadian Anti-Fraud Centre.
[2] Equifax Canada, “Equifax Canada Reports Rise in Automotive Fraud” (September 24, 2024). Synthetic identity fraud rose from 2.8% of credit applications in Q2 2023 to 8% in Q2 2024.
[3] TransUnion, “H1 2026 Update to the Top Fraud Trends Report” (May 13, 2026).
[4] DIACC, “Identity in Action Case Study: BC Services Card” (March 2019); Government of British Columbia, OrgBook BC.
[5] Government of Québec, “About the Government Authentication Service”; ID Tech, “Quebec Passes Landmark Digital ID Law” (October 2025).
[6] ID Tech, “Alberta Launches Canada’s First Mobile Health Card Through Alberta Wallet” (September 2025).
[7] Interac, “Interac launches the Interac Verified credential service” (May 2025).
[8] Interac, “Secure. Trusted. Helping Canada navigate a digital future” (October 2025).
[9] European Commission, Commission Implementing Regulation (EU) 2026/798 on wallet enrolment (published April 8, 2026).
[10] Treasury Board of Canada Secretariat, “2026 Review of the Privacy Act: Policy Approaches” (April 2026).