Privacy Today and Tomorrow — Priorities for the Next Seven Years

Canadian Access and Privacy Association Annual General Meeting

November 23, 2004

Address by Jennifer Stoddart

Introduction

Thank you and good morning. It is a great pleasure to be here speaking about privacy issues with people who are on the front lines of the battle. I have a tremendous regard for the Access to Information and Privacy community. As you may know, in my previous role in Quebec, my duties included both access to information and protection of individual privacy. I am well aware that your work requires a delicate exercise in balance.

I think perhaps yours can also be somewhat of a thankless task, because people rarely notice when good privacy practices and open, workable access procedures are in place and everything is operating smoothly in your department or branch. However, when something goes wrong — when computer hard drives full of personal information are taken or controversy erupts over data matching files or access requests pile up — we hear a lot about how you could do your jobs better. Sometimes that can be a healthy impetus for review and change. But unfortunately, sometimes, after the heat dies down, ideas about how to improve privacy and access find themselves at the bottom of a priority list. This is frustrating for many of you, and I know there are concerns about a lack of resources and training in your community.

In this regard, I would like to salute CAPA for its contributions in keeping its membership informed about privacy and access issues, and for its assistance in developing training programs and workshops. I am particularly interested and pleased to see that CAPA is offering scholarship assistance for students who want to take the University of Alberta Information Access and Protection of Privacy certificate program.
This kind of forward thinking is an indication of your dedication, as a group, to ensuring a continuum of privacy protection for the personal information that is in your care.

It's been almost a year since I was appointed Privacy Commissioner of Canada, and I have learned a great deal about how much we rely on the Government of Canada ATIP community to help create a privacy-sensitive culture in federal departments and agencies. You are the custodians of a particularly important trust relationship.

Governments routinely collect, use and disclose a great deal of sensitive personal information from Canadians. Very often, this information is collected under the force of law, or in situations where receiving a pension, UI benefit or a government service depends on an individual giving out the information. We really have very little option to refuse when our government needs certain information for taxation purposes, for example, or for the firearms registry, or to complete the census. And the information that is collected is often used to make life-affecting administrative decisions about Canadians.

These realities are reflected in the protections of the Privacy Act, which is meant to place checks and balances on the power of the government to collect and use this kind of information about us. However, I have come to believe that the Act needs review and updating in order to ensure Canadians have the kind of personal information protection it was originally crafted to provide.

Reform of the Privacy Act

The Privacy Act was put in place in 1983, with the expectation that it would be reviewed periodically. The Act was looked at in 1986, and while a series of recommendations were made, they were not implemented. I believe the need for reforming and refreshing the Privacy Act is urgent and compelling.

The world was quite a different place in 1983, and many of the technologies that currently pose the greatest potential threats to data privacy simply did not exist then.
The information landscape was different. Computer databases tended to be the exception, rather than the standard, and they were stored individually on isolated hard drives. Data mining was in its infancy, and most people had not even heard about the Internet. The surveillance potential of digital video, linked networks, global positioning systems, black boxes in cars, genetic testing, biometric identifiers and radio frequency identification devices (RFIDs) was still the stuff of science fiction. The major service innovation and horizontal integration of Government On-Line had not yet been envisioned.

When it was first developed, the Privacy Act was set up to be a data protection law based on each government department holding its information separately and predominantly in paper-based filing systems. In my view, it is not surprising that the Personal Information Protection and Electronic Documents Act (PIPEDA) provides stronger data protection, since it clearly takes into account the electronic realities of today's data collection, use, storage and disclosure. But I do think it is inappropriate for Canadians to have stronger protections under PIPEDA, which governs the private sector, than in the Privacy Act, which governs the potentially much more sensitive personal information collected in the public sector.

Points for consideration

While more study needs to be done on how best to bring the Act up to date, and while of course, the ultimate power to amend the Act rests with Parliament, I would like to share some of my initial thoughts with you on general directions for change to the legislation.
Privacy Challenges Ahead

I'd like to turn now to the privacy issues and challenges that face us in the years ahead. Our concepts of informational privacy are being challenged by technologies and by international security measures that we simply did not anticipate — and could not have anticipated — a few short years ago. The growth of surveillance technologies and the increasing number and connectivity of data banks threaten our very notion of privacy, which has at its core the ability to control information about ourselves.

We live in a virtual world and we participate in the digital economy. The transmission of personal information anywhere in the world is possible at the click of a mouse. The globalization of personal data is, I think, one of the greatest potential threats facing privacy as we know it in the next few years. As a society, we must give broader consideration to the mix of policy instruments that will provide an adequate level of protection of personal information to Canadians.

The Office of the Information and Privacy Commissioner for British Columbia has issued a very useful study on one aspect of this, and I have commended Commissioner Loukidelis for his work. The significance of the issues raised is underlined by the increasing cooperation between Canada and the United States on national security and border control. As you may know, our Office is undertaking a compliance audit of the information collection, use and disclosure practices of the Canadian Border Services Agency (CBSA).

I have said repeatedly that there is no need to trade off the protection of privacy against national or international security. I believe that privacy and security are complementary needs, and I have called for a national and international dialogue on developing a model for how and when sensitive personal information is to be shared among governments and under what protections.
This wide consultation should involve government decision makers and Parliamentarians of course, but also should engage civil servants such as yourselves, business and union leaders, and civil society advocates.

The input of the private sector is particularly important at this time, as we see more and more pressure brought to bear on business to collect and disclose information on their customers to governments. As you know, all commercial carriers, charter operators, travel agents and owners of reservations systems must provide API/PNR information to the Canadian government. What you may not be as aware of is that amendments to PIPEDA that allow this type of activity do not specify this group, but could be extended to any commercial business.

I am vehemently opposed to the co-opting of private sector organizations to collect customers' personal information without consent for law enforcement purposes. Data collected for one purpose should not be supplied to governments for other purposes without the knowledge and consent of the customer. We must all be aware of this dangerous threat to the privacy of personal information.

Government On-Line

I know that many of you work in departments that are involved in or contemplating Government On-Line projects. The potential for Government On-Line to provide seamless service to Canadians requires the linking of data banks across departments and even across federal, provincial and municipal jurisdictions. This breaks down the traditional "silos" of information that provide privacy protection for personal information collected by governments -- and this creates a new challenge for the ATIP community.

The uptake of Government On-Line services by Canadians relies on trust. We know that the uptake has been slow, and that Government On-Line services, while convenient, have been underutilized.
Surveys indicate that at least part of the reason is a basic lack of trust in the security of the GOL transaction and the safety of the information submitted.

There has been a significant increase in the efforts of thieves to access the large databases of personal information held by governments. Computer hard drives have been stolen. Employees have been bribed or intimidated. Databases have been hacked into.

I'm sure you are all aware of the recent headlines about the situation in Alberta, where the personal information of senior provincial public servants was found in an Edmonton hotel room, apparently having been obtained by an identity theft ring. Ironically, it appears that the information is that which was given by employees to an agency working for the government to conduct security clearance checks.

I'm not singling out the Government of Alberta here, or the agency that conducts their security clearances. There is a lot that is as yet unknown in that particular situation, but it does point out that information collected by governments under the force of law and for legitimate purposes can be at risk, and must be subject to the most careful of protections.

These situations heighten the perception of Canadians that providing their information online to government departments may just not be a good idea. How we overcome that perception — and indeed if it can be overcome — is one of the greater challenges ahead for you as information professionals, and for the government.

I would welcome your thoughts on any of these ideas and issues, and of course, I would be glad to answer any questions you have about my role and that of the Office of the Privacy Commissioner of Canada.
Date published: 2004-11-24