Building Bridges — Implementing PIPEDA

Access & Privacy Conference 2004
Hosted by the University of Alberta

June 10, 2004
Edmonton, Alberta

Address by Jennifer Stoddart
Privacy Commissioner of Canada

---

Building Bridges — Implementing PIPEDA

I am very happy to have been invited to be part of this terrific learning and networking event. As I look around the room, I am aware that many of the best and brightest thinkers and doers in this field are here to share their experience and their ideas. I am very much looking forward to comparing notes with you on our concerns, our battles, our goals, and our achievements. As I look out at the sheer volume of privacy expertise represented in this room I find myself reflecting upon the great distance we have come in terms of putting privacy issues and data protection on the map in Canada.

I must say that I am proud of what we have achieved as a group working together on these issues. But we have some complex and difficult challenges ahead. I believe that privacy is a fundamental human right, in many ways the cornerstone of all other rights we cherish in a civil society. Freedom of thought is essential to freedom of action, and the very hallmark of a free society is the absence of continual surveillance.

Imagine being watched, being profiled, and having the day-to-day actions of our ordinary lives measured for potential wrongdoing. Imagine what we buy, where we travel, what clubs or political parties we join, what books we read and even where we worship becoming part of a massive commercial or government data base.

Without strong controls and clear rules restricting the collection, use and disclosure of personal information, this is possible in our digital world, with severe implications for our freedom and quality of life. This is not the way I want to live. This is not what Canadians want. I believe that most of us in this room today share this deep concern for preserving the right to individual privacy as a fundamental cornerstone of democracy.

I would like to take a moment to salute the efforts of the Government of Alberta in the field of privacy and the protection of personal information. Under the creative leadership of Information and Privacy Commissioner Frank Work, Alberta has been a leader in inculcating privacy culture, principles and practices in its own dealings with the public and in the private sector as well.

For example, Alberta's decision to require mandatory Privacy Impact Assessments for systems that collect, use or disclose health information is a practical and forward looking step in helping to ensure that the privacy of our most sensitive information is protected. The Privacy Impact Assessment, while not perfect, is one of the best tools we have at our disposal for finding, resolving, or mitigating, privacy risks in any project that handles personal information. While there are many excellent and sophisticated technical systems that can tell us, after the fact, that personal information has been compromised, the PIA remains our best preventative safeguard.

As I am sure you would all agree, prevention is Job One when it comes to privacy protection. Preventing the inappropriate collection, use and disclosure of Canadians' personal information is what our jobs are all about. We all know that once privacy is gone, it's gone. With all the good will in the world, you can't give it back. In our field, an ounce of prevention is priceless — because there is no cure.

So I am taking this opportunity to congratulate Alberta for its emphasis on the Privacy Impact Assessment, and for its recognition of the importance of this tool by giving it the force of law for projects that involve the collection, use and disclosure of medical information. Under the federal Privacy Act, the Treasury Board makes PIAs a condition of funding for new, substantially redesigned or electronically driven programs and services that collect use or disclose personal information. This policy has gone a long way in helping government departments ensure they build privacy considerations into their projects from the ground up.

The policy is a good step forward and beneficial to protecting privacy and the security of personal information, but it remains only a policy. I believe that Privacy Impact Assessments should be given the force of law at the federal level, as Alberta has done with its PIA process for health information. I would also like to see an overall review of the Privacy Act, which is 20 years old and was passed at a time when some of the technologies that today may pose some of our greatest privacy risks simply did not exist.

Private Sector Protections

I would like to turn now to privacy challenges and opportunities in the private sector. In addition to my duties under the Privacy Act, I oversee the Personal Information Protection and Electronic Documents Act — also known as PIPEDA — and it is primarily in that capacity that I will be speaking to you today.

The Act establishes rules for organizations involved in commercial activities to manage personal information. It attempts to strike a balance between the right of individuals to protect their personal information, and the need of organizations to obtain such information for legitimate and reasonable purposes. The Act applies to traditional paper-based business as well as electronic and online transactions.

The federal legislation may be superseded by legislation that has been deemed to be "substantially similar". So far, only the legislation passed in Quebec has been the object of an Order in Council. We are expecting an Order declaring the British Columbia and the Alberta Personal Information Protection Acts to be substantially similar to be approved this summer.

Phased in over three years, PIPEDA now extends to the collection, use and disclosure of personal information in the course of any commercial activity within a province. It also applies to all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.

Companies are now required to obtain consent from the individuals from whom they collect personal information. This applies not just to information collected for a specific transaction, such as a credit card number or a delivery address but to all information, including that which is to be used for future marketing purposes. The information must be collected for a reasonable purpose, must be accurate, must be able to be corrected, and must be stored securely.

Well, it doesn't sound all that complicated, does it? However, I know I would not get away with indicating to this audience that implementation of PIPEDA in the commercial sector has gone entirely smoothly.

There have been some bumps, and some challenges. There has been some misunderstanding, some misinterpretation and some just plain confusion. Many companies are still grappling with the full implications of what the Act means to them, including its retroactivity. Many smaller businesses across Canada may simply be unaware that the Act does, in fact, apply to the personal information they collect, use and disclose.

But we are forging ahead, and we are making progress.

I would like to report to you today on some of that progress, and on some plans we have for the future. Our office is engaged in discussions with the provinces of Alberta and B.C. to ensure a smooth transition of complaints files when, as expected, their provincial legislation is deemed substantially similar. We will share current complaints files where circumstances warrant, and we are developing joint statements, questions and answers, and jurisdictional tools.

Staff members in our offices are in regular contact on day-to-day issues that may touch on both jurisdictions as they arise, and we meet frequently, cooperatively, and fruitfully. I am happy to say that our level of cooperation and our ability to achieve joint goals is significant. This kind of cooperation is vital in bringing Canadians a better level of privacy protection — and that's what it's all about.

We have recently posted a number of innovative new resources on our website. These include links to the excellent privacy diagnostic tool developed by the Office of the Information and Privacy Commissioner of Ontario, and to the very thorough privacy compliance guide developed by the Canadian Institute of Chartered Accountants. We have updated our PIPEDA guide for businesses and organizations, and we have established better relationships with business associations such as the Canadian Bankers Association and the Canadian Marketing Association.

We are actively seeking partnerships with the private sector to help spread the word on PIPEDA, relieve the confusion, help business to comply and educate consumers. We are engaged in a long-term public education and outreach plan that we hope will build on these successes.

I do not mean to imply that we do not have a long way to go! I would like to share a few stories from the front lines of our inquiries and investigations branch, just by way of illustration. To set the stage, here are some statistics reflecting the number of calls, letters and emails we receive on a regular basis.

According to statistics for the month of March 2004, our Inquires unit received 1,725 phone calls from Canadians with privacy related questions. Of those, 980 were specifically concerned with PIPEDA. The unit also received almost 400 written inquiries — letters or emails — about PIPEDA in that time.

I really must take my hat off to our extremely dedicated and professional inquiries branch staff, who have been patiently, steadily and tactfully responding to hundreds of calls a week about PIPEDA. Calls come in from all across the country, from corner businesses, from large companies, from corporate lawyers, and from ordinary Canadians in every walk of life.

Here is just a small taste of some of the more intriguing and puzzling PIPEDA questions and concerns we hear in our office.

• A gentleman called to say he had left all his income tax returns in a Tupperware container under the bed when he left his wife, and she had looked at them to find out his annual income. He felt this was an invasion of his privacy and wanted to launch a complaint under either the Privacy Act, or failing that, PIPEDA, as the taxes he paid were because of commercial activity.
• A large company based in the U.S. sent its entire data base of customers — thousands of people — a pamphlet outlining its privacy practices, and a consent form to sign to indicate the customer accepted these policies and consented to personal information being used. So far, so good. However, instead of putting its own phone number on the form as a source of information on its own privacy policies and practices, the company put ours. Our offices were flooded with calls from this company's customers, asking us to describe its internal privacy regime, which of course we knew nothing about. Needless to say, these people calling us were not happy to hear that!
• Customers of a retail store called to say they had taken their items to the cash register, where they were told they had to sign a blanket consent form giving the retail chain permission to use their personal information pretty much any way it wished — or they would not be allowed to make their purchases.
• And a tradesman called to find out what the specifications were under PIPEDA for the design and installation of, of all things, toilets. I guess it does have something to do with privacy, but I don't think we were able to help.

So, yes, we certainly do have a long way to go. According to our inquiries branch, consent issues are the most misunderstood and contentious aspect of the Act. We will be working proactively with business and consumer groups to develop a better understanding of this issue.

Contributions Program

One of the ways in which we hope to develop a better understanding of PIPEDA and of privacy in general is through a special funding program that I am very proud to see get underway. The Contributions Program is a special privacy research fund that will promote greater privacy awareness and understanding by making grants to worthy projects. In my view, it is extremely important to build our national privacy research capacity. Privacy policies must be based on a solid foundation of knowledge. I am confident the Contributions Program will play a key role in this area.

The $200,000 Program will focus on two key priorities. The first will examine how and to what extent emerging technologies affect our privacy. New technologies raise new challenges. We need a clear assessment of the privacy impact of developments such as RFIDs, black boxes, and biometrics. Video surveillance, while not new, is being combined with other technologies such as facial and movement recognition, even thermal tracking. The entire subject of surveillance deserves a closer examination and a full public debate of what we view as acceptable and unacceptable limits on our freedom and privacy in return for promises of greater security.

The second area of focus for the Contributions Program is implementation of PIPEDA. We are looking for good, solid projects from the not-for-profit sector that will help raise awareness and promote good privacy practices. Organizations may receive up to $50,000 for projects of this kind. I am very much looking forward to seeing the proposals as they come forward. Not-for-profit groups, including education institutions and industry and trade associations, as well as consumer, voluntary and advocacy organizations are eligible for funding under the Program.

A Pragmatic Federal Approach

Privacy is a deeply cherished value in Canada. PIPEDA was enacted to help address consumer concerns about privacy and the expanding use of their personal information in the digital economy. PIPEDA recognizes that while electronic commerce knows no physical boundaries, our data protection laws must be in harmony with international standards — particularly those of the European Union — in order for business to flow to us.

Good privacy practices are good for business, whether domestic or international. A strong, well developed federal commercial privacy law provides clear national standards and a level playing field for business. PIPEDA is an innovative attempt to provide a global framework for privacy across multiple jurisdictions. I believe the law shows great sensitivity to jurisdictional issues by allowing those with substantially similar legislation to apply their own laws. This is a pragmatic approach to the constitutional realities of our nation, while ensuring all Canadians receive the high level of privacy protection that they deserve, no matter where they live.

We sometimes call this the "Information Age" and it is certainly true that there has been an explosion in the gathering and dissemination of information of all sorts, including personal information. Businesses in particular have found a huge potential to grow their markets and develop new ones by mining this deep vein of informational gold. They use personal information to seek out new customers and keep up relationships with existing ones. They want our demographic information in order to target their products correctly. They want information about our buying habits and preferences to develop new products.

The challenge lies in getting, storing, using and circulating that information in a way that does not violate our fundamental human right of privacy and our deeply cherished need to control our own information.

One of the greatest challenges facing us as we move forward with implementation of PIPEDA is the administration of health records. While PIPEDA does not cover the core activities of municipalities, public schools, universities, public hospitals and correctional facilities, the Act does apply to private pharmacies, labs, and private practices of health care professionals. We recognize that there are some gaps and grey areas in PIPEDA's coverage of health care records. We are aware of the perception that PIPEDA, drafted to protect personal information in a general way, may not be the best suited vehicle for the specific protection of health care information.

Alberta is again taking a lead in this area through its participation with Health Canada and other provinces in the Pan-Canadian Personal Health Information Privacy and Confidentiality Framework. The Framework is seeking to develop a comprehensive set of rules that would apply to electronic and paper-based health records in all organizations — public or private, engaged in commercial activity or not. As currently envisioned, the Pan-Canadian Framework would be broader in scope than PIPEDA.

Our office is following this initiative very closely as it unfolds over the next few months. It is clear that better sharing of health records can help ensure better patient care and a more effective health care system. Protecting the privacy of those records as they circulate is of the utmost importance. Many technical questions that arise around this issue need to be addressed and resolved on a cooperative basis.

Firearms Act

Now I would like to digress a little from PIPEDA, if I may, and turn my attention to the Canadian Firearms Program. I really don't think that I can come to this part of the country and ignore this issue, which resonates so strongly here. The Firearms Act is a highly controversial piece of legislation that provokes strong emotion and argument from supporters and critics alike. It is certainly a hot button issue, but our focus is simple. The Firearms Program collects and uses large amounts of highly sensitive personal information. It has a direct effect on more than 2.3 million firearm owners across the country. Issues of concern about the handling of this personal information have been brought to the attention of our office and I would like to take this opportunity to give you an update on what has been happening.

Our office's Review of the Personal Information Handling Practices of the Canadian Firearms Program was delivered to the Department of Justice and to the RCMP in August, 2001. It made 34 detailed recommendations aimed at reducing the intrusiveness of the program and responding to the concerns of Canadians about risks to their personal information.

Some of these recommendations have been accepted, and changes have been made in personal information handling practice in the Firearms Program. Some issues remain outstanding, but I am pleased to say I have had a cooperative and productive meeting with Firearms Commissioner Baker, and we are working on a resolution of Canadians' concerns.

International Information Exchanges

This is an intriguing time in the development of privacy law and privacy practices, and I think it is safe to say we all have challenges ahead. The debate over transborder data issues such as passenger information is emerging as a key issue. Our office is embarking on a new project to map out the flow of Canadians' personal information as it crosses borders. We want to know what information is collected, particularly by security forces, we want to know where it goes, and what protections and rights may apply. We are all grappling with the implications of the USA PATRIOT Act and the complicated array of international information sharing agreements that may impact Canadians' privacy in the public and private sectors.

David Loukidelis, B.C.'s privacy commissioner, has asked for our office's input as he looks into this issue, and we are glad to cooperate in any way we can. We will be making a detailed submission in response to his request. I congratulate Commissioner Loukidelis for taking a stance on this, and for providing an opportunity for dialogue and debate. We share his concerns, and in fact have been discussing this issue with federal officials over the past few months.

I started my address to you today by saying we have come a long way, and that is certainly true. I would like to conclude by asking you to think about how far we have yet to go, and what is standing in our way. I believe we are at a crossroads and there is a great risk ahead that the right to privacy will come to be seen as frill — a luxury not in keeping with the informational demands of modern society.

I believe the decisions we make and the path we follow as privacy advocates in the next few years will be of the greatest importance. It is easy to become overwhelmed by the galloping pace of technology. A new surveillance gadget or a global positioning device or a dazzling new data mining software program seems to come out every day. We are told regularly that information is the lifeblood of our economy. We are constantly made aware of threats to our safety and security that seem automatically to trigger demands for the collection of more and more or our personal information.

But we must mobilize to meet this challenge. We must start putting more resources into privacy research and the development of privacy enhancing technologies. We must confront those who would trade away individual rights, including the rights to privacy, for the promise of national security. We must ensure that the privacy rights of individuals are not lost or submerged in the chorus of voices calling for more security, more data, and more information about all of us.

We all have a lot of work ahead of us, and I am very much looking forward to the coming challenges and opportunities. I anticipate working cooperatively with you to meet the coming issues with creativity and vigour. Thank you for your attention, and if you have any questions I would be glad to answer them.