The Proliferation of Data Banks

The National Forum on Criminal Records: Economic, Social, Legal, and Political Issues

November 29, 2004
Ottawa, Ontario

Address by Raymond D'Aoust [1]
Assistant Privacy Commissioner of Canada


Introduction

On behalf of the Privacy Commissioner, Jennifer Stoddart, and speaking personally, I would like to thank the Association des services de réhabilitation sociale du Québec for your invitation to take part in this Forum. When Nathalie DesRosiers, who was then President of the Law Commission of Canada, first approached us, we immediately recognized the importance of the issue that was being raised and we were very glad to accept the invitation and to take part today.

My remarks will deal with the following questions: given the multiplication of data banks, is it still possible to ensure the protection of privacy? What in reality are the facts of the situation? What are the obstacles to overcome? What tools are available for protecting privacy?

I have also been asked not to limit my remarks to legal information but to deal with the broader, more general issue of personal information that is collected by governments and businesses and eventually winds up in an endless number of data banks. I will nevertheless emphasize the experience of the public sector.

How do we define personal information? The Privacy Act, which dates from 1982 and governs federal institutions, gives a rather broad definition (cf. Section 3 of the Act). Personal information includes an exhaustive range of information that makes an individual identifiable. Thus, it includes the descriptive attributes of a person, for example, age, address, ethnic origin, religion, family status, etc. It also includes information that is related to the life of that person: medical history, consumer habits, a financial profile (income, assets, debts, etc.) and, of course, any criminal record. The list could go on and on. Canadian lawmakers have thus given a rather broad meaning to the concept of personal information.

We see also that personal information touches virtually every aspect of the daily life of a person, and, in fact, contributes to the very identity of each individual person.

I would like to say a few words about the Office of the Privacy Commissioner of Canada (OPC). Acting as an Agent of Parliament, the Office of the Privacy Commissioner is responsible for promoting the right to protection of privacy in Canada. We do that by processing complaints that we receive under two federal laws: the Privacy Act, which applies to more than 150 departments and agencies of the Government of Canada, and the Personal Information Protection and Electronic Documents Act, which applies to commercial activities in Canada. We can also initiate investigations and compliance audits of government departments and agencies under the provisions of the Act. We can also do that in those parts of the private sector that fall under the Personal Information Protection and Electronic Documents Act if we have reasonable grounds for doing so. In addition, we give our opinion on proposed legislation and government programs that could have an impact on the protection of personal information. The powers of the Office of the Privacy Commissioner are those of an ombudsman. We make every effort to persuade, to convince, and to encourage compliance by means of mediation, conciliation and conflict resolution. We carry out our mandate by conducting research (or by funding research through grants), through public awareness, by giving advice, by publishing our observations and conclusions and by making recommendations. The Office of the Privacy Commissioner does not have the power to make binding decisions.

To begin, I will try to describe the scope or extent of the phenomenon of data banks containing personal information by suggesting a brief list of the uses of this information. Next, I want to describe the issues concerning the use of personal information. Finally, I want to conclude by offering some thoughts on the means that are available to us for ensuring better protection of personal information.

The growing number of personal data banks

Nearly all observers agree that the number and the scope of information banks are continuing to grow, in the private sector as well as the public sector. Unlike the business world, which has no such obligation, the federal government is required to maintain a complete register of personal information banks. This register, known as InfoSource, consists of two volumes of more than 800 pages containing hundreds of descriptions of data banks. For example, the Correctional Service of Canada alone manages more than 25 data banks that contain a range of systems for case management, information banks on delivery of health care services, on admissions, administration of discipline, on pardons, on offenders, etc.

A look at the contents of the federal register makes it clear how much the activities of all departments, from an operational point of view, depend on data banks and complex information systems that are often inter-connected. It is without doubt no exaggeration to say that it would be impossible today to carry out the business of government, at all levels, without having access to the information contained in these data banks. That observation also applies to private sector and non-governmental business. If not all of those data banks are solely personal information banks, a great many of them are.

It is rather amazing to discover how little research the federal government has conducted on the subject of data banks. Apart from a few major announcements on cyber-government, it seems that very little in-depth research has been conducted on the effect of data banks on privacy. To a large extent, this is an area of research that has been overlooked. Let us see what comments have been made by the people who have taken the time to reflect on the impact of computerized data banks on privacy.

Oscar Gandy [2] offers a classification system that includes 11 categories of information that is routinely collected and that, in one form or another, winds up in electronic data banks. According to Gandy, this extensive classification would apply equally to government activities and private sector operations. Gandy identifies the following categories:

  • Personal information for identification and confirmation (birth certificate, driver's licence, passport, etc.)
  • Financial Information (bank accounts, credit information, investments, income tax returns, etc.)
  • Information related to insurance companies (health, property, business, etc.)
  • Information related to social services (unemployment, pension, social benefits, etc.)
  • Information related to public services (telephone, electricity services, etc.)
  • Information concerning real estate property
  • Information related to travel and other activities (recreation, entertainment, etc.)
  • Consumer Information (credit card statements, rental contracts, etc.)
  • Information concerning employment (job application, performance evaluation, employment history, etc.)
  • Information concerning education (school records, diplomas, certificates, etc.)
  • Legal information (including police records)

This list is surprising in its detail and in the fact that it deals with all aspects of human life. In most cases, the information is given voluntarily by citizens who want access to a service or program. Sometimes, the information requirement is compulsory, especially when dealing with public agencies that have available a wide range of legislation and regulations that require citizens to disclose personal information. For example, it would be impossible for someone to obtain a driver's licence without providing some basic information. In the same way, when applying for a job, the applicant must necessarily provide a great deal of information (training, previous employment, etc.).

As a rule, the information serves to establish someone's eligibility for a program or service (inclusion) while confirming the identity of the person who makes a request for service (authentication). It also serves as a device for managing the risks associated with a particular transaction (the issuance of an insurance policy, for example). Risk management inevitably takes the form of exclusion. This is to say that data banks have a double logic: inclusion and exclusion. According to Gandy, who would like to lay the foundations of a personal economic information policy, the computerization of social functions and the appropriation of the privacy sphere by corporate interests and the government are leading us inevitably toward a more authoritarian society, focused on control and surveillance. The Panoptic Sort is an unavoidable condition of economic growth. The Panoptic Sort makes it possible to distinguish, to categorize, to discriminate and to apply relativity to the principle of universality.

Another observer, Reg Whitaker [3], leads us onto more philosophical ground. In his view, our modern data banks have made possible the emergence of a new Panopticon. Whitaker takes up the notion of the ideal prison designed by Jeremy Bentham, an 18th-century utilitarian philosopher. Bentham had proposed to invent an ideal prison in which all the inmates would be under total surveillance at all times.

In Whitaker's opinion, unlike the Panopticon invented by Bentham and considered by Michel Foucault [4] as one of the dominant models of modern disciplinary institutions, the new Panopticon would be based on consensus and voluntary participation. It would also be a great deal more decentralized — and even competitive. In fact, according to Whitaker, the new Panopticon would be an integral part of the market economy. The strength of the new panoptic lies in the advantages that citizens find in participation, and for many people, these advantages greatly outweigh the disadvantages. While Gandy emphasizes the rationality of exclusion from increasing computerization, Whitaker insists on its cohesive strength.

For example, access to automatic bank machines and to pre-authorized credit, loyalty cards, etc. provide many advantages for everyone that, according to Whitaker, guarantee willing acceptance of the principle of surveillance, which requires that everyone sacrifices some part of his or her personal information. To refuse such surveillance would mean exclusion from the market economy and the resulting benefits. Whitaker also suggests that, in this increasingly digitalized and inter-connected economy, it is essential for the State to play an increased monitoring role to contain the unstable and chaotic aspects of the system. This is what is referred to as the dark side of globalization and which is seen in transnational organized crime and terrorism, realities that justify even greater surveillance by government.

The growth of electronic transactions, which would be impossible without the existence of these data banks, is the foundation of this new economy. If it is true that the first data banks can be traced back to the end of the 1950s and the era of perforated cards, the expansion of data banks, both in their number and their capacity, is a much more recent event. It is a well documented phenomenon and there is no need for me to describe it; but from the perspective of personal information, what exactly is going on?

The most significant change in terms of the design of data banks in the last decade is without doubt the fact that they are for the most part, relational. In other words, data banks can now talk to one another. Until very recently, the basic principles of practically all data banks imitated filing cabinets filled with paper records. One could still speak of administrative transparency. Data banks were largely stored in silos, one beside another. That is no longer true. Interfaces now exist to allow for the importing and exporting of data from one bank to another.

The hegemony of several large software suppliers and the standardization of their operating principles now make it possible for an almost uninterrupted dialogue between systems. They can now combine data, correlate it, recognize "patterns", and identify relations. In short, with the use of complex algorithms that sort and combine data, it is now possible to create new information that can be used in government programs and private sector strategies.

In addition, data banks are increasingly multimedia files, combining digits, images and words. There is even talk of building in biometric elements that could identify and authenticate people. With digitalization, data banks can now converge to become enormous information beams that are connected to the network of networks, the Internet. A survey by the Federal Trade Commission (1998) in the United States about on-line protection of personal information found that between 87% and 97% of electronic commerce sites surveyed collect personal information [5].

What's more, the administrators of those sites are able to compile profiles of their customers. This exponential capacity to extract data has even given rise to new companies that specialize in the mining of data banks and the creation of customer profiles. These companies now sell information to the highest bidder. They provide aggregated composite profiles (for example, to identify socio-economic categories that niche marketers can target) and also supply individual profiles (targeting one specific person). In other words, the panoptic sort described earlier has now become a reality.

But let us look more closely at what is happening, and let me share with you some ominous trends.

Data mining

One of the most significant developments, and one which seems to have intensified since the events of September 11, 2001, is the mining of data banks. This practice uses a range of computer techniques to search through large amounts of information to extract useful substrata that can be analyzed. The mining of data banks uses statistical analysis and modeling techniques to establish relations and to recognize "patterns" between certain variables to anticipate certain results. The purpose of this practice is to generate new information that has a predictive or anticipatory value. In effect, data mining seeks to reveal hidden secrets about a collection of data that, at first glance, is not related. For example, the analysis of credit files, combined with purchasing and travel patterns, could disclose some illicit activities.

In the United States, the General Accounting Office (2004) made a survey of this practice within the federal government and found that 53 of the 128 agencies covered by the survey used or intended to use data mining as a continuing part of their operations. The most frequent uses of data mining were the following: improvement of service to the public, anticipating and preventing fraudulent acts, elimination of waste and abuse, for research and information, for human resources management, discovery and prevention of criminal acts, information analysis and prevention of terrorism. The GAO now has to consider the quality and reliability of the information and the use that is made of that information (is it in accordance with the original reasons for collection of the data and the conditions of consent?).

In that context, the Total Information Awareness initiative of the American government attracted a lot of media attention. Originally called Total Information Awareness and later renamed Terrorist Information Awareness in 2003, this initiative was apparently abandoned for lack of sufficient funding. Many people who are concerned about privacy [6] see this initiative as the symbol of an all-seeing surveillance of citizens by the government that has made possible access to enormous data banks created by the public and private sectors. However, no one should believe that mining of data banks is limited to a few initiatives to counter the terrorist menace. In fact, this practice also takes place in the private sector where increasingly companies mine private and public access data banks to establish personal profiles. These firms, such as Abika and ChoicePoint, sell these profiles to employers who want to determine the reliability of potential employees. For less than fifty dollars these companies compile a data file — most of the time using information that is impossible to verify — that may have a determining influence on whether a person is hired. It's the same process in terms of measuring solvency or insurability.

Information sharing between jurisdictions

In the information and surveillance community, the sharing of information is a long-established practice. In fact, there are well-established channels of cooperation for combatting and preventing many types of activities. For example, major information sharing systems have been put in place that allow different jurisdictions to share information on travellers, among others. Laws and regulations now require airlines to collect and transmit this information, in effect making the airlines agents of the government. This system, which is commonly known as Expedited Passenger Processing System (EPPS), enables governments to make a quick analysis of the potential risk of certain travellers and to intercept them as soon as they arrive. This is a good example of how the inclusion and exclusion principle can work from the perspective of risk management. Information is collected on all travellers for the purpose of excluding undesirables.

Canada is an active partner in this information sharing. To a large extent, a harmonized approach to risk management has been adopted in this country. The European Community is also very interested in this issue and is asking to what degree the principles of proper management of personal information are being respected. The Europeans are also wrestling with the question of the opportunities for recourse and correction that are available to their citizens. The Office of the Privacy Commissioner is looking into the question of cross-border traffic in personal information between Canada and the U.S. to determine the type of information that is being shared, what it is used for and its destination. As a first step, we are looking to create a map of the information flow.

Inter-jurisdictional sharing of information is not limited to data on travellers. In carrying out a preliminary survey, we found that in some government departments and agencies agreements for information sharing between jurisdictions number in the hundreds. The control practices on this information are also very different. As a general rule, the farther information moves from the office that created it, the more difficult it is to control the use of that information and its disclosure to third parties.

Public, Private and Extra-territorial Partnerships

Ever since the efforts to rationalize government operations in the 1980s, spurred by the ideology of New Public Management, most governments in post-industrial societies have implemented partnerships of different kinds for delivery of services to the public. These partnerships have given rise to an unprecedented movement towards outsourcing and sub-contracting, and one of the results has been a sharing with the private sector of more and more information of a personal nature. There are many examples of these partnerships. We can take a moment to examine a case highlighted by the Privacy Commissioner of British Columbia.

It all began when the B.C. government announced its intention to award a contract for management of its health insurance program to an American company. The employees' union immediately brought the matter before the courts by filing a lawsuit. The union argued that this outsourcing threatened the confidentiality of the medical information of its members on the grounds that the data bank would now be accessible to the American authorities under the USA PATRIOT Act. In response to that allegation and the outbreak of protests in the media and among interest groups, the B.C. Privacy Commission organized a public consultation. More than 600 interveners came forward to express their views. In his report, the B.C. Commissioner described the question in the context of a large and complex problem that leads us to question the effectiveness of the current system. The matter of personal information protection inevitably involves strengthening of the legislative framework, both at the federal and provincial levels. It demands, among others, an in-depth review of the measures that governments have put in place that provide them with unlimited access to personal information.

The Commissioner made several recommendations intended to strengthen the control of personal information, even when that information has crossed borders. He suggested, among others, a strengthening of contract standards and legal measures in the event of transgression. He also called for audits of data sharing agreements and a study by provincial and federal authorities of the practice of mining data banks to ensure that the principles of sound personal information management are respected.

The report also called for strong action by the federal government. The Treasury Board has begun a review of the impact of the USA PATRIOT Act on the outsourcing activities of federal departments. This is a story that bears watching. However, there should be no doubt that the issue here deals not only with health information but with all the other information that makes up the fact of identity.

Appropriation of identity

At the heart of the debate about control of personal information lies the question of identity. The importance of the sphere of privacy for the growth of a human being has been recognized for a long time, in philosophy, in law and the human sciences. The dignity of the person is inconceivable without that right. Section 8 of the Canadian Charter of Rights and Freedoms protects against intrusive searching and capture of data. Information technologies, by their very far-reaching pervasiveness, put the protection of this right in jeopardy and as a consequence, threaten the very foundations of personal identity.

The accumulation of personal information on an individual enables the creation of a composite image of that person that is often false and reductionist. More and more one hears of the electronic identity of a person. That identity precedes the person when he or she travels. That identity follows and leaves a trail when he or she uses the Internet. It becomes a determining factor of the individual's potential for action and development. That identity could be stolen or appropriated. It serves to categorize a person. When doubt is cast — even if it is unfounded — on his or her integrity, that identity can prevent a person from travelling, from finding a place to live or a job, or from obtaining insurance. There is very little recourse for correcting this data, for ensuring that it is accurate, or for enabling the exercise of judgement concerning that identity. There are major issues when we deal with information related to criminal records. The closer personal information comes to the biographical heart of a person, the more that information can have significant consequences on the shaping of identity and on imposing serious limitations. Information about a person's health, like information in criminal records, undoubtedly falls into this category. As a result, that kind of information must be managed with great care.

Is it still possible to protect privacy?

Before examining some solutions and suggesting particular avenues for consideration, I want to try to answer the question raised at the start: Given the multiplication of data banks, is it still possible to ensure the protection of privacy? In responding to that question, I would be tempted to say that such protection is increasingly difficult to ensure. As the collection and use of data become more and more extensive, protection of personal privacy becomes more difficult and complex. The mining of data banks, the sharing of information between jurisdictions and organizations, and the erasing of the separation between private and public greatly complicate the whole question. And there is no indication that this trend is going to diminish.

The space of personal privacy according to all observations is shrinking fast, and the instruments for maintaining privacy and personal information intact are being severely tested. Technology surrounds us and in principle at least makes it possible to monitor everyone and everything. In his latest book [7], Jeffrey Rosen, an experienced observer of the subject, expresses the view that the development of the Internet has prompted the emergence of an omnipticon (which goes much further than Bentham's Panopticon) in which everyone is watching everyone else. This symbol of our era, this omnipticon, is increasingly the result of a convergence of technologies. This convergence means that technology reaches into every sphere of our private lives. This convergence poses serious challenges to the basic principles of the protection of personal information. Those challenges are not limited solely to data banks.

Several examples should be familiar to all of us. Cellular phones with digital imagery make it possible for someone to take pictures without our consent and to broadcast them almost immediately on the Internet. "Black boxes" built into automobiles that record speed, acceleration, braking, and wearing of a seat belt, fly in the face of the principle that a person must be informed when data is being collected about him or her. Many automobile owners are unaware of the existence of these "black boxes." Car dealers "forget" to mention them. In California, the state has passed a law that requires car dealers to tell potential buyers. Radio frequency identity chips (RFID), those famous miniature tags that are used on consumer products for inventory control and theft prevention, also present a special challenge because they make it possible to locate and identify the person who uses those items. When combined with the technology of geospatial fixing, it becomes possible to follow the movements of a person. With the development of nanotechnology, such tags could be part of the paint on a car or other object, serving as a unique identification code, a sort of DNA of that object. These "tags" could also be added to biotechnology instruments to enable the transmission of biomedical data. They would thus become part of the human body, an interface with the data bank.

Nothing that I have talked about is from the realm of science fiction. These are all real matters that are the object of tremendous investments in research and development. These few examples are a true picture of the depth and breadth of the phenomenon.

These examples explain why many observers from different disciplines and fields of practice have concluded that the protection of personal information will be the major issue of the 21st century.

Conclusion

Now, let us turn our attention to what can be done to prevent other assaults on our privacy.

The need to expand our instruments for protection of personal information

In a recent work on governance of personal information, Professor Colin Bennett [8] questions the effectiveness of existing instruments in preventing a lowering of defences on the integrity of personal privacy in post-industrial societies. He suggests that an effective protection system requires three elements: a legislative framework properly adapted to the realities of modern life (which would allow us to deal with current technological issues) and regulatory agencies to enforce the law, trans-national instruments (OECD, EC, ISO, etc.) that would make it possible to enact and enforce international standards for protection of personal information, self-regulating industry codes of practice (for example, marketing) and technological instruments that would protect the integrity of personal privacy. According to Bennett, all of these instruments have to be in place and working together to protect personal information.

An effective legislative framework supported by good management practices

In 2001, Canada adopted a very progressive law on management of personal information by the commercial sector in this country. The law is flexible and in the opinion of many people, well suited to current needs. It includes, among others, a set of guiding principles to direct the sound management of personal information (limits on data collection, responsibility, access, correction, etc.). The law includes a mechanism for harmonizing of provincial and territorial jurisdictions. It also contains a set of standards under which it is possible to evaluate the intrusive nature of new practices (data mining) and developments in technology.

On the other hand, the legislation governing the public sector, which dates from 1982, needs to be updated. We are now working to develop proposals for doing that. These recommendations for reform will deal with several aspects of the Act: its application to federal institutions, the definition of personal information, the inclusion of guiding principles, a broadening of the right to recourse to the courts, data matching, cross-border transmission of data, etc. It is our opinion that in an era of cyber-government the activities related to the collection, use and disclosure of personal information must be brought up to date by the Government of Canada. For example, should the Act include a test of the necessity to collect certain data?

There is also a need for ensuring that the management of risk is carried out systematically, by examining the impact of factors related to privacy, for example, and that effective prevention measures are in place. It is also necessary to implement mechanisms for control, monitoring and training. Experts agree that most of the problems related to poor management of personal information are caused by the human element and that the people responsible for the errors are not outside the organizations but right inside (managers, employees or contractors). There is a clear need for continuous training and auditing by the organizations that are entrusted with this information.

Technological instruments

Many researchers and entrepreneurs are working to develop software applications that would make information anonymous, by using algorithms to encrypt information, as a way of making personal information more resistant to incursions and cyber-attacks by hackers. An example would be to enable data transmission using aliases and other mechanisms. Many others are working to develop information systems architecture that would restrict access, use and disclosure of information. The goal is to build in rules that would comply with a code of fair practice in the management of personal information (for example, the school of Digital Rights Management has begun a project to develop architecture that by its very design would guarantee that only the authorized person could obtain information at the appropriate time). However, opinions are divided on these efforts: are they motivated more by concern for security of the system than for the protection of personal information? In other words, it would be possible to have the most secure system in the world that would also be a very intrusive system. One condition does not rule out the other.

Efforts are also being devoted to authenticating the identity of electronic communications to eliminate, among others, identity appropriation and fraud. Exchange forums have been established to discuss these issues and to share experiences. While these initiatives are still in an early stage of development, they all share a common concern: how to harness the technology to prevent abuses of personal information?

Creating public awareness

There is still a lot of work to be done in creating public awareness of the issues related to protection of personal information, especially concerning young people. According to some surveys, the fears and concerns of Canadians in terms of privacy are much more subdued since the events of September 2001. It seems security is more important, even if it means greater intrusion on the part of public authorities. The balance between concern for the protection of rights and security may have to be defined anew. According to some observers, there are significant differences between generations. Young people, who are more likely to use new technologies, are less concerned about protection of their personal information.

However, that is not to say that the public is apathetic about intrusions into their privacy. When it was discovered near the end of the 1990s that HRDC had created a super-file that contained more than 2000 pieces of information (drawn from many data banks) without the consent of the people involved, more than 60 000 people demanded access to their files to ensure that the information in the files was legitimate and correct.

The need to support research

The Office of the Privacy Commissioner of Canada launched a program of contributions for research this year. We identified two areas for research. The first approach focuses on the many challenges that technology poses for the protection of personal information and the second area looks at the implementation of the legislation covering the private sector.

It is obvious that a sustained research effort is needed to ensure that public policies and practices for management of personal information are based on a sound framework of principles supported by solid empirical analysis. To be effective such research must be multi-disciplined and should include the law, human and social sciences and the sciences of technology. The protection of personal information is of such importance that we must ensure our knowledge of the issues is constantly updated.

Footnotes
[1] The opinions expressed here are those of the author and do not necessarily represent the views of the OPC.
[2] The Panoptic Sort: A political economy of personal information, Westview Press, 1993.
[3] The End of Privacy, The New Press, 1999.
[4] Discipline and Punish, 1978.
[5] Quoted by Sockman, The Privacy Challenge, in The Law of Privacy in Canada, Thompson-Canswell, 2000.
[6] For example, see the annual report of the Electronic Privacy Information Center (EPIC), 2003.
[7] The Naked Crowd: Reclaiming security and freedom in an anxious age, Random House, 2004.
[8] Charles Rabb, The Governance of Privacy: Policy instruments in global perspective, Ashgate, 2003.