|
|
|
|
|
|
|
|
|
|
|
|
|
|
Annual Report
|
|
These are challenging times for the Office. For one thing, the task of protecting privacy has never been more arduous, what with new private sector legislation, a wide array of proposed anti-terrorist and security measures, and the increasing availability and sophistication of privacy-invasive technologies.
To complicate matters, the Office has undergone a period of intense public scrutiny and organizational disruption. The House of Commons Committee on Government Operations and Estimates conducted an inquiry into operational and administrative issues in the Office, and uncovered a number of serious problems. As important and necessary as this exercise of Parliamentary oversight is, there is no denying that it, along with the accompanying media attention, has made it difficult for staff of the Office to conduct their work effectively.
I accepted the position of Privacy Commissioner on an interim basis in order to lead the Office through the process of rebuilding itself and repairing its relationship with Parliament and Canadians. Our task now is to regain the confidence of Parliament and our stakeholders, demonstrate to Canadians that they will receive top-level service in protection of their privacy rights, and ensure that organizations understand their obligations, and citizens their rights, when the Personal Information Protection and Electronic Documents Act comes fully into effect on January 1, 2004.
I have been impressed by the commitment of the Office's staff, and look forward to working with them in this exciting time. I am confident that from this period of renewal will emerge a new enthusiasm for the cause of privacy and a centre of excellence for its protection and promotion.
OverviewFor one thing, privacy in our society has been in some danger. This of course is nothing new; privacy has never been something that we can take for granted, and particularly since the advent of computerization it has required active effort to preserve it. But if the danger to privacy is not new, it is intensified. The forces that have ground away at privacy for the last decade-technological advances in the collection, processing, matching, and analysis of personal information, growing pressure to identify and authenticate parties to electronic transactions, and the drive for security from crime and terrorism-have been particularly powerful in the last year.
Public security measures against crime and terrorism have certainly been the most acute and obvious challenge. They also present the most obvious challenge to privacy advocates and Privacy Commissioners, who must walk a fine line between protecting privacy and making life easier for criminals and terrorists.
But in fact the other forces threatening privacy are no less challenging, and arguing for privacy in the face of them often requires walking similar fine lines. Data matching catches people defrauding the system. Identity cards can make it harder for someone to fraudulently use your credit card. Electronic health records can facilitate diagnosis and treatment, and prevent costly or deadly medical mistakes. Giving researchers access to our personal health information can enable research that can prolong life and reduce suffering.
No one would argue with the goals of these measures. But privacy is not simply a frill or a selfish extravagance that can be tossed away the moment someone claims that it inhibits some other valuable social goal-regardless of whether the goal is security or public health or even individual life or death. Privacy is a cornerstone of individual freedom. It exists in a dynamic balance with our other social needs. The key to preserving privacy is careful analysis of any measure that purports to bring us some other social benefit, to ensure that the balance is maintained.
The results of our work in the past year have been mixed. We have continued to manage a large caseload of complaints and ensure that Canadians enjoy full protection of their rights under the Privacy Act and the Personal Information Protection and Electronic Documents Act. On more general questions of promoting and protecting privacy, we have made some important advances. We have also had some setbacks, and, on a couple of fronts, we have been forced to rethink our approach.
The Office achieved a successful outcome when it spoke up about the Canada Customs and Revenue Agency's proposed database about airline passengers.
This database, as initially proposed, was to contain extensive information on the foreign travel activities of Canadians-where and with whom they travel, how they paid for their tickets, their contact addresses and telephone numbers, even their dietary and health-related requirements. The information would have been retained for seven years, and would have been available for a wide range of administrative and law enforcement purposes.
The impact of this would have been enormous, and unprecedented. The ordinary travel activities of law-abiding people, activities that previously would have passed unnoticed unless there were some reasonable grounds to suspect them, would have been recorded and retained, attached to their names. It would be one more loss of anonymity and privacy, one more way in which innocent people would be identified, tagged, and monitored by the state-in short, one more infringement of the right to privacy.
Our staff analyzed this proposal and concluded that the supposed security benefits to be gained did not justify the infringement of privacy that it represented. Our opposition, supported by public opinion, eventually led the Minister of National Revenue to revise the initiative, significantly reducing the impact on privacy.
One successful outcome does not make a great year. We continue to have concerns about other security initiatives, such as the provisions of the proposed Public Safety Act allowing the police to scan all airline passengers against outstanding arrest warrants, the "Lawful Access" proposals to enhance state powers to monitor electronic communications, the proposal for a national identification card, and the growth of police video surveillance of public streets.
One long-running dispute, about the confidentiality of census returns, appears headed for resolution in a manner that runs directly counter to the recommendations of our Office.
Canadians have been told at least since 1905 that the information they reveal in censuses will be held in confidence and only used for statistical purposes. The Privacy Act actually allows the National Archives to disclose personal information collected in a census, 92 years after the information was collected. This remained largely academic until recently, because the only census records under the control of the Archives were those few that had been conducted up until 1901. Census officials took the view that, beginning with the 1906 census, regulations and legislation required them to keep the returns confidential rather than transfer them to the Archives.
Historians and other researchers have long sought access to these documents, and this year the government, following the recommendations of an expert panel but over our objections, released the 1906 census records and introduced legislation to allow the release of the rest.
Our Office had supported a compromise that would have limited access to the returns to scholars conducting peer-reviewed historical research and individuals wishing to conduct genealogical research on their own families. The government rejected this.
Our concern is with the repeated promises of confidentiality. Canadians were asked to reveal personal information to census-takers, and were led to believe that it would be kept confidential. Violating that promise could diminish the confidence Canadians have in government. We remain hopeful that this will be recognized when the House of Commons takes up this proposed legislation, which was passed by the Senate in May.
On another important privacy issue, video surveillance of public streets, we concluded that a new approach needs to be taken. The previous Commissioner had initiated a lawsuit in the British Columbia Supreme Court, alleging that the RCMP's video surveillance of a public street in Kelowna, B.C., violated the Canadian Charter of Rights and Freedoms. The Court, however, did not address the substance of the case at all. It ruled that the Privacy Commissioner simply does not have the capacity to launch such an action, and dismissed it on that basis.
This presented us with something of a quandary. On the one hand, video surveillance of public places has serious privacy implications, so the idea of simply letting the issue drop because of a procedural problem seemed hardly satisfactory. On the other hand, regardless of what we wanted, the issue had become the one defined by the Court. If we had appealed the decision, the appeal would have been about that issue alone. To work our way through two more levels of appeal would have taken years, at the end of which we would have spent a great deal of the Office's energies and a considerable amount of public money, without any answer from a court on the substantive issue of video surveillance. The issue has to be addressed, but it must be done in a different way. Accordingly, we withdrew the case, but we will pursue this issue with determination.
It was striking this past year how many of our privacy concerns are tied up with anonymity and its opposite pole, identity. The ability to conduct the majority of our daily activities in an anonymous fashion is one of the keys to our keeping control of information about us. People can have a private life even if much of their lives is spent in public view, as long as their activities cannot be linked to each other and to themselves. It is the ability to connect activities to each other and to an identifiable person that is at the heart of profiling and surveillance.
This perspective ties together our concerns about such superficially different things as authentication of clients in electronic transactions, biometric facial recognition systems in airports, traveller databases, and a national identification card.
This was the view that we tried to impress upon the House of Commons Standing Committee on Citizenship and Immigration in its hearings on whether Canada needs a national identification card. We made the argument that such a card (whatever the details of the proposal are, and to date there is no real proposal) would do little to address real problems, would present enormous financial and practical challenges to implement, and would do grave damage to privacy.
While the Office has wide-ranging interests and strives to serve as Parliament's window on all privacy issues, the heart and soul of its work is the system of enforceable privacy rights set up under the Privacy Act and the Personal Information Protection and Electronic Documents Act.
On this account, 2003 was a noteworthy year. First of all, it marks the 20th anniversary of the Privacy Act. That calls for reflection not just on the past year, but on the past twenty, and in particular on the model of privacy protection that Parliament adopted with the Privacy Act. That model is based around an Officer of Parliament, the Privacy Commissioner, who advises Parliament on privacy issues, analyzes the implications of legislative and regulatory initiatives so that Parliamentarians and Canadians can make informed decisions, and acts as an ombudsman to protect privacy rights, through negotiation, persuasion and dialogue-and occasionally, as a last resort, through publicity. The system set up under the Privacy Act quickly showed itself to be a useful one, and it was no surprise that it was adopted and applied to the private sector when Parliament passed the Personal Information Protection and Electronic Documents Act.
We are confident that in the past year, this system has proved useful to Parliament, and indeed has been reaffirmed. Parliament has rethought and revised legislative initiatives such as the CCRA database so as to minimize impacts on privacy, and we think that the outlook for privacy in Canada, despite all the pressures, is encouraging.
The year 2003 is important for the other statute we administer, the Personal Information Protection and Electronic Documents Act or PIPED Act as we call it, since this is the last year before it reaches its full application. The Act has been coming into force in stages. At the outset, in 2001, it applied to certain commercial exchanges of information but excluded personal health information. As of January 2002, it extended to include personal health information. The final stage will begin in January, 2004, when the Act will apply to all commercial activity in Canada except where provinces have passed substantially similar legislation. (To date, only Quebec has privacy legislation deemed substantially similar, but both British Columbia and Alberta introduced legislation this year, another promising sign for privacy protection in Canada.)
In general, the introduction and implementation of the Act have gone far more smoothly than some had predicted. The business community has responded well to the demands of complying with the legislation, and while there have been some bumps in the road, on the whole the new way of doing business has not been as difficult or traumatic as some had predicted. We are seeing a general recognition that respecting privacy is not as onerous as some people thought, and in fact is simply good business practice. One of the most encouraging signs is the obvious interest in compliance among the business community. In fact, a sort of compliance cottage-industry has sprung up, with a host of consulting firms offering expertise in compliance with the Act. Hardly a week goes by without our receiving a brochure for a seminar or workshop about the PIPED Act.
And the ombudsman model, which proved itself under the Privacy Act, has also worked well with respect to the PIPED Act. We have been encouraged by the willingness of private sector organizations subject to the Act to comply with the requirements in the legislation and to recognize the Office's specific expertise in getting to the bottom of privacy issues.
As far as day-to-day operations are concerned, the Office continued to face significant challenges, but it remains a resilient and healthy organization in the face of heavy public demand for its services. We dealt with a heavy caseload of complaints under the Privacy Act, including a 35% increase in new complaints over last year. Under the PIPED Act, the number of new complaints almost tripled over last year, and we can expect a significant increase with the extension of the application of the Act in 2004.
An important development in the past year was the introduction of the Treasury Board's new policy on privacy impact assessments.
A privacy impact assessment, or PIA, is quite simply an assessment of how, and how much, a program or activity affects the privacy of individuals. Typically, it will entail a description of the program, an analysis of what will happen to the personal information collected, used, and disclosed, and an assessment of the program's compliance with privacy principles, legislation, and policies. The Treasury Board's new policy makes PIAs a condition of funding for all new, substantially redesigned, or electronically driven programs and services that collect, use, or disclose personal information. Canada is the first country in the world to make PIAs mandatory in this way.
The implementation of this policy means that government institutions will have to look at privacy right from the outset, from the moment they begin planning a new program. The significance of this is that questions of whether a program or project has a negative effect on privacy-whether it will entail new data matching or increased sharing of personal information, for example, or result in the development of new common personal identifiers, or extended use of existing ones-will be asked before any privacy violation occurs. This preventive approach, rather than a punitive or remedial one, is the most sensible approach to an issue like privacy. Once privacy is violated, once an individual's personal information has been taken out of his or her control, it cannot be undone. Lost privacy cannot be given back. That is why Treasury Board's policy is so welcome. When government initiatives add to sound governance, it should be recognized and applauded.
So it has been a year of some good news, some disappointments, and many continuing challenges. Fortunately, we have not had to face all our challenges alone. The protection of privacy involves us in a continuing dialogue, in Canada and abroad, with privacy advocates, civil libertarians, academics, and, of course, other privacy and data protection commissioners. They have helped us to bear the burden of the disappointments, and they deserve full credit for their part in bringing about the good news.
The Standing Committee on Government Operations has done its duty in holding this Office accountable to higher standards of prudence and probity in the use of public funds. As we move forward in another watershed year for privacy issues, the Office of the Privacy Commissioner will work for renewed support from the Senate and the House of Commons to blunt the impact of pervasive and invasive technologies and policies on the privacy rights of Canadians.
Substantially Similar Provincial LegislationThe intent of this provision is to allow provinces and territories to regulate the personal information management practices of organizations operating within their borders, provided that they have in place a law that is substantially similar.
If the Governor in Council issues an Order declaring a provincial act to be substantially similar, the collection, use or disclosure of personal information by organizations subject to the provincial act will not be covered by the PIPED Act. Personal information that flows across provincial or national borders will be subject to the PIPED Act and the PIPED Act will continue to apply within a province to the activities of federal works, undertakings and businesses that are under federal jurisdiction such as banking, broadcasting, telecommunications and transportation.
On September 22, 2001, Industry Canada published a notice in the Canada Gazette Part 1 setting out the process that the department will follow for determining whether provincial/territorial legislation will be deemed substantially similar.
The process will be triggered by a province, territory or organization advising the Minister of Industry of legislation that they believe is substantially similar to the PIPED Act. The Minister may also act on his or her own initiative and recommend to the Governor in Council that provincial or territorial legislation be designated as substantially similar.
The Minister has stated that he will seek the Privacy Commissioner's views on whether or not legislation is substantially similar and include the Commissioner's views in the submission to the Governor in Council.
The process also provides for an opportunity for the public and interested parties to comment on the legislation in question.
According to the Canada Gazette notice, the Minister will expect substantially similar provincial or territorial legislation to:
In addition to providing comments to the Minister of Industry with respect to specific provincial or territorial legislation, the Privacy Commissioner is required by subsection 25(1) to report annually to the Parliament of Canada on the "extent to which the provinces have enacted legislation that is substantially similar to the PIPED Act."
The previous Commissioner issued two reports to Parliament on the matter of substantially similar provincial legislation. In May 2002, he issued a report in which he concluded that Quebec's An Act Respecting the Protection of Personal Information in the Private Sector is substantially similar to the PIPED Act in terms of the extent to which it protects personal information. In June 2003, the previous Commissioner issued a second report in which he raised concerns about Bills 44 and 38 that have been introduced, but not yet passed, by the provinces of Alberta and British Columbia, respectively.
As neither Bill has been passed, we will continue to monitor their progress and maintain a dialogue with our provincial counterparts.
|
||||
Date published: 2003-11-18 |
 |
Important Notices | ||
