|
|
|
|
|
|
|
|
|
|
|
|
|
|
 PrivacyCommissionerANNUAL REPORT1995-1996The Privacy Commissioner of Canada (613) 995-2410, 1-800-267-0441 Canada Communications Group This publication is available on audio cassette, computer diskette and on the Office's Internet home page at http://infoweb.magi.com/~privcan/
Privacy Commissioner of Canada
July 1996 The Honourable Gildas L. Molgat Dear Mr. Molgat: I have the honour to submit to Parliament my annual report which covers the period from April 1, 1995 to March 31, 1996.
Yours sincerely,
Bruce Phillips
Commissaire à la protection de la vie privée du Canada
July 1996 The Honourable Gilbert Parent The Speaker The House of Commons Ottawa
Dear Mr. Parent: I have the honour to submit to Parliament my annual report which covers the period from April 1, 1995 to March 31, 1996.
Yours sincerely,
Bruce Phillips A Day in the Life...or how to help build your Super File Nothing to hide? It's just as well...from the time we get up in the morning until we climb into bed at night we leave a trail of data behind us for others to collect, merge, analyze, massage and even sell-often without our knowledge or consent. And there is no law against it (except in Quebec). 8:30 - Exit apartment parking lot (Cameras, and possibly a card, record departure) 8:35 - Pull onto toll highway (Device records your entry and exit points to send bill at the end of the month) 8:42 - Caught in traffic jam, call work to delay meeting (Cellular phone calls can be easily intercepted; new personal telephones will signal your whereabouts to satellites to deliver calls) 9:17 - Enter office parking lot (Card records entry and time, cameras monitor garage) 9:20 - Enter main office/plant door ("Swipe" cards record comings and goings; active badges allow others to locate you anywhere in the building) 9:25 - Log on to computer (System records time in) 9:29 - Send personal E-mail to friend, business message to colleague (Both can be read by the employer; simple deletion does not erase them from the computer's hard drive) 10:45 - Call your mother (Supervisors may monitor phone calls) 11:00 - Make a delivery using company vehicle (Many company vehicles have geo-positioning devices to plot vehicle location; some have "black boxes" to record driving habits) 12:05 - Stop at bank machine (System records details of transactions, cameras overhead or in machine record your behaviour) 12:10 - Buy birthday gift for friend (Credit card records details of purchase, retailer's loyalty card profiles purchase for points and directed discounts; banks may use spending patterns to help assemble complete customer profile) 12:35 - Doctor's appointment (Health cards will soon contain small computer chips to record your complete medical history on the card, blood samples contain DNA which could be tested for wide variety of conditions, doctor's diagnosis may need to be disclosed to insurance company if you buy life or disability insurance and details sent to centralized registry in U.S run by insurance companies) 1:15 - Pick up prescription (Some provinces have on-line drug networks which share your drug history with pharmacies across the province and may be disclosed to police tracking drug abuse) 1:30 - Return to work (Card records your return) 2:45 - Provide urine sample for employer's new drug testing program (Reveals use of targeted drugs but not impairment; sample may also reveal use of legal drugs such as birth control pills, insulin and anti-depressants) 3:30 - Meeting in secure area (Pass through security which scans retina to confirm identity) 5:30 - Complete first draft of report (Computer records content, can also store keyboard speed, error rate, length of pauses and absences) 6:15 - Leave office (Exit recorded by computer, entry system and parking lot) 6:30 - Buy groceries (Debit card purchase recorded, loyalty card tracks selections for marketing and targeted discounts) 6:45 - Pick up video (Computer records viewing preferences, Social Insurance Number; store may sell your viewing preferences-say, Erotica-to other companies) 7:20 - Listen to phone messages (Your phone has recorded callers' phone numbers, displays your number when you call others-unless you enter code to block the display) 8:20 - Order clothing from catalogue (Company records personal details and credit card number and may sell the information to database-list-marketers) 8:30 - Subscribe to new magazine (Many magazines routinely sell their subscribers' list to mass mailers) 8:35 - Survey company calls (Company gathers political views, social attitudes and personal views. Some surveys are actually marketing calls to collect personal data for future sales. Legitimate surveys destroy personal identifiers once data processed) 8:45 - Political canvasser at the door (Political contributions of more than $100-amounts and the party-are listed in public records) 9:10 - Log onto Internet (Your choice of chat groups and your messages can be monitored and a profile assembled by anyone, including police; some Web sites monitor your visits); see Privacy in Cyberspace p.27. Increasingly, living a modern urban life seems to mean there is nowhere to hide. In our search for security and convenience, are we hitching ourselves to an electronic leash? Highlights
Table of contents Mixed Messages "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves."-William Pitt the Younger, 1793. The great British parliamentarian's words, uttered more than 200 years ago, have never been more relevant, timely or applicable than they are in today's struggle to hang on to our right to a private life. Society, in the throes of an unparalleled technological revolution, is confronted daily by arguments that yet another infringement of our personal freedom is necessary, the usual necessity being those seductive benefits: efficiency, convenience and economy. Sometimes the benefit is real; sometimes it is merely promised, not proven; often it is mostly for the efficiency, convenience and profit of its proponents. Yet if there is a tyrant, it is not some jackbooted dictator. It is the tyranny of ignorance, of unthinking acceptance of technology without regard to the consequences. The tyrant and the slave are one and the same. It is ourselves. A Backward Leap
Most immediately, commercialization affects the thousands of federal government employees who are transferring to the private sector. But equally important, it touches the untold numbers of Canadians who use services previously managed by government. This constitutes nothing less than a privacy disaster, and is a dark stain on the otherwise progressive record of the Canadian government in protecting Canadians' privacy rights. This consequence of privatization may have been entirely unintended; it can hardly have been unforeseen. And, regrettably, it was entirely preventable. The issue arose in dramatic fashion during the transfer of the air traffic control system to a private company, NAVCANADA. An estimated 6,000 federal employees will move from government to private employment. As well, the air traffic control system generates substantial personal information in its contacts with thousands of users of the system. Given the magnitude of the transfer, the Commissioner wrote to the government last November pointing out the consequences to privacy protection and offering a solution. He suggested inserting a condition to the agreement between the government and NAVCANADA making the company subject to the Privacy Act, as it is subject to the Official Languages Act. Although the government conceded the importance of the issue, it took no action. The Commissioner then appeared before the Commons Transport Committee studying the transfer. The committee accepted the proposal and recommended it to the House of Commons. The government objected to the recommendation and, despite a further intervention before the Senate committee, the bill has now cleared both Houses with no privacy protection. Among the objections put forward both by NAVCANADA and the government, foremost was the contention that binding NAVCANADA to the Privacy Act would single it out for special treatment by a government which otherwise has not enforced privacy law in the commercial sector. There is ample precedent. It is government policy to recommend that contracts between government departments and outside service providers contain clauses extending Privacy Act protection to any personal data. Furthermore, at least one huge enterprise, Canada Post, was required to abide by the Privacy Act when its corporate structure was revamped and its mandate altered to make it operate in the manner of a private sector, profit-and-loss corporation. Although owned by government, Canada Post must compete in the open market for much of its business. This is not a problem NAVCANADA, a monopoly, will ever face. Whatever one makes of these arguments, the government has an obligation not to sacrifice basic rights such as privacy and data protection as it commercializes operations, particularly when the available defence is as simple as insisting on a privacy clause. It is worth pointing out that one of the chief government negotiators publicly stated that Privacy Act protection would not have been a "deal-breaker". As for the company, NAVCANADA has undertaken to seek employees' consent for transferring personal files and to keep the records confidential "pursuant to government policy". Fine words but not ones that convey any legal rights, and far from the protection they now enjoy. The Office intends to audit the personal records before Transport Canada transfers them to NAVCANADA. Canada's air traffic control system is simply one of several operations to be commercialized. Next on the block is Canada Communications Group, the government's massive printing, distribution and inquiries operation. Already gone are the harbours and many airports. And in the works are a new breed of "service agencies" to provide selected services of existing government institutions. These include Parks Canada (formerly Environment Canada), a single food inspection agency (Agri-Food Canada) and the Canada Revenue Commission (Revenue Canada). These new agencies will be given greater autonomy to improve service and reduce costs and have more flexibility to allow provincial participation. At issue is whether "streamlined rules and flexible authorities" and separate legislation also spell the end of privacy protection for clients and employees. "Twixt Darkness and Dawn"
The report, Moving Canada into the 21st Century, acknowledges that when it comes to protecting personal information in an information society, "security procedures and technologies cannot do the job alone. The right to privacy must be recognized in law, especially in an electronic world of private databases where it is all too easy to collect and exploit information about individual citizens". The ministers of Industry and Justice undertook to consult with the provinces "and other stakeholders" and bring forward proposals for "a legislative framework governing the protection of personal data in the private sector". Here, at last, is at least the prospect of meaningful action. To meet the threats to privacy posed by the information revolution, nothing equals the need for bringing order, fairness and decency to the information management practices of the private sector. This is where most personal information is collected and used, and this is where there is the least protection for, and recognition of the rights of individuals. The government, in developing this framework legislation, has the opportunity to build on what may be a growing consensus for action. One early indication of support came in the Canadian Direct Marketing Association's brave announcement of support for legislation to protect personal data in the private sector. In CDMA President John Gustavson's words "legislation is the most effective means of ensuring all private sector organizations adhere to the same basic set of rules...". And the trail has already been substantially blazed by the Canadian Standards Association's now-final model privacy code. The code was drafted with major private sector players such as the banks and telecom-munications companies and contains all the essential elements for good privacy protection save independent oversight and the force of law. Mr. Manley's announcement included no details, for the good and obvious reason that the work is just beginning. As usual, the devil is in the details. The government can bring forward truly effective legislation, heralding a new dawn in which technology follows a path lighted by civilized standards of respect for the rights of human beings. Or, if the action is excessively timid or, as is so often the case, the bold initial thrust is emasculated by concessions to special interests, we will find ourselves mired in the grip of ineffectual patchwork laws with little ahead but a gathering gloom of greater surveillance and less control over what others know about us. Such an outcome would be worse than no action at all, deluding us, as it would, with a mere illusion of protection. So Canadian society finds itself at a critical point, where its privacy is poised between salvation and sinking. Everything now depends on the will and creativity of governments and Parliament. Toward a new birth of civility
Any casual perusal of the daily press demonstrates that our ethical glue is losing its sticking power. Look only at the chaos of hacking, unauthorized access into private and personal computer files, systems pranks and vandalism, software piracy, electronic harassment and bulletin boards of hate, pornography and violence. In short, technology has thrust us into the information age but we have arrived having given little thought to our social responsibilities. We seem to suffer a stunning inability to put the pursuit of human dignity at the heart of our development and progress. It is not enough that new technology satisfy material needs. It must also play its part in affirming human dignity and human potential. Otherwise, we are conducting a technical exercise in a moral vacuum-moulding our lives to fit technology, not making technology fit our lives. Social responsibility in the electronic world is everyone's business. It is maintaining the delicate balance between meeting legitimate information needs and simply respecting people, their property and their rights. We can no longer-if we ever could-afford to do things simply because we have the technical capacity. We must dedicate time and resources to the process of discerning ethical dimensions and integrating ethical decisions into the technology design process. We must educate young people about the rules of morality, civility and mutual respect in cyberspace. Our enthusiasm and expectations will be pointless if we simply become more technically adept but not more learned, thoughtful and considerate. In short, we must build an ethical foundation for technology. It all comes down to the degree to which we respect one another as unique individuals, each with our own set of values, which we are entitled to conceal or reveal as we choose. To truly respect your neighbour, you must grant that person a private life. The limits of our personal privacy define in large part the limits of our freedom. As Supreme Court Justice La Forest put it in a 1990 decision "...not to be compelled to share our confidences with others is the very hallmark of a free society". If we discard the notion of privacy and simply treat one another as data subjects, as objects of surveillance, we abandon that fundamental, democratic notion of autonomy and self-determination. Let us be clear. No amount of information or technology will do much good unless we consider the values it serves. ID card stories are standard fare for Privacy Commissioners' annual reports. This year's menu is rich. Governments' appetite to cut spending, simplify and privatize program delivery, and to ferret out cheats, has led to a plethora of proposals most of which are supported by new, glitzy technologies. The key component of these proposals is often a multi-purpose ID card or a smart card which looks like the pieces of plastic found in most wallets. However, imbedded in them are powerful microchips and circuitry which allow the collection, storage and manipulation of vast amounts of data. The cards can be inserted into electronic readers and operate like a personal computer plugged into a network. They are low cost, versatile, simple and powerful; hence their attraction. They are yet another intriguing new option for bureaucrats and private sector administrators to deliver programs more efficiently and more cheaply for our benefit and their profit. As journalist John Ibbitson described them in a recent Ottawa Citizen article, they are fast becoming a "plastic panacea". Improperly applied, these technologies can be powerful surveillance tools, delivering the fatal blow to an already fragile and embattled right. Those who consider the fears exaggerated need look no further than the quoted words of the Ontario Cabinet Minister on Ontario's plan to introduce a multi-purpose smart card. This proposed card would replace existing driver's licences, health and welfare cards and keep a timely record of citizen's use of the system " ... like Visa or Mastercard where they can tell you where you were an hour ago and how much you spent, that would be a great step forward for the health system in Ontario". Perhaps a great step forward for efficient administration of the health care system, but certainly a giant leap backwards for autonomy and privacy. Toronto's welfare card
The downside is that welfare payments could be credited to a card which can then be used for direct debits at stores. While it is clear the present proposal will not track the behaviour of people, it would be a simple matter, once implemented, for the system to collect information about the life styles and the spending habits of welfare recipients. There is an added human cost which is to require a segment of the population to be monitored in a way, usually reserved for criminals, that no other citizens have to suffer. The data may also prove to be attractive to social science researchers. Officials estimate that the cards will save $32-million from the annual $1.1-billion cost of operating the welfare system by eliminating claimants collecting more than one cheque. A similar proposal in B.C. using laser photo smart cards would merge drivers' licences, welfare cards and health cards. B.C. Privacy Commissioner David Flaherty termed the proposal an invasion of privacy, and the B.C. Civil Liberties Association considered it acceptable only if used for identification purposes. The SmartHealth process
Manitoba's approach illustrates how best to use the technology; first define the needs and then look for the technology solution. SmartHealth conducted numerous focus groups, surveys and interviews and found "among the most cited concerns were fears of personal health information falling into the wrong hands". Manitoba has concluded that privacy safeguards must be in place before the network is developed; it will then select the most appropriate technology for the task. A smart card is simply one of the options. However, Manitoba's proposal also illustrates what is a growing (and potentially alarming) trend to deliver government services in partnership with the private sector. Personal information now largely protected by privacy rules will be shared with the private sector which is subject to no privacy laws and increasingly anxious not to be. Private sector "opting in" to voluntary privacy codes is a grossly inadequate trade-off for gaining access to data and transactions which now have legal protection. There is also a ray of hope in a Québec proposal to introduce smart card technology as part of the government's information highway strategy. Like other provinces, Quebec's multi-purpose smart card would replace existing government identification cards. Unlike some other proposals, however, the Québec card would be used for all program delivery, including such things as hunting and fishing licences. The most important difference lies in the government's stated intention to measure technological initiatives against three fundamental principles: universal and equitable access, privacy and the confidentiality of personal information, and respect for existing social values. The project could well build on the province's experience with a pilot project to introduce a health smart card in Rimouski. In his report on the pilot project, Quebec Privacy Commissioner Paul-André Comeau observed "...the success of the project (was) due first and foremost to the guarantees of confidentiality offered by project designers and the choice of a technology able to ensure confidentiality..." Smart cards have the potential to destroy our privacy or to enhance it. We can use them as a powerful surveillance tool to monitor and control individuals; or we can use them, not only as a device to protect the security and confidentiality of our personal data, but also as a device that will allow us to exercise a greater degree of control over uses and disclosures of our personal information. Should our lives fit technology or technology fit our lives? Ultimately the choice is ours. A Privacy Framework for Smart Cards
Is the collection related to a government program? Regulatory/legislative framework: To show a direct relation to an operating program or activity, an institution must ordinarily demonstrate that it has Parliamentary authority to collect the information. Thus, some legal mechanism (legislation or regulation) should govern each smart card system whether for client services or program delivery. These should specify not only the technical and administrative characteristics of program delivery but also the ethical codes which will govern privacy, confidentiality and security. Is the information collected directly from the individual and he or she notified of the purpose? Public notice of systems: In the broadest sense, government should alert the public to the system's development-for example, its objectives, extent, the type of data and clients affected-before the system is implemented. Individual written notification: The government should provide each card holder, in writing, the essential information about program participation and use of the card. This includes details about the purpose, nature, operation of the system, contents of the card, and the individuals authorized to access it (either read or record). Government should also inform card holders of all possible communications between the issuer (the government agency) and the card users (the service provider/point of delivery of that program). How long will the information be kept? Data conservation: Card issuers and users must establish retention and disposal schemes for data. Issuers should establish regulations governing the nature of information conserved and the security measures taken to guarantee confidentiality of the data. How will accuracy of the information be ensured? Responsibility for inaccurate information: Card users should not automatically accept the accuracy of the information simply because it is recorded on the card-the data could be false, incomplete or obsolete. Accuracy is a joint responsibility of the card issuer, card user and card holder. How will the information be destroyed? Card renewal: Government must establish which data from old cards should be transferred to the new card; and whether old data should be rendered anonymous and available for research purposes. Destruction of the card: Subject to the regulatory authority governing destruction of the card, individuals should have the right to request that the card be destroyed; this would include rendering anonymous all data stored by the card issuer about the card and its contents. How will the data be used and disclosed? Reading the card: Government must determine who it will authorize to read the card, the extent of authorization (total or partial), and the protocols governing the reading function. Restricting reading access or use for other purposes: Government must establish conditions and measures to prevent unauthorized access to card files or uses other than those originally intended. Access must be restricted only to those who have an authorized need-to-know under the Privacy Act. Restricting unauthorized use, disclosure and copying: Government must institute proper controls to prevent card users from unauthorized down-loading of information from the smart card to other databases and then using it for purposes unknown to the card holder. All non-government card users or readers must operate under regulatory restrictions by agreement with the government program authority and have no automatic rights to copy other data from the card-this must be subject to the card holder's authorization. Card structure: The card chip should be structured in different zones of access to assure selective or limited degrees of access as well as segregation of identification data, administrative data, and sensitive data such as medical or emergency help information. Government should segregate each application on the card to prevent merging or cross-overs of data. Readers and public point-of-delivery devices must secure transactions to and from the host computer. Individual authorization for reading access: The file contents of the card shall not be accessed by third parties except by a positive act of the card holder (or by the card holder's authorized agent, as in a medical emergency). Such positive action would generally be punching in a PIN or other code. Entering/removing information on the card: Government must determine who may enter, change or delete data on a card, either directly or through the delivery authority. Issuers must consider the individual's right to demand erasure of parts of information on the data card from every institution that makes entries. Visible data on the card surface: The card exterior should contain only the minimum amount of nominative information required for the purposes of program participation. Do individuals have right of access to the personal data? Transparency of data on the card: Individual card holders must be able to know the type of information held on the card. Right of card holder to read the file: Government should provide individuals the means to read their own cards. They should also be prepared to interpret the data for card holders. Data entry/transaction record: Card issuers and users must compile and maintain a record of all significant data entries as well as all communications between them concerning the card holder. These records should also be available to the card holder. This suggested framework is based on the privacy checklist for technology set out in the Commissioner's 1992-93 annual report (see page 14). To obtain copies of the complete text of the Privacy Framework for Smart Card Applications, or to submit your comments, please contact the Office or visit our Web site.
Last year we reported our recommendations on the proposed bill to allow police to obtain DNA samples from a person suspected of a serious crime. The law was enacted in July 1995. However, the legislation did not deal with several privacy issues, the most important of which was whether to establish a database of genetic samples or analyses derived from those samples. Early in 1996, the Solicitor General issued a consultation document, Establishing a National DNA Databank, that dealt with many of the remaining privacy issues. Our response made several proposals:
The privacy audit is particularly important. Two or three years experience with the database should give a good idea of its utility in solving crimes. It will also help to ensure that the database does not become subject to "function creep". We want to avoid an ever-lengthening list of offences for which a DNA database or DNA sampling in criminal investigations is allowed. The pressure to do just that is already present in our society, a product of the very existence of technology and the belief that technology can solve all our woes, if only we let it. Legislation dealing with these remaining aspects of forensic DNA analysis has yet to be introduced in Parliament. We await any such proposed legislation to ensure that it meets our criteria. As a final note on this subject, we commend both the Department of Justice and the Ministry of the Solicitor General for recognizing privacy issues as among the most significant in the discussion of forensic DNA sampling and DNA databases. We also commend them for involving our office in the consultation process before legislation is introduced. Their willingness to discuss the privacy issues with our office ensures a hearing at a time when changes can be accommodated with little political embarrassment. Canada's Chief Electoral Officer recently proposed amendments to the Canada Elections Act which would give him authority to create a permanent voters register. The notion is not new. It was considered, but not recommended, by the 1991 Royal Commission on electoral reform. Canadians have traditionally resisted such proposals because population registers pose a potential threat to human rights and freedom. Wartime memories are etched in the minds of many. Political climates change, however. In the age of "fiscal responsibility", what was previously unacceptable is now fashionable on condition that millions of dollars can be trimmed from public expenses. Québec and British Colombia have recently created permanent voters registers citing budget reductions and efficiency. The federal government now proposes to follow suit. "Efficiency, economy and accuracy" is the rallying cry; there are other equally important considerations. The proposal
Elections Canada also proposed to conduct periodic data matches with other government data bases such as tax and motor vehicle records to update addresses; with vital statistics to remove the names of deceased persons; with citizenship records to add new Canadians entitled to vote, and with provincial election lists after elections to update the data. Provinces, municipalities and school boards could obtain information from the register to conduct local elections. And every year all members of Parliament would receive the list of voters in their respective constituencies. The response
Telephone numbers The Office questioned the proposal to collect a new data element-telephone numbers. Telephone numbers are not needed now and their appearance on a voters' list would seem to beg intrusive calls. Elections Canada explained that the numbers will be used only for internal administrative purposes and will not be included on the lists. Power to collect more data The provision allowing the Chief Electoral Officer to collect additional information aroused some early concern, opening the door-as it seemed-to a broader collection than legislators may intend. The provision is simply to permit the federal agency to collect additional personal details if required by provincial election laws. The Chief Electoral Officer undertook to make this clear in the legislation. Annual disclosure of lists to legislators Annual disclosures of the list appears excessive in light of the list's express purpose of conducting elections or referenda. Given that no jurisdiction conducts annual elections, this frequent a disclosure seems more suited to repeated canvassing by political parties, not the election itself. The Chief Electoral Officer agreed to re-examine the need for annual disclosures. Collection by data matching Updating the register by data matches with other federal data banks is worrisome. On principle, the Commissioner opposes mining other government databases for unrelated uses. Datamatching is invisible and inconsistent with the federal Privacy Act. The preferred method is for Elections Canada to collect the information directly from the Canadian public, with their knowledge and consent. The Commissioner suggested that Elections Canada arrange to include a consent box on other federal government forms to authorize departments like Revenue Canada or Human Resources Development Canada to transmit the personal data. British Columbia uses this system to maintain its electors' register. Or Elections Canada could develop a specific form to be enclosed in all government mailings and returned directly to Elections Canada. The Chief Electoral Officer undertook to pursue the idea. Other uses of the list By far the greatest concern is pressure for secondary uses of the register. It will be a very attractive list of the majority of Canadian citizens and hold enormous potential for any number of public organizations. Other levels of government which have created permanent registers have found that requests for access by other government programs soon follow. These are difficult to resist. Growing authorized access to Revenue Canada's list of tax filers-once virtually off-limits-leads one to suspect that the voters' register will soon be targeted. The Chief Electoral Officer explained that requests for access to the list for any unrelated purposes-which the Commissioner would strenuously oppose-would require Parliamentary approval and thus be a matter for public debate. The bottom line
Early in 1994, Treasury Board Secretariat tabled its Blueprint for Renewing Government Services Using Information Technology. The blueprint responded to the federal government's call for a leaner and more efficient public service, encouraging every federal institution to use computer technology to streamline operations and eliminate inefficiencies. Given the impact of several of the Blueprint recommendations on government handling of personal records, the Office asked to be involved in projects which federal institutions undertake. While more than 30 federal institutions have since begun re-examining their operations, two departments have taken a clear lead. Both have approached us for guidance. Citizenship & Immigration Canada CIC's Business Process Re-engineering is the first major Blueprint initiative, one which other departments are viewing as a test project. CIC aims to become a "horizontally-integrated" work environment which means sharing more information about immigrants and refugee claimants both inside and outside CIC. CIC now segregates data according to its purpose or program (the vertical or "stovepipe" information environment common to most federal institutions). CIC has begun the transition to a horizontal environment which will integrate all its information resources. Human Resources Development Canada (HRDC) is the other leader. HRDC is streamlining its delivery of employment insurance, Canada Pension Plan, workforce training and job bank programs and substantially reducing the number of Canada Employment Centres. HRD will deliver service to many communities by satellite and telephone centres, electronic kiosks, frequently in partnership with private businesses, Crown Corporations, special agencies or provincial and municipal governments. The two initiatives illustrate two government trends and, if not properly planned, the risks they pose. They are data warehousing and shared service delivery. Data warehousing
A data warehouse is a sort of super repository which integrates data from a variety of sources, reconciles any anomalies, then makes it easily accessible for search, analysis and manipulation. Rather than segmenting the data by its intended use-for example, paying taxes, claiming Canada Pension Plan, or applying for a student loan-all the data is organized by the person's name and other personal identifiers. Find the individual and you have a record of all their transactions with the federal government. For managers, the prospect is exciting. For privacy, it is troubling. Data warehouses, by definition, consolidate information thus making more details accessible to more people. Personal information collected for one purpose could become available for different and unrelated purposes. And consolidation pushes demand for even more information-the data warehouse as insatiable appetite. This is what privacy advocates call "function creep". Warehousing data also permits the creation of client profiles-or more insidious-"client intimacy" systems drawn from historical transactions and relationships previously unknown. Ultimately, the system demands a unique identifier to link to the individual's data file. Thus we arrive at the single number, single file, single card without which we are no-one. Like all advanced systems, the data risks becoming paramount, not the person; we are all reduced to bits and bytes. Technological advances are undermining individual control over personal information. They may even be undermining privacy laws because protecting privacy becomes increasingly difficult as systems become more developed, more widespread and more complex. That does not justify throwing up our hands. Nor does it justify the angry outbursts that privacy is the impediment to new systems development. The accusation that something cannot be done because of privacy is more often simply an excuse offered at the end of the systems development cycle; an attempt to assign blame elsewhere for not having done the work properly at the outset. The accusation is simply wrong and short-sighted. Privacy does not restrict good systems design-it enhances it. Systems designers simply have to build in controls to limit employees' access to the data elements necessary to deliver the program or service. Privacy protection is an essential component of good information management and a good systems development plan; one which helps ensure public confidence in government's computer based systems. It's time to get on with it. Shared Service Delivery
As with data warehousing, shared service delivery must be done with great care. If we are going to share services with provincial or municipal governments, we must make the obligations of various parties clear at the outset. And the answer is not sinking to the lowest level of privacy protection-in some jurisdictions, that is virtually none. Much as the Office lauds federal government efforts to become more efficient, there are real privacy concerns with horizontal integration and shared service delivery. While our work with CIC and HRDC has allayed some fears, Blueprint initiatives may well create the unique on-line client file designed to be shared by federal, provincial, private or even foreign organizations who may need access. Not only is this incompatible with the current Privacy Act, it raises the spectre of a surveillance society; one in which anyone will be able to learn anything about anybody. We have yet to confront two unavoidable realities: no computer system in the world has yet proven safe from hackers, and the weakest link in any computer system is the authorized users. While technology may (and, occasionally, may not) enhance our quality of life, there is little doubt that it can have a dark side for privacy. Even its creators often do not fully understand the potential, let alone the users. Privacy is sometimes a victim of entrepreneurship, and this year's technological headline may again prove the point. Personal Communications Systems Given PCS marked improvement over cellular telephony, what is the problem? There are two of which Canadians should be aware. First, PCS communications are still transmitted over the airways and so can be intercepted, albeit with more sophisticated and more expensive equipment. Second, PCS service must know your exact location at all times-at home, on the ski slope or in a shopping mall-to deliver calls. Unsettling enough, but its power to locate the user also makes it a tempting tool for criminals, law enforcement agencies, jealous spouses or direct marketers. These two problems could be addressed by
Industry Canada plans to limit the use of digital scanners, thus reducing the chance for interception of PCS communication. But another needed step is to prohibit PCS companies from either using or disclosing information about the subscriber's whereabouts for any purpose other than routing calls or billing PCS service. And PCS invoices should not display the exact location of a calling or called party. Although the Canadian Radio-television and Telecommunications Commission (CRTC) does not now regulate PCS companies, it will hold public hearings later this year to determine which, if any, aspects of wireless telecommunications (including PCS) it will regulate. If both manufacturers and regulators would safeguard the handset, the transmissions and the records, Canadians will reap only the intended benefits, not find themselves under surveillance from another piece of electronic wizardry designed to ease their lives Other telecommunications news
The CRTC authorizes the full service companies to disclose their customer data to long distance resellers on request and with proof of the customer's interest. However, the re-sellers (which buy blocks of long distance calls from the telephone companies) are not regulated by the CRTC and some customers have been unaware of the switch until receiving their first bill. Customers can be returned to their original provider at no cost. More recently, private directory publishers have asked the CRTC for access to electronic client lists to publish directories, now published mainly by Tele-Direct, a Bell Canada subsidiary. While the CRTC agreed that White Directory could compete against existing directory publishers, it ordered telephone companies to enable subscribers to remove their names and addresses from the electronic directory files before they were given to White Directory. White Directory appealed the "de-listing" mechanism to the CRTC, arguing that it would be at an immediate disadvantage because its directories would likely contain fewer listings than current directories, should many subscribers opt out. The CRTC upheld its earlier decision and White Directory filed a petition with the Governor in Council seeking to overturn the CRTC order. The Privacy Commissioner supported the CRTC decision and urged to the Governor in Council to guarantee subscribers the right to full control over their personal information. The Governor in Council has up to one year to make a decision. There appears to be a growing public outcry about releasing violent offenders into the community either on parole or at the end of their sentence. The concern is most acute with pedophiles. There is no doubt that some danger exists and Canadians have the right to try to minimize those dangers. An incident in Fort St. John, B.C. illustrates. Fort St. John City Council, told that a known sex-offender was in the community, agreed to help local community groups print and distribute posters publicizing the man's presence. At a later meeting the Council resolved to pass on the information to other communities in B.C., Yukon and Alberta. The poster contained a photograph, physical description, list of convictions, as well as a notation about withdrawn charges. During the storm of publicity, the man left the community. Both B.C. Information and Privacy Commissioner David Flaherty and this Office inquired-Dr. Flaherty into the actions of the municipality, and this Office into an allegation that the RCMP improperly disclosed information to the mayor of Fort St. John (information which actually appeared to be publicly available). Both commissioners concluded that while disclosure may be appropriate in some circumstances, the "shotgun approach", as Dr. Flaherty describes it, is often not the answer. Both agreed that a consistent national policy and process would help officials determine when disclosure is needed. In an effort to shed some light on a heated discussion, the Office produced a discussion paper entitled Publicizing the identity of violent offenders on their release into the community. Protecting the public from violent offenders is primarily the responsibility of the criminal justice system, mental health institutions and social welfare agencies. It is not usually a privacy issue. However, in part because the justice system is fallible and prison rehabilitation programs sometimes ineffectual, governments and the public look to other means of protection. Is publicity the answer?
Notifying the public about the presence of a violent offender may prevent further harm in some cases. However, publicity may actually produce greater harms:
From a privacy perspective, any measures that warrant breaching the offender's privacy should have a demonstrable public benefit. If there is no benefit, there should be no disclosure. Two questions need answering: When is it appropriate to release personal information about an offender who has left an institution on parole, under statutory remission, or at the end of the sentence? Who should have authority to release the information, and to whom? The discussion paper examines several possible disclosure programs for releasing violent offenders into the community. Among them are those used in B.C. and Manitoba. Both programs involve the interested parties-police, correctional officials and, in Manitoba, public interest groups-in examining the circumstances of an offender and then deciding whether disclosure is warranted and if so, to what extent. Privacy Act does not prevent release This is not so. The Privacy Act's prohibition against disclosure of personal information may be overridden if the head of the government institution concludes that there is a demonstrable public interest. The head must then notify the Commissioner's Office. Staff examine the circumstances leading to the disclosure proposal and the type of disclosure. The Commissioner then decides whether to notify the individual about the disclosure; however, the Commissioner has no authority to stop the release. To repeat this oft-misunderstood point: The Privacy Commissioner has no power-other than that of persuasion-over releasing information about a potentially dangerous offender to the public. The Privacy Commissioner neither initiates or prevents the release. If anything, the Privacy Act provides rules to facilitate the release of personal information in the public interest. Striking the balance
The schemes used in B.C. and Manitoba appear reasonable models for striking a balance between the public interest in knowing the presence of a potentially dangerous person and that person's right of privacy. Our discussion paper offers tentative support for such schemes for any offender who poses a certain level of risk of serious violence to the community, not merely sex offenders. For provinces that do not have such schemes, a federally appointed government/lay committee could make recommendations to the RCMP, Correctional Service Canada and the National Parole Board about disclosure in the public interest. Copies of the discussion paper will be available from the Office and on our Web site.
A criminal history records system is a vital tool for police forces and other agencies which investigate and prevent crime. This powerful and sensitive record collection is maintained by the RCMP in its information bank CMP PPU 030, Criminal History Records and Identification Fingerprints. The database is subject to the Privacy Act and during the past year Office staff completed a study of its contents and administration. The study helped dispel a number of misconceptions that had developed about what information is contained in criminal history records and how it is managed. The RCMP is aware of the sensitivity of this personal information, of the need to ensure it is accurate and up-to-date, and of its responsibilities to properly manage the information. Interviews with members of the RCMP and other police forces helped confirm that the RCMP makes every possible effort to ensure the information is accessible only to individuals and organizations who need to know. Although the RCMP's overall management of the information continues to respect the Privacy Act, staff identified several opportunities to strengthen compliance. They include the following issues: Mandate Although the study identified a number of pieces of legislation that refer to the RCMP's maintenance of criminal history records, neither Office or RCMP staff were able to identify a comprehensive authority. Since the information is used daily by police agencies and other organizations to make significant decisions about individuals, specific legislation or amendments to existing legislation would better serve the interests of both the RCMP and the Canadian public. The legislation should spell out what information may be collected, how it may be used and to whom it may be disclosed. Content of Criminal History Records The current definition of criminal history includes not only charges for which an individual has been convicted, but also charges stayed, withdrawn or for which the individual was found not guilty. Although information about charges for which an accused was not convicted can be valuable to police forces, it should be held in a separate information bank to which access is more limited. This would ensure it would be available only for authorized police investigations and not for such other uses as screening employees. Since the 1987 Ministerial Directive on disclosure of criminal history information is being revised, the time seems right to consider creating a second bank for records for which there was no conviction. Cessation of Pardon The Criminal Records Act provides the National Parole Board with the power to revoke a pardon after giving the individual an opportunity to make representations. The Act also provides that a pardon ceases if an individual is subsequently convicted of an indictable or hybrid offence. In these cases, the Act requires the RCMP to restore all entries concerning the pardoned offences into the regular criminal records system. The individual has no opportunity to make representations or to be advised that the pardon has ceased. This may lead the accused to believe that information once inaccessible because of the pardon, is once again available for use against the individual. The RCMP should modify its procedures to include notifying the individual, whenever possible, that pardon has been revoked, thus making the system much more open to everyone concerned. Info Source Description The RCMP's criminal history records do not always contain an individual's complete criminal history because police and correctional agencies are not obliged to provide information to the system. The bank description in Info Source is unclear and could lead readers to conclude that the bank is a complete history of all criminal charges and convictions. The RCMP should amend the bank description to describe the information more accurately. Printed copies of the Study of Criminal History Records Maintained by the RCMP can be ordered from the Office or obtained from our Web site.
At last count (or best guesstimate) 40 million people worldwide are surfing the Net for fun and profit. Surprisingly, many of them are simply unaware that their communications, transactions-and perhaps even the data on their own computer-are available for others to see (unless they take precautions). The openness of the Internet should not be surprising-the Net evolved from a U.S. Defence Department communications network (ARPANET) linking military bases, university research centres and defence contractors. It was designed to be open and accessible-to communicate and to be impervious to nuclear attack. Other computer networks and universities quickly joined. Today the Net is multiple networks with many pathways connecting many computers. Messages can be routed around the world to reach across town and seldom travel the same route twice. The Net resides nowhere and everywhere; it has no headquarters and no-one is "in charge". That is its power-and its challenge to privacy. Sitting quietly in front of our personal computers, it's easy to be lulled into forgetting that sending E-mail is not like making a telephone call; it's more like broadcasting. We should have few expectations of privacy. In fact, not only are our messages to public newsgroups or forums accessible to others, software available on the Net allows others to assemble a profile of our messages and interests. Soon marketers will systematically mine the Net to assemble personal profiles and target lists to sell products and services on line. And shopping and banking over the Net pose their own risks unless the service is protected by encryption. The power and reach of the Internet gives users and system operators extraordinary access to data, including personal information. In January 1989 the Association for Computing Machinery (ACM), recognizing the social impact of their profession, drew up a code of ethics to articulate members' responsibilities. One of these is to "respect the privacy of others". But, given the nature of the Net, individual users must also take responsibility. Here, then are some suggestions for protecting privacy in Cyberspace, adapted with their permission (and our gratitude) from a fact sheet of the Privacy Rights Clearinghouse at the Centre for Public Interest Law, University of San Diego, California.
Encryption: these scramble e-mail messages or files, making them gibberish to both the system operator and anyone other than the intended recipient. Various encryption programs (such as PGP-Pretty Good Privacy) are available on-line; Anonymous remailers: these servers act as intermediaries for your message, stripping off the identifiers before forwarding the message; Memory protection software: programs which prevent unauthorized on-line access to your home computer. Some include an "audit trail" to record all activity on your computer.
The 1993-94 annual report discussed the privacy issues in a new national body set up to gather personalized medical data from provincial health institutions and transform it into aggregate statistical data for research. Since the Canadian Institute for Health Information (CIHI) is not a federal agency, the Commissioner was concerned about removing sensitive medical data from the protection of the federal Privacy Act (and even tougher Statistics Act) with no compensating safeguards in place. He offered any input that might prove helpful to ensure that sensitive medical data was properly protected . CIHI's initial response was tepid but the past year has seen a sea-change. Background
A study by the National Council on Health Information concluded that the arrangement duplicated effort and produced overlapping responsibilities. The Council recommended integrating all the organizations' relevant activities into a single federally-chartered, non-profit organization with a mandate to create and maintain a completely integrated health information system for Canada. This is CIHI. Midway through 1995, CIHI seized on the privacy issue and determined to draw up guidelines on protecting the vast store of sensitive personal data of which it is custodian. Senior CIHI staff sought the office's input; the result is four documents on privacy and confidentiality, one of which-Privacy and Confidentiality of Health Information at CIHI-sets out the guidelines. They include:
These new guidelines will apply as minimum standards to all data under the control of CIHI. They will be implemented in 1996-97. Two questions remain. One is unsettling; is it advisable to centralize so much sensitive medical information given the unprecedented power for surveillance and linkage its systems grant health bureaucrats? And notwithstanding the security systems in place, concentration of data increases the potential for information leaks. The second question concerns the wisdom of CIHI piloting a national survey of some 22,000 Canadian households about their living habits, use of health services and their health problems. Previous health surveys were conducted under the stringent protection of the Statistics Act and the added safeguards of the Privacy Act. CIHI's guidelines are a brave statement of principle but they hold no power in law.
The past year was a quiet one for new privacy laws in Canada and abroad. Alberta's Freedom of Information and Protection of Privacy Act came into force on October 1st. The law currently applies to provincial government records but will be extended to municipal and regional governments in the future. In November, British Columbia extended its Act to cover records of self-governing professional bodies such as the provincial College of Physicians and Surgeons-a first in Canada. The New Brunswick legislature established an all-party committee to examine comprehensive privacy legislation to replace the province's current privacy code. Residents now have a legal right of access to their personal records but none to challenge the government's collection, use and disclosure of their personal records. Nova Scotia has begun reviewing its 1993 Act for possible amendment. Prince Edward Island remains the only province without any kind of access to information or privacy legislation. Winnipeg appears to have broken new ground. In January, city council's new By-law relating to Access to Information came into force giving city residents rights of access to and correction of their personal information in city records (Manitoba's privacy law does not extend to regional and municipal governments). Abroad, Australia's federal government is considering extending its Privacy Act, which applies only to federal records, to the private sector. In July the European Parliament ratified the Directive on data protection, which is now in force. Member countries of the European Union have until the summer of 1998 to adopt or adapt national privacy laws to comply with the Directive. Section 25 of the Directive prohibits member nations (and businesses within the country) from transferring personal information to a non-member country whose laws do not guarantee adequate protection of the information. In the absence of nation-wide privacy protection laws covering both the governments and the private sector (except in Quebec), Canada may not meet the Directive's adequacy test and risks being at a trade disadvantage with other countries. The Branch's intake of new complaints levelled off at 1625 during 1995-96. Investigators completed 1681 cases, leaving 1630 open case files-virtually an entire year's workload-to be carried into the next fiscal year. Two issues need highlighting in this report; both are the result of this huge backlog of complaints the Office continues to face. Like virtually all federal government institutions, the Office is struggling with dwindling financial resources. But the combination of across-the-board percentage cuts and climbing caseload has pushed the Office to the critical point far more quickly than larger agencies. The Commissioner is funded only to investigate and cannot turn away-or charge-complainants. Coupled with budget cuts are clients' increasing demands. Canadians demonstrate growing awareness of privacy threats, increased sophistication in framing complaints and a greater demand for respect for their privacy rights. More provinces have passed privacy legislation, there is a standard privacy code in the private sector, as well as a steady barrage of media stories about the dangers to privacy protection from technological advances. The Office recognizes that it will cease to be relevant if it cannot respond to complainants in a timely fashion-justice is already being seriously delayed. To serve clients properly, the Office should have no more than 500 complaint investigations open at any time; about 35 cases per investigator. The only option was to streamline the process substantially. In late 1995 the Office undertook an in-depth examination of its investigation process, including one-on-one meetings with staff in departmental privacy offices. The new process will reduce the paper burden, remove some of the formality, eliminate steps in the review process and allow greater reliance on the telephone-in short, a fast track approach to handling many of the complaints, one that builds on the strength and flexibility of the ombudsman role. At the same time, the Branch implemented quality service standards aimed at reducing the time and effort required to investigate complaints, created a unit to focus on backlogged complaints, and another to concentrate on complaints about improper collection, use, disclosure and disposal of personal records (sections 4 to 8 of the Privacy Act). The Office will monitor the changes carefully, and fine-tune where needed. Following are selected complaints from the year's caseload. Three strikes-CIC out Apparently the Surrey CIC office had closed and the priority courier, unable to find a current address, continued to deliver packages (addressed to "CIC") to the nearest likely destination-CIC Construction in West Vancouver. The journalist called the Vancouver CIC office. The manager reacted immediately, retrieving the file, calling the Montreal office to correct the address, and then the courier service which traced the deliveries. The courier acknowledged that the packages should have been returned, or instructions sought from the sender. The manager agreed to be interviewed and photographed but asked the journalist not to identify the subject of the file in the article. The journalist agreed but had already called the man for his reaction to the disclosure and asked him about his immigration status. Understandably upset, the man complained to the Commissioner. It was obvious that the immigration file (which contains photographs, fingerprints and sworn statements about his political background and reasons for seeking refuge in Canada) had been improperly disclosed. Despite three earlier opportunities, CIC had failed to determine why files were being returned or take proper measures to guarantee safe transfer of very sensitive personal information. Had they done so, the file would never have found its way to the newspaper, exposing the man to the journalist and to his probing questions. Fortunately the newspaper agreed not to compound the problem by naming the man in its article. The department apologized to the complainant. It also undertook to update its mailing lists, instruct employees on proper addressing and distribution of personal files and distribute information about the case to staff to illustrate the serious personal consequences of documents going astray. The complaint was well-founded. Privacy not a screen for defaulting loans The government has a legitimate right and obligation to collect outstanding debts, and-having no collection agency of its own-it contracts debt collection to outside agencies. This does not violate the Privacy Act. Nevertheless, the Office ensures that contracts specify that agencies collection and use of the information does comply with the Privacy Act. Surplus employee can see successful candidates' assessments In order to determine who would fill the remaining positions, Public Works developed selection criteria, established questions, a rating guide and the method of assessment for each job. From this process it established a list in reverse order of merit. Depending on the number of positions, employees were offered a position or declared surplus. Unsuccessful employees who grieved the process were provided the assessments of those ranked higher on the merit list. This disclosure follows Public Service Commission policy which provides the information to ensure the fairness of the process; the employee can see that he/she was fairly evaluated against objective criteria and against other employees. The department collected the information to establish the reverse order of merit list. It is entitled to disclose the list and assessments to aggrieved employees to defend its decisions in establishing its merit list. In short, the disclosure is consistent with the purpose for the original collection. The Commissioner was satisfied that the disclosure of the higher-ranked employees' personal information was in accordance with the Privacy Act. Must keep interview panel members' notes
The Act is clear; personal information used by a government institution to make an administrative decision about an individual is accessible and should be kept for a minimum of two years. Several board members interviewed could see no difficulty with retaining the notes. In fact, next year's non-commissioned officer selection boards will include a candidate de-briefing which is likely to require board members to retain their notes to go over individuals' answers to specific questions. The RCMP has agreed to change its policy and will gather members' notes at the conclusion of the process and keep them in staffing files. Garnishment notice not an "improper disclosure"
After several attempts to collect the arrears (which the woman was trying to reduce by periodic payments), Revenue Canada sent her a "pre-legal" letter demanding a response in 15 days. When the letter and phone call to her workplace produced no response, Revenue Canada issued a "Requirement to Pay" notice against the employer. In the meantime, the woman had left the job and says she wrote to Revenue Canada to advise them. The investigator found no trace of a hard copy of the woman's letter or any entry in the taxation computer diary. Since Revenue Canada was attempting to collect taxes owing, did not know that she had left the job, and its authority is set out in the Income Tax Act, the Commissioner concluded that there had been no improper disclosure. Labour market survey not compulsory
It appeared that Statistics Canada had sent the woman a letter of introduction prior to taking the survey, explaining that the survey is voluntary. Unlike the Census, there are no legal obligations to respond to Statistics Canada surveys. An enthusiastic Statistics Canada staffer may have attempted to persuade the woman to participate and his or her persistence may have given the woman the impression she had to respond. However, the documents are clear. Since the study is a six-year longitudinal survey, participants are followed up at regular intervals. Statistics Canada asks for an alternate telephone number; for example, of family members or friends, if it is unable to reach the person for an extended period. The request for access to future tax returns was intended to help reduce the burden on respondents-much of the financial information needed for the survey duplicates details in individual tax returns. The question was apparently hypothetical-to assess respondents' willingness to approve such a disclosure. It was never made. The Commissioner concluded that Statistics Canada had the authority to conduct the survey, had properly explained its purpose and made it clear that participation was voluntary. Statistics Canada undertook not to approach the woman again although there is nothing to prevent her name from appearing at random in future surveys. MPs have no special access
While the Privacy Act allows departments to disclose personal information to MPs (with the individual's consent) for the member to help resolve the constituent's problem, MPs have no special access rights to other individuals' records. In this case, the MP was not helping the person concerned. In fact, he was acting on behalf of the complainant's estranged wife. The department did not have the complainant's consent to disclose his information to the MP, nor was there any reason to do so. The Privacy Commissioner concluded that Citizenship had made an improper disclosure. Regrettably, once personal information has been disclosed, it cannot be retracted. There is no remedy that can undo the damage to the individual. However, the department has assured the Commissioner that there will be no repeat of the incident. Citizenship officials agreed to develop and disseminate a policy to provide better direction to departmental officials responding to MPs' inquiries about its clients. Supervisor leaves; computer transferred-with employee files Health Canada erased the information, apologized and has issued a directive to all staff to check computer hard drives before re-assigning them to other staff. Unfortunately, restoring the other employees privacy is impossible. The case is an object lesson for everyone who stores personal data on computers with little thought for the long-term consequences. Without help from their minders, these machines never forget. DND public affairs staff reveal details to media A young soldier died in tragic circumstances and his parents pressed for the details. Unsatisfied with DND's explanations, they went to the media. DND public affairs staff responded to journalists' questions with details about the soldier's alcohol problems and DND's attempts to help him. In another interview, the public affairs officer also revealed that the soldier had not named his parents as next-of-kin to be called in an emergency. Video recordings of television interviews established two of the disclosures. A print journalist learned some of the details from one of the television interviews, not public affairs staff as the family maintained. Nevertheless, the Commissioner concluded that the disclosures were improper. DND will revise its policy and provide information sessions to guide public affairs officers when handling media demands for personal information. Human error misdirects mail In the first case, a man's Change of Address card-the notice to the local Canada Post letter carrier to intercept and forward his mail-ended up being delivered to his former landlord. Canada Post apologized for what was an isolated incident. The second case was potentially far more damaging; a letter from Revenue Canada's Audit Services to a taxpayer was enclosed in material being mailed to a third party. Fortunately the recipient returned the letter to Revenue Canada; it contained information about the woman's income tax returns. Apparently Revenue Canada's Toronto East Tax Services Office provides mailing service to its Audit Services Branch. Mailing staff had gathered up the woman's letter inadvertently with other material. Revenue Canada apologized to the woman, has changed some mailing procedures and now conducts routine spot checks to try to prevent any recurrence. Employee tax guidelines working The investigator examined the employee's personnel files and found that the employee and manager had repeatedly discussed his behaviour, absences from his desk and frequent personal phone calls. Concerned about the employee's low productivity and on-the-job activities, the manager asked for an Internal Affairs audit. The audit followed the trail left by the employee as he accessed key tax data available on Revenue Canada's computer system-selected tax items, not the complete return. The audit revealed that the employee had unauthorized access to his own tax data, as well as those of several family members and an acquaintance, none of which were needed for his job. It also revealed that despite having earned income, the employee had not filed a tax return for several years. However, the audit did not intentionally target the employee's tax data-it simply followed the trail he left which included accessing his own file. There were no tax details in his personnel files. While Revenue Canada ultimately fired the employee, it was due to his work habits, lack of productivity and unauthorized access to his own and others' tax data. The department also asked him to file tax returns for the missing years. The Commissioner concluded that the complaint was not well-founded. Had the manager made a deliberate decision to investigate an employee's income tax return, the guidelines require him to provide substantial justification and obtain the approval of the assistant deputy minister. Many callers cannot be helped because the Commissioner has no jurisdiction over the private sector; banks, insurance companies or transportation companies. Some callers were angry about Sprint Canada's request for customers' SIN. Others objected to Purolator Courier requiring all employees to be fingerprinted. And several calls from Air Canada employees wanted investigators to examine the airline's use of personnel files and its access to employees' e-Mail. Despite having been Crown corporations, neither Air Canada or Via Rail (also the subject of several inquiries) have ever been covered by federal privacy legislation. Employees have no legal right to examine their personnel records unless privacy rights are negotiated in collective agreements. OC Transpo According to the Ontario Privacy Commissioner's office, OC Transpo tries to follow the Ontario legislation. The Ontario Privacy Commissioner has been able to gain access to employee files except those dealing with harassment or grievance cases. These OC Transpo officials refuse to open. Old Age Security Card - SIN Personal Information Request Forms The forms and accompanying directory, Info Source, should be available in employment centres, federal government libraries and reading rooms, large public and university and college libraries, MPs' constituency offices and native band council offices. Top Ten Departments by Complaints Received
Completed Complaints by Grounds and Results
Complaints Completed by Grounds Origin of Completed Investigations
Completed Complaints by Department and Result
The Branch's portfolio system had a thorough workout this year. Less time was spent on formal audits and follow-ups; far more on consultation and discussion with government staff. This reflects the evolving trends in the public service; becoming more active and service oriented. Privacy staff are now more likely to be consulted early in program design and service delivery; in some cases, sitting on internal or interdepartmental committees to examine new initiatives. Two recent examples are the Office's work with Elections Canada on the permanent voters' register (see A Vote for Privacy? page 14) and ongoing discussions with the Justice Department on the new firearms registry. Preempting problems is the priority. An ounce of prevention...
Atomic Energy Control Board: miner exposure to radon AECB regulates atomic energy in Canada. Among its responsibilities is monitoring the health effects of radioactive substances on workers. AECB requires uranium mining companies to keep records of workers' exposure to radon-a known carcinogen. Rather than see destroyed an invaluable source of data for research into the long-term effects of radon exposure, AECB asked Dennison for the records. The company agreed. AECB was then faced with ensuring that its collection and use of this information complied with the Privacy Act. AECB anticipates matching the data with Statistics Canada's mortality database to determine the effects of exposure on employees' lifespan and their mortality rates from lung cancer. The use is consistent with the mining companies' original collection of the data - to monitor the health effects of exposure to radioactive substances. To ensure that the database meets privacy requirements, the portfolio leader confirmed that:
Rideau Hall: Order of Canada nominees criminal record checks RCMP: removing personal data from surplus equipment Communications Research Centre: employee phone records Public Works and Government Services: automating security screening The new system uses software designed to help private companies working on government contracts to gather and transmit personal data on employees who need security screening. The employer can load the software into a personal computer, gather the information and send it on line to the department. PWGSC will offer the service to 2,600 companies which do business with the federal government, as well as government departments and agencies. Given the amount and type of personal information required-family information and work history-the Office was concerned about making private sector organizations responsible for its collection and storage when they are subject to no privacy laws. The department provided privacy staff with the proposed security agreement to bind companies which have delegated authority to collect and store the screening information. The agreements will impose contractual obligations to protect the information in accordance with the Government Security Policy and spell out the government's ownership of the information. A pilot project is underway to test the system. Public Service Commission: privacy clauses for outside surveys RCMP: suspends ride along program Human Resources: using Internet Human Resources: the Electronic Labour Exchange The Privacy Act gives the Commissioner the power (and the discretion) to investigate federal government compliance with the act's fair information code-the rules governing collection, use, disclosure and disposal of individuals' personal information. Traditionally, the Office selects a handful of organizations and examines their information handling practices (or, when the organization is large, one aspect of their operations). Given the near impossibility of systematic auditing, the Office has shifted its emphasis to examining privacy issues government-wide. Nevertheless, the Office completed two audits during the past year-the Communications Security Establishment and the Canadian Centre for Management Development-and reviewed the internal compliance audit for a third-Canada Post's Central Division. Communications Security Establishment (CSE) This audit proved to be one of the more complex the Office has undertaken, for several reasons. First, the nature of the material gathered and handled by CSE is extremely sensitive and demanded high-level security clearances for investigators, physical modifications to office space, and special equipment to process documents. Second, in the midst of the audit, there were several public allegations that CSE was gathering data about Canadians and monitoring their legitimate political activities. Unfortunately, the ensuing public debate, and revelation that the office was conducting a routine audit, may have raised unrealistic expectations as to what the Privacy Commissioner could report. Third, the Official Secrets Act also binds the Privacy Commissioner. This necessarily limits what he can report publicly. Finally, and most germane to the Office's investigation, is that CSE's mandate is not set out in enabling legislation (as with most other government agencies) except those unspecified powers conferred on the minister under the National Defence Act. Privacy audits usually rely on enabling legislation to assess an organization's compliance with the Privacy Act. A legislated mandate is the benchmark against which an organization's information management is measured; what information is collected and how, and how it is used, disclosed and ultimately destroyed. The government has given CSE a stated rather than legislated mandate to conduct foreign signals intelligence. It was against this stated mandate that the Office assessed compliance. From a representative sampling of SIGINT data and reports, Office investigators concluded that CSE collects only information which serves the government's established foreign intelligence criteria. They found no evidence to support any allegations that CSE "targets Canadians" or monitors their communications. It is inevitable that any monitoring of foreign electronic communications will inadvertently trap information about some Canadians. However, CSE has strict procedures to minimize the possibility and to destroy any such information that does not meet government's foreign intelligence needs. Finally, the investigators also found that CSE's intelligence reports to government did not violate the act. Nevertheless, the government should introduce legislation establishing explicitly a legal framework and review mechanism for CSE's operating programs and activities. Not only would this allow its personal information management practices to be measured objectively, it would establish in law protection for Canadians' liberties-as well as a clear underpinning for CSE. Legislation would stimulate informed debate about the agency's mandate and better understanding of its activities. In short, more light; less heat. The timing appears right: as we go to press, the government announced it will establish an independent oversight body for CSE. Canadian Centre for Management Development (CCMD)
This first audit of the CCMD examined how the Centre collects, keeps, uses, discloses, and protects its personal information holdings, and assessed employees' general knowledge and awareness of their obligations under the Privacy Act. The audit identified several problems with the Centre's management of personal information. For example, files containing personal information were stored in insecure locations; some personal information holdings had not been identified and described in Info Source; disposal schedules had not been developed, or were not being applied, leading to information being stored longer than needed, and contracts requiring access to personal information did not bind contractors to comply with the Privacy Act. Before the audit, staff knew little about the requirements of the Act. This explains most of the shortcomings identified. However, staff understood the concept of "confidentiality" well, and were willing to learn. Privacy audit staff made several recommendations to the Centre, including:
CCMD reacted quickly to the recommendations and is taking action to deal with all issues raised. Canada Post Corporation - Huron Division The audit confirmed the problem of "shadow" files and led Canada Post to concrete action. Managers were told that they "may" retain in their personal files documents such as attendance calendars or other records needed to "support the supervision of employees, especially at remote work sites". However, two conditions were imposed:
Privacy staff examined the results of Canada Post's preliminary compliance review and concluded that the proposed changes to the corporations's business practices made it unnecessary for the Office to conduct its own audit at this point. Instead the Office will monitor complaints against Canada Post to help assess whether the corrective action produces a long-term solution. Citizenship & Immigration (CIC)
This year, staff continued following up earlier audits to determine whether federal institutions complied with our recommendations. Once again, staff found a high degree of compliance. Canadian Human Rights Commission (CHRC) Some work remains to be done on three recommendations. The Commission has not conducted a complete security and risk assessment for areas where complaints are processed and stored. And while CHRC contracts now require outside contractors to respect the confidentiality of the information they process on its behalf, they do not contain satisfactory clauses clearly establishing that any personal information gathered is deemed to be under the control of the Commission and subject to the Privacy Act. Finally, the Commission's mailing lists need to be described in Info Source as a personal information bank, rather than a general information holding. National Research Council (NRC) NRC has
National Defence (DND) Royal Canadian Mounted Police (RCMP) Background Statistics Canada staff advised on the structure of the questionnaire and an advisory committee guided the project and reviewed the findings. The Office distributed the survey to all deputy heads in February 1995 and completed data collection late in 1995. The final results are based on 107 of 109 institutions responding. Some blatant errors were corrected but generally the data was entered as reported. While the survey results are not exhaustive (and have not been verified), they are revealing. Why sharing needs tallying The Act is also clear that personal information collected for one purpose cannot be used for other unrelated purposes-this includes sharing between programs within a single department for which there is no provision. New uses for data are permitted if they are "consistent" with the original purpose, the Commissioner is notified and the new use described in Info Source. The findings
Internal Sharing Even those 70 cases of sharing which departments consider they have reported in Info Source are difficult to detect by experienced staff, let alone the public. They demand both careful perusal and liberal interpretation. External Sharing The number of sharing agreements and arrangements may appear high. However, they are inflated by two departments, Statistics Canada and Revenue Canada which together reported 434-more than 50 per cent of the total 861. Of this 434, 319 were covered by written agreements. Datamatching There was another anomaly: some matches were reported by one institution, but not the other. Although the reporting institution may be considered the "matching" institution (and the other merely provided information), at the least the information provider should report the disclosure as external sharing. This was not the case. Only eight internal data matches were reported; surprising given the proliferation of computer systems. While Treasury Board's instructions on conducting a data match are clear, some privacy coordinators seem unsure about its application. The result: neither the public or the Commissioner is being told. Far greater cooperation is needed between departmental privacy coordinators and the program staff who devise the matching proposals. Conclusions
While it may be risky to draw conclusions from the returns, one thing is clear-Info Source is a difficult tool to use in its present form, even for experienced staff. It demands careful perusal to determine the extent of government datamatching, or consistent uses departments make of personal information under its control. Even then, the references are often oblique. Our sympathy is with uninitiated readers trying to find their way through this thicket. It's time for the government to be much clearer and more forthright on its uses of clients' and employees' data. Minister of Finance v. Michael Dagg Last year's annual report described the Federal Court of Appeal's decision (see page 26) which established clearly that the Privacy Act and the Access to Information Act are of equal status. Once information sought under the Access Act is found to be "personal", it may only be given to third parties if disclosure is permitted by the Privacy Act. The Court has yet to set a date for the hearing. Rubin v. Clerk of the Privy Council The Supreme Court confirmed a lower court decision that no-one has a right to have access to another person's representations to the Information Commissioner and that confidentiality continues, even when the investigation is completed. Mr. Rubin had argued that the confidentiality of representations should end, once the investigation is finished. The ruling suggests that the Court would reach a similar conclusion about representations to the Privacy Commissioner. Privacy Commissioner v. Canada Labour Relations Board Despite government's apparently firm conviction that the Privacy Commissioner has no education role (and certainly needs no money to inform Canadians) taxpayers think otherwise. The Office handled 1304 publication and media requests and there were more than 30,000 visits to the Commissioner's new Web site. In fact, the Office was one of the first dozen federal agencies to establish a site as part of the Open Government pilot project. In addition to providing the Office's information and publications, the site links to other privacy sites. Commissioner and staff gave more than 30 speeches this year-and had to gracefully decline almost as many. The cupboard is bare. Consumers, business, professionals and the media are alive to privacy as an issue. The recent survey by Ekos Research Associates for the Public Interest Advocacy Centre (PIAC) and the Fédération nationale des associations de consommateurs du Québec (FNACQ) demonstrates the public's growing concern. Overwhelmingly Canadians want to be informed about the collection of their personal information and the uses to which it is put. They insist that their permission be obtained before their information is passed to another organization. And 87 per cent think government should treat the issue as a priority. (Copies of the entire report are available from PIAC in Ottawa and FNACQ in Montreal.) Among the speaking engagements, Commissioner and staff spoke about the privacy implication of information technology to
Interest in bringing the law into the information age led to speeches to the Canadian Bar Association and the Commissioner delivering
Where to draw the line on DNA testing-in criminal investigations and insurance underwriting-were the subject of speeches to
The Privacy and Information Commissioners share premises and administrative services but operate independently under their separate statutory authorities. Corporate Management Branch provides centralized administrative services to avoid duplication of effort and realize cost savings to the government. The services include finance, personnel, information technology advice and support, telecommunications, library services and general administration. The Branch has just 15 staff (who perform a variety of tasks) and a budget representing 15 per cent of the overall OIPC budget. Subject to modest savings through information technology, the Branch has gone as far as it reasonably can to simplify and streamline service delivery. Resource Information Figure 1: 1995-96 Resources by Organization/Activity HUMAN RESOURCES (FULL-TIME EQUIVALENTS) Information 33(38%) FINANCIAL RESOURCES ($000) Information 2680(41%) Figure 2: Details by Object of Expenditure
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||
Date published: 2003-11-06 |
 |
Important Notices | ||
