Reconstructing the Privacy Act
Assessing Current Privacy Issues
A one day seminar organized by Riley Information Services
February 21, 2007
Ottawa, Ontario
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(CHECK AGAINST DELIVERY)
Introduction
I would like first to thank Tom Riley for bringing together the cast of privacy
experts he has assembled today, and I also thank the members of the audience
for spending this day reflecting on privacy and sharing ideas with colleagues.
We need such opportunities to engage in a serious dialogue about this important
right.
I am somewhat daunted by the title of my session – The Future of Privacy. The
title seems to fall into the same category as a speech on “The Future
of the Environment” – eminently important, but impossible to cover
in 30 minutes. I am hoping that a speech about privacy can be
a little bit more upbeat than one about the environment, but some days I am
not so sure.
In fact, I am going to pursue a more modest goal today than looking at the
future of privacy. Instead, I would like to examine one microcosm of
privacy – where we in Canada should be heading with our federal Privacy Act.
Irritated spouses sometimes use an expression that strikes dread in the hearts
of their errant partners – “We need to talk.” Well,
when it comes to the Privacy Act, I am an irritated Privacy
Commissioner, and I am saying to government, “We need to talk.” My
irritation, I should make it clear, is not with this audience, but rather with
a series of unmotivated governments that have not upheld their part of the
bargain. My job as Privacy Commissioner is to oversee the Privacy Act. The
job of government is to make sure that the Act is worth overseeing, by keeping
it up to date and responsive to the needs of a changing society. But,
successive governments have been all talk, and very little action.
Over the last quarter century, we have witnessed an enormous array of technological,
political and social changes. Twenty-five years ago, for example, most of us
didn’t even know what software was, and we had no idea of the misery
that these bug-ridden products would eventually cause. I don’t
recall many of the futuristic scenarios painted by science fiction writers
even mentioning software problems, although the errant computer HAL in Stanley
Kubrick’s 1968 film, “2001: A Space Odyssey” may be the exception.
Perhaps, in light of this array of changes, we should take comfort that some
things remain constant. Unfortunately, I can take no comfort from the
fact that the Privacy Act that is with us today is very much
the same as the Act that came into force in 1983. Sometimes I think
of the Act as being like one of those prehistoric sea creatures that fishermen
occasionally drag up from the depths of the ocean – a relic of an earlier
era that has somehow managed to survive, but that has faded into near-irrelevance.
The Privacy Act needs to change because the world is passing
it by. Its noble beginnings and noble purpose have not saved it from
decay. I would perhaps be less worried about the inadequacies of the
Act if privacy had been included as a named right in the Charter of Rights,
as it was in Quebec’s Charter of Human Rights and Freedoms. However,
the Privacy Act alone is the de facto privacy standard
for Canadians in their normal lives. The privacy rights that have been
read into sections 7 and 8 of the Charter of Rights are of little
use to them, since those rights have evolved primarily in the field of criminal
law – and most Canadians, happily, are not criminals.
Even at its inception, the Privacy Act was hardly a powerful
statement of privacy rights. It did incorporate the fair information
principles set out in the 1980 OECD Guidelines on the Protection of Privacy
and Transborder Flows of Personal Data, and, unlike its counterpart American
legislation, it also had the virtue of introducing an ombudsman, the Privacy
Commissioner, to oversee the Act. But Canada’s Privacy Act can
better be described as a law that brings order to how federal government institutions
manage personal information rather than as a law that offers robust protection
of privacy.
The limitations of the Act have become increasingly evident with the surge
in technological innovation – cheap, affordable computing power and the
development of digital databases. The Act’s weaknesses also became
apparent as Parliament embraced more and more technological “solutions” to
the issues confronting it – from data matching to increased surveillance
of Canadians.
And then came the fallout from the events of September 11, 2001, and subsequent
attacks in Madrid and London. Privacy very quickly became a second-order concern
with many politicians and government agencies, driven by fear more than logic,
and by the ready availability and aggressive marketing of surveillance technologies.
I am not downplaying the threat that violence of this sort poses, but that
threat does not need to, nor should it, compel us to abandon some of the most
important rights of a democratic society.
Successive governments could perhaps be excused for not addressing the deficiencies
of the Act if those deficiencies had just appeared very recently. But
they are not recent. Just four years after the Act came into force, what
was then the Commons Standing Committee on Justice and the Solicitor General
issued a report entitled Open and Shut: Enhancing the Right to Know and
the Right to Privacy. The report contained 100 recommendations,
the majority of which related to improving the Privacy Act.
That was in 1987. The report was unanimously supported by committee members.
The government of the day committed to move on amendments by the fall of 1988.
Twenty years after the report was released, it is notable for the almost complete
failure of government to carry out its recommendations for legislative change.
One of the few legislative recommendations that the government did respect
was the extension of the Commissioner’s oversight powers to the private
sector. This, as you know, came in the form of the Personal Information
Protection and Electronic Documents Act.
Governments showed a consistent pattern of ignoring calls for reform of the Privacy Act after
the Open and Shut report as well. Bruce Phillips, my predecessor during
the 1990s, noted in his final annual report as Privacy Commissioner that Parliament
had ignored numerous recommendations for Privacy Act reform
that he had made during his term. He observed that Parliament had somehow
managed to develop and enact PIPEDA, and that PIPEDA contained many features
that were superior to the Privacy Act. This made it
all the more incongruous that the Privacy Act was being so
studiously ignored by successive governments.
Canadians have stronger privacy protections for personal information in the
hands of the private sector than they do for that held by government. I suspect
that most Canadians would be very surprised to learn this. Yet it is government
that remains the greatest potential threat to our privacy.
The Open and Shut report was issued in 1987. Some of you may remember
the work a decade later of the House of Commons Standing Committee on Human
Rights and the Status of Persons with Disabilities. In 1997, after a
lengthy study, the Committee issued its report, Privacy: Where
Do We Draw the Line?. “One of the most common refrains we
heard across the country,” the report stated, was, “We need
a strong legislative framework – basic rules of the road and effective
compliance measures – and we need it now.”1
If the federal government wants to lead the private sector by example, it has
failed to do so with the Privacy Act. The weaker protections
offered by the Privacy Act when compared to those in PIPEDA are
all the more troubling because individuals have little choice about sharing
information with government. The government, unlike the private sector,
has the power to compel individuals to provide information to it (although,
admittedly, individuals often are compelled as a practical matter to give personal
information to the private sector in their daily lives). The government’s
authority to compel citizens to provide their personal information has not
been matched with accountability and oversight. Issues of proportionality and
accountability in the collection, use and disclosure of personal information
by government therefore deserve greater attention. But they have not
received it. Simply put, government’s authority is disproportionate
to its accountability for personal information under the Privacy Act.
PIPEDA and the Privacy Act
One of the many glaring deficiencies in the Privacy Act,
when compared with PIPEDA, lies in the authority to collect personal information. There
is no requirement under the Privacy Act to show that the
collection of personal information by a government institution is in any way
necessary or reasonable. Government institutions should only collect
personal information that is reasonable and necessary for the particular purpose.
They should specify the authority under which information is being collected,
the uses to which it will be put, whether and with whom it may be shared, the
consequences of not providing the information, and the right to make a complaint. Amending
the Act in this way would bring it into line with the collection provisions
of PIPEDA.
Under the present Privacy Act, information collected may
be used for a use consistent with the purpose for which it was obtained. That
is too broad a permission. Instead, a “reasonable and direct connection” test
should be applied in the case of consistent use.
The Privacy Act is also inadequate in its treatment of a
government institution’s duties when it discloses personal information
without the consent of the individual to whom it relates. Wherever possible,
there should be a corresponding duty on the institution to inform the individual
about the disclosure.
Finally, a detailed review should be undertaken of the provisions in the Privacy
Act allowing disclosure without consent. Although the provision in the
Act dealing with disclosure requires consent as the default position, the subsequent
exceptions are so broad as to make the original consent requirement almost
meaningless.
I sometimes wonder if the focus that has been placed on PIPEDA over the past
six years has served as a diversion from the need for Privacy Act reform.
Data Matching
Let’s look more closely at one issue – data matching. Data
matching is a profoundly important concern, particularly since it is being
touted as part of the solution for those promising greater security for Canadians. One’s
head would need to be buried very deeply in the sand not to understand the
dangers of uncontrolled data matches. We have seen the proposal in the
United States for a program known as Terrorism Information Awareness that would
first vacuum up the personal information held in private and public sector
databases and then use this information to try to pick out suspicious patterns
of behaviour. Ultimately, the US Congress did not fund the program, but
it is almost certain to reappear in other guises.
In mid-January, The Economist magazine reported that the UK government
was thinking of reforming “overzealous” data-protection rules to
allow ministries to share information about citizens more freely. It
is hard to conceive that at least some government officials in Canada would
not be excited at the prospects for similar surveillance through databases
in Canada.
If we turn to the Privacy Act for a little comfort that
data matching – one of the central tools of a surveillance society – will
not be allowed to run away on us, we will be profoundly disappointed. There
is no provision in the Privacy Act dealing with this highly
intrusive manipulation of personal information.
In 1987 – yes, 20 years ago – the Standing Committee on Justice
and the Solicitor General unanimously recommended that the Privacy Act prohibit
all but the most carefully circumscribed data matching, especially with respect
to those matches involving the use of personal data from another government
institution.
Ten years ago, the Commons Standing Committee on Human Rights and the Status
of Persons with Disabilities described the Privacy Act’s
treatment of data matching as appearing to contain “holes... big enough
to drive a truck through.” The Committee observed that there
seemed to be little more than bureaucratic assurances and goodwill preventing
databases from residing in a single institution. The Committee cited
well-known privacy advocate Simon Davies’ description of the situation
as the equivalent to a general warrant on all personal information in the hands
of the federal government. Said the Committee, “This practice must be
stopped.”2 Ten
years after the Committee report, and 20 years after the 1987 Justice Committee
report, the Act contains no provisions on data matching.
And all this concern about data matching arose even before the Public Safety
Act, 2002, amended section 7 of PIPEDA to facilitate private sector
cooperation in the process of government surveillance. That amendment
enabled organizations to feed the government’s data matching machinery
by collecting, using and disclosing personal information without consent if
they suspect that the information relates to national security, the defence
of Canada or the conduct of international affairs.
Last November, when I attended the International Data Commissioners Conference
in London, one of the speakers presented the results of a study done for the
UK Information Commissioner, entitled A Report
on the Surveillance Society. “Your
digital body,” he said, “is as central to your person as your human
body.” Unfortunately, back in Canada, successive governments have
failed to appreciate this as they continue to manhandle our digital personas.
The Treasury Board of Canada did adopt a policy on data matching in 1989.
However, this is a policy directive and does not have the force of law. It
requires federal institutions subject to the Privacy Act to conduct
a detailed assessment of any proposed data matches and also requires that my
office be notified 60 days before the matches begin. The handful of notifications
we receive each year must surely be little more than the tip of the iceberg.
This data matching policy seems to be honoured overwhelmingly in the breach.
We have long suspected that most data matching is simply going unreported.
That is not the type of accountability that Canadians should tolerate of their
federal government.
Other Privacy Act Reforms
There are other deficiencies in the Privacy Act as well.
The Act is
urgently in need of modernization to address transborder data flows. The Act
should contain specific wording to define the responsibilities of those who
transfer personal information outside the federal public sector into other
jurisdictions and to address the issue of adequacy of protection in those jurisdictions.
The standard for disclosure to a foreign state set by the Privacy Act is
very low. Most data protection statutes prohibit the disclosure of government-held
information to a foreign state, except in very specific circumstances. This
should be the standard for Canada, and the Privacy Act should
spell out the requirements to be included in any agreement, as well as accountability
and reporting requirements concerning those agreements.
The Privacy Act should, at a minimum, also make it clear
that, when government work is outsourced, the government institution remains
accountable for personal information and that the information is considered
to be under the control of the institution.
Even if I agree that a complaint about inappropriate collection, use or disclosure
has merit, I have no power to provide a remedy. Nor does the Federal
Court. Inappropriate use or disclosure of personal information in particular
has the potential to cause embarrassment or other harms to the person. However,
the Privacy Act, unlike PIPEDA, does not allow for remedies
for any damages caused by government actions.
Individuals, or the Commissioner acting on their behalf, should be able to
ask the Court to review government collection, use and disclosure of personal
information following completion of an investigation. In addition, the Court
should be empowered to assess damages against offending institutions.
There is one ray of hope amidst this legislative inaction. The recently
enacted Federal Accountability Act has expanded the jurisdiction of
the Privacy Act to cover the Offices of the Information and
Privacy Commissioners, all Crown corporations and their wholly-owned subsidiaries,
and five foundations. But having an expanded jurisdiction
is of little use if the Act itself remains seriously inadequate.
A Well-intentioned Public Service
Fortunately, most of those in the public service whom my office has encountered
are interested in privacy, even if significant Privacy Act reform
is not on the legislative agenda in any significant way. We have encountered
many highly dedicated people, especially on the security front. And departments
apparently do implement many of our recommendations flowing from our investigations
and audits, although we don’t always hear about this. We have not
seen a significant accidental leak of personal information in some time. Still,
we need to continue to challenge departments to keep thinking about privacy.
Treasury Board Secretariat also deserves much credit. In the absence of legislative
action on crucial issues, it has tried to fill the gap by developing policies
on outsourcing, privacy impact assessments and data matching. We also understand
that a policy on breach notification will be released shortly.
Conclusion
I haven’t outlined all of the Privacy Act reforms that
we consider necessary – and that Canadians deserve. A more extensive
discussion of the reforms we want is available on our web site. But even
from the issues I have raised here, you can see that the present Privacy Act leaves
us seriously hobbled in our ability to protect this important right when dealing
with government.
As some of you already know, my office is hosting the 29th
International Conference of Data Protection and Privacy Commissioners in Montreal in late September. You
are all most welcome to attend and participate, and, of course, there is the
bonus of spending time immersed in the culture, energy and culinary delights
of Montreal. The last time Canada hosted this conference, in 1996, the
then Minister of Justice Allan Rock announced his intention to proceed with
the private sector legislation that ultimately came into force five years later
as PIPEDA. Wouldn’t it be memorable if, at our 2007 conference,
the government made a similar commitment to reform the Privacy Act – and
then followed through?