Media Centre

Privacy Today and Tomorrow — Priorities for the Next Seven Years

Canadian Access and Privacy Association Annual General Meeting

November 23, 2004
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

Introduction

Thank you and good morning.

It is a great pleasure to be here speaking about privacy issues with people who are on the front lines of the battle.

I have a tremendous regard for the Access to Information and Privacy community. As you may know, in my previous role in Quebec, my duties included both access to information and protection of individual privacy. I am well aware that your work requires a delicate exercise in balance.

I think perhaps yours can also be somewhat of a thankless task, because people rarely notice when good privacy practices and open, workable access procedures are in place and everything is operating smoothly in your department or branch.

However, when something goes wrong — when computer hard drives full of personal information are taken or controversy erupts over data matching files or access requests pile up — we hear a lot about how you could do your jobs better. Sometimes that can be a healthy impetus for review and change. But unfortunately, sometimes, after the heat dies down, ideas about how to improve privacy and access find themselves at the bottom of a priority list. This is frustrating for many of you, and I know there are concerns about a lack of resources and training in your community.

In this regard, I would like to salute CAPA for its contributions in keeping its membership informed about privacy and access issues, and for its assistance in developing training programs and workshops. I am particularly interested and pleased to see that CAPA is offering scholarship assistance for students who want to take the University of Alberta Information Access and Protection of Privacy certificate program. This kind of forward thinking is an indication of your dedication, as a group, to ensuring a continuum of privacy protection for the personal information that is in your care.

It's been almost a year since I was appointed Privacy Commissioner of Canada, and I have learned a great deal about how much we rely on the Government of Canada ATIP community to help create a privacy-sensitive culture in federal departments and agencies. You are the custodians of a particularly important trust relationship.

Governments routinely collect, use and disclose a great deal of sensitive personal information from Canadians. Very often, this information is collected under the force of law, or in situations where receiving a pension, UI benefit or a government service depends on an individual giving out the information. We really have very little option to refuse when our government needs certain information for taxation purposes, for example, or for the firearms registry, or to complete the census. And the information that is collected is often used to make life-affecting administrative decisions about Canadians. These realities are reflected in the protections of the Privacy Act, which is meant to place checks and balances on the power of the government to collect and use this kind of information about us.

However, I have come to believe that the Act needs review and updating in order to ensure Canadians have the kind of personal information protection it was originally crafted to provide.

Reform of the Privacy Act

The Privacy Act was put in place in 1983, with the expectation that it would be reviewed periodically. The Act was looked at in 1986, and while a series of recommendations were made, they were not implemented.

I believe the need for reforming and refreshing the Privacy Act is urgent and compelling. The world was quite a different place in 1983, and many of the technologies that currently pose the greatest potential threats to data privacy simply did not exist then. The information landscape was different. Computer databases tended to be the exception, rather than the standard, and they were stored individually on isolated hard drives. Data mining was in its infancy, and most people had not even heard about the Internet. The surveillance potential of digital video, linked networks, global positioning systems, black boxes in cars, genetic testing, biometric identifiers and radio frequency identification devices (RFIDs) was still the stuff of science fiction. The major service innovation and horizontal integration of Government On-Line had not yet been envisioned.

When it was first developed, the Privacy Act was set up to be a data protection law based on each government department holding its information separately and predominantly in paper-based filing systems.

In my view, it is not surprising that the Personal Information Protection and Electronic Documents Act (PIPEDA) provides stronger data protection, since it clearly takes into account the electronic realities of today's data collection, use, storage and disclosure. But I do think it is inappropriate for Canadians to have stronger protections under PIPEDA, which governs the private sector, than in the Privacy Act, which governs the potentially much more sensitive personal information collected in the public sector.

Points for consideration

While more study needs to be done on how best to bring the Act up to date, and while of course, the ultimate power to amend the Act rests with Parliament, I would like to share some of my initial thoughts with you on general directions for change to the legislation.

• As you may know, PIPEDA takes primacy over subsequently enacted legislation, unless Parliament expressly declares otherwise. This recognizes privacy as a fundamental right, and this is appropriate. However, the Privacy Act contains no such provisions, and in my view, it certainly should. The Privacy Act should prevail over any other Act that does not contain an express notwithstanding clause.
• The role of the Privacy Commissioner of Canada is that of an ombudsman. Our office uses the powers of consultation, recommendation, and negotiation in order to resolve complaints and in reviewing legislation. I do not have order making powers. Our office may comment and make recommendations after reviewing Privacy Impact Assessments, and while we generally have a very good and cooperative relationship with departments, I cannot force any department to undertake stronger privacy protection measures. I can only point out where they are lacking. I think it is time to review the advantages and disadvantages of the model used in other jurisdictions that have enacted privacy legislation, including British Columbia, Alberta, Ontario and Quebec.
• One of the issues of greatest concern to me is transborder data flow, and you may have heard me speak about this already in other venues. There has been a steady increase in the transfer of personal information from government to government, and from governments to the private sector for processing. I'm sure you are all aware of the potential impact of the USA PATRIOT Act on this information.

  The Privacy Act is silent on this, and contains nothing to impose safeguards on third parties who process this information. While there are Treasury Board policies and various departmental practices, which of course many of you are familiar with, I believe that it makes sense in today's world to deal with this legislatively. I think the Privacy Act should contain specific wording defining the responsibilities of those who transfer personal information outside Canadian jurisdiction.

• Access is also a major issue, and of course, I would be very interested in hearing your expert views about this later. A major purpose of the Privacy Act is to allow individuals to have access to the personal information held about them by the government, and to be able to request correction of their files. Our office has had 20 years experience in hearing from Canadians on this issue and we have found the Act provides too many avenues and situations for access rights to be denied.
• We are also troubled by the provision that allows heads of institutions to neither confirm nor deny the existence of requested information, and we think this deserves review. Consideration should also be given to extending the rights of access and redress to foreign nationals whose information is collected by our government, for example by the Canadian Border Services Agency (CBSA) under the Advance Passenger Information/ Passenger Name Record system.
• I think it is time to take a look at the scope of the Act. Some important federal institutions are not covered, including Parliament itself. As well, the Act does not specifically discuss data matching. There are Treasury Board guidelines that require departments to submit data-matching proposals to the OPC for our review and comments, but we don't see many of them. Does this mean very little data matching is going on? I doubt it. I suspect the data matching policy is generally being ignored, perhaps because of practical problems with the process. Again, I would welcome your views on this issue, as I am sure many of you are thoroughly familiar with it. In any case, given the privacy invasive potential of data matching, it is our view that the duty to report it should be set out in law.
• There are some issues around collection and disclosure that should be tightened as well. The provisions of the Privacy Act do not apply to personal information that is "publicly available", and there are few if any restrictions put on information after it is disclosed. The Act should be revised to allow disclosures of personal information from government registries only for consistent purposes. Similarly, the Act allows the collection of information related to an operating program or authorized activity; this is a very broad interpretation. We believe better protection would be provided under a requirement that only necessary information be collected.
• I'd also like to mention the need to enshrine the Privacy Impact Assessment requirement in the Act. Stuart Bloomfield of our Privacy Practices and Reviews Branch will be speaking to you in more detail about the PIA process later, so I won't do that now. I will say, however, that I see the PIA as a major educational and preventative tool for departments to use in establishing good privacy practices. We have seen the benefits of the TBS policy requiring PIAs to be done and while we salute the policy, we would like to see it given the force of law.

Privacy Challenges Ahead

I'd like to turn now to the privacy issues and challenges that face us in the years ahead. Our concepts of informational privacy are being challenged by technologies and by international security measures that we simply did not anticipate — and could not have anticipated — a few short years ago. The growth of surveillance technologies and the increasing number and connectivity of data banks threatens our very notion of privacy, which has at its core the ability to control information about ourselves.

We live in a virtual world and we participate in the digital economy. The transmission of personal information anywhere in the world is possible at the click of a mouse. The globalization of personal data is, I think, one of the greatest potential threats facing privacy as we know it in the next few years. As a society, we must give broader consideration to the mix of policy instruments that will provide an adequate level of protection of personal information to Canadians. The Office of the Information and Privacy Commissioner for British Columbia has issued a very useful study on one aspect of this, and I have commended Commissioner Loukidelis for his work. The significance of the issues raised is underlined by the increasing cooperation between Canada and the United States on national security and border control. As you may know, our Office is undertaking a compliance audit of the information collection, use and disclosure practices of the Canadian Border Services Agency (CBSA).

I have said repeatedly that there is no need to trade off the protection of privacy against national or international security. I believe that privacy and security are complementary needs, and I have called for a national and international dialogue on developing a model for how and when sensitive personal information is to be shared among governments and under what protections. This wide consultation should involve government decision makers and Parliamentarians of course, but also should engage civil servants such as yourselves, business and union leaders, and civil society advocates. The input of the private sector is particularly important at this time, as we see more and more pressure brought to bear on business to collect and disclose information on their customers to governments.

As you know, all commercial carriers, charter operators, travel agents and owners of reservations systems must provide API/PNR information to the Canadian government. What you may not be as aware of is that amendments to PIPEDA that allow this type of activity do not specify this group, but could be extended to any commercial business.

I am vehemently opposed to the co-opting of private sector organizations to collect customers' personal information without consent for law enforcement purposes. Data collected for one purpose should not be supplied to governments for other purposes without the knowledge and consent of the customer. We must all be aware of this dangerous threat to the privacy of personal information.

Government On-Line

I know that many of you work in departments that are involved in or contemplating Government On-Line projects. The potential for Government On-Line to provide seamless service to Canadians requires the linking of data banks across departments and even across federal, provincial and municipal jurisdictions. This breaks down the traditional "silos" of information that provide privacy protection for personal information collected by governments -- and this creates a new challenge for the ATIP community. The uptake of Government On-Line services by Canadians relies on trust. We know that the uptake has been slow, and that Government On-Line services, while convenient, have been underutilized. Surveys indicate that at least part of the reason is a basic lack of trust in the security of the GOL transaction and the safety of the information submitted.

There has been a significant increase in the efforts of thieves to access the large databases of personal information held by governments. Computer hard drives have been stolen. Employees have been bribed or intimidated. Data bases have been hacked into. I'm sure you are all aware of the recent headlines about the situation in Alberta, where the personal information of senior provincial public servants was found in an Edmonton hotel room, apparently having been obtained by an identity theft ring. Ironically, it appears that the information is that which was given by employees to an agency working for the government to conduct security clearance checks. I'm not singling out the Government of Alberta here, or the agency that conducts their security clearances. There is a lot that is as yet unknown in that particular situation, but it does point out that information collected by governments under the force of law and for legitimate purposes can be at risk, and must be subject to the most careful of protections.

These situations heighten the perception of Canadians that providing their information online to government departments may just not be a good idea. How we overcome that perception — and indeed if it can be overcome — is one of the greater challenges ahead for you as information professionals, and for the government.

I would welcome your thoughts on any of these ideas and issues, and of course, I would be glad to answer any questions you have about my role and that of the Office of the Privacy Commissioner of Canada.