Annual Report to Parliament 1995-1996

The Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3

(613) 995-2410, 1-800-267-0441
Fax (613) 947-6850
TDD (613) 992-9190

Canada Communications Group
Cat. No. IP 30-1/1996
ISBN 0-662-62582-X

This publication is available on audio cassette, computer diskette and on the Office's Internet home page at http://infoweb.magi.com/~privcan/


Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada

July 1996

The Honourable Gildas L. Molgat
The Speaker
The Senate
Ottawa

Dear Mr. Molgat:

I have the honour to submit to Parliament my annual report which covers the period from April 1, 1995 to March 31, 1996.

Yours sincerely,

(Original signed by)

Bruce Phillips
Privacy Commissioner of Canada


Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada

July 1996

The Honourable Gilbert Parent
The Speaker
The House of Commons
Ottawa

Dear Mr. Parent:

I have the honour to submit to Parliament my annual report which covers the period from April 1, 1995 to March 31, 1996.

Yours sincerely,

(Original signed by)

Bruce Phillips
Privacy Commissioner of Canada


A Day in the Life...or how to help build your Super File

Nothing to hide? It's just as well... from the time we get up in the morning until we climb into bed at night we leave a trail of data behind us for others to collect, merge, analyze, massage and even sell, often without our knowledge or consent. And there is no law against it (except in Quebec).

8:30 - Exit apartment parking lot (Cameras, and possibly a card, record departure)

8:35 - Pull onto toll highway (Device records your entry and exit points to send bill at the end of the month)

8:42 - Caught in traffic jam, call work to delay meeting (Cellular phone calls can be easily intercepted; new personal telephones will signal your whereabouts to satellites to deliver calls)

9:17 - Enter office parking lot (Card records entry and time, cameras monitor garage)

9:20 - Enter main office/plant door ("Swipe" cards record comings and goings; active badges allow others to locate you anywhere in the building)

9:25 - Log on to computer (System records time in)

9:29 - Send personal E-mail to friend, business message to colleague (Both can be read by the employer; simple deletion does not erase them from the computer's hard drive)

10:45 - Call your mother (Supervisors may monitor phone calls)

11:00 - Make a delivery using company vehicle (Many company vehicles have geo-positioning devices to plot vehicle location; some have "black boxes" to record driving habits)

12:05 - Stop at bank machine (System records details of transactions, cameras overhead or in machine record your behaviour)

12:10 - Buy birthday gift for friend (Credit card records details of purchase, retailer's loyalty card profiles purchase for points and directed discounts; banks may use spending patterns to help assemble complete customer profile)

12:35 - Doctor's appointment (Health cards will soon contain small computer chips to record your complete medical history on the card; blood samples contain DNA which could be tested for a wide variety of conditions; doctor's diagnosis may need to be disclosed to insurance company if you buy life or disability insurance, and details sent to centralized registry in U.S. run by insurance companies)

1:15 - Pick up prescription (Some provinces have on-line drug networks which share your drug history with pharmacies across the province and may be disclosed to police tracking drug abuse)

1:30 - Return to work (Card records your return)

2:45 - Provide urine sample for employer's new drug testing program (Reveals use of targeted drugs but not impairment; sample may also reveal use of legal drugs such as birth control pills, insulin and anti-depressants)

3:30 - Meeting in secure area (Pass through security which scans retina to confirm identity)

5:30 - Complete first draft of report (Computer records content, can also store keyboard speed, error rate, length of pauses and absences)

6:15 - Leave office (Exit recorded by computer, entry system and parking lot)

6:30 - Buy groceries (Debit card purchase recorded, loyalty card tracks selections for marketing and targeted discounts)

6:45 - Pick up video (Computer records viewing preferences, Social Insurance Number; store may sell your viewing preferences (say, Erotica) to other companies)

7:20 - Listen to phone messages (Your phone has recorded callers' phone numbers, displays your number when you call others, unless you enter code to block the display)

8:20 - Order clothing from catalogue (Company records personal details and credit card number and may sell the information to database-list-marketers)

8:30 - Subscribe to new magazine (Many magazines routinely sell their subscribers' list to mass mailers)

8:35 - Survey company calls (Company gathers political views, social attitudes and personal views. Some surveys are actually marketing calls to collect personal data for future sales. Legitimate surveys destroy personal identifiers once data processed)

8:45 - Political canvasser at the door (Political contributions of more than $100, both the amounts and the party, are listed in public records)

9:10 - Log onto Internet (Your choice of chat groups and your messages can be monitored and a profile assembled by anyone, including police; some Web sites monitor your visits); see Privacy in Cyberspace p.27.

Increasingly, living a modern urban life seems to mean there is nowhere to hide. In our search for security and convenience, are we hitching ourselves to an electronic leash?


Highlights

  • Canadians' privacy protection weakening as government sells off operations with no binding privacy clauses;
  • Under construction: permanent voters list, with some warning markers around the potholes;
  • Violent offenders in the community: is publicity the answer?;
  • Privacy in Cyberspace: tips for surfers;
  • A framework for introducing multi-function smart cards;
  • 1681 complaints investigated, more than 9000 inquiries handled.


Mixed Messages

"Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves." (William Pitt the Younger, 1793)

The great British parliamentarian's words, uttered more than 200 years ago, have never been more relevant, timely or applicable than they are in today's struggle to hang on to our right to a private life.

Society, in the throes of an unparalleled technological revolution, is confronted daily by arguments that yet another infringement of our personal freedom is necessary, the usual necessity being those seductive benefits: efficiency, convenience and economy. Sometimes the benefit is real; sometimes it is merely promised, not proven; often it is mostly for the efficiency, convenience and profit of its proponents.

Yet if there is a tyrant, it is not some jackbooted dictator. It is the tyranny of ignorance, of unthinking acceptance of technology without regard to the consequences. The tyrant and the slave are one and the same. It is ourselves.

A Backward Leap
Sadly the struggle, thought to have been largely won in the public sector, suffered a body blow this past year. Thousands of Canadians lost their rights under the Privacy Act as the federal government began downsizing and privatizing. Information previously collected by government entities will soon be moved from under the protection of the Privacy Act and into the control of private companies. This means that innumerable bits of personal data no longer will have to be managed in accordance with fair information practices; the subjects of all this information will have no legal right of access to the information and no legal control over what information is collected about them, how it may be used, disclosed or otherwise disposed of.

Most immediately, commercialization affects the thousands of federal government employees who are transferring to the private sector. But equally important, it touches the untold numbers of Canadians who use services previously managed by government.

This constitutes nothing less than a privacy disaster, and is a dark stain on the otherwise progressive record of the Canadian government in protecting Canadians' privacy rights. This consequence of privatization may have been entirely unintended; it can hardly have been unforeseen. And, regrettably, it was entirely preventable.

The issue arose in dramatic fashion during the transfer of the air traffic control system to a private company, NAVCANADA. An estimated 6,000 federal employees will move from government to private employment. As well, the air traffic control system generates substantial personal information in its contacts with thousands of users of the system.

Given the magnitude of the transfer, the Commissioner wrote to the government last November pointing out the consequences to privacy protection and offering a solution. He suggested inserting a condition to the agreement between the government and NAVCANADA making the company subject to the Privacy Act, as it is subject to the Official Languages Act.

Although the government conceded the importance of the issue, it took no action. The Commissioner then appeared before the Commons Transport Committee studying the transfer. The committee accepted the proposal and recommended it to the House of Commons. The government objected to the recommendation and, despite a further intervention before the Senate committee, the bill has now cleared both Houses with no privacy protection.

Among the objections put forward both by NAVCANADA and the government, foremost was the contention that binding NAVCANADA to the Privacy Act would single it out for special treatment by a government which otherwise has not enforced privacy law in the commercial sector. There is ample precedent.

It is government policy to recommend that contracts between government departments and outside service providers contain clauses extending Privacy Act protection to any personal data. Furthermore, at least one huge enterprise, Canada Post, was required to abide by the Privacy Act when its corporate structure was revamped and its mandate altered to make it operate in the manner of a private sector, profit-and-loss corporation. Although owned by government, Canada Post must compete in the open market for much of its business. This is not a problem NAVCANADA, a monopoly, will ever face.

Whatever one makes of these arguments, the government has an obligation not to sacrifice basic rights such as privacy and data protection as it commercializes operations, particularly when the available defence is as simple as insisting on a privacy clause. It is worth pointing out that one of the chief government negotiators publicly stated that Privacy Act protection would not have been a "deal-breaker".

As for the company, NAVCANADA has undertaken to seek employees' consent for transferring personal files and to keep the records confidential "pursuant to government policy". Fine words but not ones that convey any legal rights, and far from the protection they now enjoy. The Office intends to audit the personal records before Transport Canada transfers them to NAVCANADA.

Canada's air traffic control system is simply one of several operations to be commercialized. Next on the block is Canada Communications Group, the government's massive printing, distribution and inquiries operation. Already gone are the harbours and many airports. And in the works are a new breed of "service agencies" to provide selected services of existing government institutions. These include Parks Canada (formerly Environment Canada), a single food inspection agency (Agri-Food Canada) and the Canada Revenue Commission (Revenue Canada). These new agencies will be given greater autonomy to improve service and reduce costs and have more flexibility to allow provincial participation. At issue is whether "streamlined rules and flexible authorities" and separate legislation also spell the end of privacy protection for clients and employees.

"Twixt Darkness and Dawn"
The light at the end of this murky tunnel may be the news contained in the government's response to the recommendations of the Information Highway Advisory Council. Perhaps saving the best for last, Industry Minister John Manley announced the most important privacy development of recent years, and potentially the most important in Canadian history: the federal government's commitment to introduce legislation bringing the commercial world under the ambit of privacy laws.

The report, Moving Canada into the 21st Century, acknowledges that when it comes to protecting personal information in an information society, "security procedures and technologies cannot do the job alone. The right to privacy must be recognized in law, especially in an electronic world of private databases where it is all too easy to collect and exploit information about individual citizens".

The ministers of Industry and Justice undertook to consult with the provinces "and other stakeholders" and bring forward proposals for "a legislative framework governing the protection of personal data in the private sector".

Here, at last, is at least the prospect of meaningful action.

To meet the threats to privacy posed by the information revolution, nothing equals the need for bringing order, fairness and decency to the information management practices of the private sector. This is where most personal information is collected and used, and this is where there is the least protection for, and recognition of the rights of individuals.

The government, in developing this framework legislation, has the opportunity to build on what may be a growing consensus for action. One early indication of support came in the Canadian Direct Marketing Association's brave announcement of support for legislation to protect personal data in the private sector. In CDMA President John Gustavson's words, "legislation is the most effective means of ensuring all private sector organizations adhere to the same basic set of rules...". And the trail has already been substantially blazed by the Canadian Standards Association's now-final model privacy code. The code was drafted with major private sector players such as the banks and telecommunications companies and contains all the essential elements for good privacy protection save independent oversight and the force of law.

Mr. Manley's announcement included no details, for the good and obvious reason that the work is just beginning. As usual, the devil is in the details. The government can bring forward truly effective legislation, heralding a new dawn in which technology follows a path lighted by civilized standards of respect for the rights of human beings. Or, if the action is excessively timid or, as is so often the case, the bold initial thrust is emasculated by concessions to special interests, we will find ourselves mired in the grip of ineffectual patchwork laws with little ahead but a gathering gloom of greater surveillance and less control over what others know about us. Such an outcome would be worse than no action at all, deluding us, as it would, with a mere illusion of protection.

So Canadian society finds itself at a critical point, where its privacy is poised between salvation and sinking. Everything now depends on the will and creativity of governments and Parliament.

Toward a new birth of civility
Although we have placed great emphasis on the need for better privacy laws, laws alone are not the answer. They are merely the written expression and refinement of a social consensus of fundamental dos and don'ts: those ethical principles on which we build common values and our individual and collective behaviour. Breathing life into our laws demands a climate of broadly-accepted ethical principles, a sort of ethical glue. It is time we took a hard look at the ethical issues raised by new technology.

Any casual perusal of the daily press demonstrates that our ethical glue is losing its sticking power. Look only at the chaos of hacking, unauthorized access into private and personal computer files, systems pranks and vandalism, software piracy, electronic harassment and bulletin boards of hate, pornography and violence. In short, technology has thrust us into the information age but we have arrived having given little thought to our social responsibilities.

We seem to suffer a stunning inability to put the pursuit of human dignity at the heart of our development and progress. It is not enough that new technology satisfy material needs. It must also play its part in affirming human dignity and human potential. Otherwise, we are conducting a technical exercise in a moral vacuum, moulding our lives to fit technology, not making technology fit our lives.

Social responsibility in the electronic world is everyone's business. It is maintaining the delicate balance between meeting legitimate information needs and simply respecting people, their property and their rights. We can no longer, if we ever could, afford to do things simply because we have the technical capacity. We must dedicate time and resources to the process of discerning ethical dimensions and integrating ethical decisions into the technology design process. We must educate young people about the rules of morality, civility and mutual respect in cyberspace. Our enthusiasm and expectations will be pointless if we simply become more technically adept but not more learned, thoughtful and considerate. In short, we must build an ethical foundation for technology.

It all comes down to the degree to which we respect one another as unique individuals, each with our own set of values, which we are entitled to conceal or reveal as we choose. To truly respect your neighbour, you must grant that person a private life. The limits of our personal privacy define in large part the limits of our freedom. As Supreme Court Justice La Forest put it in a 1990 decision "...not to be compelled to share our confidences with others is the very hallmark of a free society". If we discard the notion of privacy and simply treat one another as data subjects, as objects of surveillance, we abandon that fundamental, democratic notion of autonomy and self-determination.

Let us be clear. No amount of information or technology will do much good unless we consider the values it serves.


Of Ethics and Smart Cards

ID card stories are standard fare for Privacy Commissioners' annual reports. This year's menu is rich. Governments' appetite to cut spending, simplify and privatize program delivery, and to ferret out cheats, has led to a plethora of proposals most of which are supported by new, glitzy technologies.

The key component of these proposals is often a multi-purpose ID card or a smart card which looks like the pieces of plastic found in most wallets. However, imbedded in them are powerful microchips and circuitry which allow the collection, storage and manipulation of vast amounts of data. The cards can be inserted into electronic readers and operate like a personal computer plugged into a network. They are low cost, versatile, simple and powerful; hence their attraction. They are yet another intriguing new option for bureaucrats and private sector administrators to deliver programs more efficiently and more cheaply for our benefit and their profit. As journalist John Ibbitson described them in a recent Ottawa Citizen article, they are fast becoming a "plastic panacea".

Improperly applied, these technologies can be powerful surveillance tools, delivering the fatal blow to an already fragile and embattled right. Those who consider the fears exaggerated need look no further than the quoted words of the Ontario Cabinet Minister on Ontario's plan to introduce a multi-purpose smart card. This proposed card would replace existing driver's licences, health and welfare cards and keep a timely record of citizens' use of the system "...like Visa or Mastercard where they can tell you where you were an hour ago and how much you spent, that would be a great step forward for the health system in Ontario". Perhaps a great step forward for efficient administration of the health care system, but certainly a giant leap backwards for autonomy and privacy.

Toronto's welfare card
An example of the efficiency and the surveillance capacity offered by smart card technology is the Metro Toronto proposal for welfare recipients to carry cards containing a digitized fingerprint. The fingerprint is not a conventional inked impression but a picture transformed into an encrypted numerical code (known as a "biocrypt"). Welfare claimants would be required to produce their cards to claim a service. A reader will scan the biocrypt to ensure it matches the code imbedded in the card. The system allows the code to be stored only on the card thus allowing the claimant to retain control.

The downside is that welfare payments could be credited to a card which can then be used for direct debits at stores. While it is clear the present proposal will not track the behaviour of people, it would be a simple matter, once implemented, for the system to collect information about the life styles and the spending habits of welfare recipients. There is an added human cost which is to require a segment of the population to be monitored in a way, usually reserved for criminals, that no other citizens have to suffer. The data may also prove to be attractive to social science researchers. Officials estimate that the cards will save $32-million from the annual $1.1-billion cost of operating the welfare system by eliminating claimants collecting more than one cheque.

A similar proposal in B.C. using laser photo smart cards would merge drivers' licences, welfare cards and health cards. B.C. Privacy Commissioner David Flaherty termed the proposal an invasion of privacy, and the B.C. Civil Liberties Association considered it acceptable only if used for identification purposes.

The SmartHealth process
The prairie provinces have all considered switching to smart card technology to deliver health care services, hoping that stricter monitoring and control of patient claims and health practitioners' billings will lead to savings. One early example is Manitoba's proposal for a Health Information Network to exchange patients' health care information throughout the health care system and make it available for research. The province awarded a contract to SmartHealth, owned by the Royal Bank of Canada, to examine the proposal.

Manitoba's approach illustrates how best to use the technology; first define the needs and then look for the technology solution. SmartHealth conducted numerous focus groups, surveys and interviews and found "among the most cited concerns were fears of personal health information falling into the wrong hands". Manitoba has concluded that privacy safeguards must be in place before the network is developed; it will then select the most appropriate technology for the task. A smart card is simply one of the options.

However, Manitoba's proposal also illustrates what is a growing (and potentially alarming) trend to deliver government services in partnership with the private sector. Personal information now largely protected by privacy rules will be shared with the private sector which is subject to no privacy laws and increasingly anxious not to be. Private sector "opting in" to voluntary privacy codes is a grossly inadequate trade-off for gaining access to data and transactions which now have legal protection.

There is also a ray of hope in a Québec proposal to introduce smart card technology as part of the government's information highway strategy. Like other provinces, Quebec's multi-purpose smart card would replace existing government identification cards. Unlike some other proposals, however, the Québec card would be used for all program delivery, including such things as hunting and fishing licences. The most important difference lies in the government's stated intention to measure technological initiatives against three fundamental principles: universal and equitable access, privacy and the confidentiality of personal information, and respect for existing social values.

The project could well build on the province's experience with a pilot project to introduce a health smart card in Rimouski. In his report on the pilot project, Quebec Privacy Commissioner Paul-André Comeau observed:

"...the success of the project (was) due first and foremost to the guarantees of confidentiality offered by project designers and the choice of a technology able to ensure confidentiality..."

Smart cards have the potential to destroy our privacy or to enhance it. We can use them as a powerful surveillance tool to monitor and control individuals; or we can use them, not only as a device to protect the security and confidentiality of our personal data, but also as a device that will allow us to exercise a greater degree of control over uses and disclosures of our personal information. Should our lives fit technology or technology fit our lives? Ultimately the choice is ours.

A Privacy Framework for Smart Cards
The Privacy Act sets out the ground rules for federal government collection, use, disclosure and protection of personal information and establishes a commissioner as independent oversight of government compliance with the law. Since smart cards are potentially major data collection, storage and disclosure tools, the Office proposes a framework to ensure that government institutions take privacy and other ethical principles into account in the applications design phase of smart cards. We welcome readers' comments and suggestions.

Is the collection related to a government program?
The Privacy Act requires that government institutions collect no personal information unless it relates directly to an operating program or activity.

Regulatory/legislative framework: To show a direct relation to an operating program or activity, an institution must ordinarily demonstrate that it has Parliamentary authority to collect the information. Thus, some legal mechanism (legislation or regulation) should govern each smart card system whether for client services or program delivery. These should specify not only the technical and administrative characteristics of program delivery but also the ethical codes which will govern privacy, confidentiality and security.

Is the information collected directly from the individual and he or she notified of the purpose?
The Privacy Act generally requires that personal information be collected directly from the individual and the individual informed of the purpose for collection.

Public notice of systems: In the broadest sense, government should alert the public to the system's development (for example, its objectives, extent, the type of data and clients affected) before the system is implemented.

Individual written notification: The government should provide each card holder, in writing, the essential information about program participation and use of the card. This includes details about the purpose, nature, operation of the system, contents of the card, and the individuals authorized to access it (either read or record).

Government should also inform card holders of all possible communications between the issuer (the government agency) and the card users (the service provider/point of delivery of that program).

How long will the information be kept?
The Privacy Act requires government to prescribe retention spans for personal information.

Data conservation: Card issuers and users must establish retention and disposal schemes for data. Issuers should establish regulations governing the nature of information conserved and the security measures taken to guarantee confidentiality of the data.

How will accuracy of the information be ensured?
The Privacy Act requires a government institution to take all reasonable steps to ensure that personal information is as accurate, up-to-date and complete as possible.

Responsibility for inaccurate information: Card users should not automatically accept the accuracy of the information simply because it is recorded on the card; the data could be false, incomplete or obsolete. Accuracy is a joint responsibility of the card issuer, card user and card holder.

How will the information be destroyed?
The Privacy Act requires that disposal of personal information be regulated to ensure the data can no longer be used or improperly disclosed.

Card renewal: Government must establish which data from old cards should be transferred to the new card; and whether old data should be rendered anonymous and available for research purposes.

Destruction of the card: Subject to the regulatory authority governing destruction of the card, individuals should have the right to request that the card be destroyed; this would include rendering anonymous all data stored by the card issuer about the card and its contents.

How will the data be used and disclosed?
The Privacy Act sets out principles of fair information practices governing how personal information may be used or disclosed.

Reading the card: Government must determine who it will authorize to read the card, the extent of authorization (total or partial), and the protocols governing the reading function.

Restricting reading access or use for other purposes: Government must establish conditions and measures to prevent unauthorized access to card files or uses other than those originally intended. Access must be restricted only to those who have an authorized need-to-know under the Privacy Act.

Restricting unauthorized use, disclosure and copying: Government must institute proper controls to prevent card users from unauthorized down-loading of information from the smart card to other databases and then using it for purposes unknown to the card holder.

All non-government card users or readers must operate under regulatory restrictions by agreement with the government program authority and have no automatic rights to copy other data from the card-this must be subject to the card holder's authorization.

Card structure: The card chip should be structured in different zones of access to assure selective or limited degrees of access as well as segregation of identification data, administrative data, and sensitive data such as medical or emergency help information.

Government should segregate each application on the card to prevent merging or cross-overs of data. Readers and public point-of-delivery devices must secure transactions to and from the host computer.

Individual authorization for reading access: The file contents of the card shall not be accessed by third parties except by a positive act of the card holder (or by the card holder's authorized agent, as in a medical emergency). Such positive action would generally be punching in a PIN or other code.

Entering/removing information on the card: Government must determine who may enter, change or delete data on a card, either directly or through the delivery authority. Issuers must consider the individual's right to demand erasure of parts of information on the data card from every institution that makes entries.

Visible data on the card surface: The card exterior should contain only the minimum amount of nominative information required for the purposes of program participation.

Do individuals have right of access to the personal data?
The Privacy Act gives individuals the right of access to personal information about them.

Transparency of data on the card: Individual card holders must be able to know the type of information held on the card.

Right of card holder to read the file: Government should provide individuals the means to read their own cards. They should also be prepared to interpret the data for card holders.

Data entry/transaction record: Card issuers and users must compile and maintain a record of all significant data entries as well as all communications between them concerning the card holder. These records should also be available to the card holder.

This suggested framework is based on the privacy checklist for technology set out in the Commissioner's 1992-93 annual report (see page 14).

To obtain copies of the complete text of the Privacy Framework for Smart Card Applications, or to submit your comments, please contact the Office or visit our Web site.


Building a DNA Database-Carefully

Last year we reported our recommendations on the proposed bill to allow police to obtain DNA samples from a person suspected of a serious crime. The law was enacted in July 1995.

However, the legislation did not deal with several privacy issues, the most important of which was whether to establish a database of genetic samples or analyses derived from those samples. Early in 1996, the Solicitor General issued a consultation document, Establishing a National DNA Databank, that dealt with many of the remaining privacy issues. Our response made several proposals:

  • samples should be taken for the database only after the person has been convicted (as opposed to samples taken during an investigation to prove the crime in question). For the "less serious" of these serious offences, a judicial warrant would be needed to acquire the sample for the database. For the more serious offences, taking the sample would be automatic;
  • once the analysis of a sample appears on the database, either automatically or by judicial warrant, the police should be permitted access to the database whenever they have DNA evidence from a crime scene that may match a sample taken for the database;
  • only the forensic analysis of DNA samples taken from convicted offenders should be kept, not the actual samples. Discarding the actual samples would prevent unrelated secondary uses, including ethically problematic research into genetic links to crime;
  • volunteered samples for a criminal investigation (for example, when the police appeal to a community to volunteer DNA to help track down a violent criminal) should be used only for the investigation of the offence in question; the samples and the analysis of the samples should be destroyed immediately after the donors are exonerated;
  • DNA identification information on the database should not be kept indefinitely. It should be destroyed when it is no longer needed-for example, after the offender has died or after sufficient time has passed (perhaps decades in some cases) and the offender is not likely to reoffend;
  • legislation establishing a DNA database should provide for a review of the database operation within two to three years of the legislation coming into force. The review would include a privacy audit.

The privacy audit is particularly important. Two or three years' experience with the database should give a good idea of its utility in solving crimes. It will also help to ensure that the database does not become subject to "function creep". We want to avoid an ever-lengthening list of offences for which a DNA database or DNA sampling in criminal investigations is allowed. The pressure to do just that is already present in our society, a product of the very existence of technology and the belief that technology can solve all our woes, if only we let it.

Legislation dealing with these remaining aspects of forensic DNA analysis has yet to be introduced in Parliament. We await any such proposed legislation to ensure that it meets our criteria.

As a final note on this subject, we commend both the Department of Justice and the Ministry of the Solicitor General for recognizing privacy issues as among the most significant in the discussion of forensic DNA sampling and DNA databases. We also commend them for involving our office in the consultation process before legislation is introduced. Their willingness to discuss the privacy issues with our office ensures a hearing at a time when changes can be accommodated with little political embarrassment.


A Vote for Privacy?

Canada's Chief Electoral Officer recently proposed amendments to the Canada Elections Act which would give him authority to create a permanent voters register. The notion is not new. It was considered, but not recommended, by the 1991 Royal Commission on electoral reform. Canadians have traditionally resisted such proposals because population registers pose a potential threat to human rights and freedom. Wartime memories are etched in the minds of many.

Political climates change, however. In the age of "fiscal responsibility", what was previously unacceptable is now fashionable on condition that millions of dollars can be trimmed from public expenses. Québec and British Columbia have recently created permanent voters registers citing budget reductions and efficiency. The federal government now proposes to follow suit. "Efficiency, economy and accuracy" is the rallying cry; there are other equally important considerations.

The proposal
Elections Canada proposed to create the permanent register from one last traditional door-to-door enumeration. Enumerators would collect the name, address, sex, date of birth, telephone number, and confirm citizenship of potential voters. The Chief Electoral Officer would also have the authority to collect additional information if necessary. Once collected and validated, the data would be stored in an automated database. Individuals would not have to register and could have their names removed at any time.

Elections Canada also proposed to conduct periodic data matches with other government data bases such as tax and motor vehicle records to update addresses; with vital statistics to remove the names of deceased persons; with citizenship records to add new Canadians entitled to vote, and with provincial election lists after elections to update the data.

Provinces, municipalities and school boards could obtain information from the register to conduct local elections. And every year all members of Parliament would receive the list of voters in their respective constituencies.

The response
It is both laudable, and consistent with existing Privacy Act rules, to begin by direct individual enumeration. This gives citizens the opportunity to decide whether to be included on the list and to provide the information directly. However, there are several concerns.

Telephone numbers: The Office questioned the proposal to collect a new data element-telephone numbers. Telephone numbers are not needed now and their appearance on a voters' list would seem to beg intrusive calls. Elections Canada explained that the numbers will be used only for internal administrative purposes and will not be included on the lists.

Power to collect more data: The provision allowing the Chief Electoral Officer to collect additional information aroused some early concern, opening the door-as it seemed-to a broader collection than legislators may intend. The provision is simply to permit the federal agency to collect additional personal details if required by provincial election laws. The Chief Electoral Officer undertook to make this clear in the legislation.

Annual disclosure of lists to legislators: Annual disclosure of the list appears excessive in light of the list's express purpose of conducting elections or referenda. Given that no jurisdiction conducts annual elections, so frequent a disclosure seems more suited to repeated canvassing by political parties, not the election itself. The Chief Electoral Officer agreed to re-examine the need for annual disclosures.

Collection by data matching: Updating the register by data matches with other federal data banks is worrisome. On principle, the Commissioner opposes mining other government databases for unrelated uses. Data matching is invisible and inconsistent with the federal Privacy Act. The preferred method is for Elections Canada to collect the information directly from the Canadian public, with their knowledge and consent.

The Commissioner suggested that Elections Canada arrange to include a consent box on other federal government forms to authorize departments like Revenue Canada or Human Resources Development Canada to transmit the personal data. British Columbia uses this system to maintain its electors' register. Or Elections Canada could develop a specific form to be enclosed in all government mailings and returned directly to Elections Canada. The Chief Electoral Officer undertook to pursue the idea.

Other uses of the list: By far the greatest concern is pressure for secondary uses of the register. It will be a very attractive list of the majority of Canadian citizens and hold enormous potential for any number of public organizations. Other levels of government which have created permanent registers have found that requests for access by other government programs soon follow. These are difficult to resist. Growing authorized access to Revenue Canada's list of tax filers-once virtually off-limits-leads one to suspect that the voters' register will soon be targeted.

The Chief Electoral Officer explained that requests for access to the list for any unrelated purposes-which the Commissioner would strenuously oppose-would require Parliamentary approval and thus be a matter for public debate.

The bottom line
The best conceivable privacy protection is resisting the temptation to administer a program by assembling vast amounts of personal information in an automated data base. If it is impossible to design an electoral process without such a collection-and Canadians accept the necessity of a permanent voters register-then the following conditions must be met:

  • limit the personal information collection to those details needed for Canadians to exercise their right to vote;
  • collect the information directly from citizens-with their knowledge and consent;
  • limit uses of the register to those required for Canadians to exercise their right to vote, and
  • prohibit disclosures of personal information from the register unless to conduct federal, provincial, municipal or school board elections-and then only where equal legal privacy protection exists.

And the Walls Come Tumbling Down

Early in 1994, Treasury Board Secretariat tabled its Blueprint for Renewing Government Services Using Information Technology. The blueprint responded to the federal government's call for a leaner and more efficient public service, encouraging every federal institution to use computer technology to streamline operations and eliminate inefficiencies.

Given the impact of several of the Blueprint recommendations on government handling of personal records, the Office asked to be involved in projects which federal institutions undertake. While more than 30 federal institutions have since begun re-examining their operations, two departments have taken a clear lead. Both have approached us for guidance.

Citizenship & Immigration Canada: CIC's Business Process Re-engineering is the first major Blueprint initiative, one which other departments are viewing as a test project. CIC aims to become a "horizontally-integrated" work environment, which means sharing more information about immigrants and refugee claimants both inside and outside CIC. CIC now segregates data according to its purpose or program (the vertical or "stovepipe" information environment common to most federal institutions). CIC has begun the transition to a horizontal environment which will integrate all its information resources.

Human Resources Development Canada (HRDC) is the other leader. HRDC is streamlining its delivery of employment insurance, Canada Pension Plan, workforce training and job bank programs and substantially reducing the number of Canada Employment Centres. HRDC will deliver service to many communities by satellite and telephone centres and electronic kiosks, frequently in partnership with private businesses, Crown Corporations, special agencies or provincial and municipal governments.

The two initiatives illustrate two government trends and, if not properly planned, the risks they pose. They are data warehousing and shared service delivery.

Data warehousing
Perhaps the most significant development in government information management is the steady move toward departments developing so-called "data warehouses" to store and manipulate all their program data-including, of course, personal information used to make decisions about individuals. Human Resources Canada and Veterans Affairs Canada are just two of the institutions that are developing data warehouses.

A data warehouse is a sort of super repository which integrates data from a variety of sources, reconciles any anomalies, then makes it easily accessible for search, analysis and manipulation. Rather than segmenting the data by its intended use-for example, paying taxes, claiming Canada Pension Plan, or applying for a student loan-all the data is organized by the person's name and other personal identifiers. Find the individual and you have a record of all their transactions with the federal government.

For managers, the prospect is exciting. For privacy, it is troubling. Data warehouses, by definition, consolidate information thus making more details accessible to more people. Personal information collected for one purpose could become available for different and unrelated purposes.

And consolidation pushes demand for even more information-the data warehouse as insatiable appetite. This is what privacy advocates call "function creep". Warehousing data also permits the creation of client profiles-or more insidious-"client intimacy" systems drawn from historical transactions and relationships previously unknown.

Ultimately, the system demands a unique identifier to link to the individual's data file. Thus we arrive at the single number, single file, single card without which we are no-one. Like all advanced systems, the data risks becoming paramount, not the person; we are all reduced to bits and bytes.

Technological advances are undermining individual control over personal information. They may even be undermining privacy laws because protecting privacy becomes increasingly difficult as systems become more developed, more widespread and more complex.

That does not justify throwing up our hands. Nor does it justify the angry outbursts that privacy is the impediment to new systems development. The accusation that something cannot be done because of privacy is more often simply an excuse offered at the end of the systems development cycle; an attempt to assign blame elsewhere for not having done the work properly at the outset.

The accusation is simply wrong and short-sighted. Privacy does not restrict good systems design-it enhances it. Systems designers simply have to build in controls to limit employees' access to the data elements necessary to deliver the program or service. Privacy protection is an essential component of good information management and a good systems development plan; one which helps ensure public confidence in government's computer based systems. It's time to get on with it.

Shared Service Delivery
The second administrative trend with privacy implications is sharing service delivery points with other federal agencies, with other levels of government, and perhaps even private sector operators. The concept could be a boon to citizens-one-stop-shopping for municipal taxes, drivers' licenses, UI benefits and Canada Student Loan applications. But the privacy problems are evident. How will several levels of government protect the individual's records? Will the data and terminals be separate? Are the records under the "control" of the federal government, subject to the provincial privacy law or, if the centre is operated by the private sector-by contract compliance? Or will it be unprotected?

As with data warehousing, shared service delivery must be done with great care. If we are going to share services with provincial or municipal governments, we must make the obligations of various parties clear at the outset. And the answer is not sinking to the lowest level of privacy protection-in some jurisdictions, that is virtually none.

Much as the Office lauds federal government efforts to become more efficient, there are real privacy concerns with horizontal integration and shared service delivery. While our work with CIC and HRDC has allayed some fears, Blueprint initiatives may well create the unique on-line client file designed to be shared by federal, provincial, private or even foreign organizations who may need access.

Not only is this incompatible with the current Privacy Act, it raises the spectre of a surveillance society; one in which anyone will be able to learn anything about anybody. We have yet to confront two unavoidable realities: no computer system in the world has yet proven safe from hackers, and the weakest link in any computer system is the authorized users.


This Year's Telecom News

While technology may (and, occasionally, may not) enhance our quality of life, there is little doubt that it can have a dark side for privacy. Even its creators often do not fully understand the potential, let alone the users. Privacy is sometimes a victim of entrepreneurship, and this year's technological headline may again prove the point.

Personal Communications Systems
In December 1995 Industry Canada licensed four companies to offer Personal Communications Services (PCS). The small, hand-held devices, which can transmit voice, data, graphics and video, operate on separate frequencies from cellular telephones, relying on digital-rather than analog-transmission. Digital networks offer cheaper, better and more secure transmission and the increased ability to send text and images.

Given PCS's marked improvement over cellular telephony, what is the problem? There are two of which Canadians should be aware.

First, PCS communications are still transmitted over the airwaves and so can be intercepted, albeit with more sophisticated and more expensive equipment. Second, PCS service must know your exact location at all times-at home, on the ski slope or in a shopping mall-to deliver calls. Unsettling enough, but its power to locate the user also makes it a tempting tool for criminals, law enforcement agencies, jealous spouses or direct marketers.

These two problems could be addressed by

  • encrypting transmissions-this would provide sufficient protection for most users. Of course, encrypted communications can sometimes be deciphered; witness the recent breach of Netscape's Internet browser encryption algorithm;
  • "locking" the handset so that the user requires a personal access code.

Industry Canada plans to limit the use of digital scanners, thus reducing the chance for interception of PCS communication. But another needed step is to prohibit PCS companies from either using or disclosing information about the subscriber's whereabouts for any purpose other than routing calls or billing PCS service. And PCS invoices should not display the exact location of a calling or called party.

Although the Canadian Radio-television and Telecommunications Commission (CRTC) does not now regulate PCS companies, it will hold public hearings later this year to determine which, if any, aspects of wireless telecommunications (including PCS) it will regulate.

If both manufacturers and regulators safeguard the handset, the transmissions and the records, Canadians will reap only the intended benefits, and not find themselves under surveillance from another piece of electronic wizardry designed to ease their lives.

Other telecommunications news
De-regulating conventional telephone service has opened several cans of worms; some of these concern the right of competing companies to have access to the customer lists of full-service telephone companies. One immediate impact of disclosure of customer data to long-distance re-sellers was a blizzard of mail and marketing calls, and in some cases, clients being switched to other companies without their knowledge or consent.

The CRTC authorizes the full service companies to disclose their customer data to long distance resellers on request and with proof of the customer's interest. However, the re-sellers (which buy blocks of long distance calls from the telephone companies) are not regulated by the CRTC and some customers have been unaware of the switch until receiving their first bill. Customers can be returned to their original provider at no cost. More recently, private directory publishers have asked the CRTC for access to electronic client lists to publish directories, now published mainly by Tele-Direct, a Bell Canada subsidiary.

While the CRTC agreed that White Directory could compete against existing directory publishers, it ordered telephone companies to enable subscribers to remove their names and addresses from the electronic directory files before they were given to White Directory. White Directory appealed the "de-listing" mechanism to the CRTC, arguing that it would be at an immediate disadvantage because its directories would likely contain fewer listings than current directories, should many subscribers opt out. The CRTC upheld its earlier decision and White Directory filed a petition with the Governor in Council seeking to overturn the CRTC order.

The Privacy Commissioner supported the CRTC decision and urged the Governor in Council to guarantee subscribers the right to full control over their personal information. The Governor in Council has up to one year to make a decision.


One Size Does Not Fit All

There appears to be a growing public outcry about releasing violent offenders into the community either on parole or at the end of their sentence. The concern is most acute with pedophiles. There is no doubt that some danger exists and Canadians have the right to try to minimize those dangers. An incident in Fort St. John, B.C. illustrates.

Fort St. John City Council, told that a known sex-offender was in the community, agreed to help local community groups print and distribute posters publicizing the man's presence. At a later meeting the Council resolved to pass on the information to other communities in B.C., Yukon and Alberta. The poster contained a photograph, physical description, list of convictions, as well as a notation about withdrawn charges. During the storm of publicity, the man left the community.

Both B.C. Information and Privacy Commissioner David Flaherty and this Office inquired-Dr. Flaherty into the actions of the municipality, and this Office into an allegation that the RCMP improperly disclosed information to the mayor of Fort St. John (information which actually appeared to be publicly available). Both commissioners concluded that while disclosure may be appropriate in some circumstances, the "shotgun approach", as Dr. Flaherty describes it, is often not the answer. Both agreed that a consistent national policy and process would help officials determine when disclosure is needed.

In an effort to shed some light on a heated discussion, the Office produced a discussion paper entitled Publicizing the identity of violent offenders on their release into the community.

Protecting the public from violent offenders is primarily the responsibility of the criminal justice system, mental health institutions and social welfare agencies. It is not usually a privacy issue. However, in part because the justice system is fallible and prison rehabilitation programs sometimes ineffectual, governments and the public look to other means of protection.

Is publicity the answer?
Publicity is becoming the cheap "solution" to a complex problem caused partly by structural weaknesses in the correctional system. Publicity also means governments are disclosing personal information about offenders without their consent. It is these disclosures that have drawn federal and provincial privacy commissioners into the debate.

Notifying the public about the presence of a violent offender may prevent further harm in some cases. However, publicity may actually produce greater harms:

  • publicity may drive some offenders underground and away from treatment, making them more dangerous;
  • publicity may give the community a false sense of security that all dangerous offenders have been identified, when in fact most likely have not;
  • publicity may make it impossible for a released offender to remain in a community, thus hurting chances for successful reintegration into society;
  • since many violent offenders will not reoffend, disclosing information about them may unjustifiably harm them; and
  • unwarranted publicity may threaten the physical safety of offenders, often with no consequential benefit to society.

From a privacy perspective, any measures that warrant breaching the offender's privacy should have a demonstrable public benefit. If there is no benefit, there should be no disclosure. Two questions need answering: When is it appropriate to release personal information about an offender who has left an institution on parole, under statutory remission, or at the end of the sentence? Who should have authority to release the information, and to whom?

The discussion paper examines several possible disclosure programs for releasing violent offenders into the community. Among them are those used in B.C. and Manitoba. Both programs involve the interested parties-police, correctional officials and, in Manitoba, public interest groups-in examining the circumstances of an offender and then deciding whether disclosure is warranted and if so, to what extent.

Privacy Act does not prevent release
All too often officials claim that the federal Privacy Act prevents them from releasing personal information that would identify a pedophile or other dangerous offender in a community-even if it might serve the public interest to do so.

This is not so. The Privacy Act's prohibition against disclosure of personal information may be overridden if the head of the government institution concludes that there is a demonstrable public interest. The head must then notify the Commissioner's Office. Staff examine the circumstances leading to the disclosure proposal and the type of disclosure. The Commissioner then decides whether to notify the individual about the disclosure; however, the Commissioner has no authority to stop the release.

To repeat this oft-misunderstood point: The Privacy Commissioner has no power-other than that of persuasion-over releasing information about a potentially dangerous offender to the public. The Privacy Commissioner neither initiates nor prevents the release. If anything, the Privacy Act provides rules to facilitate the release of personal information in the public interest.

Striking the balance
There is no easy solution to this complex issue of protecting society against dangerous human behaviour. To determine whether disclosure may help to resolve the problem, we recommend establishing a process to assess the factors. Among the factors that need assessing are the risk that the person will re-offend, the ability of measures other than publicity to reduce the threat, the possible harms that may flow from publicity-both to the community and the offender-and the extent of any publicity that is warranted.

The schemes used in B.C. and Manitoba appear reasonable models for striking a balance between the public interest in knowing the presence of a potentially dangerous person and that person's right of privacy. Our discussion paper offers tentative support for such schemes for any offender who poses a certain level of risk of serious violence to the community, not merely sex offenders. For provinces that do not have such schemes, a federally appointed government/lay committee could make recommendations to the RCMP, Correctional Service Canada and the National Parole Board about disclosure in the public interest.

Copies of the discussion paper will be available from the Office and on our Web site.


Refining the Criminal Records System

A criminal history records system is a vital tool for police forces and other agencies which investigate and prevent crime. This powerful and sensitive record collection is maintained by the RCMP in its information bank CMP PPU 030, Criminal History Records and Identification Fingerprints. The database is subject to the Privacy Act and during the past year Office staff completed a study of its contents and administration.

The study helped dispel a number of misconceptions that had developed about what information is contained in criminal history records and how it is managed. The RCMP is aware of the sensitivity of this personal information, of the need to ensure it is accurate and up-to-date, and of its responsibilities to properly manage the information. Interviews with members of the RCMP and other police forces helped confirm that the RCMP makes every possible effort to ensure the information is accessible only to individuals and organizations who need to know.

Although the RCMP's overall management of the information continues to respect the Privacy Act, staff identified several opportunities to strengthen compliance. They include the following issues:

Mandate: Although the study identified a number of pieces of legislation that refer to the RCMP's maintenance of criminal history records, neither Office nor RCMP staff were able to identify a comprehensive authority. Since the information is used daily by police agencies and other organizations to make significant decisions about individuals, specific legislation or amendments to existing legislation would better serve the interests of both the RCMP and the Canadian public. The legislation should spell out what information may be collected, how it may be used and to whom it may be disclosed.

Content of Criminal History Records: The current definition of criminal history includes not only charges for which an individual has been convicted, but also charges stayed, withdrawn or for which the individual was found not guilty. Although information about charges for which an accused was not convicted can be valuable to police forces, it should be held in a separate information bank to which access is more limited. This would ensure it would be available only for authorized police investigations and not for such other uses as screening employees. Since the 1987 Ministerial Directive on disclosure of criminal history information is being revised, the time seems right to consider creating a second bank for records for which there was no conviction.

Cessation of Pardon: The Criminal Records Act provides the National Parole Board with the power to revoke a pardon after giving the individual an opportunity to make representations.

The Act also provides that a pardon ceases if an individual is subsequently convicted of an indictable or hybrid offence. In these cases, the Act requires the RCMP to restore all entries concerning the pardoned offences into the regular criminal records system. The individual has no opportunity to make representations or to be advised that the pardon has ceased. This may lead the accused to believe that information once inaccessible because of the pardon, is once again available for use against the individual.

The RCMP should modify its procedures to include notifying the individual, whenever possible, that pardon has been revoked, thus making the system much more open to everyone concerned.

Info Source Description
The RCMP's criminal history records do not always contain an individual's complete criminal history because police and correctional agencies are not obliged to provide information to the system. The bank description in Info Source is unclear and could lead readers to conclude that the bank is a complete history of all criminal charges and convictions. The RCMP should amend the bank description to describe the information more accurately.

Printed copies of the Study of Criminal History Records Maintained by the RCMP can be ordered from the Office or obtained from our Web site.


Privacy in Cyberspace-A surfer's guide

At last count (or best guesstimate) 40 million people worldwide are surfing the Net for fun and profit. Surprisingly, many of them are simply unaware that their communications, transactions-and perhaps even the data on their own computer-are available for others to see (unless they take precautions).

The openness of the Internet should not be surprising-the Net evolved from a U.S. Defence Department communications network (ARPANET) linking military bases, university research centres and defence contractors. It was designed to be open and accessible-to communicate and to be impervious to nuclear attack. Other computer networks and universities quickly joined.

Today the Net is multiple networks with many pathways connecting many computers. Messages can be routed around the world to reach across town and seldom travel the same route twice. The Net resides nowhere and everywhere; it has no headquarters and no-one is "in charge". That is its power-and its challenge to privacy.

Sitting quietly in front of our personal computers, it's easy to be lulled into forgetting that sending E-mail is not like making a telephone call; it's more like broadcasting. We should have few expectations of privacy. In fact, not only are our messages to public newsgroups or forums accessible to others, software available on the Net allows others to assemble a profile of our messages and interests. Soon marketers will systematically mine the Net to assemble personal profiles and target lists to sell products and services on line. And shopping and banking over the Net pose their own risks unless the service is protected by encryption.

The power and reach of the Internet gives users and system operators extraordinary access to data, including personal information. In January 1989 the Association for Computing Machinery (ACM), recognizing the social impact of their profession, drew up a code of ethics to articulate members' responsibilities. One of these is to "respect the privacy of others".

But, given the nature of the Net, individual users must also take responsibility. Here, then, are some suggestions for protecting privacy in Cyberspace, adapted with their permission (and our gratitude) from a fact sheet of the Privacy Rights Clearinghouse at the Centre for Public Interest Law, University of San Diego, California.

  • Create a secure password: Make up something nonsensical from a combination of upper and lower case letters, numbers and symbols, or something no-one could guess; a combination of family names, birthdates or interests.
  • Ask for your system operator's privacy policy: Most commercial services have written policies which they provide to new subscribers. Avoid those that don't. Read carefully all messages which appear at initial login; many "sysops" inspect e-mail and require new subscribers to allow e-mail to be monitored.
  • Shop around: Investigate new services before you use them. Post a question in a dependable forum or newsgroup. If others have had a bad experience, you will hear quickly-news gets around in cyberspace.
  • Assume your communications are not private: Unless you encrypt, do not send sensitive personal information (phone numbers, passwords, addresses, credit card numbers, vacation dates, social insurance numbers) by chat lines, forum postings, e-mail or in your on-line biography.
  • Be cautious of "start-up" software: Programs which make the initial connection to a service may ask for your credit card number, chequing account numbers, Social Insurance Numbers, then upload the information automatically for billing purposes. These programs may also be able to access records in your computer without your knowledge. Ask the service for alternate subscription methods.
  • Don't leave footprints: Use anonymous remailers to avoid leaving tracks of your logins and the commands you executed both at your service provider and remote sites.
  • Remember the "Delete" command doesn't...make your messages disappear, that is. They can still be retrieved from back-up systems and your hard drive.
  • On-line identities may not be what they seem: Many network users adopt one or more on-line disguises.
  • Avoid listing sensitive or controversial newsgroups as "favourites": If your on-line service allows you to compile a list of favourite newsgroups, avoid listing those with which you do not want to be publicly identified.
  • Take care creating your on-line biography: If you need to protect your identity, don't create a biography, and ask the operator to remove you from its on-line directory. Biographies may be searched system-wide or "fingered" remotely.
  • Setting up a personal Web page makes you a marketing target: This seems self-evident, but it's often forgotten.
  • Be alert to social dangers: Harassment, stalking, being "flamed"-subjected to emotional verbal attacks, or "spammed"-sent repeated unsolicited messages, are all possible on the Net. Women can be particularly vulnerable; use gender neutral on-line IDs.
  • Teach your children well: Make sure your children also learn the privacy lessons. Caution them against revealing information about themselves or your family.
  • Use privacy protection tools: If you are concerned, consider using technologies which help on-line users protect their privacy. These are:

Encryption: these scramble e-mail messages or files, making them gibberish to both the system operator and anyone other than the intended recipient. Various encryption programs (such as PGP-Pretty Good Privacy) are available on-line;

Anonymous remailers: these servers act as intermediaries for your message, stripping off the identifiers before forwarding the message;

Memory protection software: programs which prevent unauthorized on-line access to your home computer. Some include an "audit trail" to record all activity on your computer.


Canadian Institute for Health Information - a national medical record collection

The 1993-94 annual report discussed the privacy issues in a new national body set up to gather personalized medical data from provincial health institutions and transform it into aggregate statistical data for research. Since the Canadian Institute for Health Information (CIHI) is not a federal agency, the Commissioner was concerned about removing sensitive medical data from the protection of the federal Privacy Act (and even tougher Statistics Act) with no compensating safeguards in place. He offered any input that might prove helpful to ensure that sensitive medical data was properly protected. CIHI's initial response was tepid but the past year has seen a sea-change.

Background
Until 1994, provincial health centres provided information about individual hospital admissions, treatments and deaths directly to Statistics Canada and Health and Welfare (covered by federal privacy legislation), as well as to two non-governmental organizations, the MIS Group and the Hospital Medical Records Institute. These agencies rendered the personalized data into aggregate statistics and made it available for research.

A study by the National Council on Health Information concluded that the arrangement duplicated effort and produced overlapping responsibilities. The Council recommended integrating all the organizations' relevant activities into a single federally-chartered, non-profit organization with a mandate to create and maintain a completely integrated health information system for Canada. This is CIHI.

Midway through 1995, CIHI seized on the privacy issue and determined to draw up guidelines on protecting the vast store of sensitive personal data of which it is custodian. Senior CIHI staff sought the office's input; the result is four documents on privacy and confidentiality, one of which-Privacy and Confidentiality of Health Information at CIHI-sets out the guidelines. They include:

  • 10 guiding principles governing collection, use and disclosure of personal information (based on the CSA Model Privacy Code);
  • Security and Privacy Guidelines for Health Information Systems adopted from the Canadian Organization for the Advancement of Computers in Health (COACH);
  • a data linkage policy modelled on Statistics Canada's Policy on Record Linkage, and
  • a formal process for handling external requests for CIHI data.

These new guidelines will apply as minimum standards to all data under the control of CIHI. They will be implemented in 1996-97.

Two questions remain. One is unsettling; is it advisable to centralize so much sensitive medical information given the unprecedented power for surveillance and linkage its systems grant health bureaucrats? And notwithstanding the security systems in place, concentration of data increases the potential for information leaks.

The second question concerns the wisdom of CIHI piloting a national survey of some 22,000 Canadian households about their living habits, use of health services and their health problems. Previous health surveys were conducted under the stringent protection of the Statistics Act and the added safeguards of the Privacy Act. CIHI's guidelines are a brave statement of principle but they hold no power in law.


Update - The Privacy Patchwork

The past year was a quiet one for new privacy laws in Canada and abroad.

Alberta's Freedom of Information and Protection of Privacy Act came into force on October 1st. The law currently applies to provincial government records but will be extended to municipal and regional governments in the future. In November, British Columbia extended its Act to cover records of self-governing professional bodies such as the provincial College of Physicians and Surgeons-a first in Canada.

The New Brunswick legislature established an all-party committee to examine comprehensive privacy legislation to replace the province's current privacy code. Residents now have a legal right of access to their personal records but none to challenge the government's collection, use and disclosure of their personal records. Nova Scotia has begun reviewing its 1993 Act for possible amendment. Prince Edward Island remains the only province without any kind of access to information or privacy legislation.

Winnipeg appears to have broken new ground. In January, city council's new By-law relating to Access to Information came into force giving city residents rights of access to and correction of their personal information in city records (Manitoba's privacy law does not extend to regional and municipal governments).

Abroad, Australia's federal government is considering extending its Privacy Act, which applies only to federal records, to the private sector. In July the European Parliament ratified the Directive on data protection, which is now in force. Member countries of the European Union have until the summer of 1998 to adopt or adapt national privacy laws to comply with the Directive. Section 25 of the Directive prohibits member nations (and businesses within the country) from transferring personal information to a non-member country whose laws do not guarantee adequate protection of the information.

In the absence of nation-wide privacy protection laws covering both the governments and the private sector (except in Quebec), Canada may not meet the Directive's adequacy test and risks being at a trade disadvantage with other countries.


Investigating Complaints

The Branch's intake of new complaints levelled off at 1625 during 1995-96. Investigators completed 1681 cases, leaving 1630 open case files-virtually an entire year's workload-to be carried into the next fiscal year.

Two issues need highlighting in this report; both are the result of this huge backlog of complaints the Office continues to face.

Like virtually all federal government institutions, the Office is struggling with dwindling financial resources. But the combination of across-the-board percentage cuts and climbing caseload has pushed the Office to the critical point far more quickly than larger agencies. The Commissioner is funded only to investigate and cannot turn away-or charge-complainants.

Coupled with budget cuts are clients' increasing demands. Canadians demonstrate growing awareness of privacy threats, increased sophistication in framing complaints and a greater demand for respect for their privacy rights. More provinces have passed privacy legislation, there is a standard privacy code in the private sector, as well as a steady barrage of media stories about the dangers to privacy protection from technological advances.

The Office recognizes that it will cease to be relevant if it cannot respond to complainants in a timely fashion-justice is already being seriously delayed. To serve clients properly, the Office should have no more than 500 complaint investigations open at any time; about 35 cases per investigator.

The only option was to streamline the process substantially. In late 1995 the Office undertook an in-depth examination of its investigation process, including one-on-one meetings with staff in departmental privacy offices. The new process will reduce the paper burden, remove some of the formality, eliminate steps in the review process and allow greater reliance on the telephone-in short, a fast track approach to handling many of the complaints, one that builds on the strength and flexibility of the ombudsman role.

At the same time, the Branch implemented quality service standards aimed at reducing the time and effort required to investigate complaints, created a unit to focus on backlogged complaints, and another to concentrate on complaints about improper collection, use, disclosure and disposal of personal records (sections 4 to 8 of the Privacy Act). The Office will monitor the changes carefully, and fine-tune where needed.

Following are selected complaints from the year's caseload.

Three strikes-CIC out
Three times the owner of a Vancouver construction company returned packages of misdirected immigration files to the local Citizenship and Immigration Canada office. The fourth time, his patience ran out. He sent the file to the local Vancouver newspaper-the Province.

Apparently the Surrey CIC office had closed and the priority courier, unable to find a current address, continued to deliver packages (addressed to "CIC") to the nearest likely destination-CIC Construction in West Vancouver.

The journalist called the Vancouver CIC office. The manager reacted immediately, retrieving the file, calling the Montreal office to correct the address, and then the courier service which traced the deliveries. The courier acknowledged that the packages should have been returned, or instructions sought from the sender. The manager agreed to be interviewed and photographed but asked the journalist not to identify the subject of the file in the article. The journalist agreed but had already called the man for his reaction to the disclosure and asked him about his immigration status. Understandably upset, the man complained to the Commissioner.

It was obvious that the immigration file (which contains photographs, fingerprints and sworn statements about his political background and reasons for seeking refuge in Canada) had been improperly disclosed. Despite three earlier opportunities, CIC had failed to determine why files were being returned or take proper measures to guarantee safe transfer of very sensitive personal information. Had they done so, the file would never have found its way to the newspaper, exposing the man to the journalist and to his probing questions. Fortunately the newspaper agreed not to compound the problem by naming the man in its article.

The department apologized to the complainant. It also undertook to update its mailing lists, instruct employees on proper addressing and distribution of personal files and distribute information about the case to staff to illustrate the serious personal consequences of documents going astray. The complaint was well-founded.

Privacy not a screen for defaulting loans
Obviously not all complaints are well-founded. Privacy must sometimes give way before other demands-one of which is Canadians' obligations to pay their debts. The Office continues to receive complaints from individuals that Human Resources Development Canada has "improperly disclosed" information about their defaulted Canada Student Loan payments to private collection agencies.

The government has a legitimate right and obligation to collect outstanding debts, and-having no collection agency of its own-it contracts debt collection to outside agencies. This does not violate the Privacy Act. Nevertheless, the Office ensures that contracts specify that agencies' collection and use of the information does comply with the Privacy Act.

Surplus employee can see successful candidates' assessments
Government lay-offs prompted a complaint, not from one of the employees declared surplus, but from one offered a position. He complained that Public Works and Government Services had provided its personal assessment of his performance to an unsuccessful candidate to justify its decision to offer him, and not the other employee, the job.

In order to determine who would fill the remaining positions, Public Works developed selection criteria, established questions, a rating guide and the method of assessment for each job. From this process it established a list in reverse order of merit. Depending on the number of positions, employees were offered a position or declared surplus. Unsuccessful employees who grieved the process were provided the assessments of those ranked higher on the merit list.

This disclosure follows Public Service Commission policy which provides the information to ensure the fairness of the process; the employee can see that he/she was fairly evaluated against objective criteria and against other employees. The department collected the information to establish the reverse order of merit list. It is entitled to disclose the list and assessments to aggrieved employees to defend its decisions in establishing its merit list. In short, the disclosure is consistent with the purpose for the original collection. The Commissioner was satisfied that the disclosure of the higher-ranked employees' personal information was in accordance with the Privacy Act.

Must keep interview panel members' notes
Several RCMP members complained that they were unable to examine notes made by panel members during various selection boards. Members take handwritten notes to help them assess and rank the candidates. Some board members had kept the notes for as long as six months in their own files. Others' notes were shredded following the interviews, apparently on instructions from RCMP personnel staff. But ultimately all were destroyed-in two cases, between the time the complainants sought access informally and then made formal requests.

The Act is clear; personal information used by a government institution to make an administrative decision about an individual is accessible and should be kept for a minimum of two years. Several board members interviewed could see no difficulty with retaining the notes. In fact, next year's non-commissioned officer selection boards will include a candidate de-briefing which is likely to require board members to retain their notes to go over individuals' answers to specific questions.

The RCMP has agreed to change its policy and will gather members' notes at the conclusion of the process and keep them in staffing files.

Garnishment notice not an "improper disclosure"
A Toronto woman argued that Revenue Canada's notice to her former employer that she owed back taxes was an improper disclosure of her personal information.

After several attempts to collect the arrears (which the woman was trying to reduce by periodic payments), Revenue Canada sent her a "pre-legal" letter demanding a response in 15 days. When the letter and phone call to her workplace produced no response, Revenue Canada issued a "Requirement to Pay" notice against the employer. In the meantime, the woman had left the job and says she wrote to Revenue Canada to advise them.

The investigator found no trace of a hard copy of the woman's letter or any entry in the taxation computer diary. Since Revenue Canada was attempting to collect taxes owing, did not know that she had left the job, and its authority is set out in the Income Tax Act, the Commissioner concluded that there had been no improper disclosure.

Labour market survey not compulsory
Statistics Canada's surveys always prompt telephone calls to the Commissioner. A Montreal woman complained that a Statistics Canada labour market survey was an excessive collection of personal information that she was told she must provide. She also objected to the survey taker's demand for access to her future tax returns, as well as her telephone number or that of a family member or friend. The woman wanted the Office's help in refusing to answer Statistics Canada's questions.

It appeared that Statistics Canada had sent the woman a letter of introduction prior to taking the survey, explaining that the survey is voluntary. Unlike the Census, there are no legal obligations to respond to Statistics Canada surveys. An enthusiastic Statistics Canada staffer may have attempted to persuade the woman to participate and his or her persistence may have given the woman the impression she had to respond. However, the documents are clear.

Since the study is a six-year longitudinal survey, participants are followed up at regular intervals. Statistics Canada asks for an alternate telephone number; for example, of family members or friends, if it is unable to reach the person for an extended period.

The request for access to future tax returns was intended to help reduce the burden on respondents-much of the financial information needed for the survey duplicates details in individual tax returns. The question was apparently hypothetical-to assess respondents' willingness to approve such a disclosure. It was never made.

The Commissioner concluded that Statistics Canada had the authority to conduct the survey, had properly explained its purpose and made it clear that participation was voluntary. Statistics Canada undertook not to approach the woman again although there is nothing to prevent her name from appearing at random in future surveys.

MPs have no special access
An individual complained that someone at Citizenship and Immigration had improperly disclosed information about him to a member of Parliament. The investigation confirmed that an immigration officer wrote to the MP providing information about the complainant's immigration status in Canada and his criminal record.

While the Privacy Act allows departments to disclose personal information to MPs (with the individual's consent) for the member to help resolve the constituent's problem, MPs have no special access rights to other individuals' records. In this case, the MP was not helping the person concerned. In fact, he was acting on behalf of the complainant's estranged wife. The department did not have the complainant's consent to disclose his information to the MP, nor was there any reason to do so. The Privacy Commissioner concluded that Citizenship had made an improper disclosure.

Regrettably, once personal information has been disclosed, it cannot be retracted. There is no remedy that can undo the damage to the individual. However, the department has assured the Commissioner that there will be no repeat of the incident. Citizenship officials agreed to develop and disseminate a policy to provide better direction to departmental officials responding to MPs' inquiries about its clients.

Supervisor leaves; computer transferred-with employee files
A Health Canada employee inherited a new computer from a departing supervisor and got more than simply more power. He found notes about another employee's performance on the hard drive and reported the discovery to a departmental official.

Health Canada erased the information, apologized and has issued a directive to all staff to check computer hard drives before re-assigning them to other staff.

Unfortunately, restoring the other employee's privacy is impossible. The case is an object lesson for everyone who stores personal data on computers with little thought for the long-term consequences. Without help from their minders, these machines never forget.

DND public affairs staff reveal details to media
Government public affairs staff are often between the proverbial rock and hard place; criticized by the media for being secretive and, in this case, by family members for being too open.

A young soldier died in tragic circumstances and his parents pressed for the details. Unsatisfied with DND's explanations, they went to the media. DND public affairs staff responded to journalists' questions with details about the soldier's alcohol problems and DND's attempts to help him. In another interview, the public affairs officer also revealed that the soldier had not named his parents as next-of-kin to be called in an emergency.

Video recordings of television interviews established two of the disclosures. A print journalist learned some of the details from one of the television interviews, not public affairs staff as the family maintained.

Nevertheless, the Commissioner concluded that the disclosures were improper. DND will revise its policy and provide information sessions to guide public affairs officers when handling media demands for personal information.

Human error misdirects mail
Two instances of human error saw mail delivered to wrong addresses.

In the first case, a man's Change of Address card-the notice to the local Canada Post letter carrier to intercept and forward his mail-ended up being delivered to his former landlord. Canada Post apologized for what was an isolated incident.

The second case was potentially far more damaging; a letter from Revenue Canada's Audit Services to a taxpayer was enclosed in material being mailed to a third party. Fortunately the recipient returned the letter to Revenue Canada; it contained information about the woman's income tax returns.

Apparently Revenue Canada's Toronto East Tax Services Office provides mailing service to its Audit Services Branch. Mailing staff had gathered up the woman's letter inadvertently with other material. Revenue Canada apologized to the woman, has changed some mailing procedures and now conducts routine spot checks to try to prevent any recurrence.

Employee tax guidelines working
Last year we reported Revenue Canada's introduction of guidelines on using employees' tax files for supervision and performance assessment. This year an employee complained that Revenue Canada had breached those guidelines by using his tax files to make a case for firing him.

The investigator examined the employee's personnel files and found that the employee and manager had repeatedly discussed his behaviour, absences from his desk and frequent personal phone calls. Concerned about the employee's low productivity and on-the-job activities, the manager asked for an Internal Affairs audit.

The audit followed the trail left by the employee as he accessed key tax data available on Revenue Canada's computer system-selected tax items, not the complete return. The audit revealed that the employee had unauthorized access to his own tax data, as well as those of several family members and an acquaintance, none of which were needed for his job. It also revealed that despite having earned income, the employee had not filed a tax return for several years.

However, the audit did not intentionally target the employee's tax data-it simply followed the trail he left which included accessing his own file. There were no tax details in his personnel files. While Revenue Canada ultimately fired the employee, it was due to his work habits, lack of productivity and unauthorized access to his own and others' tax data. The department also asked him to file tax returns for the missing years.

The Commissioner concluded that the complaint was not well-founded. Had the manager made a deliberate decision to investigate an employee's income tax return, the guidelines require him to provide substantial justification and obtain the approval of the assistant deputy minister.

Inquiries

Many callers cannot be helped because the Commissioner has no jurisdiction over the private sector; banks, insurance companies or transportation companies.

Some callers were angry about Sprint Canada's request for customers' SIN. Others objected to Purolator Courier requiring all employees to be fingerprinted. And several Air Canada employees called wanting investigators to examine the airline's use of personnel files and its access to employees' e-mail.

Despite having been Crown corporations, neither Air Canada nor Via Rail (also the subject of several inquiries) has ever been covered by federal privacy legislation. Employees have no legal right to examine their personnel records unless privacy rights are negotiated in collective agreements.

OC Transpo
Several calls from OC Transpo employees who were also denied access to their files illustrate the unusual status of the Ottawa-Carleton area's public transit company. Its regular routes to Hull, Quebec, make it an "interprovincial" service and thus federally-regulated. However, it is not subject to federal privacy legislation, nor the Ontario privacy act which covers other Ontario transit authorities.

According to the Ontario Privacy Commissioner's office, OC Transpo tries to follow the Ontario legislation. The Ontario Privacy Commissioner has been able to gain access to employee files except those dealing with harassment or grievance cases. OC Transpo officials refuse to open these.

Old Age Security Card - SIN
Three callers complained that their Social Insurance Number appears on their Old Age Security Cards, requiring them to reveal the SIN each time they use the card to identify themselves for benefits; for example, to get a seniors' discount from a department store. Most of the callers declined to lodge a formal complaint, saying "it's not worth stirring up the hornet's nest". Clearly another senior disagreed because, shortly afterwards, the Office received a formal complaint which it is now investigating.

Personal Information Request Forms
Dozens of callers complain they are unable to find the Personal Information Request Forms needed to access their personal records. Several had been improperly directed to post offices; Canada Employment Centres don't have them, as advertised, and many tell us the Employment Centre staff have never heard of the forms. Since distribution of the supporting materials is Treasury Board's responsibility, staff attempt to point out the gaps to TB staff as they occur. In the meantime, however, the Office ships thousands of forms each year.

The forms and accompanying directory, Info Source, should be available in employment centres, federal government libraries and reading rooms, large public and university and college libraries, MPs' constituency offices and native band council offices.

Inquiries 1986-96

Top Ten Departments by Complaints Received

| Institution | TOTAL | Grounds: Access | Grounds: Time Limits | Grounds: Privacy |
|---|---|---|---|---|
| Correctional Service Canada | 312 | 113 | 157 | 42 |
| National Defence | 267 | 83 | 162 | 22 |
| Revenue Canada | 235 | 58 | 141 | 36 |
| Royal Canadian Mounted Police | 138 | 82 | 23 | 33 |
| Citizenship and Immigration Canada | 106 | 31 | 67 | 8 |
| Canadian Security Intelligence Service | 90 | 82 | 6 | 2 |
| Human Resources Development Canada | 80 | 33 | 22 | 25 |
| Treasury Board of Canada Secretariat | 67 | 3 | 0 | 64 |
| Canada Post Corporation | 46 | 27 | 0 | 19 |
| National Archives of Canada | 41 | 25 | 5 | 11 |
| OTHER | 243 | 141 | 53 | 49 |
| TOTAL | 1,625 | 678 | 636 | 311 |

Completed Complaints by Grounds and Results

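| Grounds | Well-founded | Well-founded; Resolved | Not Well-founded | Resolved | Discontinued | TOTAL |
|---|---|---|---|---|---|---|
| Access | 12 | 126 | 470 | 21 | 28 | 657 |
| - Access | 12 | 119 | 430 | 19 | 26 | 606 |
| - Correction/Notation | 0 | 7 | 39 | 1 | 2 | 49 |
| - Inappropriate Fees | 0 | 0 | 1 | 1 | 0 | 2 |
| - Index | 0 | 0 | 0 | 0 | 0 | 0 |
| - Language | 0 | 0 | 0 | 0 | 0 | 0 |
| Privacy | 42 | 25 | 140 | 7 | 17 | 231 |
| - Collection | 2 | 0 | 36 | 1 | 2 | 41 |
| - Retention & Disposal | 10 | 6 | 9 | 2 | 2 | 29 |
| - Use & Disclosure | 30 | 19 | 95 | 4 | 13 | 161 |
| Time Limits | 584 | 3 | 154 | 0 | 52 | 793 |
| - Correction/Time | 2 | 0 | 2 | 0 | 1 | 5 |
| - Time Limits | 521 | 3 | 119 | 0 | 37 | 680 |
| - Extension Notice | 61 | 0 | 33 | 0 | 14 | 108 |
| TOTAL | 638 | 154 | 764 | 28 | 97 | 1,681 |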

Complaints Completed by Grounds

Origin of Completed Investigations

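| Origin | Completed investigations |
|---|---|
| Newfoundland | 15 |
| Prince Edward Island | 14 |
| Nova Scotia | 50 |
| New Brunswick | 34 |
| Québec | 172 |
| National Capital Region - Québec | 17 |
| National Capital Region - Ontario | 349 |
| Ontario | 510 |
| Manitoba | 32 |
| Saskatchewan | 49 |
| Alberta | 132 |
| British Columbia | 293 |
| Yukon | 2 |
| Outside Canada | 12 |
| TOTAL | 1,681 |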

Completed Complaints by Department and Result

| Department | Total | Well-founded | Well-founded; Resolved | Not well-founded | Discontinued | Resolved |
|---|---|---|---|---|---|---|
| Agriculture and Agri-Food Canada | 33 | 4 | 5 | 22 | 1 | 1 |
| Atlantic Canada Opportunities Agency | 1 | 1 | 0 | 0 | 0 | 0 |
| Business Development Bank of Canada | 1 | 0 | 1 | 0 | 0 | 0 |
| Canada Council | 1 | 1 | 0 | 0 | 0 | 0 |
| Canada Mortgage and Housing Corporation | 2 | 0 | 0 | 2 | 0 | 0 |
| Canada Ports Corporation | 2 | 0 | 1 | 1 | 0 | 0 |
| Canada Post Corporation | 41 | 10 | 10 | 18 | 1 | 2 |
| Canadian Heritage | 3 | 1 | 0 | 2 | 0 | 0 |
| Canadian Human Rights Commission | 4 | 0 | 0 | 3 | 0 | 1 |
| Canadian International Dev. Agency | 4 | 1 | 0 | 2 | 1 | 0 |
| Canadian Security Intelligence Service | 101 | 0 | 0 | 101 | 0 | 0 |
| Citizenship and Immigration Canada | 143 | 95 | 11 | 26 | 10 | 1 |
| Commissioner of Official Languages | 7 | 3 | 0 | 4 | 0 | 0 |
| Consumer and Corporate Affairs | 2 | 1 | 0 | 1 | 0 | 0 |
| Correctional Investigator Canada | 4 | 1 | 1 | 1 | 1 | 0 |
| Correctional Service Canada | 305 | 106 | 31 | 152 | 10 | 6 |
| Elections Canada | 1 | 0 | 0 | 1 | 0 | 0 |
| Environment Canada | 5 | 1 | 0 | 3 | 1 | 0 |
| Farm Credit Corporation Canada | 3 | 0 | 2 | 1 | 0 | 0 |
| Fisheries and Oceans | 4 | 1 | 0 | 3 | 0 | 0 |
| Foreign Affairs and Int. Trade Canada | 5 | 3 | 0 | 2 | 0 | 0 |
| Freshwater Fish Marketing Corporation | 2 | 0 | 0 | 2 | 0 | 0 |
| Health Canada | 22 | 4 | 5 | 10 | 0 | 3 |
| Human Resources Development Canada | 102 | 24 | 8 | 66 | 4 | 0 |
| Immigration and Refugee Board | 22 | 2 | 17 | 1 | 2 | 0 |
| Indian and Northern Affairs Canada | 1 | 0 | 1 | 0 | 0 | 0 |
| Industry Canada | 6 | 1 | 0 | 3 | 2 | 0 |
| Inspector General of CSIS, Office of | 1 | 0 | 0 | 1 | 0 | 0 |
| International Centre for Human Rights | 1 | 0 | 0 | 1 | 0 | 0 |
| Justice Canada, Department of | 19 | 2 | 2 | 15 | 0 | 0 |
| Labour Canada | 2 | 0 | 0 | 2 | 0 | 0 |
| National Archives of Canada | 32 | 5 | 3 | 23 | 1 | 0 |
| National Arts Centre | 1 | 0 | 1 | 0 | 0 | 0 |
| National Capital Commission | 1 | 0 | 0 | 1 | 0 | 0 |
| National Defence | 316 | 171 | 12 | 90 | 40 | 3 |
| National Film Board | 5 | 1 | 3 | 1 | 0 | 0 |
| National Library | 2 | 0 | 2 | 0 | 0 | 0 |
| National Parole Board | 17 | 1 | 4 | 12 | 0 | 0 |
| National Research Council Canada | 4 | 0 | 0 | 4 | 0 | 0 |
| Natural Resources Canada | 3 | 1 | 1 | 1 | 0 | 0 |
| Office of the Auditor General of Canada | 2 | 0 | 1 | 1 | 0 | 0 |
| Privy Council Office | 1 | 1 | 0 | 0 | 0 | 0 |
| Public Service Commission of Canada | 7 | 0 | 1 | 4 | 2 | 0 |
| Public Works and Govt. Services Canada | 21 | 1 | 7 | 9 | 1 | 3 |
| Revenue Canada | 253 | 171 | 10 | 66 | 5 | 1 |
| Royal Canadian Mint | 4 | 0 | 2 | 2 | 0 | 0 |
| Royal Canadian Mounted Police | 136 | 19 | 11 | 85 | 15 | 6 |
| RCMP Public Complaints Commission | 2 | 2 | 0 | 0 | 0 | 0 |
| Social Sciences and Humanities Res. Coun. | 1 | 0 | 0 | 1 | 0 | 0 |
| Solicitor General Canada | 3 | 0 | 0 | 3 | 0 | 0 |
| Statistics Canada | 1 | 0 | 0 | 1 | 0 | 0 |
| Transport Canada | 15 | 3 | 1 | 10 | 0 | 1 |
| Treasury Board of Canada Secretariat | 1 | 0 | 0 | 1 | 0 | 0 |
| Veterans Affairs Canada | 3 | 0 | 0 | 3 | 0 | 0 |
| TOTAL | 1,681 | 638 | 154 | 764 | 97 | 28 |

Monitoring Compliance

The Branch's portfolio system had a thorough workout this year. Less time was spent on formal audits and follow-ups; far more on consultation and discussion with government staff. This reflects the evolving trends in the public service: becoming more active and service oriented.

Privacy staff are now more likely to be consulted early in program design and service delivery; in some cases, sitting on internal or interdepartmental committees to examine new initiatives. Two recent examples are the Office's work with Elections Canada on the permanent voters' register (see A Vote for Privacy? page 14) and ongoing discussions with the Justice Department on the new firearms registry. Preempting problems is the priority.

An ounce of prevention...
Ensuring compliance with the Privacy Act goes beyond auditing. Prevention also includes providing ongoing guidance to federal institutions. The timeliness of this guidance is crucial: the earlier the better. An increasing number of federal institutions recognize the benefits of involving portfolio leaders at the outset, whether developing new policy or launching activities which could affect clients' and employees' privacy. This year, staff dealt with many initiatives involving personal data; the following are some examples.

Atomic Energy Control Board: miner exposure to radon
Atomic Energy Control Board (AECB) sought the office's input when Dennison Mines asked AECB's consent to destroy files documenting workers' exposure to radon. Dennison had mined uranium in Elliot Lake during the 1950s and 1960s.

AECB regulates atomic energy in Canada. Among its responsibilities is monitoring the health effects of radioactive substances on workers. AECB requires uranium mining companies to keep records of workers' exposure to radon - a known carcinogen.

Rather than see destroyed an invaluable source of data for research into the long-term effects of radon exposure, AECB asked Dennison for the records. The company agreed. AECB was then faced with ensuring that its collection and use of this information complied with the Privacy Act.

AECB anticipates matching the data with Statistics Canada's mortality database to determine the effects of exposure on employees' lifespan and their mortality rates from lung cancer. The use is consistent with the mining companies' original collection of the data - to monitor the health effects of exposure to radioactive substances.

To ensure that the database meets privacy requirements, the portfolio leader confirmed that:

  • the research is part of AECB's responsibility - controlling health and safety aspects of radioactive substances;
  • the information was originally collected directly from the individuals concerned (although AECB collected it second-hand from Dennison Mines). Obtaining consent of former employees for the transfer to AECB would have proven extremely difficult since virtually all left Elliot Lake when the mines closed;
  • a retention schedule is in place. AECB intends keeping the information until the youngest miner has reached the age of 100 (assuming an age of 18 when hired);
  • one current use of the data is consistent with the original collection: at the request of the Ontario Workers' Compensation Board, AECB confirms ex-miners' radon exposure to help the Board assess benefit entitlements for those diagnosed with lung cancer, and
  • workers have right of access to their data. AECB will establish a personal information bank to hold the records. This prepares a safe repository for similar records should other uranium mining companies close operations.

Rideau Hall: Order of Canada nominees criminal record checks
Last spring, the Chancellery at Rideau Hall approached our office to discuss submitting Order of Canada nominees to criminal record checks. Finding a recipient had a criminal record could put the reputation of the Order at risk. Staff suggested a compromise which could satisfy the Chancellery's needs and respect the nominees' privacy. Nominees will be advised they have been recommended for the Order of Canada and asked to obtain confirmation from the RCMP that they have no criminal record or, if they prefer, to consent to the Chancellery verifying on their behalf. Nominees would then have the option to refuse, even if this meant withdrawing their names.

RCMP: removing personal data from surplus equipment
Following the revelation (in last year's annual report) that the Office had found RCMP documents in a safe it purchased from Crown Assets, the RCMP asked the portfolio leader to review a new section of its internal Security Manual drafted to ensure that staff remove all information from surplus furniture before disposal.

Communications Research Centre: employee phone records
Telecommunications staff at the research centre (part of Industry Canada) asked for guidance on managers having access to employees' telephone call records to contest long-distance charges or deal with suspected abuse of government long-distance lines. Privacy staff suggested advising employees before reviewing their call records and blocking out the last four digits of the number to protect the privacy of the party called. In fact, call records can be singularly unhelpful if employees deal regularly with the public from a central office which handles calls from across the country.

Public Works and Government Services: automating security screening
Screening potential government employees or contract staff for security and reliability is a huge job - PWGSC processes an estimated 29,000 a year. In an effort to simplify and automate the process, the department has developed the Personnel Screening Data Collection Automation System to reduce paperwork and turnaround time.

The new system uses software designed to help private companies working on government contracts to gather and transmit personal data on employees who need security screening. The employer can load the software into a personal computer, gather the information and send it on line to the department. PWGSC will offer the service to 2,600 companies which do business with the federal government, as well as government departments and agencies.

Given the amount and type of personal information required - family information and work history - the Office was concerned about making private sector organizations responsible for its collection and storage when they are subject to no privacy laws.

The department provided privacy staff with the proposed security agreement to bind companies which have delegated authority to collect and store the screening information. The agreements will impose contractual obligations to protect the information in accordance with the Government Security Policy and spell out the government's ownership of the information. A pilot project is underway to test the system.

Public Service Commission: privacy clauses for outside surveys
The Public Service Commission agreed to the portfolio leader's recommendations to change procedures following its disclosure to a survey firm of names, addresses and phone numbers of those using PSC recourse services. The company surveyed complainants to assess their satisfaction with PSC service. The most noteworthy change is the planned inclusion of clauses binding private companies to the provisions of the Privacy Act.

RCMP: suspends ride along program
Personal safety is a growing public concern. However, the RCMP agreed with the Office that exposing crime in a television program should not override the right of the individuals filmed during police patrols to be presumed innocent until tried in court. The RCMP interrupted its cooperation with the program To Serve and Protect, filmed in British Columbia, until producers agreed to blank out the faces, addresses and licence plates of the individuals - a common practice in similar U.S. programming. The RCMP undertook to develop a nation-wide policy on participating with communities and the media on fighting crime.

Human Resources: using Internet
The federal government too is on the Net. However, as governments go on-line, security of personal data is a pressing concern. Human Resources Development Canada (HRDC) - custodian of personal information on virtually every working Canadian - is the first to devise a federal policy on serving clients over the Net. HRDC sought the office's input to safeguard information collected from the general public visiting HRDC's Web site, and to prohibit transmission of personal information by Internet. HRDC's policy should serve as a useful model for other government departments. (The Privacy Commissioner's own Web site is served by stand-alone terminals; there is no physical link to the internal network.)

Human Resources: the Electronic Labour Exchange
Another electronic project of HRDC is an Internet-based electronic labour exchange which "matches jobs to people and people to jobs". Employers use the exchange to specify the experience, skills and responsibilities of the position offered; job seekers describe their education, skills and experience. The exchange (an HRDC pilot project in the Ottawa area), attempts to bring the two together. Privacy staff offered HRDC guidance on collection and retention of job seekers' profiles, as well as subsequent uses of the personal data for labour market analysis.

Audits

The Privacy Act gives the Commissioner the power (and the discretion) to investigate federal government compliance with the act's fair information code - the rules governing collection, use, disclosure and disposal of individuals' personal information.

Traditionally, the Office selects a handful of organizations and examines their information handling practices (or, when the organization is large, one aspect of their operations). Given the near impossibility of systematic auditing, the Office has shifted its emphasis to examining privacy issues government-wide.

Nevertheless, the Office completed two audits during the past year - the Communications Security Establishment and the Canadian Centre for Management Development - and reviewed the internal compliance audit for a third - Canada Post's Central Division.

Communications Security Establishment (CSE)
CSE provides the federal government both the advice and the means to secure its own communications. It also provides the entire government with foreign "signals intelligence": gathering and analyzing information about foreign countries by intercepting and studying their radio, radar and other electronic communications. CSE reports to the Minister of National Defence.

This audit proved to be one of the more complex the Office has undertaken, for several reasons. First, the nature of the material gathered and handled by CSE is extremely sensitive and demanded high-level security clearances for investigators, physical modifications to office space, and special equipment to process documents.

Second, in the midst of the audit, there were several public allegations that CSE was gathering data about Canadians and monitoring their legitimate political activities. Unfortunately, the ensuing public debate, and revelation that the office was conducting a routine audit, may have raised unrealistic expectations as to what the Privacy Commissioner could report.

Third, the Official Secrets Act also binds the Privacy Commissioner. This necessarily limits what he can report publicly.

Finally, and most germane to the Office's investigation, is that CSE's mandate is not set out in enabling legislation (as with most other government agencies) except those unspecified powers conferred on the minister under the National Defence Act. Privacy audits usually rely on enabling legislation to assess an organization's compliance with the Privacy Act. A legislated mandate is the benchmark against which an organization's information management is measured; what information is collected and how, and how it is used, disclosed and ultimately destroyed. The government has given CSE a stated rather than legislated mandate to conduct foreign signals intelligence. It was against this stated mandate that the Office assessed compliance.

From a representative sampling of SIGINT data and reports, Office investigators concluded that CSE collects only information which serves the government's established foreign intelligence criteria. They found no evidence to support any allegations that CSE "targets Canadians" or monitors their communications. It is inevitable that any monitoring of foreign electronic communications will inadvertently trap information about some Canadians. However, CSE has strict procedures to minimize the possibility and to destroy any such information that does not meet government's foreign intelligence needs. Finally, the investigators also found that CSE's intelligence reports to government did not violate the act.

Nevertheless, the government should introduce legislation establishing explicitly a legal framework and review mechanism for CSE's operating programs and activities. Not only would this allow its personal information management practices to be measured objectively, it would establish in law protection for Canadians' liberties - as well as a clear underpinning for CSE. Legislation would stimulate informed debate about the agency's mandate and better understanding of its activities. In short, more light; less heat. The timing appears right: as we go to press, the government announced it will establish an independent oversight body for CSE.

Canadian Centre for Management Development (CCMD)
CCMD provides management orientation and training courses to senior federal government managers and appointees. Its two National Capital Region campuses and Edmonton satellite office employ about 200 government and private sector researchers, professors and other staff. The Centre holds personal information about both staff and approximately 30 per cent of the almost 12,000 students who attend CCMD courses and seminars each year. (No personal information is gathered from the other participants.)

This first audit of the CCMD examined how the Centre collects, keeps, uses, discloses, and protects its personal information holdings, and assessed employees' general knowledge and awareness of their obligations under the Privacy Act.

The audit identified several problems with the Centre's management of personal information. For example, files containing personal information were stored in insecure locations; some personal information holdings had not been identified and described in Info Source; disposal schedules had not been developed, or were not being applied, leading to information being stored longer than needed, and contracts requiring access to personal information did not bind contractors to comply with the Privacy Act. Before the audit, staff knew little about the requirements of the Act. This explains most of the shortcomings identified. However, staff understood the concept of "confidentiality" well, and were willing to learn.

Privacy audit staff made several recommendations to the Centre, including:

  • within one year, implement a personal information management policy covering the entire cycle from collection to disposal;
  • properly organize, file and control circulation of its personal information holdings;
  • revise its forms to avoid collecting unnecessary personal details from students and to advise them of their rights under the Privacy Act;
  • with the help of the National Archives, implement a retention and disposal schedule for its personal information holdings, and review its current holdings to determine those which should be disposed of;
  • implement measures to protect its personal information holdings from unauthorized access;
  • exercise caution when transmitting personal information by fax;
  • state in all contracts with third parties that the personal information to which they have access is under the control of the CCMD and subject to the Act;
  • educate current and new CCMD employees on these initiatives and about the requirements of the Act; and
  • accurately describe all of its information holdings in Info Source.

CCMD reacted quickly to the recommendations and is taking action to deal with all issues raised.

Canada Post Corporation - Huron Division
Advised of the Office's planned audit, Canada Post reacted by launching its own. Spurred by discussion in the Privacy Commissioner's last annual report about Huron Division managers keeping "shadow" files on their employees (and refusing access to the files under the Privacy Act), Canada Post's Central Area privacy office began examining former Huron Division files.

The audit confirmed the problem of "shadow" files and led Canada Post to concrete action. Managers were told that they "may" retain in their personal files documents such as attendance calendars or other records needed to "support the supervision of employees, especially at remote work sites". However, two conditions were imposed:

  • these documents must only be copies of documents found in official employee files, and
  • the documents must be described in a new personal information bank listed in Info Source.

Privacy staff examined the results of Canada Post's preliminary compliance review and concluded that the proposed changes to the corporation's business practices made it unnecessary for the Office to conduct its own audit at this point. Instead the Office will monitor complaints against Canada Post to help assess whether the corrective action produces a long-term solution.

Citizenship & Immigration (CIC)
Last year we reported recommendations from our audit of CIC's informatics system. CIC was (and still is) in the midst of a massive re-organization. Despite these pressures, CIC has prepared an action plan for each of the recommendations. It has also agreed to present specific compliance reports and action plans to respond to the Office's requests prompted by the audit. These include:

  • developing a department-wide plan for ongoing privacy training;
  • completely overhauling its listings in Info Source;
  • reviewing a sample of its information sharing agreements;
  • reviewing its retention and disposal schedules for personal records, and
  • reviewing its personal information collection and procedures to ensure compliance with the Privacy Act.

Follow-ups

This year, staff continued following up earlier audits to determine whether federal institutions complied with our recommendations. Once again, staff found a high degree of compliance.

Canadian Human Rights Commission (CHRC)
Staff returned to the Commission, first audited in 1992. CHRC has begun addressing several problems the audit identified, including how the Commission describes, keeps and protects access to its paper and electronic files. CHRC has also developed guidelines for its staff on using fax machines to transmit sensitive complaint information.

Some work remains to be done on three recommendations. The Commission has not conducted a complete security and risk assessment for areas where complaints are processed and stored. And while CHRC contracts now require outside contractors to respect the confidentiality of the information they process on its behalf, they do not contain satisfactory clauses clearly establishing that any personal information gathered is deemed to be under the control of the Commission and subject to the Privacy Act. Finally, the Commission's mailing lists need to be described in Info Source as a personal information bank, rather than a general information holding.

National Research Council (NRC)
Following the Office's 1992 audit, NRC has complied with all but one recommendation, and work on the one outstanding issue - weeding out old personal records - is well under way.

NRC has

  • written explicit privacy language into its contracts with contractors providing Employee Assistance Plan services;
  • listed in Info Source its collection of personal information on employees who have undergone reliability checks;
  • split its personnel files into three components to control access to the information, and destroyed duplicate dormant files maintained in a regional office, and
  • designed a segment for an existing course, Managing a Diverse Workforce, given nationally to improve employees' awareness of privacy law. The course is mandatory for managers, supervisors and all headquarters staff.

National Defence (DND)
DND has acted on all but three of the outstanding recommendations from the Office's 1991 audit. Those three concerned Canadian Forces Base Lahr, now closed.

Royal Canadian Mounted Police (RCMP)
All eight outstanding recommendations from the 1991 audit have been dealt with. They included creating a new information bank for Benefit Trust Fund records, amending other bank descriptions, extending the retention period for some records to the required two years, and ensuring that crime victims consent before investigators give their names to victim's services volunteers.

Information Sharing Study

Background
This year the branch analyzed returns from its survey of government sharing and data matching of personal record holdings. The survey attempted to identify both disclosures under various information sharing agreements and "arrangements", and data matches - of which the Commissioner receives suspiciously few notifications.

Statistics Canada staff advised on the structure of the questionnaire and an advisory committee guided the project and reviewed the findings. The Office distributed the survey to all deputy heads in February 1995 and completed data collection late in 1995. The final results are based on 107 of 109 institutions responding. Some blatant errors were corrected but generally the data was entered as reported. While the survey results are not exhaustive (and have not been verified), they are revealing.

Why sharing needs tallying
Although the Privacy Act protects clients' and employees' personal information, the law allows several disclosures. One of these permits federal government agencies to share information under "an agreement or arrangement" with other levels of government and international organizations. However, the sharing is to be described publicly so that individuals understand how government uses and discloses their information. This is the "informed" part of informed consent.

The Act is also clear that personal information collected for one purpose cannot be used for other unrelated purposes - this includes sharing between programs within a single department for which there is no provision. New uses for data are permitted if they are "consistent" with the original purpose, the Commissioner is notified and the new use described in Info Source.

The findings
The results are summarized here. Datamatches were examined to determine whether they started before the Treasury Board's policy was put in place or, if after, whether the Commissioner was notified as required.

| Category | Number | % |
|---|---|---|
| Institutions surveyed | 109 | 100 |
| Institutions responding | 107 | 98 |
| Institutions sharing internally | 35 | 33 |
| Number of internal sharing arrangements | 137 | N/A |
| Number reported in Info Source | 70 | 51 |
| Institutions sharing externally | 51 | 48 |
| Number of external arrangements/agreements | 861 | N/A |
| Number reported in Info Source | 591 | 69 |
| Data matches | 15 | 14 |
| Number reported in survey | 66 | N/A |
| Data matches reported in | 6 | 9 |

Internal Sharing
Few Info Source bank descriptions mention internal sharing clearly and explicitly. There are some oblique references to the program with which the information is shared; other examples require the reader to refer back to program records. There is often no apparent consistency between the new and original collection purpose. Finally, information from several programs is stored in an integrated computer system, providing staff access to (and, presumably, use of) all information in the system.

Even those 70 cases of sharing which departments consider they have reported in Info Source are difficult to detect by experienced staff, let alone the public. They demand both careful perusal and liberal interpretation.

External Sharing
External sharing is reported more frequently in Info Source, occasionally (but not usually) citing a clear authority for the sharing - one listing named "the Constitution of Canada" as the authority. No further details were provided.

The number of sharing agreements and arrangements may appear high. However, they are inflated by two departments, Statistics Canada and Revenue Canada, which together reported 434 - more than 50 per cent of the total 861. Of this 434, 319 were covered by written agreements.

Datamatching
The survey reports 66 data matches, of which only six are reported in Info Source. Our already low expectations were based on the 30 proposals submitted for the Commissioner's review since 1987. Departments have apparently lost track of even these 30 and public descriptions of the six are unclear. One institution's survey response maintained that it did not data match, yet all its personal information bank descriptions state that the information may be used for datamatching.

There was another anomaly: some matches were reported by one institution, but not the other. Although the reporting institution may be considered the "matching" institution (and the other merely provided information), at the least the information provider should report the disclosure as external sharing. This was not the case.

Only eight internal data matches were reported; surprising given the proliferation of computer systems.

While Treasury Board's instructions on conducting a data match are clear, some privacy coordinators seem unsure about their application. The result: neither the public nor the Commissioner is being told. Far greater cooperation is needed between departmental privacy coordinators and the program staff who devise the matching proposals.

Conclusions
It is evident that the returned questionnaires are not always accurate or complete; for example, they revealed:

  • incomplete responses to questions on the existence of written agreements to cover an activity;
  • no list of personal information banks which describe a sharing or matching activity;
  • information the Office knows to be inaccurate;
  • failure to list data matches reviewed by the Office, and
  • suspected under-reporting of both matching and sharing.

While it may be risky to draw conclusions from the returns, one thing is clear - Info Source is a difficult tool to use in its present form, even for experienced staff. It demands careful perusal to determine the extent of government datamatching, or consistent uses departments make of personal information under its control. Even then, the references are often oblique.

Our sympathy is with uninitiated readers trying to find their way through this thicket. It's time for the government to be much clearer and more forthright on its uses of clients' and employees' data.


In the Courts

Minister of Finance v. Michael Dagg
The Supreme Court of Canada has agreed to hear Mr. Dagg's appeal of a lower court decision denying him access to the Department of Finance's after-hour employee sign-in sheets. The Privacy Commissioner will intervene in the case.

Last year's annual report described the Federal Court of Appeal's decision (see page 26) which established clearly that the Privacy Act and the Access to Information Act are of equal status. Once information sought under the Access Act is found to be "personal", it may only be given to third parties if disclosure is permitted by the Privacy Act.

The Court has yet to set a date for the hearing.

Rubin v. Clerk of the Privy Council
This case, although brought under the Access to Information Act, also has significance for the Privacy Commissioner because an identical provision appears in section 33(2) of the Privacy Act.

The Supreme Court confirmed a lower court decision that no-one has a right to have access to another person's representations to the Information Commissioner and that confidentiality continues, even when the investigation is completed. Mr. Rubin had argued that the confidentiality of representations should end, once the investigation is finished.

The ruling suggests that the Court would reach a similar conclusion about representations to the Privacy Commissioner.

Privacy Commissioner v. Canada Labour Relations Board
The Federal Court heard this case early in June. The case, reported in some detail in the 1994-95 report (see page 27), concerns access to personal information contained in handwritten notes taken by Board members at a labour relations hearing. The decision is expected in the Fall.


Taking the Show on the Road

Despite government's apparently firm conviction that the Privacy Commissioner has no education role (and certainly needs no money to inform Canadians), taxpayers think otherwise. The Office handled 1304 publication and media requests and there were more than 30,000 visits to the Commissioner's new Web site. In fact, the Office was one of the first dozen federal agencies to establish a site as part of the Open Government pilot project. In addition to providing the Office's information and publications, the site links to other privacy sites.

Commissioner and staff gave more than 30 speeches this year, and had to gracefully decline almost as many. The cupboard is bare.

Consumers, business, professionals and the media are alive to privacy as an issue. The recent survey by Ekos Research Associates for the Public Interest Advocacy Centre (PIAC) and the Fédération nationale des associations de consommateurs du Québec (FNACQ) demonstrates the public's growing concern.

Overwhelmingly, Canadians want to be informed about the collection of their personal information and the uses to which it is put. They insist that their permission be obtained before their information is passed to another organization. And 87 per cent think government should treat the issue as a priority. (Copies of the entire report are available from PIAC in Ottawa and FNACQ in Montreal.)

Among the speaking engagements, Commissioner and staff spoke about the privacy implications of information technology to

  • the Canadian Telecommunications Superconference;
  • the 11th annual General Assembly of the World Teleport Association;
  • the annual Winter Cities conference of northern mayors;
  • the Communications Security Establishment's annual computer Security Conference, and
  • the University of Victoria's Leading Edge Technologies conference.

Interest in bringing the law into the information age led to speeches to the Canadian Bar Association and the Commissioner delivering

  • the Law Society of Manitoba's annual Isaac Pitblado lecture;
  • the annual I.P. Sharp lecture to the University of Toronto's Information Management faculty, and
  • a Legislative Library Noon-Hour talk to New Brunswick legislators, staff and the public.

Where to draw the line on DNA testing, in criminal investigations and insurance underwriting, was the subject of speeches to

  • the Genetics and the Law symposium at Osgoode Hall, Toronto, and
  • the annual conference of the Canadian Life Insurance Medical Officers' Association in Regina.

Corporate Management

The Privacy and Information Commissioners share premises and administrative services but operate independently under their separate statutory authorities. Corporate Management Branch provides centralized administrative services to avoid duplication of effort and realize cost savings to the government. The services include finance, personnel, information technology advice and support, telecommunications, library services and general administration.

The Branch has just 15 staff (who perform a variety of tasks) and a budget representing 15 per cent of the overall OIPC budget. Subject to modest savings through information technology, the Branch has gone as far as it reasonably can to simplify and streamline service delivery.

Resource Information
The Offices' combined Main Estimates for the 1995-96 fiscal year were $6,186,000, a decrease of $236,000 over 1994-95. Actual expenditures for the 1995-96 period were $6,516,792, of which personnel costs of $5,435,439 and professional and special services expenditures of $565,170 accounted for more than 92 per cent of all expenditures. The remaining $516,183 covered all other expenditures including postage, telephone, office equipment and supplies.

Figure 1: 1995-96 Resources by Organization/Activity

HUMAN RESOURCES (FULL-TIME EQUIVALENTS)

Information 33 (38%)
Administration 15 (17%)
Privacy 38 (44%)

FINANCIAL RESOURCES ($000)

Information 2680 (41%)
Administration 955 (15%)
Privacy 2882 (44%)

Figure 2: Details by Object of Expenditure

Object of Expenditure                   Information      Privacy  Corporate Management        Total
Salaries                                  1,938,644    2,252,614               585,181    4,776,439
Employee Benefit Plan Contributions         262,400      307,570                89,030      659,000
Transportation and Communication             56,724       72,323                92,391      221,438
Information                                  27,046       46,635                 5,376       79,057
Professional and Special Services           302,101      168,871                94,198      565,170
Rentals                                       2,352          589                13,766       16,707
Purchased Repair and Maintenance              4,695          143                 8,957       13,795
Utilities, Materials And Supplies            24,350       12,864                37,752       74,966
Acquisition of Machinery and Equipment       61,328       19,375                28,429      109,132
Other Payments                                  576          512                     -        1,088
Total                                     2,680,216    2,881,496               955,080    6,516,792
* Expenditure Figures do not incorporate final year-end adjustments reflected in the Offices' 1995-96 Public Accounts.

Organization Chart
