Appearance before the House of Commons Standing Committee on Access to Information, Privacy and Ethics on the Study on Open Government
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
February 14, 2011
Opening Statement by Chantal Bernier
Assistant Privacy Commissioner of Canada
(Check against delivery)
Thank you for inviting me to speak to you about the very important issue of open government.
I would begin by applauding the Committee for addressing the highly relevant, topical issue of privacy in the context of open government. As we plead for greater and greater openness in government, and therefore greater accountability and democracy, the issue necessarily arises of protecting personal information in that context.
In September 2010, Canada’s federal, provincial and territorial access to information and privacy commissioners signed a resolution to endorse and promote open government as a means to enhance transparency and accountability. The resolution specifically stated that open government must afford due consideration to privacy, confidentiality and security.
Our Commissioner’s letter to this Committee last July 15, addresses this intersection between open government and privacy. It stated that “any public interest favouring disclosure ought to be weighed against the legitimate interest of the right to privacy.”
While our Office supports increased efforts to bolster online access to government information, greater transparency, accountability and public engagement, we also urge the government to remain mindful of its responsibility to protect the vast amount of personal information in its possession.
Integrating open government and the protection of privacy rests upon several considerations that are particularly put to the test through new information technology:
- The first relates to the nature of the information: can seemingly anonymous information be considered personal information?
- The second relates to public interest: how does the digital age impact on the traditional balance between transparency and privacy?
Let me address each consideration separately with concrete examples.
First, what constitutes personal information?
There is a difference between open data and open information, or structured and unstructured data – and this nuance is a key aspect of the discussion.
Structured data is mostly facts, numbers, statistical sets, geographic maps, weather data and so forth. Where data sets do not contain identifiable personal information, the Privacy Act does not apply. However, if data is found to contain personal information about an identifiable individual, then all the requirements and protections of the Privacy Act need to be observed.
The issue is that the line between identifiable and non-identifiable information is becoming increasingly blurred with the emergence of new information technologies.
What initially appears to be anonymous or de-identified information can, in some cases, be combined with information from other sources, and then manipulated using powerful database technologies to produce data that can be linked back to specific individuals.
Here are two concrete examples where re-identification was at issue.
In the first case, an individual complained to us that an organization had combined Statistics Canada demographic data with White Pages phonebook information to create new personal information and therefore should have required consent for use.
Our investigation determined that the particular complaint was not well-founded because the new data produced information about neighbourhoods, not about identifiable individuals.
Still, it forced us to reflect on the consequences of merging two data sets.
The second illustration of how seemingly anonymous data can be become personal information is in the case of Gordon v. Canada, where we were granted leave to intervene and which was heard in Federal Court in 2008.
The case stemmed from a journalist’s access-to-information request for data contained in Health Canada’s Canadian Adverse Drug Reactions Information System. The request was granted, except for 12 database fields. These were withheld on the grounds that, if they were to be disclosed in combination with other data, then individuals could conceivably be identified.
The Court was faced with determining whether the province from which an adverse drug reaction report was received should be exempt from access.
Mr. Justice Gibson found “substantial evidence” that disclosure of the province field could lead to a “serious possibility that an individual could be identified through the use of that information, alone or in combination with other valuable information.” Obviously, such identification was not warranted in the name of public interest
A second consideration is the impact of the Internet on transparency and privacy. Our Office’s position on the Internet posting of administrative tribunals’ decisions is an example of this.
Federal administrative tribunals are under the jurisdiction of our Office, and subject to the Privacy Act. It is our view that the impact of the Internet involves costs to privacy that go well beyond the benefit to public interest.
To reconcile both goals of transparency of government and privacy of individuals in relation to administrative tribunals, our Office, in collaboration with our provincial counterparts, has developed a Guidance document on Electronic Disclosure of Personal Information in the Decisions of Administrative Tribunals.
This guidance document recommends that:
- A tribunal first assess what legal obligation it has to make its decision available to the public at large;
- That it assesses whether the disclosure of the information publicly is necessary or appropriate, based on public interest;
- That public interest may include,
- Protecting the public from fraud, physical harm or profesisonal misconduct, or
- Promoting deterrence;
- If there is public interest to disclose it must be weighed against sensitivity, accuracy and possibility and level of harm that could come.
Privacy by Design
Privacy by Design is a pre-emptive approach that requires the integration of privacy considerations into new programs and databases from the outset, and not as an afterthought.
This concept is an essential component of open government.
A key part of open government is to build trust between government and the citizens it serves and an important way to build that trust is to treat people’s personal information with respect, to safeguard it and to ensure it is not inappropriately disclosed.
That is why data protection authorities here and around the world are increasingly convinced that governments need to build privacy considerations directly into the design of any program or service where personal data is being collected. Privacy must be the default position, rather than something added on as an afterthought.
At an operational level, it is important to identify in detail the logistics, architecture and risks in open government projects. Given the pace with which governments are moving, it is vital that consideration be paid to:
- ongoing employee privacy training, especially in IT project areas;
- proper rules and processes for disclosing information, and,
- the mechanics and resourcing of the existing access to information and privacy system.
Assessing Open Government Initiatives
Every release of government information requires a careful assessment to ensure continued compliance with the Privacy Act. Each data set may require a varied assessment given the type of data in question, the intended objectives of releasing the data, the nature of the organization and issues at play.
We are pleased to assist departments and agencies strengthen their privacy practices through our reviews of their Privacy Impact Assessments.
In conclusion, I want to make clear that our Office supports open government as a key principle of democracy. Transparency should not, however, come at the cost of individuals’ statutory rights to privacy.
The delicate balance we have established until now between transparency and privacy must not be compromised by new technology that makes information at once more accessible and sought after than ever.
I urge the government to continue to incorporate privacy protections in the development of new IT systems and databases and to continue to value privacy in its immutable characteristic of human dignity.
Thank you and I look forward to your questions.
- Date modified: