April 20, 2005
Ottawa, Ontario
Address by Jennifer Stoddart
Privacy Commissioner of Canada
If the level of energy directed by government at using technology and law to facilitate surveillance were matched by an equal amount of energy directed at securing the right of privacy, I would be much more at ease as Privacy Commissioner.
Let me give you a few examples of why I am concerned about governmental approaches to intrusive technologies. Data matching and mining both present opportunities to enhance surveillance. Data matching will also be an integral part of our attempts to expand e-government at the federal level — a potential benefit to Canadians in their interactions with government.
But where are the legislative and policy responses to ensure that data matching does not go awry?
There is no provision in the Privacy Act even requiring that the Privacy Commissioner be notified of a data match. The Treasury Board of Canada adopted a policy on data matching in 1989. However, this is simply a policy directive and does not have the force of law. It requires federal institutions subject to the Privacy Act to conduct a detailed assessment of any proposed data matches and also requires that my office be notified 60 days before the matches begin. Unfortunately, this policy seems to be honoured most often in the breach. In 2003-04, we received only 10 notifications of data matches. We have long suspected that most data matching is simply going unreported. And even in those few cases where I am notified about a data match, I have no power to stop or limit the match. Our acquired response in Canada to the powerful tool for surveillance has effectively been a limited policy response with no serious accountability and reporting requirements.
There have been calls for more effective controls on data matching since the first days of the Privacy Act. In 1987, just four years after the Act came into force, a House of Commons committee recommended that in the area of what was called "computer-matching", the Privacy Act be amended to ensure that the linking of personal records was conducted only when demonstrably necessary and under the continued vigilant oversight of the Privacy Commissioner of Canada. This recommendation fell on deaf ears. A similar recommendation proposed by a 1997 committee has also met with silence. Last month I raised this once again with the Hon. Reg Alcock, President of the Treasury Board and called on him to move forward with rules to cover the various forms of data matches.
Data mining is another important issue that until recently has fallen below the radar. As with many potentially beneficial technologies, data mining has serious privacy implications. It is time to examine government data mining practices in Canada to determine both the extent to which they occur and whether they are consistent with fair information practices. We cannot afford our response to be no response. The OPC intends to use its full audit powers to examine issues of data mining where there are grounds to do so.
You can see the picture that is emerging. On the one hand, the government seems intent on increasing powers of surveillance through legislation and technology. On the other, it is lagging seriously behind in legislative and policy responses.
However, I was very encouraged and would like to congratulate the government for releasing only yesterday new reporting requirements which will require Deputy Heads to report on Privacy Impact Assessments as well as on types of disclosures under s. 8(2) of the Act and on data matching and sharing activities. Annual Reports on privacy and access matters will become more meaningful and will be increasingly important tools in following developments in those fields. This is a very positive and significant step in the right direction which will go a long way to addressing issues of compliance with the Privacy Act.
The government is, however, still slow off the mark in further enhancing the clout of the Privacy Act and in adopting other policies that would enhance privacy. For example, issues of information security.
Many of you will be aware of the findings in the February 2005 report of the Auditor General of Canada on Information Technology Security. Ms. Fraser last audited IT security in 2002 and found that progress since then was still, as she says, "unsatisfactory," despite encouraging signs of improvement. She concluded that the government still does not meet its own minimum standards for IT security. Reviews and assessments of IT security performed in the last two years have indicated serious weaknesses in controls over access to data, programs, and networks.
The Auditor General has urged senior managers in departments to pay more attention to identifying threats and risks adequately, developing action plans to correct the weaknesses, and becoming fully compliant with IT policy and standards. I might add that the need for IT security is that much more pressing as the federal e-government initiative expands the number of government services being offered on-line.
Let me be clear. The resolution of privacy issues, from a public interest perspective, requires that a set of bold and audacious measures be taken in managing privacy risks from large IT systems, as well as reinforcing the legislative framework for how the federal government manages the information assets of its citizens.
Privacy and security work hand-in-hand and are centred around the same reality of protecting citizens. They need not be at odds.
Last year's debate about the implications of the USA PATRIOT Act for personal information transferred outside Canada is far from over. Along with many other organizations, my office quickly realized that this was not simply an issue about increased access to our personal information by US police agencies under the USA PATRIOT Act. It was a much broader issue about the extent of outsourcing by Canadian private sector and public sector bodies. The USA PATRIOT Act debate was merely the catalyst for taking a serious look at this issue.
We have managed to establish in our new law, PIPEDA, and similar provincial legislation, a respectable, though clearly far from perfect, set of standards for the protection of personal information in Canada. We do not want those standards to evaporate as personal information moves beyond our borders. How do we then create the legislations, institutions and public policies to ensure that those standards exist when personal information is transferred?
Canadians are becoming more aware of these flows of personal information, and they are starting to challenge them.
In a recent EKOS public opinion research study commissioned by the Office of the Privacy Commissioner in March 2005, study respondents say they believe governments do not have a good understanding of how companies use personal information on Canadians. Our study also revealed that there is a pervasive belief that personal information is flowing freely to other countries, particularly the United States and that Canadians attach an extremely high concern to cross-border transfer of personal information. There is also a desire by more than 60% of those surveyed, that governments and the private sector obtain informed consent from Canadians before engaging in these types of disclosures of personal information.
Last autumn, Treasury Board Secretariat began a review of outsourcing activities among federal government institutions. We are still awaiting the inventory of transborder flows of personal information held by federal government institutions and an analysis of the policy response. I am very concerned that more than a year after the issue first surfaced in British Columbia, we have no portrait of this phenomenon. In the meantime, my office is, on its own initiative, auditing the transborder data flows of the Canada Border Services Agency. I can safely say that a significant part of this work will be to ascertain the privacy protection safeguards offered by large IT systems.
I would like to have the virtue of infinite patience on this outsourcing issue, but I do not. We first raised this with the government 15 months ago. We have discussed this with the Minister of Justice, the Hon. Irwin Cotler, and with Treasury Board President, the Hon. Reg Alcock. Several years ago, Treasury Board developed draft guidelines on outsourcing by government, but these were not either adopted or even adapted to the problem of outsourcing personal information confided to the government.
The antiquated Privacy Act, virtually unchanged in a quarter-century, does not address this issue, particularly at a time where the privacy implications of technology have never been greater.
The government has been slow to address the gap between intrusive technologies and the regulation of those technologies. My office has tried to fill at least part of the gap. In January, we announced the awarding of over $370,000 under the contributions program launched by my office last year to support a number of research projects to address the societal aspects of technology and privacy. A few projects are addressing issues of surveillance and the impact of technology values and attitudes.
These research projects can identify the privacy issues, and they may even be able to identify technological "fixes" for some of these issues. The knowledge contributed through these research projects is invaluable. But it should not be an incentive for the government to say: "let's wait and see what the research says." There should be no justification for inertia. These issues will not be resolved without governmental involvement through legislative or policy change.
Part of the challenge of addressing the privacy implications of technology is the danger that we will be seen to be crying wolf. Although most people do not see the immediate effects or consequences of technology on their privacy, Canadian opinion on privacy issues is nonetheless maturing. The EKOS Research to which I referred, reveals that the privacy concerns of Canadians have become more centered around issues relating to their personal information. Seventy per cent of survey respondents believed they have less personal information protection now than they did ten years ago.
Consequences of a "personal information" spill cannot be judged against the same criteria as an oil spill or toxic leak.
The impact of technology on privacy has happened through incremental advances in that technology, the growth of commercial interests in exploiting personal data, governmental responses to concerns about public safety, and a general lack of understanding among members of the public about the implications of technology. But incremental or immediate, the ultimate consequences for privacy are the same. Whether you boil the lobster slowly or quickly, it is still dead at the end of the process.
One might hope that some uses of technology to intrude in the name of national security or some other perceived public good are merely temporary. But I suspect that they are temporary in the same sense that income tax was temporary when it was first introduced.
The picture I have presented is therefore not an entirely happy one, but we don't need to contemplate jumping off a bridge just yet.
On the legislative front, PIPEDA is scheduled for a review in 2006 and, as you know, the Anti-terrorism Act is currently undergoing a review. For those not willing to hold your breath waiting for improvements in the law, there are other measures that can be implemented even without legislative change. Better IT security doesn't need new laws, just an understanding of the privacy issues and a commitment to address them and the expertise to reflect these in the IT/IM systems we build and how we inform Canadians and elected officials about what we do with the information.
Treasury Board directives and policies — for example, on transborder flows of personal information — can be introduced quickly if the political and bureaucratic will exists. And technology itself — the source of many privacy intrusions — can also offer solutions that protect privacy.
Finally, I would suggest that the ATIP community has much to offer if it is given the chance. This community has been neglected within government. The protection of privacy of all Canadians can be significantly enhanced if the government provides the ATIP community with the continuous learning opportunities and updated analytical tools it needs to advise departments and agencies about the privacy implications of their initiatives.