Rising to the Challenge

8^th Annual Access and Privacy Conference

June 17, 2005
Edmonton, Alberta

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)

I would like to speak to you about the current state of health of this right we call privacy, discuss why privacy is more than a little under the weather, and the challenges we face in bringing privacy to a state of more robust health.

In particular, I would like to suggest several ways we can advance the cause of privacy in the face of rapidly moving technology and a political environment heavily focused on addressing national security concerns which is often at odds with the protection of privacy rights.

Ambivalence of views on technology

Change is upon us at an escalating pace. And many of us are left reeling in the wake of that change, unable to fully grasp all its privacy implications, even less able to anticipate future changes, and often struggling at the same time to waken governments from their legislative and policy slumber about privacy.

We know, for example, that the federal government is not dealing as well as it might with privacy issues flowing from e-government, one of Canada's flagship service delivery programs. In a 2005 annual survey on customer service maturity in e-government from Accenture, Canada ranked first among the 22 countries surveyed for the fifth year running. Canada is seen as a world leader in e-government. We have seized the power of technology to improve the delivery of government services. At the same time, however, federal institutions are failing to provide the vital IT security to protect the personal information of Canadians that circulates about the e-government environment.

Many of you will be aware of the findings in the February 2005 report of the Auditor General of Canada on information technology security. Ms. Fraser last audited IT security in 2002 and found that progress since then was still, as she says, "unsatisfactory," despite encouraging signs of improvement. She concluded that the government still does not meet its own minimum standards for IT security. Reviews and assessments of IT security performed in the last two years have indicated serious weaknesses in controls over access to data, programs, and networks.

The Auditor General has urged senior managers in departments to pay more attention to identifying threats and risks adequately, developing action plans to correct the weaknesses, and becoming fully compliant with IT policy and standards.

I endorse her position. IT security is essential if we are to entrust to government the handling of our personal data in its e-government operations.

Interdisciplinary Responses to Privacy Developments

I know that a few members of this audience attended the Computers, Freedom and Privacy conference in Seattle in April, where many other issues relating to technology were raised. An important message emerged from that meeting — one that we as access and privacy professionals may know intuitively, but that bears repeating nonetheless.

We, specialists or aspiring specialists in questions relating to the regulation of personal information, cannot alone understand, or even monitor, all the developments in technology that have privacy implications. The technology sometimes seems generations ahead of legislative responses to it, and frequently far ahead of the responses from us.

We also often do not have the easy access to the expertise we need to understand the privacy implications of these technologies.

Look at the panoply of issues that have confronted Canadian society in recent years — the privacy implications of AIDS, employee drug testing, genetic privacy, including forensic DNA analysis, increased data matching and data mining, surveillance cameras (and now "intelligent surveillance cameras" that further refine surveillance), thermal imaging, phishing (not the aquatic kind), spyware, biometrics, RFID chips — just to name a small number of the total.

We must recognize the interdisciplinary nature of our work. Privacy professionals must be able to work with personal information as it affects the area of operation of their department or agency — national security, human resources, drug policy, technology, biometrics or human rights generally. We cannot expect a quality analysis of data protection issues unless we integrate specialized technical knowledge. At the very least, we need to provide privacy professionals with the means to obtain access to the expertise that will help them understand and confront these issues.

Building Privacy into the Design of Technologies and Code

One solution to the explosion of technology lies in encouraging technologists to build privacy into the design stages of their technology. Alan Borning, a professor in the Department of Computer Science & Engineering at the University of Washington, has spoken of the need to integrate considerations of human values with computer system design — a process he describes as "value sensitive design." Technology is not truly value neutral, he argues. Some technologies are inherently more consistent with preserving human values, including privacy.

Others at the Seattle conference spoke of the need to educate the creators of new technology about the world of privacy. They can then share the burden of assessing the privacy implications of what they are developing, as they develop it.

The Washington-based Center for Democracy and Technology has had a standards development process since 2001, attempting to establish privacy goals for builders of technology. Once these goals are established, and technologists accept them, they can build privacy into the design of new technologies.

Professionalizing Privacy Professionals

The mechanisms introduced to administer the practical aspects of privacy in government — often through ATIP coordinators — have not received the attention or the professional formation they both need and deserve. ATIP coordinators need to see their status elevated, if they are to act as an effective bulwark against the host of privacy intrusions we face.

Those working in the ATIP field need to have a set of verifiable competencies. In other words, we need to professionalize the field. We can do this through more extensive education and a greater recognition of the pivotal role that those involved in ATIP matters bring to the protection of privacy in Canada.

ATIP coordinators must not be seen as administrators, but as privacy professionals who contribute to the development of policy and who are alert to the privacy issues that arise in their departments or agencies. They should perhaps be seen as the governmental equivalent of the Chief Privacy Officers that we increasingly see operating at the upper echelons of the private sector today.

I don't know whether the model for accrediting privacy professionals offered by groups such as the International Association of Privacy Professionals — the IAPP — is the best model, but it bears consideration as long as there is a system for examining and accrediting competencies. We need to elevate the work — and the perception of the work — of privacy professionals to the level it deserves.

Role of NGOs

We also know that the legislatively established privacy specialists or bureaucrats cannot go it alone. Individuals need to be enforcers of their own privacy rights, particularly when many privacy offices were designed to react to complaints, rather than deal with issues proactively.

We also need to recognize the increasingly important role of the NGO sector in highlighting privacy issues and, in many cases, providing some of the expertise that is needed for privacy commissioners to grasp more fully the privacy implications of policies and technologies.

Several examples come to mind — the Canadian Civil Liberties Association and its provincial counterparts, BC Freedom of Information and Privacy Association, Option Consommateurs in Quebec, groups outside Canada such as the Electronic Privacy Information Center — EPIC — and the Electronic Frontier Foundation, the Privacy Rights Clearinghouse, Statewatch and numerous other organizations, such as the Canadian Bar Association, that alert privacy commissioners and the public to emerging privacy issues.

Remember that challenges to many of the major privacy issues confronting us in Canada were often raised first by these communities of NGOs, sometimes NGOs outside Canada. Think of the opposition to the proposed Total Information Awareness championed by the US Defence Advanced Research Project Agency, and the initial alerting of the privacy community to the implications of the USA Patriot Act. These challenges came first from the NGO community, and helped give us the background that information and privacy commissioners in Canada needed to take those challenges further. In short, the NGO community is a vital mechanism for alerting the governmental privacy analysts to issues and providing the expertise and analysis that helps to inform our approaches to the issues.

We also need to encourage industry to come forward on its own with privacy issues. Our goal is not to hamper industry, but rather to establish a peaceful co-existence between privacy values and commercial imperatives.

Privacy Act Reform

I don't wish to sound like a squeaking wheel about Privacy Act reform, but I believe that the old adage still holds, so let me repeat the following message again. Our federal Privacy Act needs significant reform if it is to be more than mere privacy window dressing. The Act and, for that matter, many other laws that seek to protect privacy, are simply not up to the task of countering the thrust for greater surveillance and the intrusive might of new technologies.

Even calling our Act the "Privacy Act" is misleading. It deals only with data protection, a subset of privacy, and is at best a regulatory statute with little bite. Calls for its reform began 18 years ago — an acknowledgment that the Act was inadequate even in the technologically prehistoric days of the 1980s — but the only serious reform has been a measure under the Anti-terrorism Act to weaken its provisions.

Data matching is the current mantra of those promising greater security for Canadians. Yet amidst today's incessant calls for increased governmental powers to match and mine data, the Act is powerless. The Act contains no provisions on this highly intrusive manipulation of personal information.

The Treasury Board of Canada adopted a policy on data matching in 1989. However, this is simply a policy directive and does not have the force of law. It requires federal institutions subject to the Privacy Act to conduct a detailed assessment of any proposed data matches and also requires that my office be notified 60 days before the matches begin.

Unfortunately, this policy seems to be honoured most often in the breach. In 2003-04, we received only 10 notifications of data matches. We have long suspected that most data matching is simply going unreported.

And even in those few cases where I am notified about a data match, I have no power to stop or limit the match.

I was very encouraged two months ago when the government released new reporting requirements which will require Deputy Heads to report on data matching and sharing activities. Annual reports on privacy and access matters will now become more meaningful. This is a very positive and significant step in the right direction which will go a long way to addressing issues of compliance with the Privacy Act. But much remains to be done.

The ombudsman role that has been the foundation for the Privacy Commissioner's activities since 1983 has also been discussed among experts may very well be revisited by Parliament at the legislative review of PIPEDA in 2006. Is the current ombudsman model the most effective way to protect privacy in this world of high-octane surveillance? Let's take the opportunity presented by the review of PIPEDA next year to rethink the ombudsman role at the federal public sector level as well.

The Privacy Act has many other failings. For example, the disclosure provisions in section 8 of the Act read like a how-to list for sharing information with foreign governments, and there is precious little in the Act to control the outsourcing of personal information processing to countries with uncomfortably intrusive police powers.

For these and many other reasons, our Act is simply not up to the expectations of Canadians, nor does it meet the needs of a democracy. Substantial reform of the Act must be part of the package as we step into the future.

Conclusion

Protecting privacy cannot be left to any one person or agency. It must be a collective effort involving people, policies and laws. Otherwise, we will find this fundamental right diminished on many fronts — from intrusive technologies, the push for increased government surveillance, the sharing of personal information across borders and the thirst of the corporate world for ever greater details about our lives.

In particular, if we don't step up to the challenge of preventing the further development of an "all terrorism, all the time" mindset in government, we will inevitably face the unhappy ending of "all surveillance, all the time." If that happens, we may just as well all go home — under the watchful eye of the state, of course.

That is not the outcome we want. But protecting this fundamental human right requires a collective effort. It involves my office, the offices of my provincial and territorial colleagues. It involves other government agencies and departments whose mandates encompass human rights, technology and trade issues. It involves the NGO community; it involves the community of those developing technologies. It involves the private sector. It involves a solid, sufficiently trained and respected cadre of privacy professionals within government. And, finally, it involves individual Canadians who are willing to stand up and challenge the excesses of governments and the private sector.

We work together and privacy has at least a reasonable prospect of surviving. If we do not stay the course, and we will watch the inevitable disappearance of this element of our freedom.