|
|
|
|
|
|
|
|
|
|
|
|
|
|
 PrivacyCommissionerANNUAL REPORT1997-1998
The Privacy Commissioner of Canada (613) 995-2410, 1-800-267-0441 © Minister of Public Works and Government Services Canada 1998 This publication is available on audio cassette, computer diskette and on the Office's Internet home page at http://infoweb.magi.com/~privcan/ 
Privacy Commissioner of Canada July 1998 The Honourable Gildas L. Molgat Dear Mr. Molgat: I have the honour to submit to Parliament my annual report which covers the period from April 1, 1997 to March 31, 1998.
Yours sincerely, Bruce Phillips
Privacy Commissioner of Canada July 1998 The Honourable Gilbert Parent The Speaker The House of Commons Ottawa
Dear Mr. Parent: I have the honour to submit to Parliament my annual report which covers the period from April 1, 1997 to March 31, 1998.
Yours sincerely, Bruce Phillips Table of contents Some Unfinished Business This annual report marks both the end of my seven-year term and the beginning of a two year extension. It seems an appropriate moment to express my gratitude to Parliament for this opportunity to deal with two pressing issues.The first is seeing an effective and enforceable privacy law in place in the private sector. The second: ensuring that the planned health information infrastructure does not lead to open season on patients' medical information. About which, more in a moment. Certainly the information landscape has been transformed during this term but it is a transformation well underway seven years ago. Computer technology led the revolution in information management, bringing with it all the promise and peril of massive new collection and use of personal information. All the prophecies made at the time, both for good and for ill, have been borne out.The personal information of millions of people is being collected, manipulated, massaged, bought and sold, used and abused at a rate now many times faster than was possible seven years ago. We have seen the maturation of perhaps history's greatest and potentially most liberating communications system, the Internet. Millions more users join the Net each year, and surely it will soon become as much a commonplace as - and may well supplant - the telephone for much of the world's commercial transactions and personal communications. But Internet has also brought new problems; threats to privacy, decency and truth (and possibly to individual safety).With the abuses comes a corresponding effort by society generally, and governments particularly, to gain some control. Some of these efforts, such as those aimed at eliminating the traffic in pornography, are entirely commendable. Others are unappealing. One of the latter is the government's appetite to control and override encryption, the most-promising technique for assuring adequate privacy for individual users and security for electronic commerce. Strong-arm initiatives such as these might well prove a suffocating inhibition, and destroy much of Internet's value as an open and wonderfully flexible method for the world to communicate. Meantime, the drift toward increasing surveillance of our society has become a flood. Almost every day, we read of more spy-cameras in another community. More streets, more businesses, more workplaces are subjected to the baleful stare of these electronic Little Brothers. As usual, the surveillance is done in the name of greater security and safety. Sometimes it may even be justified. More often it is not, witness the recent decision of one bar owner to install cameras to record the unruly behaviour of some patrons. This pervasive surveillance signals a rapid approach to rock-bottom in our respect for individual rights. Easier to resort to a quick surveillance fix and diminish everyone's right to some private enjoyment, rather than accept responsibility for maintaining a civilized atmosphere by refusing admission to, or turfing out the rowdy. But even more depressing is our uncritical acceptance of this spreading surveillance. We can achieve perfect safety and security to be sure. And, of course, we have nothing to hide. All we have to do is give up any notion of personal freedom. On the Road to Damascus That hope did not long survive. By 1995 I confessed "Reluctantly, and by stages" to having concluded that "voluntarism is inadequate". I pressed for both federal and provincial action to bring the private sector under the umbrella of privacy laws. (Quebec had already done so). This evolution in thinking occurred partly (but not entirely) because of the inadequate response of the private sector. Other important influences were at work. These include growing government and private sector exchanges of information, privatization of government operations with the resulting loss of existing privacy protection, and the developing European Union common data law which risks restricting information flow to countries with inadequate private standards - of which Canada is one. By 1996, the government had reached the same broad conclusions. This happy event perhaps was not born solely out of concern for an individual right, but also due to a determination to see Canada ahead of the pack in developing electronic commerce. One is an inevitable consequence of the other; Canadians will not shop, bank and file taxes on line knowing they risk sharing their lives with more than 40 million people. While we may quibble over the motivation, we welcome this means to our end. With the support of this office, other privacy commissioners and advocates and, above all, its own appointed Information Highway Advisory Council, the government committed itself to bringing in what then-Justice Minister Allan Rock described as "effective and enforceable" privacy laws in the private sector by the year 2000. Industry Canada and the Department of Justice issued a discussion paper, The Protection of Personal Information - Building Canada's Information Economy and Society, and called for public input. The departments are now digesting the responses (including ours - see page 11) and distilling their findings into a draft bill, aiming at publication in October, 1998. It is no exaggeration to call this the most important and promising Canadian development in privacy protection since the government's 1971 report Privacy and Computers (which set the stage for the first privacy protection law in Part IV of the Canadian Human Rights Act). A good bill, living up to Mr. Rock's "effective and enforceable" objective, will place Canada among the world's leaders in defence of basic privacy rights. A bad one, studded with exceptions, exemptions and loopholes - and absent effective independent oversight - would be a disaster. This office thus lives in high if somewhat nervous hopes. We observe powerful lobbies being organized by some elements of the private sector. And we have healthy if grudging respect for their ability to obtain favourable treatment for their special interests. Another hurdle for this gestating legislation is the belief in some quarters that nothing effective can be done unless federal and provincial governments act together. It is true that much business falls under provincial jurisdiction. And it is evident that a harmonized approach and laws are extremely desirable. Consistent national standards would make life easier for both business and government, understandable for individuals and avoid the spectre of data havens within the federation. This is the ideal. Nevertheless, if others cannot be convinced to protect their citizens' privacy rights in the marketplace, then the federal government must lead by example; a role the federal government seems poised to fill.The spotlight now shifts to the provinces which have jurisdiction over much of the private sector. A Medical Internet? Work on this project continues apace, animated by a special federally-appointed advisory council whose membership includes no privacy specialists. Surprisingly little public attention has attached to this project considering how it will touch the lives of all of us. The forces driving this project are several. They include the health bureaucracy at all levels - federal, provincial/territorial and municipal - which anticipates substantial cost savings, better anti-fraud controls, more efficient delivery of services. But they are not alone: health researchers argue that a more complete profile of the state of Canadians' health will lead to greater progress in all fields of medicine, particularly preventive. Canadian doctors, however, while conceding some potential benefits, are extremely concerned. They fear the possible erosion, if not destruction, of the basic ethic of their profession: absolute confidentiality of the patient-doctor relationship. On that account, the Canadian Medical Association has devised a comprehensive privacy code which posits as its basic principle the need to obtain patient consent for almost every form of informational exchange. The draft is thoughtful and thorough. Should it stand it will be nothing less than a Hippocratic Oath for the information age. This is a critical step at a crucial point in the evolution of health information management. It obliges proponents of a national health system to bring forward a proposal which meets decent privacy standards or risk the united opposition of the medical community. It must be said that the advisory council is well aware of the privacy issue. The Co-chairman, Dr. Tom Noseworthy of Calgary, has publicly committed himself to a high level of privacy protection and, naturally, he enjoys the whole-hearted support of this and similar offices in its pursuit. But it would be naive and unrealistic to underrate the difficulties and complexities implicit in creating such an intricate web of health information exchanges in a way that protects the right of individuals. It bears repeating: the corollary of a publicly funded health care system is not abdication of that bedrock principle of our right to a confidential relationship with our doctors. We therefore offer this advice: Use the privacy expertise already available to the maximum. Get it right the first time and public (and privacy commissioners') support will follow. Fail, and eroding public confidence will take the system down with it. We follow the progress of this work with anxious care, firm in our conviction that if it cannot be done without the wholesale abolition of existing rights, it ought not to be done at all. A sidebar to the CMA's promising code, and an early indication that health information codes are both desirable and do-able with members' commitment, is the new privacy component of the Canadian Dental Association's Code of Ethics. The Code (which is enforceable in some provinces) establishes dental patients right to seek dental care in "a confidential setting free of third-party intrusion". Patients have the right to examine and copy their records, control disclosure, and know with whom the information may be shared (with their consent).Third parties (such as Revenue Canada or insurance companies) may only access patient records for audits after identifiers and unrelated health information have been removed. This laudable effort underscores the CDA's ongoing commitment to its patients' interests. Members will not be sorry. Updating the Privacy Act: another Year 2000 challenge Perhaps lost in the shadow of these grand projects is the now-pressing need to modernize the existing Privacy Act. The act controls only the information handling of many - but not all - federal government agencies. It was a good bill in its time; major aspects of it have stood well the test of the last 15 years. However, the changing nature of privacy threats has also exposed some flaws and weaknesses. The primary one of which is the law's focus on protecting information. It is not truly a privacy law but a data protection statute. In fact privacy has surprisingly little protection in Canadian law; torts in some provinces and - as a last resort - the Charter (see page 91). If it needs a road map to comprehensive privacy protection, the government need look no further than last year's report, Privacy: Where Do We Draw the Line, issued by the Commons Committee on Human Rights. But to focus on the current act: first we need to clarify the definition of "personal information" to bring it up to speed with new technology. For example, DNA samples - tissue, blood, semen - should be defined as personal information for the purposes of the Act. And the Act needs more precision in its definition of what information about public servants "relates to the position or functions of the individual". A clear definition might have avoided costly Court cases like those dealing with access to weekend sign-in sheets and parking privileges. The Act's provisions establishing a person's right to access his or her personal records, and to require consent before disclosing personal information, are hedged round with numerous exemptions and exceptions which beg review. Most exemptions are justified. For example, it makes no sense to allow a person under investigation for a criminal offence to be allowed access to investigative records. Nor would one allow suspected terrorists to examine their records in CSIS files. But some exemptions are altogether too all-inclusive. Section 22(1)(a) of the Act, for instance, authorizes federal investigative bodies to refuse to disclose information "pertaining to the enforcement of any law of Canada or a province". This is sufficiently sweeping as to permit nine investigative bodies to refuse to release virtually all personal information. I find particularly offensive the notion that departments can withhold information from applicants simply because the law allows it, even though disclosure would cause no demonstrable injury. All exemptions should be subject to an injury test, meaning investigative bodies should be required to demonstrate how granting access to an individual would harm a law or their investigations. Next, given the fundamental importance of Sections 4 to 8 (the fair information code), Parliament should expand individuals' rights to appeal to the Courts about government collection, use and disclosure of personal data. This could include injunctive rights, or a privacy tort allowing individuals to sue for damages. Also needed is a much tighter concept of the notion of "control" of personal records. This would prevent government institutions from circumventing the act by contracting out such products and services as investigations and surveys, or distancing themselves from personal records such as board members' notes. Another serious weakness in the Act lies in information-sharing agreements and arrangements between the federal government and other levels of government (including governments of other nations), and the private sector. Many of these agreements are essential for the conduct of government operations, and are authorized by many statutes, including the Privacy Act. However, the scope of sharing permitted by the Act's broad language is an open barn door for even the slowest horse. There are hundreds of such agreements in existence, of which this office has only fragmentary knowledge. But what we do know is not comforting. Much of the sharing is virtually invisible to taxpayers, and often to the departments themselves. Also, given the routine and detailed exchanges underway, it is essential that federal departments be required to ensure that any personal information they disclose enjoys proper privacy protection in the hands of the recipients. At a minimum, the Act should require departments to obtain a contractual commitment to provide privacy protection equivalent to that offered by the federal Privacy Act, coupled with a right to take those measures necessary to ensure that the commitments are honoured. Similar legal requirements should be placed on any private enterprise taking over any program or activity previously conducted by the government of Canada. The government has responded in part. The Treasury Board has directed departments to include in privatization agreements some protection for the personal information being transferred. New bodies which remain in federal jurisdiction will be subject to the Privacy Act. Organizations that are privatized and come under provincial jurisidiction will have privacy clauses written into the sale contract. Time for some housekeepingThere is also an urgent need to review the powers and mandate of the Office. In the beginning, the Office functioned principally as a complaint investigation bureau.That remains its primary statutory duty - and the only one for which it is funded. But the intervening years have imposed many new demands on the office not contemplated by the Privacy Act. One of these is the capacity for policy analysis and research so essential to keeping Parliament and the public abreast of important privacy developments: this was the term of Internet, digital fingerprinting, datamining and the National Health Information Infrastructure. This Office would be irrelevant to both legislators and taxpayers without such a service, one we struggle to provide now without any resources or legal mandate. Even our core investigation function is under serious strain. During this seven year term, the size of the office remained virtually static, despite a complaint load now more than twice as large as at the outset. Similarly, there is a growing public appetite for more information about the impact of technology on society. While Parliament may not have anticipated the public turning to us for answers, no-one told the public - witness the explosion of inquiries in the period.This Office has no mandate for public education, and thus no funding. Nevertheless, we strive to meet these demands, conscious only that our best efforts are a marginal response at best. These problems were examined and solutions proposed in a review of the Act by the Commons Justice Committee in 1987, then again in the special report Privacy:Where do We Draw the Line. No action so far, although the Justice Department, which is responsible for privacy law, has been considering amendments during the last two years. One can only wish that these particular judicial mills did not grind quite so slowly. This review concludes with a footnote; a seven-year itch which the Commissioner would now like to scratch. Repeatedly during this period proposals have bubbled up to "merge" the Offices of the Information and Privacy Commissioners. Although the idea has been repeatedly stoked and fed by others, I have held my public peace, thinking it better to mind my own business and hoping that others would mind theirs. It is time now to put this issue to bed. Privacy and access to information laws are not flip sides of the same coin. They have this in common: both provide Canadians right of access to records held by the federal government. But there the similarity ends. Access by definition is the limit of the Access to Information Act - does the applicant get the records or not? And, if the records at issue are personal, they are governed by the Privacy Act. Otherwise, the two acts have about as much in common as soccer and succotash. Access to general government records is an administrative right, recently taking root in modern democracies, which sets out terms under which citizens can see government files. But many democracies do not have such laws. Privacy, however, is a core value, a basic human right which touches almost every aspect of life. It is, as the Supreme Court of Canada has said, a basic element in establishing individual freedom. Such is the freedom this office works to preserve. Indeed, all modern democracies protect the value in law and appoint an arbitrator/overseer. Only in Canada - and only in the provinces - does that arbitrator wear both the privacy and information hats. The coming of private sector legislation and the Office's possible role in its oversight makes the time ripe for a clean amicable divorce. Business needs to know that the regulator has but one priority and that is its handling of the personal information of its clients and employees. There can be no suspicion that a single commissioner might have an interest in general records. Finally Parliament needs to fix an unforeseen weakness in the structure, reporting mechanism and accountability of the Office which have a debilitating effect. The Privacy Commissioner's office is an orphan. Despite his status as a Parliamentary officer, Parliament makes only occasional and cursory examination of the issues and our operations.The budget is set as part of the Department of Justice envelope. Thus my only avenue of budgetary appeal is to ask the Minister of Justice (whose operations I may have to investigate) to beggar her own program.This arrangement sends all the wrong messages about the Office's independence and makes the principals profoundly uncomfortable. It is time the Act established a clear line of responsibility and accountability to Parliament, and it may also be the moment for Parliament to consider a consistent reporting and funding regime for all its officers. Finally, allow me to give public expression of profound gratitude to an exceptional staff of devoted colleagues. Whatever credit accrues to this Office, or to me personally, is due to their high sense of purpose and professionalism. No commissioner was ever better served by or more deeply indebted to his staff. Comprehensive legislation to protect personal information in Canada's private sector has been both long needed and much anticipated. However, until very recently, private sector legislation appeared destined to be the perennial bridesmaid of the legislative process, always hovering near the altar, but never quite getting there. Now there is renewed hope, largely due to two initiatives. The first is the government's discussion paper, entitled The Protection of Personal Information: Building Canada's Information Economy and Society which was released in January 1998. The paper sought public comment on a proposed model for legislation to protect personal information in the federally-regulated private sector. The second is a draft Private Sector Protection of Personal Information Act now being prepared by the Uniform Law Conference of Canada which could serve as the basis for consistent private sector law across Canada. The history of attempts to bring private sector data protection legislation to Canadians dates from the early 1980s. When the bill that became the federal Privacy Act was introduced for third reading in June 1982, the then-Minister of Communications observed that "the next stage in the development of privacy legislation, [is] extension of the principles respecting the protection of personal information to the federally- regulated private sector." Since then, protection of personal information in the private sector has raised its head several times:
The government's proposal: a good start The joint Industry Canada/Department of Justice discussion paper describes the present state of privacy law in Canada and why it is insufficient to protect Canadians in the current environment. It establishes the basic principles of effective privacy legislation, then discusses some options for implementing such a law and providing independent oversight. However, the paper's thrust is less about protecting personal information than it is an encouragement to feel confident in engaging in electronic commerce. It is revealing that the paper's introductory quotation, from the September 1997 Speech from the Throne, makes no reference to privacy or data protection. Legislation to govern the federally-regulated private sector is important for several reasons.The distinction between the private and public sectors is blurring. Increasingly the federal government, like many others, is privatizing, commercializing and contracting out government functions. In some instances this had moved personal data outside the scope of federal privacy law. In addition, technology has raised the stakes, intervening in the relationship among Canadians, the private sector and government and permitting an unprecedented collection, use and disclosure of personal information. Providing legal protection for personal information in the federally-regulated private sector is a goal that can be accomplished now. The ideal solution, of course, would be to have consistent privacy and data protection laws in the provinces and territories. Quebec already has put such legislation in place - the only North American jurisdiction to have done so. A level playing field The discussion paper advocates harmonizing privacy and data protection laws in all Canadian jurisdictions.This is essential if the rules are to be consistent across the country and if we are to avoid building data havens - jurisdictions where less stringent laws could attract some businesses seeking to avoid their privacy obligations. Private sector legislation in the provinces should be modeled on the best features of federal private sector legislation, Quebec's private sector law, the Uniform Law Conference of Canada draft Private Sector Protection of Personal Information Act, and the Canadian Standards Association's Model Privacy Code. Protection of personal information might also be considered a federal matter under the trade and commerce heading in the Constitution; this interpretation of the Constitution would enable the federal government to legislate uniform data protection across the entire private sector. On the CSA Model The discussion paper highlights the work of the Canadian Standards Association (CSA) in bringing together representatives of the public sector, business, consumers and unions to draft a model code. The code establishes principles for private sector collection, use, disclosure and protection of personal data, as well as ensuring individual access to, and correction of, the information when necessary. The Standards Council of Canada adopted the CSA code as a national standard in 1996. Given the necessary teeth, the broad principles of the CSA Code provide a solid foundation for building privacy legislation. And the CSA Code has the added benefit of having won the endorsement of several provincial privacy commissioners. However, there remain a number of deficiencies that would result in a legislated data protection standard that is not sufficiently rigorous and would offer only the illusion of effective protection for personal information. For example, it is insufficient simply to identify the purposes for which personal information is collected. Individuals should also be told whether providing the information is obligatory or optional, the consequences of failing to provide the information, who will receive it and how they will use it. Designing a new privacy law begs several questions about its administration and oversight. If it is to work, the law cannot be burdensome and bureaucratic for business. Nor can it impose on consumers an accountability process by exhaustion.The paper discusses several options. Sectoral Codes & Registration While some countries require or encourage industry sectors to draw up more specific codes tailored to the demands of their industry and clients, we do not support codes as part of Canada's regulatory scheme. While undoubtedly helpful to guide individual businesses, sectoral codes would be impractical. For a start, defining sectors would be difficult as industries continue to converge and re-align. It would also be difficult to ensure that the codes of each individual business were consistent with the sectoral standard. Finally, sectoral codes may be unnecessary. Quebec's private sector data protection law makes no use of sectoral codes and yet has not suffered since it came into force in January 1994. Another feature of some national laws is the requirement that private businesses register their personal databases with a central authority. Registration would be unnecessarily costly and bureaucratic. It may also be a misapplication of resources that could better be used else-where to protect privacy interests. Oversight Whatever the features of the law, it will need independent oversight; a body to review compliance and resolve disputes.The options range from requiring complainants to go to court - costly and burdensome for all parties (including the courts), to quasi-judicial tribunals, to data commissioners with order-making powers. The ombudsman model, the scheme in place under the federal Privacy Act, offers the most effective approach. An ombudsman ensures administrative fairness using knowledge, impartiality and strong investigative powers. The essence of successful oversight is maximum reliance on consultation, conciliation and negotiation, and minimum resort to coercion and compulsion. The ombudsman's stick is the possibility of bad publicity - an effective tool if judiciously applied. The Privacy Commissioner's oversight would entail promoting fair information practices, resolving complaints, and conducting audits.The Commissioner should also have the specific authority to identify and assess issues that may affect privacy - for example, workplace surveillance, personal identification technologies and the tracking of purchase information, even if these issues have not caused complaints. Given adequate infrastructure and resources, this office would be an effective oversight agency. Extending the Privacy Commissioner's jurisdiction to the federally-regulated private sector would also be consistent with the scope of other federal oversight bodies such as the Office of the Commissioner of Official Languages. Some business sectors suggested that oversight might be acceptable if conducted by existing regulators - such as the Superintendent of Financial Institutions for banks. However, this would lead to multiple regulators, without data protection experience, and inevitably result in uneven application, and thus uneven compliance with privacy standards. Public Education No legislation will be effective without its being understood by public and business. Organizations and their respective associations should bear the primary responsibility for educating employees, management and the public. Informed consumers and employees are more likely to encourage organizations to adopt fair information practices. However, the proposed legislation should also give the Commissioner a specific mandate and resources to increase public awareness about issues and new technologies that could affect privacy. Complaints Process The complaints process must be administratively simple for both the complainant and the business which holds the personal information. Individuals should begin by trying to resolve their complaints directly with the organization. Since disputes often result from misunderstandings, many can be resolved at this stage. However, the organization should be free to refer the complaint directly to the Commissioner if it would prefer to have the complaint handled through the Commissioner's complaint resolution process. Time limits should be set for each stage in the resolution process to avoid unwarranted delays. The Commissioner would make recommendations, as necessary, about the collection, retention, use or disclosure of personal information, as well as about any denial of access or correction. The Commissioner should further have the right to identify any appropriate redress for the complainant. The Office should be vested with powers to investigate and resolve complaints, such as those currently available under the federal Privacy Act. The law should oblige the parties to participate in mediation facilitated by the Office. The Commissioner would then issue a non-binding evaluation of the parties' respective positions. Compliance Audits The legislation should require organizations to undergo periodic information practices audits. The organization would be free to appoint the auditor of its choice and would be expected to take corrective action within a reasonable time after receiving the audit recommendations. In addition, legislation should authorize the Commissioner to conduct an issue-based audit of one or several organizations if the Commissioner has reasonable cause to suspect that their information handling practices are inadequate, or if the Commissioner receives multiple complaints about similar deficiencies. Privacy Impact Assessments The Commissioner should provide organizations with the tools necessary to conduct privacy impact assessments on any activity that may affect privacy. This will help organizations avoid costly redesigns that may be necessary if fair information practices are not considered at the design phase of their activities. In addition, the Commissioner should have the authority to monitor disclosures for research and statistical purposes.
Last year's annual report spelled out the privacy implications of one aspect of the government's proposed national health strategy - a national health data network.We seem to have touched a nerve. The loudest voices supporting the network are those seeking access to confidential medical records - for more efficient spending of limited health care dollars, improved flow of information between jurisdictions, and better evidence of what influences Canadians' health. All are worthy aims. However, making patient information available on-line (and integrating it with socio-economic data to create patient profiles) risks turning patient care into a "spectator sport". There are hopeful signs that others are listening. First, February's National Conference on Health Info-Structure brought together government representatives, health professionals, academics, consumers and business to develop action plans for establishing the info-structure. At the head of the list of policy issues discussed were "Privacy, security and confidentiality". In his opening remarks, Health Minister Allan Rock cited privacy as "perhaps the crucial issue. The credibility of a national strategy hinges on public confidence that privacy will be protected." He acknowledged that many in the health sector were concerned that "stringent privacy rules could impose unreasonable limits on the information they need", nevertheless he announced himself determined to see that Canadians "get the right protection for their most personal information". In the working session, other voices joined in to protest that effective and meaningful health care does not have to be compromised to protect patient privacy. However, network supporters argued that good security is the answer to real privacy protection. They urged that we build the systems first, then "fix" the privacy issue afterwards. (At press time, there has been no public report of the conference proceedings or of any subsequent action plans.) Developers of this network need reminding that using a patient's medical information without his or her knowledge and consent is an invasion of privacy, regardless of the system's security. That is the distinction between ensuring security and preserving privacy that must be maintained at all costs. Medical information - and the circumstances under which much of it is provided - are unique. We are a captive audience when we are sick or hurt. At that vulnerable moment when we want our health restored, we feel compelled to provide intimate details of our lives we would otherwise choose to keep private. Health care providers need any and all personal information that might be helpful during a crisis. But this intimate information, once revealed, may become part of a "womb-to-tomb" electronic medical record. At that point, the patient (and, arguably, the doctor) will have lost control. The details could become accessible far beyond the physician with whom the patient has established a trust relationship. Information could be shared with the broader health care system and perhaps also a present or future employer, an insurance company and the credit bureau. Information we volunteered for medical treatment could be used for unrelated purposes, with devastating effect. There seems to be a view that a public health system justifies greater intrusions. As the links between life style, poverty and health become clearer, so grow the temptations to follow, assess, and then influence our choices so that we will not become a burden on the system. While understandable, this is the first step to a loss of autonomy. Making educated health decisions is one thing - being coerced quite another. Canadian Medical Association Draft Code In a background paper, the CMA recognizes that "initiatives advertised under the rubric of 'protection of privacy' often have less to do with privacy protection than with ensuring access for secondary use" and that "...[i]f 'authorization' is not in the hands of patients, then it is 'doublespeak' to say that ensuring access only as 'authorized' protects the right of privacy." The incentive for the CMA to promote privacy is obvious: ensuring the integrity of the doctor-patient relationship. Physicians swear in the Hippocratic Oath "what I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself holding such things shameful to be spoken about." As the CMA paper observes "... [p]hysicians, in light of patients' high level of trust and confidence in them, could therefore become unwitting instruments of betrayal. Behind physicians would stand any number of secondary users who are strangers to the patient-physician relationship but eager to share in information secured by physicians." As we go to press, the Code is expected to be presented to the CMA's General Council for debate this September. The record-setting complaint intake continues apace - 2,455, compared with 2,235 received last year. This increase is in keeping with the average growth of 10 per cent annually over the past ten years. Staff completed 1,821 investigations, close to 900 fewer than last year. Last year's accomplishment was directly attributable to the Office's efforts to reduce a backlog of older complaints by streamlining the process, introducing a fast-track procedure for selected complaints, and using resources drawn temporarily from other parts of the organization. Those resources were not available this year. For the past several years, the Office has first tinkered - then substantially revamped - its investigation process to eliminate bottlenecks and speed the process. However, more than tinkering is needed; as quickly as new approaches are tried, our clientele becomes more sophisticated and their complaints more complex. As the intake of new cases continues to grow, investigators are confronted with caseloads that are excessive, time consuming and unmanageable. The result for complainants is resolution delayed and, for investigators, burnout. Coupled with this unmanageable caseload, increasingly investigators must deal with departmental privacy staff who are also overloaded and often impatient and uncooperative. Frustrated with repeated requests from some applicants who use the Privacy Act as a tool to conduct personal vendettas against selected departments, staff effectively stall investigators by rescheduling or delaying meetings, delaying identifying departmental contacts, or failing to produce the records for the investigator's review. The Office is not unsympathetic to the departments' plight; some applicants do indeed make repeated requests that border on abuse of the system.They also make repeated complaints. However, the law makes no provision for either departments or the Commissioner to ignore or stall repeated requests or "trivial and vexatious" complaints. Nor does the Commissioner believe it should.The act obliges us to do our respective jobs; departments to respond in a timely manner and this Office to investigate any subsequent complaints. The Commissioner cannot and will not tolerate departments stalling his investigators. The open caseload at the end of the reporting year - 1780 - has also climbed from the 1147 open at the end of the previous year. One issue contributes 956 of these complaints; government's matching of Customs Traveller Declaration Cards with the Employment Insurance data base. This match is now before the Court (see page 89 for more detail). Lingering investigations also contribute to some complainants' disappointment when the Commissioner concludes there has been no breach of the act. It is little consolation to someone who has waited months for the Commissioner's review only to be told that the department's actions did not offend their privacy rights. Some conclude that we have been of little help. In fact, the Office's rate of well-founded complaints, 48 per cent, is high compared with the traditional one-third ombudsmen's average. The cases described below illustrate the type of concerns Canadians bring to the Commissioner.
A journalist's question about Citizenship & Immigration demanding tax information from Canadian hosts before issuing a visa to their visitors, prompted an Ottawa couple to complain.The husband's sister was planning a business trip to the United States and wanted to spend a week with him in Canada. When she applied for her visa to the Canadian High Commission in Colombo, Sri Lanka, they refused to process her application without an income tax document confirming the income of both the host and spouse for the last three years The tax documents were "REQUIRED" (their emphasis). She was also asked who would pay for her trip to Canada. The couple had provided proof of Canadian citizenship and their employment but objected to producing the income tax documents. According to C&I, before issuing visitors' visas, it wants to be sure that the visitor will return home and not become a burden on Canadian society. The documents were meant to establish that the hosts could afford to support the visitor. Apparently each high commission decides which documents visa applicants need, depending on local circumstances. The Columbo high commission began demanding a Revenue Canada Notice of Assessment in March 1997 to assess the financial situation of the hosts. They argued that bank statements and letters of employment are subject to abuse and inaccuracies, and are hard to verify. As well, affidavits simply cannot be enforced. The Notice of Assessment contains the tax-payer's amount of income and taxes paid and, since it is official, needs no further verification. However, it was clear that tax documents were not essential to processing a visa application - although they could speed the process. High commission officials acknowledged that providing tax information is "voluntary" and have now emphasized this for all staff. At the Office's request, they have also amended the application form to remove the statement that the information is required. The investigator asked C&I to determine what other embassies and high commissions ask on their visa applications. Of the 61 responses received, five showed tax information as "REQUIRED". C&I agreed to contact each of the five and have them amend their forms. It is questionable whether knowing someone's gross income helps assess his or her "financial situation"; some families live very comfortably on $60,000 while others struggle with $100,000.The complaint was well-founded and resolved. Employee accesses woman's credit file The notion that federal government departments have access to individual credit files is puzzling to many. The explanation is simple: many government positions have security requirements, ranging from the least demanding "enhanced reliability" up to various levels of Special Access reserved for highly sensitive intelligence work. Employers check employees' credit references to ensure their finances are not in such a precarious state that they may be susceptible to financial "inducements" or blackmail. To prevent abuse, only a handful of departmental staff may have access to credit files - usually staff in the security units which are responsible for security clearances. This restricted access sent alarm bells ringing when a woman complained that someone at a department where she neither worked or sought a job, had accessed her file at the local Ottawa credit bureau. Attached to her letter was a copy of her credit report listing those organizations which had obtained access. It included a departmental telephone number and the identification "Security Serv". The woman was going through a divorce and feared that her estranged husband, who worked in the department's Security Services, had queried her credit file. Although the investigator confirmed at both the credit bureau and Security Services that the woman's file had been accessed, it was impossible to determine by whom. The department's credit checks are conducted by three employees, usually by computer-modem access using three telephone numbers. The same credit access password served all three computers and it was programmed into the automated query process. (Telephone queries require the caller's name which is recorded at the bureau.) During an internal investigation, staff found a hard copy of the woman's credit report in her husband's office, however it was in a different format from routine on-line queries. The husband categorically denied having accessed his wife's file, arguing that he did not know how to conduct an on-line check and he believed he was at a regular Friday staff lunch when the query was made. The investigator's interviews with unit staff established that the husband's computer was not one of the three with access to credit files, that no-one had seen him at one of the terminals, nor had he asked them to conduct the check. However, the instructions for making an on-line query were readily available in employee in-baskets. A query to the government telephone system (GTIS) to establish precisely on which line the call was made came up empty because GTIS logs only long-distance not local calls. The experience was a first for the department which has Privacy Directives available on every computer. The department responded by conducting its own internal investigation and tightening its credit access procedures. These include changing the system access code, introducing individual passwords for staff so that any future queries will identify the caller, and restricting access to the instructions for entering the system. It also reassigned the employee. The Commissioner concluded that there was no doubt that the woman's credit file had been improperly accessed and that the complaint was well-founded. Although there was no remedy, the more stringent security measures should help prevent a recurrence. The Commissioner urges other security units to take note. (Although the Office routinely identifies departments against which complaints are made, doing so in this case would effectively identify the individuals concerned, breaching the Commissioner's legal obligation to investigate in private.) Commissioner's complaint tightens HRDC collection process A provincial government manager alerted the Office to a Human Resources Development Canada (HRDC) collection which disturbed him. He had received more than a dozen requests from HRDC collection officers for information about former employees of his department and questioned their method of seeking the information, the amount of detail, and his obligation to respond. Subsequently two federal government departments - Health Canada and National Archives - were faced with similar requests and also called the Office with concerns. Given the investigator's findings, these two were likely the tip of an iceberg. With sufficient information in hand, the Commissioner initiated his own complaint. HRDC collection officers attempt to collect established overpayments of (un)Employment Insurance (EI). Approximately 80 per cent of the cases constitute fraud and some involve substantial sums of money. The EI legislation allows HRDC up to six years to recover the overpayment. Although HRDC's demands for information varied from one city to another, most asked for the person's term of employment, reason for leaving, home address and telephone number, bank address, and name and address of current employer if known. HRDC officials in Winnipeg and Moncton also asked for the name and address of the person the former employee designated be called in cases of emergency. The provincial manager had also received a request for detailed information about an individual's bank accounts and balances, RRSPs, GICs, term deposits, accounts at other branches and any company accounts. It was clear that this was an error since an employer would be unlikely to have such information. The request was intended for the employee's financial institution, not the employer. The investigator sifted through all the information and allegations and focussed on six aspects of the case. An allegation that the requests were being faxed was found not to be true. Had HRDC followed the proper procedure for collecting the information? The EI Act requires collection officers to request the information from any person "by notice served personally or by confirmed delivery service".This provides proof that any individual, employer or financial institution received the notice. It was evident that HRDC was not following the procedure because it was more expensive and more onerous than regular mail. Could HRDC ask for names and addresses of emergency contacts? In effect, HRDC was seeking information about "unnamed persons" - information supplied for a specific and limited purpose about individuals who are not a party to the case. The EI Act stipulates that HRDC cannot require any third party to provide information about "unnamed persons" without a judge's authorization.This had not been obtained. Can HRDC collect detailed financial information on clients from financial institutions? The broad authority to collect information from "any person" is clearly established in the EI Act. Having the financial details allows HRDC to seize financial assets once they mature - usually a last resort. Knowing account balances and other short term assets allows HRDC to calculate a repayment schedule or the amount which could be garnished from the clients' pay (once they are located) without causing undue hardship. Apparently some financial institutions, which once routinely provided the information in response to mailed requests, have now begun questioning HRDC's requests for financial information. Had collection staff cited the correct legal authority? Some letters (incorrectly) cited subsection 126(15) of the EI Act. This section deals with those unnamed persons and requires the judge's authorization. The correct citation is 126(14). Were requests to federal departments flagged "protected"? Personal information in the hands of federal government departments must be labelled "protected" to help guard against unauthorized opening or access to personal data. The requests to Health Canada and National Archives were not properly flagged. Why collect the reason for departure? If the employee worked for the government, HRDC can collect the debt by offsetting the amount against any severance, unused leave or pension payments. Do collection officers have the authority to demand the information? The Employment Insurance Commission has the power to authorize "any person or body, or member of a class of persons or bodies" to exercise its powers. A list of those exercising delegated powers includes "Collection Officer, Overpayment Recovery". Clearly these staff have the authority to demand the information. HRDC dealt with three of the four problems in a December 1997 memo from the chief of collection services. He reminded staff to deliver the letters personally or by confirmed delivery service; not to ask for the client's emergency contact without a judge's authorization, and to use the correct legal citation. HRDC staff are also reviewing the letters to attempt to standardize the language as much as possible, thus avoiding a repeat. They will also add a "protected" designation to help prevent unnecessary disclosures. The Commissioner appreciates the department's ready cooperation and quick response to his recommendations to tighten the process. Three-hour Family Expenditure Survey voluntary - next time Statistics Canada surveys often cause ripples, particularly those dealing with individuals' finances. This year, a StatsCan decision to make one of its regular surveys compulsory prompted three complaints to the Commissioner and considerable public interest in British Columbia (but little elsewhere). What distinguishes the Family Expenditure Survey (FAMEX) from many others the agency conducts is its length - almost three hours, the extent of the detail - 39 long pages, and its venue - the respondent's home. FAMEX examines household spending patterns and gathers information on their income, assets, debts, occupation and education. One complainant described the survey as "grossly intrusive". He questioned whether StatsCan had the authority to compel responses and observed that the detail demanded was far beyond the scope required for the Consumer Price Index.Two questions cited in the ensuing publicity were those asking for "...sanitary and incontinence supplies..." and "condoms, syringes, etc.". (In fact, these products - while unfortunate choices - were simply examples to illustrate the types of expenses in the respective categories.) The complainant also argued that it was both a "conflict of interest and a gross abuse of power to compel by law an individual (to) provide this information, then market it for business to use in developing their own markets". StatsCan uses some of the information to update the Consumer Price Index, a shopping basket of some 600 goods and services it tracks to measure inflation. The data can lead to changing the items in the basket or altering their relative weight in the total cost. Government can also use the data to relate people's spending patterns to their age, family size and income. These factors influence policy on welfare reform, wage settlements and support payments.The results also help government compare living costs and standards between various regions, and between Canada and other countries. However, there is no doubt that the information is sold. In its promotional material to business, StatsCan extols its ability to tailor the data from FAMEX "to meet your specific needs". The data is not personal, of course, but "can be cross-referenced by household income, metropolitan area, age, dwelling owned or rented, household composition, or other selected household segments". This allows business to target its marketing to appropriate groups. Responding to all StatsCan surveys is compulsory unless the Minister decides otherwise. The Statistics Act imposes penalties on those who refuse although StatsCan is loath to be heavy-handed. Regular FAMEX surveys began in 1952. Participation became voluntary in 1984, then reverted to compulsory in 1996 when StatsCan felt that the response rate, which had dropped to 74 per cent, was too low. The 1996 survey selected 16,000 households across the country in proportion to population. The already lengthy survey could take even longer for those with higher incomes if they have a greater range of expenditures and more complex finances. The survey questions are divided in broad categories of expenditures on:
The level of detail is intense: house furnishings includes such purchases as "sheets and pillowcases" and "plastic garbage bags"; health care details include "e.g. first aid kits, bandages, condoms, syringes etc." and "razors and razor blades"; women's clothing includes "lingerie"; recreational expenses seeks "photographic film, processing, extra prints and enlargements"; reading materials wants "paperbacks and pamphlets", the income category asks for the value of gifts received from non-family members. One might well wonder how many Canadians could possibly recall these expenditure details a year later, nevertheless the expansive language of the Statistics Act gives StatsCan the power to compel responses. The investigator had to quickly disabuse the complainants of any notion that the Commissioner could exempt them from responding. However, there were aspects of the process which need clarifying, primarily concerning its transparency. First was the assertion that the survey had to be conducted in the form of an interview. This requires respondents to furnish personal details to a stranger rather than simply complete a form on their own time. StatsCan clearly prefers personal interviews to clarify questions, prompt responses and ensure the form is completed. It is also concerned about the quality of the data. However, simply completing the questionnaire meets both the respondent's legal requirements and StatsCan's needs. Individuals who feel competent to do so on their own, should be offered that option at the outset. A second concern was an apparent requirement that the interview take place at home. Letters alerting local police, politicians and residential property managers to the survey (in case of calls) make it clear that interviewers "will visit their (respondent's) home to conduct the interview". However, the advance letter to the respondent is less forthright - the "interviewer will visit you to enlist your support in this important study". Being subjected to such detailed questions in one's own home can seem very intrusive. Although StatsCan interviewers would be prepared to meet respondents elsewhere, it argues that most people would need their records to complete the survey and clearly prefers, and "sells", the in-home interview. Nevertheless, respondents are clearly not compelled to agree. Respondents can take some comfort in knowing that the interviewers undergo an "Enhanced Reliability Check" (which includes a criminal history check) and are subject to the same legal obligations as all StatsCan employees. They carry identity which can be verified by calling a telephone number supplied. The individuals' identity is not entered into the data base and the data is encrypted before transmission to Ottawa. At that point, the paper questionnaires are sent for archiving where staff detach the householder information. The only link between paper and data is an identifying number on the questionnaire which could be linked back to the paper responses. However, StatsCan has no interest in identifying respondents, except for data verification. Making the survey mandatory achieved the desired objective of increasing participation (the rate rose by about 12 per cent) but may have affected the statistical accuracy by encouraging some unhappy respondents to be less than candid (or thorough). StatsCan has decided to return to voluntary participation for the next survey and to compensate by increasing the sample size to 27,000. Unfortunately the informational material for the new Survey of Household Spending is less than forthright on the legal options available to selected respondents. The notification letter advises that the interviewer "will visit you" and asks for "your support in completing a questionnaire" but does not explain that participation is voluntary. An accompanying brochure acknowledges "while your participation is voluntary, it is important for all selected households to participate...". It continues assuming that "the interviewer comes to your home..." and that "the interviewer will go though the questionnaire with you". No alternatives are offered. The Commissioner concluded that while Statistics Canada undoubtedly has the legal authority to conduct the FAMEX survey, it had not been frank with respondents about why it was collecting the information and how it would be used. On that basis he considered the complaint well-founded. No tax information without the taxpayer's consent The introduction of new seniors benefit plans in Alberta and Ontario led to a number of complaints that the federal government was disclosing individuals' income tax information to the provincial organizations administering the plans. Since the benefits of both plans are linked to income, the provincial bodies wanted confirmation of the applicant's income - the most dependable source being income tax files. Revenue Canada enters agreements with provincial government organizations to provide specified tax information - but only with the taxpayer's consent. Among the issues raised by these complaints was:
The Alberta Seniors Benefit Program This program entitles low-income seniors to certain financial benefits. However, to qualify the senior must establish that their income is below the level set by the Alberta Ministry of Community Development (ACD) which administers the program. In an October 1994 Memorandum of Understanding, Revenue Canada and ACD agreed to "large volume transfers of taxpayer information in electronic media" on condition that ACD obtained taxpayers' "proper written authorization". Applicants were asked to sign a consent clause authorizing Revenue Canada's disclosure to ACD. ACD kept the forms and, using seniors' Social Insurance Numbers, submitted a bulk request to Revenue Canada beginning in November 1994. Unfortunately, ACD did not check that all consent clauses were signed and simply submitted the entire list of applicants to Revenue Canada. Among the 60,000 of the 194,000 total applications checked, 4,000 lacked completed consents - and 12 contained outright refusals, several of whom complained to Alberta Privacy Commissioner Bob Clarke. Given the implications for so many seniors, the complaints were merged into a general complaint sponsored by the Alberta Council on Aging to both the provincial and federal privacy commissioners. The two commissioners followed the trail from each end of their respective jurisdictions and met in the middle. Mr. Clarke examined ACD's collection of the forms and request to Revenue Canada.This Office investigated whether Revenue Canada disclosed tax information without consent; whether it disclosed more information than was required, and whether the original authorization form for Revenue Canada's disclosure to ACD met the requirements of the Privacy Act. The federal investigator found that the first condition of the federal/provincial understanding was not met; ACD did not get proper taxpayer authorization before seeking the information from Revenue Canada. Revenue Canada assumed that all individuals on the ACD list had consented and replied with a standardized printout on everyone, containing 75 fields of data. It was evident that Revenue Canada had disclosed the information improperly, albeit on the assumption that ACD had kept its part of the bargain. However, it was also obvious that Revenue Canada had disclosed far more information than was needed to confirm the taxpayers' income - 75 lines of information rather than 12. The 75 lines include detailed breakdowns of income sources and exemptions (including alimony, charitable donations and medical expenses). The investigator was able to dispel suspicions that Revenue Canada was also disclosing "T-slip" information about non-filers to ACD. T-slips are statements of income sent to Revenue Canada about individuals who may not file a return; for example, a bank reporting a small amount of interest on a savings account. The complaint investigation led ACD to purge the 1993 and 1994 tax information from its files and to first freeze, and then destroy, 1995 data in December 1997. Revenue Canada now supplies just the minimum required data, and routinely audits selected individual's files to ensure they consented. The Commissioner considered well-founded the complaints of improper disclosure against Revenue Canada but by destroying the data, amending the memorandum of understanding, restricting the amount of future disclosures, and conducting regular audits of consent forms, the department had acted effectively to prevent a recurrence. He dismissed the complaint that the ACD form was not a valid consent under the Privacy Act. The Ontario Drug Benefit Plan Following introduction of the plan which subsidizes drug costs for low-income seniors, the Commissioner received 25 complaints about the federal government disclosing income information to the Ontario government - and through the computer system - to pharmacists filling seniors' prescriptions. Some complainants cited Revenue Canada; others, Human Resources Development Canada (HRDC). The investigator quickly determined that Revenue Canada had been approached by the Ontario government but refused to provide individuals' tax data unless they consented.The focus then turned to HRDC. Income information became critical when the new plan took effect in July 1996. Now single seniors with incomes less than $16,018, and married seniors with incomes under $24,175, must pay a $2 dispensing fee. Those with higher incomes pay the first $100 each year, then a $6.11 dispensing fee for each subsequent prescription. HRDC obtains income information when individual seniors apply for the federal Guaranteed Income Supplement or Spouse's Allowance. Because these benefits are linked to income, the application form asks for the senior's income and indicates that it will be verified with Revenue Canada under an information sharing agreement. The match is not described in Info Source - as the government data matching policy requires - or in the program's information brochures. Info Source does describe sharing information with the provinces as a "consistent use". HRDC has provided the Ontario Ministry of Finance with monthly computer tapes of Guaranteed Income Supplement recipients since 1975 under a sharing agreement to administer the provincial Guaranteed Annual Income Supplement (GAINS).These agreements are allowed under the Old Age Security Act to administer social, income assistance and health insurance programs. However, the agreement stipulated that the information would be used only for GAINS. The following year it was amended to allow the Ontario Ministry of Revenue to share the information with the provincial health ministry to issue an OHIP card entitling seniors to free drugs. At some point, for convenience, HRDC began sending separate tapes to the Ministry of Finance for GAINS, and to the Ministry of Health for OHIP. Since the drug card was available to all seniors, the OHIP tape included all Old Age Security recipients, not just low-income seniors, and contained new fields including date of birth, sex, language, SIN, dates of any deaths, and the amounts of both OAS and any supplements received for the current year. No other income information was provided. Then, in January 1996, the Ontario Ministry of Finance asked HRDC whether the 1976 agreement would cover information sharing for the new income-linked drug plan. HRDC responded that the information could be used for the purposes specified in the original agreement.The Ontario Health Ministry concluded that the purpose was the same and used the OHIP tape to establish the drug benefit program. In August 1996, HRDC determined that the existing sharing agreement did not authorize the new use. A series of meetings ensued to consider a new agreement, then were suspended until the parties could agree specifically what information the province needed to administer the new program. It was evident that a new agreement would have been essential to launch an income-linked program had HRDC not been routinely sending OAS and GIS payments information to OHIP. Without this information, OHIP could not have determined definitively who met the income test. It was also evident that HRDC had been regularly disclosing unneeded benefit information and that seniors had not been told. Resolution of the complaints led HRDC to stop sending OAS information to the Ministry of Health, to rescind the 1976 sharing agreement allowing the Ontario Ministry of Finance to disclose information to the Ministry of Health, and to amend the OAS/GIS forms and explanatory material to make it clear to applicants that information is shared with the province. The complainants were particularly concerned about pharmacists knowing their income in order to bill the correct amount. Although pharmacies are not subject to federal (or indeed any) privacy law, the investigator asked a local pharmacist for a demonstration of the on-line billing system. This pharmacist registered all clients into his/her computer system. When a senior filled a prescription, the pharmacist identified the client, entered the flat $6.10 fee and the cost of the drug and transmitted the information to the ODBP data base. ODBP responded with confirmation of the amount the customer is to pay; either the full cost of the prescription, the $6.10 fee if the $100 limit has been reached, or the subsidized $2.00 fee. While the pharmacist can infer the senior's income from the fee charged, there is no disclosure of specific income. Revenue Canada shares some tax data for B.C. Family Bonus Financial information - particularly income tax data - is very sensitive. Any suspicion that Revenue Canada may be sharing tax information prompts complaints, even when the recipient is a provincial government. One Revenue Canada disclosure led a member of Parliament to complain on his own and a constituent's behalf. Revenue Canada was alleged to have shared individuals' income tax data with British Columbia to determine who was eligible for the B.C. Family Bonus. The plan, which is income linked, is designed to help low income families with child-rearing costs. B.C. residents are notified that they do not have to apply for the bonus "as it is sent automatically based on the family's yearly income tax return". Revenue Canada administers income tax for all provinces (except Quebec) under agreements between the provinces and the federal Department of Finance. It also administers the B.C. family bonus entirely, identifying qualifying families from family income and a pre-determined formula and mailing out the monthly cheques. It notifies the Department of Finance of the total amount which is then deducted from the provincial share of taxes remitted to the B.C. Department of Finance. Finally, Revenue Canada sends recipients' names and addresses to the B.C. government which, in turn, sends out notices to qualifying families so as to gain provincial visibility for the program. The limited sharing of information took place under an interim agreement while a permanent Memorandum of Understanding was being drafted. The Income Tax Act allows Revenue Canada to disclose taxpayer information to a province "to administer a law of a province for which it can collect taxes" and to officials "of a province entitled to receive a payment".The Privacy Act specifically allows this type of sharing "under an agreement or arrangement between the Government of Canada and the government of a province" (sub-section 8(2)(f)). As well, it allows disclosures permitted in any other Act of Parliament. The Commissioner concluded that the information sharing was permissable and the complaint not well-founded. Names and addresses not disclosed to mail order drug firms Late in 1995, personally addressed solicitations from a mail order pharmacy began arriving in the mailboxes of many public servants.The letters from MEDITrust or (in Quebec) La Pharmacie MARCEL Dubuc announced their agreement with the federal public service health care plan to supply prescription medications to members by mail. During the following weeks, 65 employees complained to the Commissioner that someone had disclosed their names, addresses and public service status to the companies - their suspicions focused on their individual employers. The investigation revealed that in August 1991, the National Joint Council (representing management and public service unions) recommended changes to the employees' health plan to make it self-insured. The Treasury Board (the public service employer) awarded the contract for the new plan to Mutual Life Assurance Company. In an attempt to control costs, the Council opted to use a mail order pharmacy to lower dispensing fees and medication prices. The successful bidders for the contract were MEDItrust and La Pharmacie MARCEL Dubuc. In order to inform members of the new service, the Council asked the pharmacies to provide literature and blank envelopes to Mutual Life and the public service unions. The unions then mailed the literature to their members, and Mutual Life to members who had submitted medical claims since it took over the plan. The Commissioner was satisfied that there had been no improper disclosure because employees' names and addresses were not given to the pharmacies. However, he was concerned that the old health plan contract contained no privacy protection clauses. With the contract under review again, he asked Treasury Board to incorporate clauses dealing with government control and individual access to the medical data. Over several months, while the investigator pursued the contract provisions with the Treasury Board, the Council began reviewing its support of the mail order pharmacy. In March 1997, the Council advised members that "only a small number of plan members chose to enrol" and thus the hoped-for savings had not materialized. Apparently the Council had not anticipated such a negative reaction to the use of mail order pharmacies. The plan was discontinued. Progress on the contract provisions was slow because Treasury Board staff were not convinced that privacy clauses were needed. As well, the new health plan provider, Sun Life Insurance Company of Canada, had not factored in any costs to put the clauses in place. Asked to review the proposed clauses the following summer, Office staff suggested that since Sun Life was a signatory to the Privacy Guidelines of the Canadian Life and Health Insurance Association, it use that model for the contract clauses. Ultimately, the contract signed in the fall of 1997 bound Sun Life to the Canadian Standards Association Privacy Code. The code gives individuals access to their plan records and limits disclosures of personal information to the employer (except for legal action, fraud or audit). Parks Canada plays nanny An Alberta woman complained to the Commissioner that Parks Canada (part of Canadian Heritage) had her supervisor monitor her comings and goings while she was on unpaid leave to care for her child. Notes on her whereabouts, including her visits to the supervisor's neighbour, a museum and a local gas station - and observing whether the child was with her - were found in the work diary of the woman's supervisor. Apparently a human resources manager had instructed the supervisor to record the details because the woman was a "problem employee". The information came to light in the department's response to a comprehensive and formal privacy request the woman filed at the privacy investigator's suggestion. Several earlier informal requests to see her personal files had not turned up several documents she believed existed. Why the woman's behaviour needed documenting was a puzzle. "Leave without pay" is granted under the public service collective agreement and cannot be refused. Employees' jobs are not kept open during this type of leave (they have priority for available jobs should they choose to return to work). Parks Canada maintained that since it had granted the woman "care and nurturing" leave, it was responsible for ensuring that she was indeed looking after her child - an extraordinary incursion into an employee's private life. There is no conceivable reason for an employer to be concerned with an employee's daily routine while on unpaid leave because there can be no "abuse" of the leave. Even surveillance of current paid employees would need to meet the most stringent tests - employers should have no right to dictate how employees live their private lives. The Commissioner described the diary entries as "a form of surveillance" which the department had no justification for conducting.The complaint was well-founded. The department agreed to remove and destroy the information in the administrative files as part of its resolution of the woman's grievance. However, officials resisted the Office's request to also remove the material from its privacy unit files, arguing that it should be kept for at least two years after the last administrative action which was resolving her complaint. This two year minimum is designed to allow individuals a reasonable time to access personal information in government records. Since the information should not have been collected, and the complainant has seen it and wanted it destroyed, the Commissioner urged the department to grant her request. The department eventually agreed and the Commissioner considered the matter resolved. Video surveillance "excessively intrusive" - and unjustified Of all the tools in an employer's arsenal, covert surveillance of its employees is surely one of the most intrusive and thus should meet the most rigorous tests. A complaint against the Immigration Refugee Board (IRB) illustrates. A lawyer representing a refugee applicant told the IRB that within hours of her client's in camera hearing, a third party told the refugee that her application had been approved. According to the refugee, the third party had been seen in the company of an IRB employee whom she described.The lawyer complained to IRB. Concerned about the leak of information and a possible internal source, Board security staff began an internal investigation. Security staff focused on the employee based on the refugee's description which appeared to match the employee - a clerk in one of the regional offices. IRB senior management approved the use of a camera which remained in place until a Public Works technician moved some ceiling tiles during routine maintenance and dislodged it in the employee's presence. IRB then removed it. The Commissioner concluded that the Board's evidence was insufficient to warrant such excessively intrusive surveillance; it amounted to hearsay and the employee's acquaintance with the third party. The investigator determined that security staff had never considered confronting or consulting the employee. As well, using a video camera (without audio capability) trained on the clerk's desk begs the question of what useful information it could possibly have captured. Presumably an employee leaking information would not do so in the middle of the employer's premises in full sight of everyone. And, without audio, the camera would not capture compromising phone calls. The Commissioner questioned the Board's resorting to covert surveillance on mere suspicion. "In my view, surveillance should only be carried out after conducting a thorough preliminary investigation that would lead an employer to have reasonable cause to suspect an employee of wrongdoing, and only after all other investigative techniques have been exhausted or considered to be ineffective" he wrote. He asked for the Board's representations. The Board responded, acknowledging that "in hindsight, an investigation by a law enforcement agency would have been preferable".The Board had apologized to the employee and drafted a policy to guide staff in any future incidents. While the Commissioner applauded the intent, he had several recommendations on the specifics. (See below.) The Commissioner concluded that although the Board had reason to be concerned about leaks, and an obligation to protect personal information, its investigation method was excessive given the dearth of evidence. He considered the complaint well-founded. Needed: A government policy on employee surveillance Not content to leave the matter there, the Commissioner wrote to the Treasury Board urging it to draft a government-wide policy on covert employee surveillance. As a foundation, he offered the recommendations made to IRB. His recommendations were both general - concerning any investigation of employees - and specific. Any policy on covert video surveillance should satisfy all the following requirements:
Using postcards risks immigration disclosures Like anyone else faced with workload volume and time limits, public servants look for faster and more efficient ways of doing business. All to the good providing individuals rights are respected. However, when the Canadian Consulate in Buffalo, N.Y. began acknowledging immigration applications on an open postcard rather than in a sealed envelope, a Toronto consultant complained that using postcards effectively disclosed that the person was an applicant. The investigator found that the Buffalo consulate was temporarily snowed under with 5000 immigration applications. The sudden influx was caused by applicants trying to have their cases locked in under old regulations before the new ones took effect on May 1, 1997.The Buffalo office is the only mission in the United States which can accept immigration applications. To acknowledge the applications quickly, the consulate had resorted to cards on the face of which appeared the applicant's name, file number and the notation that the individual's "application for permanent residence has been received". Citizenship and Immigration headquarters alerted both the Buffalo consulate and all missions abroad that open cards risk improper disclosures of personal information. The consulate switched back to sealed form letters and the complainant was satisfied. The complaint was considered resolved during investigation. CRTC refers cable billing complaints to industry council Many Canadians are under the impression that complaints aboutbroadcast content and cable billing are the turf of the Canadian Radio-Television & Telecommunications Commission (CRTC). Not so. The misunderstanding led a Toronto man to complain that the CRTC had improperly disclosed his complaint about a local cable supplier to the Cable Television Standards Council, and to the cable company. As part of its 1988 regulatory reform, the CRTC encouraged the broadcasting industry to assume responsibility for dealing with disputes over such issues as subliminal and sexist advertising, violence, content of children's programming and lotteries. The cable sector was also to deal with billing and service complaints. Broadcasting sectors were asked to develop industry standards and submit these for CRTC acceptance. Compliance with the standards and complaint resolution is overseen by industry councils for each sector - in the case of cable TV, the Cable Television Standards Council (CTSC). The man's complaint to the CRTC about billing irregularities and rude treatment by company staff was forwarded to the council which, in turn, sent it to the cable company. The company is required to respond in writing and, if its response is unsatisfactory, the complainant can take the matter to the council. Member cable companies are bound by council decisions. Given the new scheme, the disclosure allowed the company to respond and the council to see that the problems were resolved. The complaint was not well-founded. Although the man was satisfied with the investigator's explanations, he continued to be upset that neither the CRTC or the council had followed up with him. The CRTC considers billing arrangements a matter between subscriber and cable company and closed its file. New personnel numbers will end disclosure of SINs to union Another complaint about the ubiquitous number concerned Canada Post's disclosure of employees' SINs to the Canadian Union of Postal Workers (CUPW).The employee's union membership card displayed his SIN and it had also been given to an insurance company. The investigator established quickly that Canada Post had disclosed the information and was simply complying with the terms of its collective agreement with CUPW. Canada Post's payroll system uses SINs and the union argues that it needs to identify its members in the system. As well, members in good standing are covered by an insurance policy held by the union, and can buy additional coverage. Since administration of this coverage is also tied into the Canada Post payroll system, CUPW gives members' SINs to the insurance company. The Public Service Staff Relations Board has ruled on several occasions that employees' SINs must be provided to unions, despite the restrictions in the Privacy Act. Nevertheless, the Commissioner is concerned about the practice and encouraged the Department of Justice to appeal one of the cases. In the meantime, Canada Post is converting to a Human Resources Identification Number to replace the SIN. The conversion was on hold at that point as Canada Post prepared for the strike. Once completed, disclosures of SIN will end. Any question about union or insurance company use of the numbers is outside of the Commissioner's jurisdiction. Inquiries are all those calls and letters which do not fit the definition of "complaints" to the Privacy Commissioner. Inquiries can include requests for general information and publications about the act, complaints about organizations not covered by the Act - Crown corporations, provincial and municipal governments or the private sector and privacy issues beyond protecting personal information. This past year, the two inquiries officers handled 10,331 requests on everything from access to adoption records, to disclosure of credit and financial information, and use of surveillance cameras on street corners. Many calls dealt with questions surrounding the matching of Canada Customs' Travellers Declaration Cards with Employment Insurance data, some of them seeking advice on handling appearances before Boards of Referees and Umpires. While the Office cannot give legal advice to individuals caught up in the process, staff did provide callers copies of a letter setting out the Commissioner's position on the match. The mailing of the B.C. Benefits consent letter with its comprehensive collection statement (see page 82) flooded the telephone lines with calls, some of them seeking the federal commissioner's intervention to effectively "overrule" the provincial government. Of course, the federal commissioner has no jurisdiction in provincial matters and referred calls to both the provincial privacy commissioner and the caller's MLA. The Toronto Dominion Bank's new privacy brochure also moved many to call, objecting to the bank's requirement that customers opt out of its plans to share information with subsidiaries. Customers had until October 1997 to indicate their preference. No news meant the information would be shared. While privacy advocates prefer active over passive consent, opting out meets the consent test set out in the Canadian Bankers Association Privacy Code, and the Canadian Standards Association Code on which it is modelled. Inquiries officers have been enlisted in the Office's quest to deal with some matters quickly and informally, whenever possible. In one case an MP's office called to alert the Commissioner that Human Resources Centres in Newfoundland were asking EI claimants picking up cheques during the postal strike, to sign a receipt which listed all claimants and the amounts of the cheques. Everyone picking up a cheque could see who else was drawing EI and how much. The inquiries officer confirmed the story with HRDC staff and asked them to intervene quickly. Apparently the practice was confined to Newfoundland and the Windsor, Ontario area. HRDC headquarters staff alerted the regions which switched to individual receipts, the practice in the rest of the country. The problem was resolved the following day. The following table breaks down the inquiries into broad categories.
Origin of Completed Investigations
Top Ten Departments by Complaints Received
Completed Investigations by Grounds and ResultsDisposition
The Privacy Commissioner's main function is to investigate complaints stemming from alleged breaches to the Privacy Act. But the Commissioner does more: two other components of his mission are to be an effective privacy guardian on Parliament's behalf, and to be Parliament's and Canadians' window on privacy issues. These two roles demand that the Privacy Commissioner be able to give a professional assessment of the quality of the federal government's adherence to the Privacy Act, and his research and communications activities provide legislators and the general public with the facts necessary to make informed privacy judgments.These two responsibilities have now been merged in a single branch called Issues Management and Assessment/Fair Information Practices. In 1994, following a major overhaul of all government institutions, the Office's former Compliance Branch changed the way it did business. Its small staff could no longer afford to conduct traditional reactive audit and follow-up activities. A new branch was created to focus on monitoring new legislation and programs and providing active advice and guidance to federal agencies. These agencies were grouped into four main envelopes, each assigned to a portfolio leader. The past four years, however, have demanded further changes to enable the Commissioner to accomplish this part of his mission. Experience has taught portfolio leaders that not all agencies in their portfolios require equal attention. And major issues have recently surfaced in the federal government that require considerable involvement from portfolio leaders, often working as a team with one agency. A good example is the still-ongoing restructuring of all of Human Resources Development Canada activities. As manager and delivery agent of many social programs, the department has the most extensive personal information holdings in all of the federal government. It also relies heavily on application of state-of-the-art information technology. Reviewing its performance required a coordinated effort of all portfolio leaders, with input from policy and research staff. While the notion of portfolios remains useful, it can no longer be absolute; portfolio leaders will increasingly work on critical issues, whether confined to one agency or spread across government. As well, the Office relies on a handful of policy analysts and research staff to perform four other key activities: monitoring issues and developments in Canada and abroad, researching specific topics of interest or urgency, developing positions and policies on new legislation, programs and issues. The branch is also a critical component of the Commissioner's public communications efforts, offering presentations and speeches to federal agencies and businesses, doing media interviews, replying to inquiries, monitoring new legislation and preparing submissions to Parliamentary Committees and government agencies, and participating in joint projects involving public or private sector agencies. These activities may well have had the most public impact in the Office's 16 years of existence. But with the pace of societal and technological change accelerating in Canada and abroad, the Office must now step up and refocus its research and policy work. Our answer has been to merge portfolio and research/policy staff to help feed and support one another. Essentially all of this report's material not dealing with specific complaints or legal matters are the product of this unit.
The advent of "electronic commerce" virtually transforms the way we shop and do business. Electronic, or e-commerce, generally means the commercial transactions that take place between individuals and organizations over computer networks. Certainly, this new kind of commerce offers huge potential for businesses to reach new customers, and for customers to reach businesses. Although much of current e-commerce focusses on buying services - such as banking on-line - rather than products, governments and businesses around the world are actively engaged in establishing a framework for purchasing goods electronically. To help prepare Canada for the electronic marketplace, the federal government recently released two discussion papers; one dealing with protecting personal information in the private sector, and the other with encryption of electronic communications. Depite the initiatives, a lot of work remains to be done to protect the privacy of Canadians. Please see pages 11 and 60 for more detail on, and the Commissioner's response to, these initiatives. These discussion papers, and the initiatives they propose, are on a tight schedule. They form part of the federal government's preparation for the Organization for Economic Co-operation and Development (OECD) and Government of Canada Ministerial-level conference on electronic commerce to be held in Ottawa in October 1998. Thankfully, protecting privacy is on the conference agenda. Work is also underway to tailor the OECD's 1980 Privacy Guidelines to today's global networks. The OECD proposes presenting these guidelines to the Ottawa Conference in October for endorsement. OECD member countries seeking to build effective privacy protection should consider a more recent and forceful initiative than the old OECD guidelines that were developed before electronic commerce was ever contemplated. An excellent foundation could be the EU Directive on protecting personal information which, beginning in October 1998, will protect the privacy of over 350 million European citizens in both the public and private sectors. The federal government wants to be seen to be a world leader in electronic commerce, and understands that Canadians' trust in networks is fundamental to their participation. However, central to the interaction between information technology and the personal information it processes is the degree to which we respect each other as individuals. We know that technological change is making a shambles of the right to privacy. The measures the federal government has taken to date will be insufficient to protect privacy given the dangers that are inherent in electronic commerce. Consider one of the newest methods of collecting personal information - capturing data sent over the Internet. Any move we make and information we submit online feeds valuable information to a huge market for personal information. Without your knowledge, and certainly without seeking your consent, a record is kept of every screen on every Web site you visit. Collecting this so-called "clickstream" data allows others to gather information on all the services or products that you buy online. But this information could also be matched with your Web surfing habits to develop a very personal profile of your preferences and dislikes - a marketer's dream. A consensus seems to have formed that people should be forced to identify themselves when they want to buy something on a network. However, many of the face to face transactions that we now conduct are anonymous - a cash purchase, for example. Insisting that we reveal our identity to engage in electronic commerce would end a long history of anonymity and create new and more detailed trails of personal data that would chart our every move. The development of new services (see Internet - still no privacy, page 65) may well enhance users' privacy. However, it is difficult to evaluate their merit because thinking about privacy in electronic communications is still in its infancy. One thing is certain; Canadians must become better informed about how technologies can lead to the misuse of their personal information. Once we understand that organizations can choose to use technology responsibly or irresponsibly, then we can hold organizations' management - rather than the technology - accountable. In this age of computers, personal communications devices and global networks like the Internet, we rely heavily on a technology that is not secure. Anyone can access our data and our communications unless we take special steps. Fortunately, the technology also exists to prevent unauthorized access. Encryption transforms our voice communications, electronic mail, computer documents or fax communications into code during transmission and storage. Even if others gain access to the message, they cannot understand it without the proper code. Encryption provides an added benefit; it also allows us to confirm the identity of the sender, and that the communication has not been altered in transit. An encryption primer There are two main cryptographic methods. The first, "private key", uses the same code (or "key") both to transform information into meaningless strings of characters, and to undo the transformation. Both sender and receiver must protect their key. The second method,"public key", uses two keys working together: a public key which the sender uses to transform the information before sending it, and a secret key, known only to the recipient, which is used to decode the message. The secret key can unlock only the information transformed by its corresponding public key. This method is increasingly popular because it is much easier to use on a large scale. Publishing a public key is a one-time step, rather like publishing one's telephone number. Disclosing our private key to every person with whom we might want to communicate could become onerous and, once disclosed, the key could be beyond our control. The effectiveness of a cryptographic product relies on the length of the keys it uses, measured in "bits" (one letter or digit in a word or number is a bit). Cryptographic keys are mathematical formulas which can range from eight to over 2000 bits in length (most are between 40 and 128 bits).The higher the number of bits, the more secure the key because the longer it would take to decode. To illustrate, it would take less than four hours to decipher a 56-bit key using today's technology, but multi-million years to decode a 112-bit key! On the other hand... So cryptography may have solved the electronic security problems. But there, according to law enforcement officials, is the rub; if you can protect your communications by encrypting them, so can criminals. And if they cannot access and understand coded information, police argue, they cannot enforce the law effectively. Thus law enforcement officials want us to use cryptography only if they can have the keys to unlock the coded information.This proposal is not unique to Canada: police forces from many Western industrialized countries seek similar conditions, and have agreed (in the "Wassenaar Arrangement") to control the use of cryptography. In this instance, however, law enforcement interests run directly counter to the individual's privacy and to business interests. Few will want to use the Internet to send sensitive information such as a medical record, a credit card number or proprietary secrets if this information is not protected.The proposal is somewhat akin to requiring everyone to give local police the keys to our homes in case we might commit a crime in the future and they need to enter. The scope of this proposed access is unparalleled and moves us a step towards a police state. The proposal could also be counterproductive. Public knowledge that our electronic communications would be either unprotected or open to law enforcement interception could weaken public confidence and thus reduce the power and appeal of such projects as electronic commerce. With an evident need for a policy, and the debate raging, the federal government issued a discussion paper in February to consult Canadians. The government focused on the use of cryptography for electronic commerce, and sought comments in three policy areas: access to stored information, access to communications, and restrictions on the export of cryptography products using keys longer than 40 or 56 bits. The Privacy Commissioner's submission observed that "the broad interception and decryption capabilities sought by law enforcement agencies may not be the most appropriate solution to the problem of criminal activities, and may violate Canada's Charter of Rights and Freedoms. Indeed, law enforcement agencies have not proven that the interception and decryption capabilities they are seeking will lead to a decrease in criminal activities. "The onus is on government to demonstrate an overwhelming public interest before overriding our right to have private communications. The Commissioner also recommended that:
Treasury Board Secretariat Policy on the Use of Electronic Networks The federal government increasingly relies on electronic networks - the Internet and electronic mail systems, among them - to conduct its operations. Understandably, government is concerned that employees use these networks only for government business and not for unlawful or unacceptable purposes. In February 1998,Treasury Board Secretariat published its "Policy on the Use of Electronic Networks". Among the requirements the policy imposes is a duty for each organization's senior official to develop statements for employees indicating that unlawful activity is not permitted on these networks, and that certain other activities may be lawful but, nonetheless, unacceptable. We applaud the policy on this point, since these statements will help clarify the expectations of employers and the rights of employees. The policy allows an organization to refer suspected misuse of networks to an appropriate official for investigation under two conditions: if it receives a complaint; or if its routine analysis of electronic networks (which does not involve reading the content of electronic files or mail) leads it to suspect that a person is misusing the network. Investigation may involve special monitoring or reading of the contents of electronic mail and files. The policy also deals with government employees' expectation of privacy. It notes the Charter of Rights guarantees that give government employees a right to a reasonable expectation of privacy, even if the employees are using government computers. However, the policy seems to suggest that an employer can diminish that reasonable expectation of privacy by telling employees that monitoring will occur. This position seems to imply that simply telling employees that their electronic activities will be put under increased surveillance reduces the right to a reasonable expectation of privacy. If that were the case, then other types of highly intrusive employer surveillance - such as putting cameras in washrooms - might also be permitted simply by telling employees it would happen. Such an interpretation (we hope unintended by the Secretariat) could lead to the serious and arbitrary erosion of the privacy of government employees. We are not saying that surveillance of employees is never justified. However, we are deeply concerned about a policy that might see federal employers assuming a broad right to monitor the electronic activities of employees without specific justification. At a meeting with Treasury Board staff to discuss an earlier draft of the policy, we raised several points, including the following:
Treasury Board Secretariat did make some adjustments based on our recommendations. However, the final policy still contains excessive powers of intrusion. In particular, the Secretariat appears to have rejected our call to use the least intrusive measure first, moving to greater intrusion only if the less intrusive measures proves ineffective. The policy clearly contemplates monitoring the contents of e-mail and the Internet web sites visited, yet does not provide sufficient limits on when such intrusive measures can be used. In addition, the Secretariat appears to consider e-mail inherently less private than a telephone conversation, since the policy envisages monitoring e-mail without the consent of the sender or recipient. Monitoring of a telephone in this manner would be a criminal offence. Federal employees may not all be angels. Some, like their private sector counterparts, may not be entirely productive or honest in their dealings. However, that does not justify making all federal employees, most of whom can be trusted to act perfectly responsibly, the target of heavy handed monitoring. The 1995-96 Annual Report gave readers some tips on how to protect their privacy on electronic networks (Privacy in Cyberspace: a Surfer's Guide). Two years later, the Internet has become much more commercial (to the point that some governments are looking at ways to tax on-line purchases!), and privacy is at even greater risk.There are currently four main types of privacy invasions on the Internet: On the World Wide Web The biggest Internet privacy invasion is the collection of your personal information without your knowledge - information that can be used, rented or sold to on-line and other direct marketers. And this applies to both information about yourself and about your activities on the Web...
Web sites may also store some of this information on your own computer in the form of a "cookie" file. This allows the site to retrieve the information at your next visit, and "personalize" its greetings. However, you can instruct your computer to refuse such cookie files. As well, some municipalities and government institutions are increasingly interested in using the World Wide Web to post information for the general public. While the intended convenience is usually laudable, the end result can be disastrous. The cities of Victoria, B.C. and Aylmer, Québec (among others) had to remove sensitive financial information from the Web following the public outcry that ensued.While tax rolls are usually publicly available information, it is a quantum leap from a personal consultation of tax records at a local city hall to providing over 40 million computer users worldwide a person's address, property value, taxes owing and (in some jurisdictions) religious affiliation - all from the comfort of their homes. Similarly, Manitoba Telephone Systems had to remove billing information from the Web following protests by its subscribers. On the Usenet Participating in discussion groups on the Usenet can lead to a second, less well known privacy invasion. Every message you post to a discussion group is archived for others to search. Not only are your personal views on a given topic stored permanently, it is also possible to search the Usenet to find out which discussion groups you participate in, and thus determine your interests (DejaNews - the message archivist - does allow you to delete selected messages). Even worse, it is also possible to find out who is looking at a message at a given moment! Writing e-mail You will never hear it enough: e-mail on the Internet is as private and secure as a post card in the "snail mail". Everyone from your Internet provider staff to your correspondent's friends or colleagues can read your electronic message from the moment you click "SEND" on your computer. Unless you and your correspondent use encryption (see Can we keep a secret? page 60), avoid including sensitive information such as credit card numbers, vacation dates or medical information in your electronic messages. You could also use anonymous remailers which forward your message, and sometimes the reply, without including any personal information. Among others, you can find a good list of those remailers at our Web site. Another privacy invasion prompted by e-mail is junk electronic messages, better known as "spam". Once an on-line direct marketer gets hold of your e-mail address, you will find unsolicited electronic advertising in your mail box. Because junk e-mail is as much a nuisance as regular junk mail, and because it is costly to you (keeping you connected while you receive, read and delete the junk messages), most Internet Service Providers (ISPs) have devised ways to block spam from your e-mail box. Inquire! Hacking Hacking is the unauthorized access to computer systems and files. And the best electronic protections (such as "gateways" and "firewalls") can, and do, fail. Because the Internet is nothing more (and nothing less) than a worldwide electronic computer network, it is a hacker's paradise. Getting access to your ISP's file listing of all of its users' names and passwords would be a dream for a hacker who could then read, redirect, change or delete your e-mail without your knowledge. Some hackers prefer shopping and try to hack ISP or Web site files containing credit card numbers. Others are more interested in company or personal secrets and will look for interesting business or personal information they could resell or misuse. This is not just the stuff of movies: last year alone the best protected computers in the world; those of the Pentagon, the FBI and NASA were successfully hacked hundreds of times! And if you think your information is of little interest, think again: some hackers specialize in stealing enough information about you to impersonate you; ordering credit cards in your name, renting or buying in your name, holding a job in your name - leaving all the bills and income tax to pay (not to mention a reputation to rebuild) also all in your name! This is the growing problem of "identity theft" which is exacerbated by electronic transactions. Are there solutions to all of these privacy invasions? Aside from these tips, there is little to protect your privacy on the Internet. Laws would be of little use because laws change from one country to the next, and the Internet knows no borders. Codes of ethics (like the December 1996 Code of the Canadian Association of Internet Providers) are nice statements of intent but they are voluntary and useless if they are breached. Yet, two new solutions have recently appeared which could make a difference - if they work. The first is TRUSTe. Launched by a group of American companies and advocacy groups in June 1997, the program encourages Web sites to tell surfers about their privacy protection practices and what they do with the personal information they collect. Sites that subscribe to TRUSTe display the program logo or "trustmark" on their welcome page (and can be audited at random for compliance). Unfortunately, few sites have joined the program - by April 1998 it had attracted only 75 participants. Apparently one major factor in companies' hesitation is TRUSTe's sanctions for those which do not comply with the guidelines. However, businesses that are serious about gaining clients' trust by protecting their privacy in an electronic environment should embrace this attempt at self-regulation, rather than waiting for legislation to force them to comply. The second solution is the Platform for Privacy Preferences Project (or "P3P" for short). Begun in May 1997 by the consortium that oversees the development of the Web, the project allows surfers to specify their privacy protection preferences (through their browser), and Web sites their privacy protection practices. Surfers can then access compatible sites, and choose to either stay away from, or negotiate with, incompatible sites. P3P is still under development, however, and will not become fully operational for several months. Its future is uncertain, as is its popularity with Web site owners. When it comes to the Internet, the sad truth is that there still more money to be made by invading your privacy than by protecting it. Until that changes, beware! Privacy Forum - an Experiment in Electronic Democracy For those who missed it, the government's discussion paper on private sector legislation (see page 11) was made public January 24, and the window for comments closed on March 27! That left little time to get busy people from across the country involved in debating how the private sector should protect their personal information. But a coalition of public interest and consumer advocates from across Canada managed it.They mobilized at lightning speed to respond to the paper's call for comments by building an interactive web site and discussion group called the Privacy Forum. The project was spearheaded by the Media Awareness Network, the Public Interest Advocacy Centre, Canada's Coalition for Public Information, the Consumers' Association of Canada, the Fédération nationale des associations de consommateurs du Québec, the Ottawa Public Library, and Telecommunities Canada.This Office provided administrative support. The Web site contained background information on privacy issues and links to other relevant sites, as well as an online survey for Canadians to express their views on privacy protection. The Forum also hosted a discussion group to allow people to talk to one another about privacy issues. The purpose of the Forum's survey was not to gather scientific polling data but rather to determine people's responses to strongly worded statements about information privacy protection. The survey results revealed a strong consensus on several issues. One of the clearest messages - and one this Office heartily supports - is that respondents are dissatisfied with current information practices in the private sector. They expressed particular annoyance with telephone solicitations, junk mail, data trails and the general exchange and sale of personal information. While respondents were quick to acknowledge that the government has privacy laws, many expressed concern about how governments collect and use personal information. Survey respondents also voiced strong support for keeping control over their personal information and not being penalized by companies for refusing to provide it. In addition, respondents felt that the complaint process should be simple and it should have safeguards to ensure that companies are in compliance. Finally, virtually all respondents saw a need for education about privacy issues. Overall, the Privacy Forum web site was a great tool both to inform Canadians about privacy issues and to assess their responses. Hosted through a part of the Media Awareness Network's web site called the Privacy Pages, the Privacy Forum had links and background material to spare. And inform it did. More than half of the 266 survey respondents said the Privacy Forum had both increased their understanding of and - perhaps more importantly - changed their minds about, privacy issues. Now that's results. Who knows how many more people would have participated had there been more time; another 100 people completed the survey after the deadline had passed. This experiment in electronic democracy was a resounding success, all the more considering the tight deadline. The coalition's extraordinary effort to engage Canadians in the debate was one of the highlights of the whole exercise. A Privacy Playground for kids Making kids more informed Cybersurfers has been a priority of the Media Awareness Network since its launch in 1996. Now the Network has found a way to teach young children to protect their privacy on the Internet. In mid-May the Network released its Privacy Playground: the First Adventure of the Three Little CyberPigs game on CD-ROM. The game features the three little cyber-pigs and a big, bad cyber-wolf in interactive situations to teach children how to recognize invasive and deceptive online advertising, and the importance of not divulging personal information online. The Media Awareness privacy web site is also worth a visit for the largest Canadian collection of online educational materials on privacy. Looking forward to Private Eyes High school students have not been forgotten. Beginning this Fall they can participate in the Private Eyes Project which celebrates the 50th anniversary of the signing of the United Nations Universal Declaration of Human Rights. The Declaration recognizes the importance that privacy plays in protecting human rights. The project is the brainchild of the Human Rights Research and Education Centre at the University of Ottawa with generous support from the Royal Bank of Canada, Canadian Heritage department, Sheila Finestone, MP, former chairperson of the Standing Committee on Human Rights and the Status of Persons with Disabilities, as well as this Office. The Law Room site is part of Canada's SchoolNet. It provides site visitors with several scenarios which challenge us to weigh the evidence and draw our own conclusions about the value of protecting our personal information. An added bonus is the project's practical information about the process of Parliamentary committee hearings and intergovernmental negotiation. Students will be make practical use of the information this Fall when schools across Canada participate in the interactive unit of the project. Schools are invited to conduct their own mock parliamentary hearings on privacy rights in the next century and then publish their findings in the Law Room. The next step will be to discuss the issues in a national online forum, then selected schools will negotiate an intergovernmental agreement on privacy rights over the Internet. The agreement will then be submitted to participating schools for ratification. The entire Law Room site delivers high-quality educational materials on justice and human rights issues to teachers and students. Although designed for high school students, the site merits a visit from everyone who has questioned how technology is changing our lives, and how to balance technological progress and human values such as privacy. Links to both these sites are available through the Office's Web site. The Privacy Pages - Industry Canada's Online Commitment to Privacy Industry Canada's Task Force on Electronic Commerce has also developed a web site which both explains the need for privacy when conducting electronic transactions, and provides a "Privacy Toolkit" to help people protect their personal information. The toolkit provides information on Consumer Education, Codes of Practice, Legislation and Privacy-Enhancing Technologies and, of course, a link to the Discussion Paper on private sector legislation entitled The Protection of Personal Information: Building Canada's Information Economy and Society. You can link to Industry Canada's Privacy Pages on our Web site. Last year's annual report discussed at some length the DNA legislation that had just then been introduced in the House of Commons.The proposed DNA Identification Act sought to establish a DNA databank of samples taken from convicted offenders to help police identify those responsible for unsolved crimes.The bill was the second phase of the government's plan to regulate DNA testing as a tool to identify unknown offenders who leave traces of DNA at the crime scene. The first phase of the law allowed police to obtain a warrant to obtain DNA samples from suspects and was enacted in 1995. With the April 1997 general election, the databank bill died on the order paper. In September 1997 the government introduced almost identical legislation, Bill C-3, several aspects of which give cause for concern. In his March 1998, appearance before the Standing Committee on Justice and Human Rights, the Commissioner made several recommendations, among them:
We remain troubled by pressure from some groups and politicians to impose automatic forensic DNA testing on anyone charged with an indictable offence, which could include acts as relatively minor and non-violent as swearing a false affidavit. DNA would then be taken from most criminal suspects (since most Criminal Code offences are indictable) almost automatically, as are traditional fingerprints. The Department of Justice strongly opposed this attempt to expand the scope of DNA testing of suspects on constitutional grounds. We oppose expanded testing because it constitutes an excessive and unnecessary use of intrusive state powers that should be exercised only in tightly controlled situations, and only after a judge's warrant authorizes the intrusion. As this report goes to press, the bill had been withdrawn*. Position papers on both issues, compulsory collection of DNA samples from suspects in a specific crime, and establishment of a DNA database, are available from our office and at our Internet web site. * Erratum "bill C-3 has not been withdrawn. It is at third reading which should be completed when the house reconvenes in the Fall. We apoligize for the error." Canada Labour Code Bill C-19 This legislation governs labour relations in federally regulated industries such as banking, telecommunications and transportation. The Commissioner expressed reservations about a number of amendments to the code contained in Bill 66 in the previous Parliament.With the calling of the 1997 election, the bill died on the order paper. A slightly modified Bill (now C-19) was introduced in November 1997. In his appearance before the Parliamentary committee, the Commissioner highlighted two clauses which caused concern.The first, clause 50, states that unions will be able to communicate with off-site workers. Since this requires employers, and occasionally the Canada Labour Relations Board (CLRB), to provide the off-site workers' place of work, for many that meant disclosing their home addresses. Pointing out that most individuals have a high expectation of privacy at home, the Commissioner asked that the bill require workers' active consent to disclose a home address, rather than an opt out. Union membership is not compulsory and unions could canvass off-site workers at the employer's business address. For example, the Public Service Staff Relations Act requires federal government agencies to provide new employees with a union registration card which they can complete and return as they wish. Public service unions do not receive home addresses from the employer. The second clause (54) specifically prevents individuals from having access to their personal information contained in notes taken by appointees of the CLRB or the Minister without the appointees' consent. This appeared to provide the Board members, arbitrators or anyone assisting the Board with special relief from both the Privacy Act and the Access to Information Act. While boards and agencies may sometimes find it administratively inconvenient to operate under the openness provisions of both laws, they are "there to protect Canadians, not bureaucrats and appointees", the Commissioner told the committee. He urged the committee not to let individuals or institutions craft their own little set-asides and exemptions from laws such as the Privacy Act. Of greater immediacy, perhaps, was that this very issue is before the Courts. A man complained to the Commissioner of being denied access to personal information in the notes of the CLRB member who heard his case. The Board argues that members' notes are not under CLRB control. The Commissioner considered the complaint well founded and appealed the Board's continuing refusal to the Court. He urged the Committee to await the Court's ruling before proceeding on this amendment. As we go to press, the bill has received Royal Assent. The legislation now gives the Board the power to order employers to provide names and addresses of off-site workers to unions. The order must specify the method of communication, times of day and periods during which the communication is authorized and the conditions which must be met to safeguard the employees' privacy. If the Board considers that employees' privacy and safety cannot otherwise be protected, it may seek their consent for the disclosure. The weakness of this solution is that it acknowledges the privacy issue at stake, but resolves it by giving discretion to the Board to make the privacy determination for the employee. Parliament also rejected the recommendation to await the court's decision on access to Board members' notes. Not only may these be accessed only with the member's consent, the exemption is extended to anyone appointed by the minister and the Board to help in resolving complaints or issues in dispute before the Board. Canada Pension Plan Act Among extensive amendments to the Canada Pension Plan Act, were several dealing with access to, and disclosure of, individuals' personal information in pension files. In an effort to loosen the stringent protection provided this information by existing Canada Pension and Old Age Security legislation (which Human Resource Development Canada - HRDC - argued hampered its internal operations), it proposed substantially broader discretion for the Minister and greatly expanded permissible collection, uses and disclosures. The bill also contained a sort of truncated - and flawed - Privacy Act which appeared to hedge individuals access rights and built in no notification to the Privacy Commissioner for public interest disclosures. The greatest danger in this approach is that clauses dealing with disclosures of personal information in other acts of Parliament override the specific limitations in the Privacy Act. In short, in the interest of achieving greater flexibility in its own enabling legislation, the department risked gutting the Privacy Act. The Commissioner acknowledged that while that may not have been the intent, it was indeed the effect. He recommended HRDC require that any uses and disclosures be "consistent with" the original purpose for collection rather the blanket permission allowing the Minister to disclose "for the administration of another federal law, a provincial law or an activity". The Commissioner suggested the department consider the approach taken in the Income Tax Act which sets out the limited and specific disclosures allowed. The bill allowed similarly broad collection from federal and provincial governments, their public bodies and non-government bodies without any attempt to limit the collection to information relevant to administering the CPP, or even to any HRDC program. Following several meetings, and on the eve of the Commissioner's scheduled appearance before the Standing Committee on Finance, HRDC and Office staff negotiated several amendments. These included making it clear in law that individuals retain all existing Privacy Act rights, limiting sharing with federal institutions to those required to administer the CPP Act, removing references to provincial "activities" as legitimate for disclosures, and including specific references to non-HRDC programs which require CPP data to administer programs. Similar changes were made to the Old Age Security Act proposals. As in any negotiation, no-one got everything they wanted, but all got something they could live with.We commend HRDC staff for their sensitivity to their clients' privacy and their determination to do the drafting properly. Task Force on the Future of Financial Institutions The Task Force was created to examine the structure and policy issues surrounding the financial institutions and non-traditional providers of financial services. It is expected to report in September 1998. The Commissioner made his first submission to Parliament about protecting the privacy of customer records in 1992 when new legislation changed the whole regulatory scheme for financial institutions.The report discussed the privacy threats posed by newly permitted crossownership of financial services. These include sharing customers' personal information among affiliated institutions, as well as the technological capacity these institutions have to collect and assimilate the personal data and profile their customers. In this report and subsequent submissions to Parliamentary Committees, the Commissioner recommended the government act on its power to make regulations to protect customer records. In the meantime, financial institutions have entered yet another line of business processing other companies' data. The upshot of several committee hearings and reports was to write regulations requiring financial institutions to establish procedures governing the collection, retention, use and disclosure of customer information, to inform customers of these procedures, to appoint an internal officer to deal with complaints, and report annually on the complaints - all steps the industry had already taken. The Canadian Bankers Association has implemented the Canadian Standards Association Model Code and appointed an industry ombudsman. While this appears to be progress, two essential ingredients are missing: actionable rights and independent oversight. Nothing requires a financial institution to open its doors to independent arbitration or audit. Without these components there is merely a mirage of privacy protection. Six years labour seemed to have brought forth a mouse. Hope for effective privacy protection in financial institutions now rests on an effective law for the federally-regulated private sector, promised for the year 2000 (see page 11). Private Phone Directories: the End of the Saga As previous annual reports have demonstrated, subscribers' personal information as published in telephone company directories, is worth its weight in gold. But, happily, subscribers have won back some control over this information. Four years ago, independent directory publisher White Directories of Canada asked telephone companies for their customer databases in order to publish its own directories. The Canadian Radio-Television and Telecommunications Commission (CRTC) agreed on condition that subscribers' consent be sought.White Directories appealed the CRTC decision to the Governor-in-Council arguing that this could make White's directories less complete. The Governor-in-Council agreed with White but ordered the CRTC to examine the broad privacy protection of subscribers' personal information. In December 1996, the CRTC reported back to the Governor in Council, acknowledging the privacy problems and signalling its intent to hold public hearings on the whole issue of opting out of directory listings. Among the Commissioner's recommendations to last Fall's hearings was one suggesting that the CRTC examine the cost of being unlisted which - at more than five dollars monthly in some provinces was a deterrent to some who might otherwise choose to opt out. In its Order 98-109 (February 1998), the CRTC set a maximum monthly charge of two dollars for unlisted service and ordered telephone companies to allow subcribers to pay in installments any charges for changing their numbers. The CRTC rejected the Commissioner's other recommendations that unlisted service be free and, for the fourth time, that unlisted subscribers have automatic line blocking to prevent their number's display. This refusal means that unlisted subscribers must remember to dial *67 (or 1167 for rotary dials) every time they call. Although less than we hoped, this latest order may help reenforce subscribers' privacy by bringing unlisted charges within reach of more who may be interested. But don't let down your guard yet. Everyone should read carefully the introductory pages of the local telephone directory which explains the company's special services and how they affect privacy. Too few people take the time to learn about how to remove their names from paper directories, call display, electronic directories on Internet (such as Canada411) and lists sold to marketing companies. Ten minutes spent reading may help prevent some of those annoying carpet cleaning solicitations at dinnertime, or stem the tide of junk mail in our mailboxes. Permanent Electors Register Elections Canada continues to keep the Office abreast of its administration of the permanent voters' list. The list, created for the last federal election from a final enumeration, can be updated from citizenship and income tax databases with individual's consent, and from various provincial sources. The Elections Act also allows Elections Canada to enter agreements to share lists of local voters with provinces and municipalities to help them draw up lists for local elections - providing individual voters consent.These lists (minus names of those who did not consent) have already been given to several provinces and municipalities which have signed agreements with Elections Canada. Shortly after lists were given to the New Brunswick and Winnipeg governments, several voters wrote to Elections Canada to opt out. Since it was too late to remove the names from the federal list, Elections Canada asked both governments to remove the names from local lists if the federal list was their only source. Given that this was in itself a disclosure of personal information, but one that is consistent with individuals' exercising consent, Elections Canada also advised that it would amend its description of the bank in Info Source to make clear the possible disclosures. Elections Canada has assured the Commissioner that all future agreements will include clauses requiring other levels of government to comply with these requests (existing agreements will also be amended). On another note, the project to seek taxpayers' consent for updating the electoral list from their income tax files appears to have succeeded. Despite some early nervousness, about 81 per cent of taxfilers agreed to the transfer - an indication that informed consent does work. Incidents The Canadian Wheat Board alerted the Commissioner in early March 1998 that an MP and the Canadian Farm Enterprises Network had given the media a list containing exact salaries of all Board staff and members. The list included all staff, management and Governor-in-Council appointees - some 400 people. While the Privacy Act allows some information about employees to be released - specifically exempting it from the definition of "personal information" in the interest of public accountability - exact salaries are protected. Apparently the list was drawn up annually until 1996 to place new staff in the appropriate salary range according to their experience and qualifications, and the range of existing employees doing the same work. Senior management also used the list during annual performance reviews to ensure consistency across the organization. Access to the list was tightly controlled to two senior executives and their secretaries, the person who prepared the list and another who analysed it for reports to senior management, and the director general of personnel. The Board confirmed that the list in the hands of an MP and the Canadian Farm Enterprises Network is a copy of the original. Given the intense political debate in Western Canada over Board staff salaries and its mandate, the disclosure was likely the classic plain brown envelope leak. The Board has hired a private company to investigate and will keep the Office informed as investigation progresses. It will also provide a copy of the investigation report. The Commissioner agreed to await the outcome of that investigation but reserves the right to make his own inquiries. "Sharing agreements" become visible Virtually all privacy legislation contains clauses allowing governments to share information to administer or "enforce" various benefit programs. While some sharing is understandable, its extent is mushrooming. Much of it is virtually invisible to a public not regular readers of the Canada Gazette or other arcane government publications. And Info Source, the federal government's directory of personal information holdings, describes sharing in very general terms. Sharing is not confined to the federal government, of course. In fact, data is often shared among federal, provincial, municipal - and sometimes even international - governments. The Privacy Act allows sharing "under an agreement or arrangement" to administer or enforce any law or carry out a lawful investigation. These agreements do not require the individuals' consent and, although they oblige the government to advise the public, notice usually appears only in Info Source. Clear notification can have interesting consequences. A recent example is a provincial sharing agreement which, once spelled out for the public, unleashed a firestorm of criticism in British Columbia.When new legislation came into force in April 1997, the BC Ministries of Human Resources (MHR) and Education Skills and Training (MEST) wrote to those receiving Income Assistance,Youth Works and Disability benefits. The letter advised that recipients were "required to consent" to the ministries collecting information about them from various other organizations. The operative paragraph reads: "I give my permission to any person having such relevant information or documents to release them upon written or verbal request to employees of MHR or MEST. I understand examples include, but are not restricted to, information or documents from: Human Resources Development Canada, Workers Compensation Board, Insurance Corporation of British Columbia, British Columbia Student Assistance Program, Motor Vehicle Branch, British Columbia Assessment Authority, Registrar of Companies, Land Titles, Lottery Corporation of British Columbia, Vital Statistics, Old Age Security, Canada Pension Plan, federal, provincial or municipal government departments, and the Department of Citizenship and Immigration Canada, police, federal or state related aid agencies from the United States of America or any other country, Equifax, any bank, credit union, cheque cashing service or other financial institution, any landlord, and past, present or future employers of myself or my family members." A separate box authorized Revenue Canada to disclose "income tax returns and other taxpayer information". Astonishing as the list is, it may well be the first forthright description by any government of the scope of its information collection to police social programs. Collection on this scale would not have been possible without the advent of powerful information systems which match data from one system to another, usually by exchanging computer tapes. Shortly after the letters went out, the Office's telephones began ringing. Given the scope and the lack of specifics on what was to be collected from the federal departments - Human Resources Development Canada (HRDC) and Citizenship and Immigration (C&I), Office staff asked for details. HRDC reviewed the form and alerted its BC Region staff that "The form is not acceptable for the disclosure of information held by HRDC as it fails to provide sufficient facts to allow individuals to make an informed decision to consent or to refuse".The department will continue releasing specific information under a longstanding agreement with the MHR. Information is shared to ensure that applicants are not drawing both employment insurance and welfare, or that their benefits are adjusted accordingly. All the information is drawn from the (Un)employment Insurance Claim File, Record of Employment File and/or Benefit and Overpayment Master File. It includes name and last known address, Social Insurance Number, case identification and various details on when benefits were begun, the weekly rate, claim status and type, waiting period and previous occupation. HRDC may also provide other details "for investigative purposes" on "written request"; however, these disclosures require Headquarters' authorization. Any disclosures to MEST require the individual's consent. Citizenship and Immigration Public Rights staff faxed an advisory to its BC staff, reminding them to release personal data to MHR only in accordance with the 1997 Memorandum of Understanding. The memorandum sets out clearly what information may be released, how and when, and overrides any individual's signed consent form. The Office is investigating several formal complaints against Revenue Canada. Apparently the proposed collection was discussed with BC Information and Privacy Commissioner David Flaherty who reviewed the legislation and sharing agreements. Despite his concern, he had to conclude that the ministry had the "legislative authority to contact any agency that it considers necessary in order to verify eligibility for benefits". Dr. Flaherty was instrumental in having the application and consent forms spell out the details, thus making it "transparent". In a public statement (issued January 27, 1998), he observed "That data collection is sanctioned by law does not in any way lessen its negative privacy impact on those receiving benefits. However my power is effectively limited by the fact that the Legislature can invade personal privacy by law or regulation, if this is determined to be in the public interest". Several anti-poverty groups launched a legal action against the collection. In the face of the controversy, the MHR has revised the consent form, which is now an integral part of the application form, issued a fact sheet and a series of questions and answers on the benefits process for applicants. The sparse data matching activity in the past year has been limited to Human Resources Development Canada (HRDC).While other institutions sent out feelers, often in the form of general questions on the process, once the whole approval procedure is explained - detailed assessments, cost benefit analysis and submission to the Privacy Commissioner - departments realize that this is no trivial matter. Sometimes the enquiries indicate more a need to understand datamatching rather than an intent to undertake one.
This match, first described in last year's annual report, proposed running the list of those in default of their Canada Student Loans against the federal employee paylist. This would allow HRDC to identify those employees who have defaulted on loan repayment agreements and to recover any funds owed by an essentially captive audience. The Privacy Act clearly permits disclosures of personal data to locate someone who has been established as owing a debt to the Crown or to whom the Crown owes money. This is distinct from matching lists in order to determine who might owe a debt, as in the match of Customs traveller declarations and employment insurance claimants.This is an important distinction. Once the student loan program generated a list of defaulters and matched it with the government payroll, the Office's lingering concern was to ensure that recovering any debt not have negative impact on the employee at work. Unless it becomes necessary to garnish the employee's wages, the employer need not know that an employee has defaulted - it is a matter between employees and the Student Loan Program. HRDC explained that it would contact only one officer in the employing institution - the official in charge of the paylist. Collection officers would try to obtain the employee's home address and telephone number and then deal with the employee at home. If a satisfactory repayment plan can be worked out, the employer is not involved any further. Should garnishment prove necessary, arrangements will be made with the pay office, not the employee's supervisors. Alberta Disability Income Program and CPP Disability benefits This match compares the list of beneficiaries of the Canada Pension Plan (CPP) disability plan with those receiving payments from the Alberta Disability Income Program. Although currently limited to Alberta, HRDC is planning similar arrangements with the other provinces and territories. The initiative, on the back burner for the past two years, is partly a response to a comment in the 1996 Report of the Auditor General. That report cited a 1995 Statistics Canada study showing that 17 per cent of those receiving CPP disability benefits were also receiving provincial Workers' Compensation Board benefits. The Auditor General estimated that CPP could save $42 million annually by eliminating the duplicate payments. Curiously, this statement overlooks CPP's status as the first payer. Collateral benefits from the province do not usually affect entitlement to CPP disability benefits. This data match is more likely to produce savings for the Alberta program, not CPP. Alberta provides HRDC a list of those receiving payments from its program (part of the Workers Compensation plan). HRDC matches the information with its CPP disability payments database, creates a list of those appearing on both databases and gives it to Alberta. Although some individuals do legitimately receive benefits from both CPP disability and the Alberta program, many will find the Alberta payment reduced or eliminated. Only those suffering a prolonged disability will receive a CPP disability pension. In the interim, Alberta may pay the provincial disability benefit. Once CPP payments kick in, provincial benefits may be adjusted or terminated. Alberta may recover any overpayments and will almost certainly benefit by reducing program costs. HRDC stated that matching two income replacement/support programs - CPP Income Security and the Alberta program - is a "consistent use" of the CPP disability information. The Office accepts that using information about an individual receiving an income replacement pension to assess eligibility for, and amount of, collateral benefits can be considered a consistent use of the information. To ensure a consistent approach at both ends, Office staff discussed the match with the Alberta Information and Privacy Commissioner's office. That office had reviewed the match with the provincial ministry and decided not to intervene. However, if the match becomes routine, the Alberta commissioner will seek a clear statement on the provincial application form telling individuals that the information would be shared with CPP Income Security. We concluded that HRDC's agreement with Alberta is authorized by both the Canada Pension Plan Act and can be argued is consistent with the original use under the Privacy Act. However, two further steps need to be taken - particularly if the program is to be expanded to other provinces. HRDC should alert Treasury Board to the new match in the descriptions of its personal information banks in Info Source. And HRDC should inform applicants for CPP disability benefits that it will advise provincial income replacement programs of their CPP disability status and benefits. Notifying Old Age Security of claimants' deaths Another proposed match will use the Quebec Pension Plan (QPP) database to identify which federal Old Age Security claimants have died. Although HRDC's Income Security Program receives death information from the Quebec vital statistics agencies, the information is not in a standard format and often does not include the SIN. Identifying the correct individual can be difficult. In all other provinces, residents contribute to the Canada Pension Plan and a death notice to either the OAS or CPP program is communicated to the other. Even though Quebec administers its own plan, heirs and administrators of estates may assume that notifying QPP is sufficient to notify the federal program. This is not so and HRDC has many examples of cheques continuing to be paid after the beneficiary's death. The match is not yet underway; HRDC is in the final stages of drawing up a data sharing agreement with the Québec Régie des rentes which administers the QPP. Sharing names of OAS claimants and QPP recipients A somewhat related match would allow HRDC and QPP to match information about QPP recipients and applicants for Old Age Security, Guaranteed Income Supplement and the Spousal Allowance. Since the federal programs are linked to income, failing to declare income from QPP could give some applicants more than their entitlement. HRDC ran pilot studies in 1994 and 1996 using the CPP database which identified significant overpayments of the federal benefits to applicants who had misstated or not declared their CPP income. HRDC has no reason to believe that the situation would be any different in Québec but, since it does not have access to QPP data, cannot check. The match was under consideration at the end of the reporting year. Reference to the Federal Court by the Privacy Commissioner of Canada and the Attorney General of Canada Last year's annual report signalled our intention to seek the Court's guidance on the legality of government matching of returning travellers' Customs declarations with the Employment Insurance database. The case has now been filed. The Court will be asked two questions.The first is whether the Customs Act overrides government's obligation in the Privacy Act to use personal information only for the purpose for which it is collected, unless the individual consents. The second asks whether searching every returning traveller on suspicion of defrauding Employment Insurance offends the "reasonable search and seizure" provision of the Canadian Charter of Rights and Freedoms. The Office had accepted a pilot project in order for Human Resources Development Canada (HRDC) to gather data for a formal data matching proposal to the Commissioner (required by Treasury Board guidelines).When HRDC moved to implement the project before his review was completed (and without his suggested safeguards), the Commissioner sought legal advice. The Court will be asked to consider the relationship between the Customs Act and the Privacy Act by way of a stated case (a statement of facts on which both the Privacy Commissioner and the government agree) under section 17(3) of the Federal Court Act. The question of whether the match offends the Charter is expected to be heard through an appeal of a complainant's case to an umpire under the Employment Insurance Act. The Court is expected to consider the matters this Fall. Robert Lavigne v. The Office of the Commissioner of Official Languages The Privacy Commissioner intervened in this application to support Mr. Lavigne's request for access to his personal information. Mr. Lavigne wanted to examine certain witness statements and interview notes contained in the investigative files the Office of the Commissioner of Official Languages compiled while looking into his complaint against Human Resources Development Canada. Official Languages refused access, arguing that disclosure of this information would harm its enforcement of the Official Languages Act (an exemption permitted by s. 22(1)(b) of the Privacy Act). Official Languages had relied on provisions in its own legislation - the Official Languages Act - which deal with the confidentiality of information obtained during an investigation. At issue is the proper interpretation of s. 22(1)(b) of the Privacy Act and whether the right in the Privacy Act to see what others have said about you overrides the confidentiality of investigations under the Official Languages Act. The case will be heard on October 5, 1998. Privacy Commissioner v. Immigration and Refugee Board The Privacy Commissioner launched this application with the consent of an individual seeking access to his personal information contained in interview notes. An investigator, hired by the Board to conduct an internal review of several leaks to the media, had interviewed a number of employees and promised them confidentiality. The Board refused to provide the information to the individual, citing s. 22(1)(b) of the Privacy Act (see above).The Board argued that providing access would impede its ability to conduct similar investigations in the future. In his reasons for judgement released on December 24, 1997, Mr. Justice Richard concluded that the Board "did not have reasonable grounds to withold disclosure of the records sought in this case". He held that the Board's claim of injury was "speculative" and there was "no evidence of probable harm to any investigation that has been undertaken or is about to be undertaken". He concluded that "one cannot refuse to disclose information under s. 22(1)(b) on the basis that the disclosure will have a chilling effect on possible future investigations". He ordered the Board to give the individual the personal information at issue.
In the Beginning Despite the lack of a specific right to privacy in the Canadian Charter of Rights and Freedoms, Canada's highest Court has recognized privacy as a constitutionally protected or Charter value almost from the beginning. Several provisions in the Canadian Charter protect privacy values: section 2 protects individuals' abilities to decide personal beliefs and opinions; section 10, the right to legal counsel; sections 11 and 13, the right against self-incrimination. These rights protect informational privacy by controlling the way information is collected and used. Section 7 provides a right not to be deprived of life, liberty and security of the person, except in accordance with the principles of fundamental justice. This is at least suggestive of privacy protection. But it is section 8 of the Charter - the protection against unreasonable search and seizure - which has been the most valuable for privacy advocates. It's worth examining some Supreme Court of Canada decisions because they can provide tools for advancing privacy as human right. Some Key Cases In Hunter v. Southam Inc. 1 , the Supreme Court stated that a major purpose of the constitutional protection against unreasonable search and seizure under section 8 of the Charter of Rights and Freedoms was the protection of the privacy of the individual. The case involved a constitutional challenge to a search conducted under the Combines Investigation Act. The Court concluded that to assess the constitutionality of a search, it must focus on the search's reasonableness or unreasonableness in terms of its impact on the individual and not simply on its rationality in furthering a valid government objective. Mr. Justice Dickson of the Supreme Court advanced in this case for the first time the notion of "reasonable expectation of privacy" as a standard against which government action should be scrutinized. He made it clear that the expectation of privacy was at the forefront of any s. 8 Charter analysis. He said: "The guarantee of security from unreasonable search and seizure only protects a reasonable expectation.This limitation on the right guaranteed by s. 8 whether it is expressed negatively as freedom from 'unreasonable' search and seizure, or positively as an entitlement to a 'reasonable' expectation of privacy, indicates that an assessment must be made as to whether in a particular situation the public's interest in being left alone by government must give way to the government's interest in intruding on the individual's privacy in order to advance its goals, notably those of law enforcement". The notion of reasonable expectation of privacy deserves some examination. There is no definition by the Court (or of course, in the Charter). Rather, it is to be determined on the basis of the totality of the circumstances. The American Courts have suggested some guide-lines as follows: "(i) presence at the time of the search; (ii) possession or control of the property or place searched; (iii) ownership of the property or place; (iv) historical use of the property or item; (v) the ability to regulate access, including the right to admit or exclude others from the place; (vi) the existence of a subjective expectation of privacy; and (vii) the objective reasonableness of the expectation."2 These factors are not particularly protective of privacy. The Canadian Court has tended to be more flexible in its approach to what constitutes an unreasonable invasion of privacy. It has found that a person's expectation of privacy is very high in one's own home (but lower in someone else's home) and not so very high in the workplace3; high in hair and saliva samples and teeth impressions but not in the mucous thrown away on a tissue4; higher in private phone calls than pay phone calls5 and high in private records such as medical or therapeutic records, school records, private diaries6. The driver of a vehicle has more expectation of privacy than a passenger and the expectation is higher in a tagged suitcase than a plain garbage bag.7 In R. v. Stewart 8, a union seeking to organize hotel employees hired Mr. Stewart to obtain their names, addresses and telephone numbers. Mr. Stewart contacted the hotel security guard and offered to purchase the information. The guard refused, knowing he was not authorized to access that information through the hotel records and that the hotel had previously refused to give the information to the union. Mr. Stewart was charged with counselling to commit fraud and theft. After an acquittal at trial, the Court of Appeal entered a conviction on the charge. The Supreme Court allowed the appeal on the basis that confidential information does not qualify as property, at least for the purposes of the Criminal Code and that Mr. Stewart's conduct did not amount to fraud as it did not involve a risk of economic loss amounting to deprivation. (But that's not the important part.) Cory J.A., as he then was, suggested that information and its collection, collation and interpretation are so vital to modern enterprises that it may be considered their most valuable asset. He then concluded that the confidential or private nature of the information is exactly what gives it its proprietary interest. Picking up on that theme, Mr. Justice Lamer, (now Chief Justice) acknowledged that, "... given recent technological developments, confidential information, and in some instances, information of a commercial value, is in need of some protection" but he considered that this was best left to Parliament. Some six months later, Mr. Justice Lamer had an opportunity to revisit these notions in R. v. Dyment 9. In that case, decided before amendments to the Criminal Code dealing with blood samples, a doctor drew a blood sample from an emergency patient without his consent or knowledge in order to provide medical treatment and later gave it to a police officer for his investigation.The sample was used to secure a conviction of impaired driving. Mr. Justice Lamer found that the blood was held by the doctor subject to a duty to respect the patient's privacy; and Mr. Justice La Forest found that the officer breached the respondent's privacy interests in the sample and so effected a seizure within the meaning of section 8 of the Charter of Rights. This case is often cited for identifying the three types of privacy: physical, territorial and informational. Actually, as the Court pointed out, these categories were first identified in a 1972 joint study by the Federal Department of Justice and the Department of Communications.The Court accepted that the notion of privacy derives from the assumption that all information about a person is in a fundamental way, his own. Two years later, in R. v. Duarte 10, Mr. Justice La Forest had occasion to review the police practice of "consent surveillance" i.e. electronic surveillance without a court authorization where one of the parties to a conversation, an undercover police officer, surreptitiously records it. He reinforced the precept that the Charter standard for privacy is set at a "reasonable expectation of privacy" and that the particular police practice of audio-surveillance failed to meet that standard. That same year, Mr. Justice LaForest wrote the majority reasons in a case involving unauthorized videotape surveillance of a hotel room. In R. v.Wong 11, he again stressed the need to interpret the individual's reasonable expectation of privacy in light of the social importance of privacy. In other words, the question should always be framed in a neutral manner: whether in a society such as ours, persons who retire to a hotel room and close the door have a reasonable expectation of privacy. He considered that the Court must examine the reasonable expectation in the context of a free and democratic society - i.e. without reference to any illegal activity of the particular person. Mr. Justice Sopinka and Mr. Justice Lamer considered that the Court must evaluate the expectation in light of what a reasonable person placed in those circumstances could expect. For example, in R. v. Plant 12, Mr. Justice Sopinka wrote the Court's majority judgment examining the individual's privacy interest in computerized utility records. In this case, Calgary Police received a tip that an individual was growing marijuana in his house. They searched his electricity records held in the computer of the city's utility commission, using a remote terminal in the police station with a password supplied by the utility. They discovered that the house used four times the average amount of electricity - but typical use for a marijuana operation. Eventually, the owner was charged and convicted.The matter went to the Supreme Court where it was argued that the warrantless search of the owner's computerized records violated his reasonable expectation of privacy under section 8 of the Charter. The Supreme Court rejected the claim. Justice Sopinka set out five factors for applying the reasonable expectation test: one must consider the nature of the information itself, the nature of the relationship between the party releasing the information and the party claiming its confidentiality, the place where the information was obtained, the manner in which it was obtained, and the seriousness of the crime being investigated. These factors, he felt, would properly allow for a balancing of the societal interest in protecting individual dignity, integrity and autonomy with effective law enforcement. Under the last factor, he concluded that the seriousness of the accused's offence in this case suggested that the accused could not reasonably have a privacy interest which out-weighed the state's interest in law enforcement. In a short but powerful dissent, Madame Justice McLachlin disagreed with the conclusion that police were free to search the database without a warrant. The proper question for her was whether the evidence disclosed a reasonable expectation that the information would be kept in confidence and used only for the purpose for which it was given. Electricity records, she said, were "close to the line" but they deserved protection because they could reveal information about the individual's private life. She writes in her judgment: "The records are capable of telling much about one's personal lifestyle, such as how many people lived in the house and what sort of activities were probably taking place there. The records tell a story about what is happening inside a private dwelling, the most private of all places. I think the reasonable person looking at these facts would conclude that the records should be used only for the purpose for which they were made - the delivery and billing for electricity - and not to be divulged to strangers without proper legal authorization." In a September 1997 speech entitled "Freedom of Speech and Privacy in the Information Age", Mr. Justice Sopinka spoke of his approach in the Plant case: "In that case, we had to consider whether it was constitutionally permissible for the police to use its computer records of the electrical consumption at a specified address in order to determine whether or not it was likely that marijuana was being grown at the house, since this is often characterized by a higher than normal consumption of electricity. I observed that the 'Charter should seek to protect a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state'. It could be said that information revealing a pattern of electricity consumption would fall into such a category. However, each case must be decided on its own facts, carefully analyzing the extent to which respect for one's personal privacy and dignity has been violated." Justice La Forest has occasionally pursued privacy protection much further than the rest of the Court. In Edmonton Journal v. Alta (A.G.)13, the Court examined the rights of individuals to protect their privacy against the right of newspapers to report on court proceedings. At issue was a provision of the Alberta Judicature Act which limited the publication of information relating to matrimonial cases. In his dissent, Justice La Forest concluded that, although freedom of expression and the need for open courts are important interests, the general publication of details of private family cases serves insufficient public interest and the limitation should stand. Most interestingly, in this case, it was recognized that the privacy of individuals is not only threatened by the interference of government but also by other powerful entities, such as the media, against which an individual is powerless. More recently, the Court has extended the notion of privacy into that of reputation, perhaps opening the door to successful claims in damages for invasion of privacy. In Morris Manning and Church of Scientology of Toronto14, Mr. Justice Cory stated: "..... reputation is intimately related to the right to privacy which has been accorded constitutional protection. As La Forest J. wrote in R. v. Dyment,'privacy, including informational privacy, is [g]rounded in man's physical and moral autonomy and is essential for the well-being of the individual'. The publication of defamatory comments constitutes an invasion of the individual's personal privacy and is an affront to that person's dignity.The protection of a person's reputation is indeed worthy of protection in our democratic society ..." For the Future This notion that the Charter is concerned not only with protecting property but also protecting privacy could be an extremely valuable one. Speaking before the Canadian Human Rights foundation in 1990, Mr. Justice LaForest suggested that "it is with the adoption of section 8 of the Charter that a privacy doctrine has truly developed". However, as Mr. Justice Sopinka has more recently re-iterated on the subject, "... It [the Charter] only applies to government action. Given that much of the world of electronic communication is controlled privately, without any government regulation, the Charter may be an ineffective tool ..." Several cases could advance to the Supreme Court in which privacy will face off against, not only the historically competing interests like law enforcement, but also those of judicial independence and governance issues. These will test the waters because they raise two interests which the Court has consistently protected. For example, there is what one privacy commissioner describes as a "high technology search and seizure" case. Last year's annual report dealt with the case of the Customs E-311 computer data match. Human Resources Development Canada is matching the Employment Insurance data base with that of returning air travellers custom declarations.The "hit" shows who of these millions of flyers has been receiving employment insurance payments, possibly undeservedly. The match offends fundamental privacy principles by taking information given by Canadians for one purpose and, without their consent, using it for a very different purpose. It also violates privacy more fundamentally in that it fails to recognize the right of millions of innocent Canadians to be left alone by their government if they have done nothing wrong. The Privacy Commissioner considers the program violates s. 8 of the Charter in that it erodes Canadians' reasonable expectation of privacy and therefore constitutes an unreasonable search and seizure of personal information. At time of writing, he expects, after months of complex negotiation with the Attorney General, to have the matter before the first level of courts in the Fall of 1998. 1. Hunter et al v. Southam Inc. [1984] 2 S.C.R. 145
The following highlights events in the provinces and territories since our last annual report. For a summary of the legal privacy protection in place in each jurisdiction, please check our Web site or call the Office. Parliament extended Privacy Commissioner Bruce Phillips' term until May 2000. The federal government conducted public consultations on a proposed privacy protection law that would apply to the federally- regulated private sector (see page 11). Alberta renewed Information and Privacy Commissioner Bob Clark's appointment until 2002. As well, the provincial government will extend its Freedom of Information and Privacy Act to school boards (effective September 1, 1998), health care bodies (October 1, 1998), universities and colleges (January 4, 1999) and municipal governments and police commissions (October 1, 1999).The government's Health Information Steering Committee, struck by the minister of health, is expected to report in July on a health information act to replace the bill tabled and withdrawn last year. The bill is expected to be debated in the Assembly in February 1999. Finally, the Freedom of Information and Protection of Privacy Act will undergo its statutory three-year review this summer. The British Columbia College of Physicians and Surgeons, the B.C. Medical Association and the provincial Information and Privacy Commissioner jointly developed a Privacy Code that now protects the confidentiality of personal information held in a doctor's private office. And following an outcry over the intrusiveness of a provincial ministry of human resources consent form, the Commissioner's office reviewed and advised on a replacement form and pamphlet (see page 82).The Commissioner's office also reviewed a College of Pharmacists' audit and inspection reports on use of Pharmanet, the province's on-line drug prescription and billing system. Manitoba adopted two new laws to protect Manitobans' privacy. The new Freedom of Information and Protection of Privacy Act, proclaimed in May 1998, replaces the 1988 Freedom of Information Act and expands provincial residents' privacy rights to include controls on government bodies' collection, use and disclosure of their personal data. As well, effective December 1997, the Personal Health Information Act (the first such law in Canada), regulates the collection, use and disclosure of medical records. Both laws are overseen by provincial Ombudsman Barry Tuckett who has appointed former provincial archivist Peter Bower as executive director of the office's new Freedom of Information and Protection of Privacy Division. New Brunswick passed its new Protection of Personal Information Act February 1998 (the law is not yet in force).The new Act applies to the provincial public sector and is the first in Canada based on the Canadian Standards Association's Model Privacy Code. Responsibility for oversight was given to the provincial Ombudsman. In addition, the provincial justice minister announced his intention to "present a discussion paper soon considering the possible extension of privacy legislation to the private sector". Public consultations are scheduled to take place in the summer of 1998. Despite calls for revamping the provincial Privacy Act (a tort law), Newfoundland and Labrador have made only minor amendments to that statute, and to the province's Freedom of Information Act, dealing with the disclosure of a person's criminal history. Several Ontario initiatives will have an impact on individuals' privacy. Students will now be assigned a unique ID number which will be used in place of their names to allow the Ministry of Education to track them throughout their schooling. New regulations will now impose certain restrictions on the search powers which currently allow social workers to search a welfare recipient's house to verify eligibility. And social assistance recipients must now be identified using a biometric identifier - a digitized fingerprint.The provincial government is also working on a proposed Personal Health Information Protection Act that would regulate the collection, use and disclosure of medical information, which the government announced would pave the way to equip every Ontarian with a smart health card. The bill may be tabled in 1998. And finally, the Legislature appointed former Assistant Privacy Commissioner Ann Cavoukian to replace outgoing Information and Privacy Commissioner Tom Wright who completed his term in April 1997. Prince Edward Island remains the only province without privacy legislation. However, the government tabled a proposed Freedom of Information and Protection of Privacy Act (Bill 81) in November 1997, which awaits second reading in the Legislature. In the Fall of 1997, Québec's National Assembly conducted public consultations on amendments to the province's two key privacy protection statutes; the 16-year old law governing the public sector, and the five-year old law regulating private business. The National Assembly also tabled its final report on a provincial identity or multi-purpose card, recommending that no card be developed now for lack of a demonstrated need. However, it suggested that the government might consider an optional identification card for those wanting one. The provincial Privacy Commission embarked on a thorough review of the security and confidentiality mechanisms protecting provincial government databases in reaction to the well-publicized improper sale of Quebecers' personal information by civil servants (who were later fired). As well, the Commission continues seeking controls on the extraordinary powers given to the provincial revenue ministry which, to wage its war against tax fraud, has been armed with the unchallenged right to access any personal information held by any public sector agency. The Privacy and Information Commissioners share premises and administrative services while operating separately under their statutory authorities. These shared services - finance, personnel, information technology and general administration - are centralized in Corporate Management Branch to avoid duplication of effort and to save money for both government and the programs. The Branch has just 14 staff and a budget representing 14 per cent of total program expenditures. Resource Information The Offices' total budget for the 1997-98 fiscal year was $6,616,000. Actual expenditures for 1997-98 were $6,440,099 of which, personnel costs of $5,308,203 and professional and special services expenditures of $695,181 accounted for more that 93 per cent of all expenditures. The remaining $436,715 covered all other expenditures including postage, telephone, office equipment and supplies. Expenditure details are reflected in Figure 1 (resources by organization/ activity) and Figure 2 (details by object of expenditure).
Figure 2 Details by Object of Expenditure
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||
Date published: 2003-11-06 |
 |
Important Notices | ||
