Annual Report to Parliament 1999-2000


The Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3

(613) 995-8210, 1-800-282-1376
Fax (613) 947-6850
TDD (613) 992-9190

© Minister of Public Works and Government Services Canada 2000
Cat. No. IP 30-1/2000
ISBN 0-662-64957-5

This publication is available on audio cassette, computer diskette and on
the Office's Internet home page at



Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada


May 2000

The Honourable Gildas L. Molgat
The Speaker
The Senate

Dear Mr. Molgat:

I have the honour to submit to Parliament my annual report which covers the period from April 1, 1999 to March 31, 2000.


Yours sincerely,

(Original signed by)

Bruce Phillips
Privacy Commissioner of Canada


Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada


May 2000


The Honourable Gilbert Parent
The Speaker
The House of Commons


Dear Mr. Parent:

I have the honour to submit to Parliament my annual report which covers the period from April 1, 1999 to March 31, 2000.


Yours sincerely,


(Original signed by)

Bruce Phillips
Privacy Commissioner of Canada


Our thanks to the cartoonists who have enlivened this year's annual report—John Grimes, Cathy Guisewite, and Chris Slane—to Peter Lefebvre of CURSOR communications, who prepared this year's cover, and to Guylaine Duval of Canada Communication Group, who supervised the printing of the report.

Pausing to reflect—and soldiering on

Advocating and defending privacy is, most of the time, a labour of love, but it does help sometimes—particularly in the face of adversity—to reflect on exactly what it is that we are trying to do. While all of us have our thoughts on what privacy is and what it means, the following help us to remember why it is important.


...the right to be let alone - the most comprehensive of rights, and the right most valued by civilised men.

U.S. Supreme Court Associate Justice Louis Brandeis, 1928

Conceal your life

attributed to Neocles, father of Epicurus, 3rd century BC

This notion of privacy derives from the assumption that all information about a person is in a fundamental way his own, for him to communicate or retain as he sees fit.

— Privacy and Computers, 1972

Knowing what to conceal is knowledge for a king.

— Cardinal Richelieu, statesman, 1640

Civilization is the progress of a society toward privacy. The savage's whole existence is public, ruled by the laws of his tribe. Civilization is the process of setting man free from man.

— Ayn Rand, author, 1943

My soul has its secrets, my life its mysteries.

— Félix Arvers, poet, 1833

A man has a right to pass through this world, if he wills, without having his picture published, his business enterprises discussed, his successful experiments written for the benefit of others, or his eccentricities commented upon, whether in handbills, circulars, catalogues, newspapers or periodicals.

- New York State Court of Appeals Chief Justice Alton B. Parker, 1901

One's true worth is measured by the ability to do alone what one could do in public.

- François de La Rochefoucauld, moralist, 1664

If a society without social justice is not a good society, then a society without privacy is a society without social justice. We must operate in the knowledge that the sanctity of the individual is what we must preserve as if your lives depended upon it - because they do.


It has long been recognized that this freedom not to be compelled to share our confidence with others is the very hallmark of a free society.

— Supreme Court Justice Gerard La Forest, R. v. Duarte, 1990

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.

—Professor Alan Westin, 1967

Privacy is related entirely to the degree to which we respect each other as unique individuals, each with our own sets of values which we are entitled to make known or not as we see fit. To truly respect your neighbour, you must grant that person a private life. Respecting one another's privacy means the difference between a life of liberty, autonomy and dignity, and a hollow and intimidating existence under a cloud of constant oppressive surveillance.

— Bruce Phillips, Privacy Commissioner of Canada, 1999

Table of Contents

A Commissioner's Reflections
The Past Ten Years
Bill C-6—Private Sector Data Protection, at Last
Trust and Control: Canadians' Attitudes Towards Privacy
Personal Health Information: Too Many Demands, Too Little Privacy
Progress on the Canada Health Infoway, but what about protection for patients?
What's in a name? The Alberta Health Information Act
A lifetime medical identification number for physicians
Privacy Act Reform
Counting Canadians—Keeping Promises, Building Trust
2001 Census—enhancing transparency in the census collection
Historical census records
SIN, Again
A Citizen Profile in all but Name—HRDC's Longitudinal Labour Force File
On the Hill
Cleaning up money laundering: Update on the Proceeds of Crime Act
Clearing customs: Flying the unfriendly skies
Providing taxpayer/business information to provincial statistical agencies
Filling the gaps: A charter of privacy rights
Issues Management and Assessment Branch
Assessing Privacy Impacts
Data sharing at the Canada Customs and Revenue Agency
Conducting client survey research
Review of Firearms Registry/Canadian Firearms Centre
Data matching proposals—births and deaths with Canada Child Tax Benefit database
Incident investigation—loss of laptop in Halifax—Correctional Service Canada
Public interest disclosure—medical information about a deceased member of the Canadian Armed Forces
Reporting on the administration of the Privacy Act—minimal compliance is not enough
Complaints
Definitions of Complaint Findings and Dispositions
Advice for all interviewers: Never assume the person sitting across from you can't read upside-down
A well-founded complaint about a serious matter—disclosure of personal income tax information
"Smith" the good citizen or "Smythe" the criminal? It's all the same to some computer databases
Appeal board witness grilled—about irrelevant private matters
RCMP officer vs. seatbelt violators: Next, he was going to tell their mothers on them
The mystery of the missing missive: Canada Post finds after agreeing to seek
Young Offenders Act: Not all matters of privacy are matters for the federal Privacy Commissioner
Personal information gets trashed-or so Elections Canada hopes
Lax information technology procedures in prison cause a dangerous breach of privacy
A case about a case, not properly secured
Improper destruction of records: A reprehensible act
Information access: A matter of give and take
The SINs of our fathers: At least some of them will not be visited upon us
Partial remission of SIN: a fair compromise, albeit another dubious pun
Inquiries
In the Courts
Ten years of significant court decisions
Ongoing cases
Complementing C-6: Private Sector Initiatives
Reclaiming your internet privacy: technology to the rescue!
Marketing to children: The Canadian Marketing Association's guidelines
Privacy Update
The provinces and territories
Privacy around the world
Stories we read in the news
Corporate Management
A Tip of the Hat

A Commissioner's Reflections

It is almost ten years since this commissioner took office. This annual report, therefore, is something of a retrospective, summing up some of the major issues and developments of the period.

The report records many improvements, large and small, which have resulted from the efforts of this office. It also shows how far we have yet to go in the ongoing battle to protect the right to a life free of surveillance and intrusion.

Doubtless the recent passage of legislation extending privacy law into the Canadian commercial sector is the most important development of this last decade. It covers a major part of the information world. But it is by no means the whole answer. Still missing is an adequate legal regime covering such things as video surveillance, physical privacy, biomedical privacy, drug and DNA testing, to mention a few.

Also necessary is a revision of the privacy law which governs the information holdings of the Government of Canada. This law, now approaching two decades in age, in some important ways imposes less rigorous standards on government than the new private sector bill does on Canadian business. It should be the other way around. This issue needs to be addressed, urgently.

It's now a cliché that the last ten years have brought forth an information management revolution, thanks to ever more mind-boggling advances in computer and communications technology. It's even more true that the law still lags far behind in its duty to ensure this technology is harnessed to the cause of human liberation and not to its subjugation.

On a personal note, let me say these ten years have given me the greatest privilege and honour I have ever known, namely the chance to go to bat for my fellow Canadians. This office of Parliament, as Teddy Roosevelt would say, is a bully pulpit. Used without fear or favour, dedicated solely to the advancement of human freedom, it can be a powerful voice.

One rueful observation: in ten years, I have yet to meet one person, in public or private life, who has not professed great belief in the right to privacy. But I have witnessed some of those same persons engaged in activities utterly destructive of that right. Talking the talk is no substitute for walking the walk. This job demands a skeptic, albeit an optimist as well.

Finally, it must be said that whatever good we've achieved here in the last decade could not have been done without a truly magnificent staff, as committed and competent a group as I have ever encountered. Their names, past and present, are recorded elsewhere in this report. I am in their debt.

Bruce Phillips
Privacy Commissioner of Canada

The Past Ten Years

Government Rationalization and Privatization
The past decade has seen all levels of government subjected to unrelenting pressures to eliminate waste and manage and deliver public goods and services more efficiently. Governments have responded by contracting out functions once performed by government employees, transferring government operations to the private sector, centralizing and consolidating operations, and striking partnership agreements with other levels of government to deliver services.

Contracting around privacy obligations
These trends, which arguably contribute to more efficient public administration, have also undermined and circumvented the law protecting Canadians' informational privacy rights. Government "contracting out" was the first of these trends, one that prompted us to try to stem the tide of personal information being leaked to the private sector without adequate privacy protection.

We have always argued that once government hires private contractors, they become "agents" for the Crown and thus covered by the Privacy Act. However, many contractors neither recognized nor respected this principle, treating the information they gathered or produced as their own. In an effort to stop this end run around the act, we began working with Supply and Services Canada, as it was then called, and Treasury Board to develop model service contracts with clauses specifically designed to bind the contractor to the act. However, years after devising the model contract, our audits continue to reveal contracts without any privacy provisions.

Contracting out presented a challenge that was manageable; privatization of significant government holdings was a challenge of another magnitude. The threat to privacy was brought into dramatic relief in 1995 with privatization of Canada's air traffic control system. The creation of NAV CAN saw the transfer of some 6000 federal government employees and the personal files of many more thousands of users of the system out from under the protection of the Privacy Act. Their rights to access and control their personal information were gone. Government ignored our repeated recommendations to bind the new entity to the Privacy Act, a move we observed "constituted nothing less than a privacy disaster." A lesson may have been learned; the government's transfer of the St. Lawrence Seaway Authority was scrupulously done.

When the federal government was not offloading significant assets, it was merging, centralizing and consolidating government operations under new or reconfigured government departments. A remarkable example of this trend was the 1994 amalgamation of various components of the departments of Employment and Immigration, Health and Welfare, Labour, Multiculturalism and Citizenship, and the Secretary of State under the newly constituted Human Resources Development Canada (HRDC). This new "super department" presides over such vast areas as unemployment insurance, pensions, occupational health and safety, child and family support benefits, disability benefits, education, occupational training, and job creation. This amalgamation brought under one department's control personal information of a nature and on a scale unprecedented in Canadian history. HRDC reaches into virtually every Canadian's life.

Information Management Technology

The explosion in information technology in the 1990s gave the government a new tool in its drive to reduce costs and increase administrative efficiency. In its 1994 Blueprint for Renewing Government Services Using Information Technology, the government outlined its plan to use advanced computer technology to "streamline," "re-engineer" and "modernize" the federal public service.

The report advocated an integrated electronic web linking all branches of government, based on a standardized and interoperable communications system that would allow federal and provincial governments, as well as private companies delivering government services, to share information.

Anticipating the impact of this technology on citizens' privacy, we developed a "Privacy Check List". The checklist was published in the 1992-93 annual report in an effort to alert senior government officials to the privacy impact of new information management systems, and to guide departments on building privacy into the design and application of these new systems. Although the Blueprint acknowledged the need to ensure the "security, integrity and privacy" of information, in many respects the report's recommendations were a frontal assault on the privacy principles. How, for example, can sharing information across multiple levels of government and the private sector be reconciled with the fundamental privacy tenet that government should only use or disclose personal information for the purpose for which it was collected?

We warned that elements of the Blueprint "could dismantle the protective walls around personal data" erected by the federal Privacy Act.

Another advanced data processing technology loomed in the 1990s, the "data warehouse". HRDC was one of the first federal government departments to recognize its potential as an information management tool and to install such a system. A data warehouse integrates data from a variety of different sources and places it in a central electronic repository where the information is standardized and made available for use and manipulation by a number of different users. For managers, the potential is exciting. For privacy, however, the data warehouse rings alarms. Personal information collected for one purpose could become available for different and unrelated purposes. Warehousing data also permits the creation of client profiles—or, more insidiously, "client intimacy" systems—drawn from historical transactions and relationships previously unknown.

Personal Identifiers
The Blueprint's vision of a "horizontally-integrated" public service, and initiatives such as data warehousing, require a unique identifier to link information to the individual. With so many partners in the system, each wants to be sure that they are collecting information about—and delivering services to—the proper person. No surprise then that the whole process of "re-engineering" government would demand a national common client identifier. And no surprise that government would focus on the Social Insurance Number (SIN), already a de facto national identifier through a lack of legislative controls.

In the mid-1990s a group of information technology managers from the income security departments of the federal, provincial and territorial governments began studying the feasibility of a national common client identifier. The group's 1996 report, Enhancing Service Delivery Through a Common Client Identifier: Options and Opportunities, concluded that using a common client identifier (and its supporting database) could yield governments significant gains. These gains included properly identifying legitimate claimants before benefits were paid, eliminating duplicated costs from issuing multiple identifiers, and facilitating accurate data matching to detect fraud. Although the group considered several options, it concluded that a "modernized" SIN was the best option. It recommended equipping the SIN card with enhanced security features—including a possible biometric feature to prevent forgery and to accurately link the card to the individual. We could agree with one aspect of the report, its conclusion that privacy was the single greatest barrier to developing a common client identifier.

The Auditor General's 1998 report, Management of the Social Insurance Number, confirmed long-held suspicions that the existing legislative and administrative framework governing SINs served neither the interests of government nor the privacy rights of the public. Not only did the Auditor General recommend improvements to government management of SINs, he called for Parliament to review the broader policy issues associated with the number, particularly its possible role as a national common client identifier. Parliament responded by directing the Standing Committee on Human Resources Development and the Status of Persons with Disabilities to study both the administration and policy regime governing the SIN. The Standing Committee tabled its report, entitled Beyond the Numbers: The Future of the Social Insurance Number System in Canada, in the spring of 1999. The committee directed HRDC to prepare a report by year's end that would settle the future role of SIN as a national personal identifier.

Privacy concerns have figured prominently in the debate about SIN since its inception. Public resistance to SIN becoming a universal identifier, fortified by the Parliamentary review committee's recommendations in Open and Shut, prompted the 1989 Treasury Board directive limiting federal government uses of SIN. Successive Privacy Commissioners have warned of the dangers of establishing any system of universal identification, be it a modified SIN or some other number. We have repeated these warnings but perhaps never more forcefully than in the late 1990s when Canadians faced the real prospect of their government adopting a universal system of client identification.

At the heart of our apprehension is our loss of control: control over what information others have about us, control over how they use that information, control over our ability to influence events and decisions that affect our lives, and ultimately control over our ability to make choices based on our own rational self interest. A universal system of identification threatens to undermine our control by allowing organizations to use the identifier to obtain information about us without our knowledge or consent. It greatly increases governments' ability to gather information from various sources and assemble profiles, as well as to monitor and track an individual's behaviour. When the identifier is compulsory—almost unavoidable when it is widely used and required by all government departments and agencies—the identifier effectively becomes an "internal passport" without which we are nobody. In the "horizontally-integrated" public infrastructure envisioned in the federal government's Blueprint, a universal common client identifier threatens our personal autonomy by exposing our lives to continual scrutiny.

In December 1999, HRDC tabled its position paper on the SIN, entitled A Commitment to Improvement: The Government of Canada's Social Insurance Number Policy. To our relief, the paper rejected transforming the SIN into a national personal identifier. HRDC cited two reasons: such a system would be hugely expensive with little evidence of payback; and establishing a comprehensive national system of identification would carry with it "severe privacy concerns". However, the position paper, to be discussed later in this report, did not endorse the Standing Committee's (and our) recommendation to legislate restrictions on SIN, nor did it reject using the number as a common government client identifier. The jury is still out.

Electronic Networks and the Internet
Government's gradual replacement of paper-based records management and communications with electronic systems has led to growing concern over data integrity and security. Unlike conventional mail, information transmitted electronically offers no sealed envelopes to protect confidentiality, and no trusted system to ensure safe delivery. Neither the sender nor the recipient can control (or know) who reads their e-mail while in transit. The privacy implications are obvious for individuals whose personal information is transmitted over open systems. A message sent in the open allows anyone with access to the system to read, record, monitor, tamper with or even destroy the message en route. For employees, it means the threat of supervision through constant electronic surveillance.

To its credit, the Treasury Board Secretariat recognized the implications for employees and developed its Policy on the Use of Electronic Networks, published in 1998. The policy clarifies both employers' and employees' expectations and rights when using electronic networks in the workplace. The policy endorses the principle that employees have a reasonable expectation of privacy in their workplace, even if using government equipment. The policy also defines and limits the circumstances in which senior management can legitimately monitor or intercept communications on the government network. Those circumstances include when there are reasonable grounds to suspect an employee of misusing the network, or when monitoring is part of routine network maintenance. Although the policy recognizes employees' right to reasonable privacy in the workplace, it also suggests that an employer could diminish that reasonable expectation simply by notifying employees that monitoring will occur.

Of course, electronic networks threaten the public's privacy when dealing with government through such a system. The federal government commissioned surveys in the mid-1990s to assess the public's comfort level with new interactive technology, and their willingness to use it to deal with government. The surveys consistently revealed high public anxiety about the security of electronic transactions as well as the systems' ability to protect personal privacy. These findings led the National Advisory Council on the Information Highway, which was developing the federal government's strategy for Canada's information highway, to an inescapable conclusion: assuring the public that electronic transactions are secure from unauthorized access, monitoring, modification and misuse would be critical to government success in modernizing the public service, and preparing the Canadian economy for the information age.

By the late 1990s, encryption was seen as a valuable tool for protecting electronic transmissions. Encryption is the science of transforming plain text into cipher text and vice versa, and is supported by a Public Key Infrastructure (PKI). PKI cryptography is based on a two key system: a public key (known to many) to encrypt the data, and a private key (known only to one party) to decrypt the data. While the keys make a matched pair, one cannot derive the private key from knowing the public key. Thus, no one except the person holding the private key could decrypt the message. This system, combined with a system of digital authentication, holds great promise for protecting security and privacy in electronic communications.

The federal government's system, however, requires some trusted authority to generate the keys, certify their validity, and manage their secure distribution. Here lies the Achilles' heel of PKI. To make the system operable, some central authority must know everyone's private key, and hence hold the power to decrypt all our communications. Both Canada Post and the Communications Security Establishment have been touted as the trusted authority. Meanwhile, several federal government departments—Health Canada, Human Resources Development Canada, and Public Works and Government Services Canada—are experimenting with PKI technology. The test results will point the way to its more universal application. However, Canada needs a vigorous debate before government hands any agency the keys to unlock our most private communications.

Surveillance, on the Job and off
In 1992, a senior Office of the Privacy Commissioner manager, addressing a group of human resources professionals, set out an argument for respect for privacy in the workplace, as part of an overall ethical approach to labour relations. His focus was on what might be called the "traditional" threats to privacy in the workplace: excessive demands for employees' personal information, misuse of the information, denial or limitation of access to it, and careless disclosure of it outside the employer's organization. But he also mentioned, in passing, drug testing and genetic testing and a privacy issue that was just beginning to emerge as a dark side of computerization and electronic information management: electronic surveillance.

Systematic surveillance of workers has a long history, going back at least as far as Frederick Taylor's "scientific management" with its detailed and precise measurements of workers' body movements. The blurring of the line between employers' legitimate interests and employees' private lives also has a long history. Henry Ford, who sent investigators from his "Sociological Department" to workers' homes to report on their moral behaviour, was probably not the first and certainly not the last employer who wanted to look at more than just the result of his employees' work.

Modern times have seen us move beyond searches, background checks, private detectives, medical and psychological testing, and even polygraph testing. The new surveillance includes closed-circuit television systems, keystroke monitoring, computerized surveillance of vehicle use, second-by-second tracking of employee location, and monitoring of telephone, Internet, and e-mail use.

Employers have legitimate reasons, of course, to be concerned about security, trade secrets, reputation, work environment, and possible overloads and crashes of their computer systems. But vigilance should not be confused with hysteria. The surveillance systems they introduce may have consequences far worse than the perceived problem they are set up to address.

Abuse of surveillance systems is an obvious risk. Any system is only as good as the people operating it. Surveillance can creep beyond what is properly the employer's business, to union activities or identification of whistleblowers, for example. Malice can lead to selective building of negative records on particular employees. Sensitive information can end up in the wrong hands, and find its way into blackmail schemes.

But even when surveillance systems are used exactly as intended, they raise troubling questions. Given the length of working days, is it reasonable to put an absolute prohibition on employees communicating privately, without employer surveillance, with family, friends, and others? Employees who work full-time and live alone may have no choice but to conduct some personal business from the workplace. Moreover, it is inevitable when people work together that they will communicate. Such interaction can make the most boring job bearable—and can be the breeding ground for ideas about how work can be done better. There is also a valid argument that workers need to be able to let out some steam during the daily grind.

In short, we would argue, employees have a legitimate interest in a reasonable quality of work life, and privacy is an essential element of that. This is even more acute with the growth of telework and the fading of the distinction between work and home—and the need to put limits on presumed links between off-duty activities and work performance.

Our complementary roles of monitoring the application of the Privacy Act by federal institutions and monitoring developing privacy issues beyond the scope of the act have given us an interesting vantage point. We take some satisfaction in observing that federal institutions have avoided the excesses seen elsewhere.

In the 1992-93 annual report, we reported on the Department of Communications' project to develop a smart card for employees that would be used as a purchase card, allow access to computer files, control high-tech inventory, and replace the employee in/out board. We noted that the most likely government-wide application of a card that could validate identity, employment status, and security clearance would be as a government employee card. The danger would be that such a card could become a tracking device. We observed that the government could devise standards and guidelines that would control its use.

Also in 1992-93, we reported on the Federal Government's Telework project committee, tasked with reporting on a 3-year pilot project allowing employees to work at home and deliver their products to the employer electronically. This was introduced for valid objectives: allowing employees to balance work and home, and reducing energy consumption, pollution, and traffic congestion. But we had concerns about adequate security and privacy safeguards for personal information being worked on in the home and transmitted electronically, and the risk of compromising employees' home lives, by introducing the element of supervision and monitoring into their homes.

In 1994, we reported on the Royal Canadian Mint's monitoring of employee telephone conversations. The Commissioner, although he had reservations, concluded that the Mint's practice was not in violation of the Privacy Act, since the monitoring was for performance evaluation purposes and employees were advised in advance. Nonetheless, the Commissioner reminded the Mint of employees' rights to examine notes made of the monitoring, and recommended that it develop procedures to take account of other privacy concerns, including customers' rights. The Mint took note of his concerns and undertook to address them.

Video surveillance was the subject of a complaint reported in the 1997-1998 annual report. We observed at the time that covert videotaping, as one of the most intrusive tools, demands the most rigorous justification. Concerned about the general privacy issue, the Commissioner wrote to Treasury Board, urging it to develop a government-wide policy on covert surveillance. He recommended that the policy specify, among other things, that surveillance should be based on reasonable suspicion and used only after less intrusive methods had been ruled out, that reasonable expectations of privacy should be respected, and that surveillance should be restricted as much as possible to the person under suspicion, rather than sweeping in employees indiscriminately. These recommendations, while specifically addressing video surveillance, arguably apply to all forms of workplace surveillance.

Some of the Commissioner's concerns about surveillance were addressed by the Treasury Board Policy on the Use of Electronic Networks, published in 1998. Although, as noted above, that policy is not without its shortcomings, it did ensure that electronic networks were not the basis of an "electronic sweatshop." And in April, 1999, Treasury Board released a policy on video surveillance, which adopted all the recommendations made by the Commissioner the previous year.

Federal Government workplaces, then, have not become quite the Orwellian world that some had feared. This is due in large part to the long-standing recognition of the principles of fair information practices embodied in the Privacy Act, and to the fact that privacy issues are debated and discussed in a legal framework. We might even take some small measure of credit ourselves.

Discussing the surveillance of employees' e-mail and Internet use, a manager was recently quoted as saying, "You live in a democracy; you don't work in one." How absolutely should we accept this? Are we prepared to accept that Canadians, upon entering the workplace, lose all their privacy rights? It is established in Canadian law that certain fundamental human rights are a matter of public policy; they cannot be conjured away by means of an employment contract. Privacy has not yet been recognized in this way by the courts. The Federal Government, to its credit, has listened when we have made the case, and has recognized that strict legality is one thing, fairness and good management another. With the Office's new responsibilities, we will certainly be looking closely at workplace privacy in the private sector—including not just electronic surveillance, but biomedical issues as well.

Biomedical Technology
Biomedical technology has developed dramatically in the last 10 years, and, as is so often the case with new technology, it is a double-edged sword. We have consistently urged citizens to recognize technology's potential for both good and harm, and to frame decisions about technology around fundamental questions of what kind of society we want.

Genetic mysteries are being solved; the sequencing of the entire human genome is said to be imminent, years ahead of schedule. Yet while this research holds great hope for society's understanding of the genetic components of diseases, it also threatens to engulf us in a wave of information deeply personal, only half-understood, and with the potential for new and invidious forms of discrimination.

The use of DNA analysis for forensic identification, hailed as a breakthrough for both prosecuting criminals and clearing the innocent, also offers the possibility of genetic dossiers on large numbers of citizens.

An upsurge in drug testing—less pronounced in Canada than in the U.S., but significant nonetheless—has given the state and employers unprecedented power to peer into our bodies at random, searching for evidence of socially unacceptable behaviour.

And biometrics—such as digitized fingerprints, retinal scans, and facial recognition technology—press our very bodies into service as personal identifiers, and this intimate, indelible information is then scattered and shared beyond our control.

Genetic testing
Genetic testing and analysis hold great potential for early identification and treatment of those predisposed to particular medical conditions. Genetics may also help employers and employees improve workplace safety and health by screening for genetically linked conditions that could be aggravated by particular environments. Monitoring genetic changes and genetic conditions in the workplace can also help early identification and intervention.

But genetic testing also holds the potential for great harm. Genetic analysis can reveal highly sensitive, intimate information about both the person tested and his or her relatives. Once a person is tested, there is real risk that the results could be used to select and promote genetically "fit" employees and reject the "unfit" and to determine who is eligible for benefits and insurance.

In 1992, we released our Genetic Testing and Privacy report, a comprehensive look at the privacy implications of the new technology. The first of our 22 recommendations urged the government to study the extent to which public and private sector employers were conducting genetic tests, and the uses they were making of the information. We also recommended the government adopt legislation to ensure that genetic material was collected within a legal framework, that no one was forced to give up genetic material, that genetic testing would not be a condition of employment, and that no one would suffer discrimination for refusing to be tested. We also proposed amending the definition of personal information in the Privacy Act to ensure that it included both genetic samples and the information derived from their analysis.

Virtually all the recommendations have fallen on deaf ears. With the costs for genetic tests falling, a lengthening list of conditions that tests can identify, and pressure building to develop comprehensive linked health information banks on Canadians, we still have no legal framework for this intrusive technology. We do not even know how and how much employers are using genetic testing.

Genetic testing was one of the privacy issues examined by the House Standing Committee on Human Rights and the Status of Persons with Disabilities. In its April 1997 report, the Committee urged the government to take immediate action to deal with privacy violations and discrimination flowing from genetic testing. The Committee envisaged a review of genetic testing policies and practices in the employment, health, insurance, and criminal justice sectors. In addition, the Committee recommended reviewing existing legal instruments, holding public consultations, and developing legislation to specifically address privacy and discrimination issues.

Parliament was dissolved shortly after the Committee delivered its report; thus the government did not respond to the recommendations at that time. The recommendations were later adopted by the Standing Committee on Human Resources Development and the Status of Persons with Disabilities as part of its examination of the administration of the Social Insurance Number. However, the government did not address the issue of genetic testing in responding to this committee's report.

Protection of genetic privacy has received considerably more attention in the United States. A significant number of states have passed laws banning genetic discrimination in employment, insurance, or both. Dissatisfied with patchwork protection, some U.S. legislators are sponsoring Congressional bills with similar provisions to apply to private sector employment and insurance. This February, U.S. President Clinton signed an executive order prohibiting the federal government from conducting mandatory genetic testing of its workforce and discriminating based on genetic information.

Forensic DNA analysis
Forensic DNA testing, one of the most rapidly developing and perhaps best-known areas of biomedical technologies, has profound privacy implications. Forensic DNA testing takes bodily substances from suspects or volunteers, analyzes the samples and compares them to biological evidence—skin, hair, blood, or semen found in connection with a crime. Analysis of a suspect's DNA is then compared with DNA found at a crime scene. The results can either eliminate the suspect or establish with a high degree of certainty (although that point is not without its critics) that the two samples match.

DNA matching has been widely applauded as the most important development in criminal identification since fingerprinting. A relatively new and uncertain technique at the beginning of the 1990s, it has recently become high profile, particularly when it produces dramatic proof of innocence and a wrongful conviction as in the David Milgaard and Guy Paul Morin cases. Not so high profile, however, has been the subtle trend towards capturing and retaining DNA information about an increasingly large segment of the population.

We can support using DNA evidence, but reject a forensic investigation tool evolving into a national file of biological identifiers. Of particular concern is banking not just results, but also the samples themselves. Maintaining a bank of samples from a segment of the population virtually begs using the genetic material for research and other unrelated purposes. Reports from the U.S. indicate that pressure is building to retest samples so that "markers"—race, gender, physical characteristics, potential psychiatric disorders—can be added to the identification data to which DNA data banks are presently limited.

Forensic DNA evidence was first used in Canada in 1988, but there was no legislation to authorize law enforcement officers taking DNA samples from suspects until 1995, when Parliament amended the Criminal Code to permit obtaining samples under warrant. Soon after, the Solicitor General began consultations on creating a national DNA data bank to facilitate criminal investigations. The data bank would hold samples and analyses from crime scenes and from those convicted of a range of offences. The Solicitor General's discussion papers noted many of the privacy implications pointed out in Genetic Testing and Privacy.

We urged that the data bank be limited to results of analysis and not include biological samples. We also asked that the range of offences be limited to violent offences for which future DNA evidence would likely be available. However, several groups and politicians pressed to expand collection to include taking DNA samples automatically when the person is charged with an indictable offence, just as fingerprints are now. This would have led to collecting DNA for offences as minor—and as unlikely to yield any DNA evidence—as swearing a false affidavit.

When the DNA Identification Act finally passed in December 1998, it included some, though not all, of our recommendations. The forensic DNA data bank will include both the analyses and the samples themselves, and the range of offences is broader than we think necessary. Nonetheless, many of our recommendations prompted privacy protections in the legislation, not least of which was a prohibition (clarified in later amendments) against using genetic material for anything other than forensic identification purposes. This should reduce the risk of "function creep." Amendments introduced late in 1999, but not yet passed, would require the RCMP Commissioner to report to the Solicitor General every year on the operation of the DNA data bank; the Solicitor General will then table the report in Parliament. An advisory committee, of which the Privacy Commissioner is a member, will oversee the bank's operations.

We commend the government's cautious approach in the face of heavy pressure to expand forensic DNA sampling and analysis. Late in 1999, the International Association of Police Chiefs, which represents police agencies in 112 countries, urged legislatures to pass laws requiring DNA samples from anyone arrested on any charge, whether the charge was murder, impaired driving, or shoplifting. In Britain, the Lothian and Borders Police instituted a program of genetic sampling of people charged with any offence, including routine traffic violations.

The greatest danger of a forensic DNA data bank is its potential to engulf a significant part of the population and become a genetic population register. Recovering abducted children, assisting adults with amnesia, providing security for Alzheimer's patients: all could be offered as justification for extending genetic sampling—and would blur the line between forensic and non-forensic uses.

More than ten years ago, Gary T. Marx, a U.S. academic with a special interest in privacy and surveillance, looked at then-recent but burgeoning forensic DNA testing. He highlighted the danger of what he called "surveillance creep"; what was once a serious intrusion comes to be accepted as business as usual. New uses are found for surveillance systems until the new technology has put us into the twilight zone so aptly described by U.S. Justice William O. Douglas: "As night-fall does not come at once, neither does oppression... It is in such twilight that we all must be most aware of change in the air—however slight—lest we become unwitting victims of the darkness."

Drug testing
Twelve years after we first rang the alarm against drug tests creeping over the border and into Canadian workplaces, we have not changed our minds. Drug testing is a serious privacy intrusion that is justified neither by the problem it purports to address nor by any evidence of its effectiveness. A positive drug test result does not reveal past or present impairment or a risk of impairment. It does not show how much the person took or when. In fact, it does not even confirm that the person took the drug. What it does show is that, at some point, the person came into contact with the drug. And a negative drug test does not establish that a person has not taken a drug because drug metabolites take several hours to appear in urine. Education, support, and treatment are the most effective approaches to drug abuse. Sometimes improving working conditions can help employees' problems; far better to help employees recognize risks and seek help than to treat them all as suspects.

Drug testing was already an important privacy issue at the beginning of the 1990s. U.S. President Reagan's 1986 order for mandatory random drug testing of federal government employees started U.S. citizens down the road to widespread testing. Canada has not followed the lead of the U.S., but there were calls for drug testing from various quarters within both government and the private sector. The Office of the Privacy Commissioner responded to these calls with a vigorous defence of privacy in the report, Drug Testing and Privacy.

At the time that report was written, Transport Canada had proposed mandatory random drug testing for workers in surface, air, and marine transportation, the Minister of National Defence had announced mandatory random tests for Canadian Forces members, and Correctional Services Canada was testing prisoners in federal penitentiaries. The report looked at those programs, at drug testing and its rationale, at the Privacy Act, and at the broader privacy implications.

We concluded that the justifications offered for drug testing generally, and mandatory random testing particularly, did not withstand close scrutiny. The lack of evidence of a serious drug problem, and existing evidence that testing was ineffective in enhancing workplace safety, did not justify its extreme intrusiveness.

Whether the report had influence or not, Transport Canada abandoned its plan to test transportation workers, and the government has not introduced anything similar since, much less tried to extend drug testing as has the U.S. government. The Canadian Forces abandoned its random testing program in 1995.

They may all have saved themselves some trouble. Drug testing suffered two significant legal setbacks in the 1990s. In 1996, Imperial Oil's drug and alcohol policy was found by an Ontario Human Rights Board of Inquiry to contravene the Ontario Human Rights Code. The decision was upheld by the Ontario Court General Division in February 1998; Imperial Oil's appeal to the next level is still pending. The Imperial Oil decision was particularly significant because it concerned work in the highly dangerous environment of an oil refinery. The courts found nonetheless that the company could deal with the safety risks without resorting to random drug testing. In July 1998, the Federal Court of Appeal ruled that the Toronto Dominion Bank's policy of testing new and returning employees contravened the Canadian Human Rights Act. TD has abandoned the policy.

Pressures for drug testing have not disappeared, due in part to the increasing integration of the Canadian and U.S. economies. Perhaps the most significant example came in 1996 with the application of U.S. regulations requiring drug testing of all truck drivers, regardless of nationality, who operate vehicles on U.S. highways. Any Canadian trucking company that uses U.S. roads at any point must now conduct mandatory random drug testing. In 1998, apparently inspired by U.S. law, a Senate special committee examining transportation safety and security recommended random drug and alcohol testing in Canada. (The Committee dissolved without issuing a final report, so it is unknown how the Government would have responded.)

Measures to improve public safety are welcomed. Were the proponents of drug testing able to demonstrate that these programs actually reveal impairment as breath-alcohol testing does, or that there is a significant drug problem in the transportation workforce, or that drug testing significantly reduces risk, our conclusions might be different. But that is not what we see. Without a demonstrable positive effect on public safety, all we are left with is a humiliating intrusion into workers' private lives.

Canada has not followed the trend in the U.S. where in 1996, according to an American Management Association study, 81 per cent of major firms tested their employees for drugs. However, we have seen some parroting of American rhetoric, and its translation into action; Ontario tests social assistance recipients for drugs and imposes mandatory treatment on those who test positive. This mirrors similar American programs, where the war on drugs and the demonization of social assistance recipients have become potent tools for demagogues. So far, no one has challenged the tests before the Ontario courts, but it seems likely that someone will. Ontario law considers drug dependence a disability, and refusing services such as social assistance benefits on the basis of a disability is prohibited.

A satirical article in a 1998 Privacy Journal proposed guidelines for parents on drug testing their children. One of the difficulties, the author suggested, was that children might turn the tables and test their parents. His solution? Parents should be sure to lecture children about the importance of communication and trust in the family. The point, while ironic, should be kept in mind by those concerned about substance abuse in schools, workplaces, and society generally.

While it is early to say that we have seen a revolution, we have witnessed a trend in the way we verify and authenticate people's identity: from something you have, such as a card, through something you know, such as a password or PIN, to something you are: biometrics.

Technology that scans and measures physical or behavioural characteristics such as fingerprints, facial features, or voice, iris, or retinal patterns to authenticate identity was first introduced in the 1970s. However, in most people's experience biometrics was virtually science fiction at the beginning of the 1990s. A series of performance failures in the 1980s sent industry in other directions—to keypads, access cards, and PINs.

But interest resumed early in the 1990s. Sales of biometric devices, excluding those for law-enforcement use, more than doubled in 1991. The increase may have reflected price decreases; in 1995, according to an industry report, the "average price per access point protected" dropped under $2,000 from more than $6,000 five years earlier. The report predicted that "$500 and under devices may help make biometrics a more common sight in daily life." By 1998, a U.S. company was selling fingerprint scanners for $99.

As the cost of the technology drops, what once was an idle wish becomes a pressing need; what used to be a fantasy becomes a reality. We hear almost daily of some new use for biometric technologies—in automated banking, policing, computer security, administering social benefits, and preventing school truancy.

In the early 1990s, the U.S. Immigration and Naturalization Service introduced a new travel document to speed passengers pre-clearing customs at Pearson International Airport in Toronto. The card was imbedded with the pattern of the bearer's hand; electronic readers in the airport could authenticate the identity of a traveller by matching the image on the card with the traveller. This use of biometrics appeared to be designed with some privacy considerations since the biometric image is stored in the card, not in a government record.

Later in the decade, a more problematic application surfaced: Metro Toronto's decision to require social assistance recipients to carry a smart card containing their digitized fingerprints. The cards would be credited with social assistance payments, and then could be used as debit cards for direct payment in stores. As we noted in an earlier report, the problem with this system lies largely in its potential to provide a database for unrelated uses—for example, for social science research into social assistance recipients' spending habits. The system eventually approved for all municipalities uses biometrics for identification only, not for debit cards, and includes a number of important privacy protections. But the problem remains: fingerprinting is associated with criminality. And once again, social assistance recipients are singled out for treatment that no other citizens suffer—and arguably, that no other citizens would suffer.

By the end of the 1990s, news about biometrics was everywhere. In December 1998, the Globe and Mail reported that a Toronto fitness club controlled members' admissions by scanning handprints, and Disney World used fingerprint scanners to identify annual pass holders. The Globe cited a U.S. estimate of $500 million spent worldwide on biometric devices in the previous year, with one-third of the sales to the private sector. The Globe predicted that sales of fingerprint devices alone would rise to $1 billion in 2001, from $145 million in 1997. Early this year, the Financial Post reported that an Australian technology and investment company was preparing to launch a voice-recognition feature for its on-line trading business. It also reported that an iris-recognition system would soon control employee access at a U.S. airport, and a Canadian bank is beginning to use fingerprint readers for a similar purpose. Another Canadian company plans to develop a computer mouse that will identify users' fingerprints for on-line banking. Chicago's O'Hare International Airport uses fingerprint biometrics to control access in its baggage handling areas. And the Post also reported that an American hospital had installed a finger-recognition system that helps speed up registration of patients, prevents fraudulent insurance claims, and gives hospital staff immediate access to patients' medical records. The same company makes a system that controls access to computers by verifying fingerprints.

Privacy advocates have frequently called attention to the privacy implications of biometrics—both collecting, using, and storing this intimate personal information, and the potential it offers for matching different activities and transactions through a single identifier. But the public has yet to be engaged in a serious debate.

Biometric technology offers unquestionable advantages. Authenticating identity, regardless of how it is done, is often critical, particularly as more businesses move more operations onto the Internet. Unlike passwords, a biometric identifier cannot be given away, lost, or forgotten. If technology can ensure that limited funds for social benefits and assistance are available only to those who are genuinely entitled, surely this helps, rather than hurts, social assistance recipients. With sensitive issues such as health information—and for that matter, receiving social assistance—a biometric identifier can provide highly secure storage. And who can argue with controlling employee access, especially in safety-critical operations like airports?

But the accuracy of biometrics combined with their falling cost can be seductive, leading people to seek and eventually require proof of identity where none is really needed. Many activities can be done anonymously, just as most cash transactions are now; there is no need to identify the parties. As with identity cards—as with all systems of identification—we need to be careful about letting occasional necessity lead to casual optional use, which in turn prompts suspicion and eventually exclusion of those who refuse to identify themselves when it is unnecessary.

A further problem with biometrics is its integration into the authentication system required for electronic commerce, and particularly a public key infrastructure. The system would store biometric features with a "trusted third party", which would issue digital identity-verification certificates. Who will be the third party we are supposed to trust? When we exchange security for privacy—for example, giving up our name, address, social insurance number, and other personal information in exchange for a digital certificate—we cannot retrieve the privacy we have surrendered. But when we entrust indelible, unchangeable, and highly personal individual markers drawn from our physical selves to another, the risk to us and the burden on the recipient are far greater.

Biometrics is intimately tied, not just to proving identity but also to surveillance. It may be as simple as using fingerprint-controlled access to computers to verify that employees are checking in when they say. Or it could be much more: facial recognition technology, a biometric application touted as useful for controlling access, is also the basis of video surveillance systems that can pick individual faces out of crowds. In fact, video surveillance is making facial recognition one of the fastest growing markets in biometrics. According to the Globe and Mail, a recently developed system enables driver's licence bureaus to match a face with a record in a database of 1.5 million images. And The 1997 Advanced Card and Identification Technology Sourcebook noted, apparently with approval and no intended irony, that the same facial recognition technology that would permit screening social assistance databases for duplicates and airport lounges for terrorists would also likely enable your multimedia PC to recognize you for teleconferencing on the electronic superhighway.

Privacy Act Reform
Government restructuring and the development of advanced information, surveillance and biomedical technologies are all sorely testing the efficacy of the Privacy Act, a law written in the information technology dark ages of the early 1980s. Although the act has proven to be fairly adaptable, it is fast becoming creaky. We have tried to keep our fingers on its pulse and report regularly on developing aches and pains, but it is clear that what the act needs is not some nips and tucks but major surgery.

The entire scope of the legislation needs changing to make it live up to its name. In 1998, we began a comprehensive in-house review of the legislation. That review, discussed later in this report, was completed late in 1999 and contains more than 100 recommendations designed to prepare the act for the staggering challenges ahead. With its work on Bill C-6 largely over, Parliament now needs to return to where it all began—protecting Canadians' privacy against a well meaning, some would say zealous, state.

Bill C-6
It seems fitting to conclude this ten-year review by commenting on the Personal Information Protection and Electronic Documents Act, the highlight of this Commissioner's term. (The act is discussed in more detail in the section that follows.) For several years, this Office has been urging the federal government to pass legislation to protect Canadians' privacy rights in the private sector. With the legislation a reality, we are now looking forward to the challenge of fulfilling the Privacy Commissioner's mandate as established by the act.

We have stated many times that, of all the clauses in the act, none is more important than the one that requires the Privacy Commissioner to promote understanding and knowledge about privacy. One of our goals will be to inform Canadians about their rights, and about threats to their privacy, including the personal and social consequences of privacy intrusions. We want to do more than inform and educate; we intend to make the Office of the Privacy Commissioner a place where Canadians can turn for assistance when they feel deprived of a privacy right.

We also stand ready to help the business community. We recognize that businesses will need time to learn how to work with this legislation just as we will need time to learn how business works. Businesses are understandably concerned about how the act will affect their companies and how the Privacy Commissioner will exercise the Office's authority. While we will do everything we can to avoid impeding business, we do not want to convey the impression that nothing will change. Many businesses, we expect, will have to adjust their personal information practices to meet the obligations set out in the act. More than anything else, what is most needed is a new consciousness on the part of businesses about personal information. This information must be seen not as just another resource—in some cases a company's most important resource—but as an asset over which business can never claim complete ownership. In short, businesses must become trustees.

Bill C-6—Private Sector Data Protection, at Last

Parliament's passage of the Personal Information Protection and Electronic Documents Act has taken Canada a major step forward in protecting its citizens' privacy rights. This landmark law puts Canada into the enviable ranks of leading industrialized nations that have recognized the need for privacy regulations in the private sector.

Public interest in privacy protection has grown steadily over the past two decades, prompted by social, economic and technological change. The development of a global economy, proliferating computer networks, exponential growth in Internet transactions, satellite-based telecommunications, and sophisticated surveillance technologies all contributed to a general public uneasiness about eroding personal privacy.


The Canadian government's first response to calls to protect personal information—or data protection, as it is frequently called in Europe—was to include limited privacy protection in Part IV of the 1978 Canadian Human Rights Act. But Part IV provided far from comprehensive data protection; it focused on limiting access to records and lacked controls on government collection, use and disclosure of personal information. In 1982, Parliament enacted the Privacy Act, which extended privacy protection to most but not all of the federal public sector, as of July 1, 1983.

In 1984, Canada joined 22 other industrialized nations in adhering to the Organization for Economic Cooperation and Development's Guidelines for the Protection of Privacy and Transborder Flows of Personal Data. The OECD guidelines were intended to harmonize data protection laws and practices among member countries by establishing minimum standards for handling personal data in each country. The guidelines were not enforceable, but they were a benchmark and a starting point for creating data protection legislation in a number of countries around the world.

The federal Privacy Act and equivalent provincial legislation have largely fulfilled Canada's commitment to establish fair information practices for the handling of personal information in the public sector. However, until the government introduced the Personal Information Protection and Electronic Documents Act in 1998, little had been done, except in Quebec, to protect Canadians' privacy rights in the private sector. The Personal Information Protection and Electronic Documents Act addresses this deficiency.

So it has taken almost two decades for Canada to extend to the private sector the fair information practices embodied in the OECD guidelines and the Privacy Act. Private sector opposition to legislation, a lack of will on the part of the government, the inability to reach a consensus on how best to protect personal information in the private sector, and the changing technological environment are but some of the explanations for the delay.

Prompted in part by the OECD Guidelines, and possibly by the fear of what might follow if they did not act, the private sector took the initiative in the 1980s, introducing privacy codes to address growing public concern about the actual or potential misuse of personal information gathered during commercial transactions. The life insurance industry led the way in 1980 with "Right to Privacy" guidelines; the banks, the direct marketing industry, computer companies, and the telecommunications industry followed. Although welcome, these codes and guidelines did not provide comprehensive privacy protection. In particular, these voluntary codes do not provide for an independent oversight body to monitor their implementation and receive complaints from consumers.

In 1991, a CSA International (formerly the Canadian Standards Association) committee made up of business, consumer, government, and labour representatives began work on a model privacy code for the private sector. Using the OECD Guidelines as a starting point, the committee agreed on a draft model code that was circulated for comment at the end of 1994 and approved by the stakeholders in 1996.

While supporting the CSA process and other voluntary initiatives, the Privacy Commissioner was becoming convinced that goodwill alone was not enough. In 1992, he lobbied two Senate committees in support of changes to the Bank Act that would empower the Governor in Council to regulate the collection, use and disclosure of customer information, and the inclusion of the protection of privacy as a policy objective in the Telecommunications Act. Commenting on CSA's draft model code in the 1994-95 annual report, the Privacy Commissioner observed, "The greatest significance of the CSA Code may lie, not in its proposed form as a voluntary code for business, but in its embodiment into national framework legislation—a national standard of privacy against which all sectors can be held accountable."

Several new developments contributed to the Commissioner's belief that comprehensive legislation was needed: growing commercial trade in customer information; evidence that customers' information was being collected, used and disclosed without their knowledge or consent even in industries that had adopted voluntary privacy codes; wide variations in the protection provided by privacy codes in different industries; continuing lack of a truly effective oversight body in any industry using voluntary codes; and, finally, Quebec's passage of privacy protection law for the private sector.

In 1995, the Canadian Direct Marketing Association called on Parliament to use the CSA's model privacy code as the basis for legislation. In his response to the Information Highway Advisory Council's recommendation that private sector privacy protection was needed, Industry Minister John Manley announced that the federal government would introduce such legislation. In 1996, Justice Minister Allan Rock reiterated this pledge before a meeting of the world's privacy commissioners, promising that legislation controlling the federally regulated private sector would be in place by the year 2000.

Meanwhile, the European Union Data Protection Directive came into force in October 1998. The Directive established EU data protection standards, thus facilitating transfers of personal data among EU member countries. But the EU Directive also imposes an "adequacy" test on non-member countries. EU members may transfer personal data to another country, such as Canada, only if that country ensures an adequate level of protection.

These events culminated in the government tabling Bill C-54, the Personal Information Protection and Electronic Documents Act, in the fall of 1998. The introduction of this bill was one of the most significant milestones in the history of privacy protection in this country. The law regulates commercial uses of personal information, requiring business to respect a code of fair information practices. Equally important, it provides an independent oversight of business practice—mandating the Privacy Commissioner to investigate complaints, issue reports and conduct audits. As a last resort, it provides individuals with recourse to the Federal Court and empowers the Court to award damages.

Finally, it gives the Commissioner a broad mandate to promote the act through public education and research. The Privacy Commissioner's office has struggled over the years to inform Canadians about their privacy rights and developments that strengthen or threaten those rights. Yet there has been no formal authority for the Commissioner to conduct public education. The bill addresses this deficiency, requiring the Commissioner to develop and conduct programs to foster public understanding and recognition of the purposes of the bill.

After the bill's introduction in the fall of 1998, the Commons Standing Committee on Industry held extensive hearings on it; about 60 witnesses representing business, associations, academics, consumers and the privacy community appeared. Representations fell into two main categories: business, which felt that it was too rigorous; and consumer and civil rights groups, who argued it was too gentle. At the end of the hearings, the Committee's report to Parliament made more than 20 recommendations. These included adding a primacy clause and a reasonable person test, defining publicly available information by regulation, adding some circumstances where information might be disclosed without consent, and adding whistleblower protection. The House accepted all the Committee's recommendations.

Parliament rose for the 1999 summer recess leaving the Personal Information Protection and Electronic Documents Act at Report Stage in the House of Commons. With the start of a new session in October, the bill was mentioned in the Throne Speech and re-introduced as Bill C-6, returning to Report Stage.

The parties in the House moved a substantial number of motions. The amendments provided exclusions for the law enforcement community, extended coverage to the non-profit sector on barter and sale of lists and clarified the act's operation in the first three years. The latter amendment added the phrase "discloses the information outside the province for consideration" (emphasis added) to clarify the circumstances in which provincially regulated organizations would be subject to the act during the first three years. The House of Commons passed the bill, with these amendments, on October 26, 1999.

The bill then moved to the Senate's Standing Committee on Social Affairs, Science & Technology. The committee heard at length from the healthcare community and concluded that it was the only sector that was not part of the broad consensus supporting the bill. In fact, the healthcare sector itself was divided: one part recommending tougher provisions on patient consent and subsequent uses of personal health information, the other arguing that the bill would constrain operational activities in the healthcare sector. Faced with such divergent views, the Committee recommended delaying application of the law to personal health information for one year after the bill comes into force. This allows the healthcare community and governments approximately two years to determine how to manage personal health information used in commercial activities.

The Senate passed the bill in December with this amendment and a related one defining personal health information. "Personal health information" was defined as information concerning the physical or mental health of an individual, living or dead, and information collected in the course of, or incidental to, providing health services to the individual. The definition also includes information concerning an individual's donation of any body part or bodily substance, as well as information derived from medical tests. These amendments were approved by Parliament on April 4, 2000.

Some businesses have expressed uneasiness about the act and the Privacy Commissioner's role, worrying that compliance will cost them time or money. However, the Commissioner has made a commitment to help business adjust to the new legislation and will take a cautious and even-handed approach to its implementation. Business can ease the transition by handling personal information with care before the law comes into force, and reviewing and revising their information handling to meet the standards set out in the act. Businesses that can demonstrate respect for their customers' privacy will avoid complaints and reap the rewards of greater customer confidence.

Initial Application of the Personal Information Protection and Electronic Documents Act

Trust and Control: Canadians' Attitudes Towards Privacy

Surveying people about privacy is a challenge—those most likely to be concerned are least likely to answer the questions, and many consider calls from survey firms to be intrusive. As well, respondents (and most Canadians) may simply not be aware of the steady erosion of their privacy. When businesses and governments use hidden cameras, "cookies," data matching and e-mail monitoring to collect personal information and monitor their employees, customers, or citizens, they seldom issue press releases. To borrow the old saw about obscenity—"I know it when I see it"—people may know a privacy invasion when they see it, but they probably cannot see it.

Nevertheless, surveys are still the most effective way to assess people's views. We have always been keenly interested in Canadians' attitudes towards privacy; we were one of the sponsors of the first comprehensive privacy study, Privacy Revealed: The Canadian Privacy Survey, conducted by EKOS Research Associates Inc in 1992.

In 1999, we participated in another EKOS study, Rethinking the Information Highway: Privacy, Access and the Shifting Marketplace. The study had a broad scope—attitudes towards privacy were just one of the topics covered. Other topics included access to communication technologies, use of the Internet, and Canadians' willingness to use the Internet to access government services. The study comprised two separate surveys: one with a random sample of 5,014 Canadians aged 16 and over in June 1999, and a second follow-up survey in late fall 1999 of 1,830 participants from the first survey. The results of the two surveys are considered to be statistically accurate within +/- 1.4 percentage points and +/- 2.3 percentage points respectively, 19 times out of 20.

In general, Canadians appear to be less concerned about privacy than they were in the 1992 study. By 1999, 47 per cent of Canadians agreed with the statement, "I feel that I have less personal privacy in my daily life than I did ten years ago," compared with 60 per cent in 1992. The number of Canadians who agreed with the statement, "There is no real privacy because government can learn anything it wants about you," dropped to 63 per cent from 81 per cent. The number of Canadians who agreed with a similar statement about business dropped to 57 per cent from 71 per cent.

The 1999 study suggests that Canadians are also becoming more sophisticated in their attitudes towards privacy. Fifty per cent said that they now "feel confident that they have enough information to know how new technology might affect their personal privacy", up from 43 per cent in 1992.

A majority of Canadians (54 per cent) don't mind companies using personal information as long as they know about it and can stop it. Canadians may be willing to provide personal information in certain circumstances, and may even be willing to sacrifice some of their privacy, but they want to know what they are getting in return. One thing they want is control.

Canadians demonstrated a surprising willingness to make privacy tradeoffs in return for tangible benefits. Forty-two per cent of respondents said that they would agree to having their grocery shopping habits monitored, allowing the store to develop a client profile, in return for a 10 per cent discount on their groceries. Slightly more than a third of Internet users (36 per cent) would agree to having their online habits monitored by a reputable company in return for a new computer and free Internet access. Nevertheless, even these very significant benefits were not enough to convince a majority of Canadians to trade away their privacy. The two questions assume that the people involved in such programs would be fully informed of the personal information being collected and how it is being used. In the real world of customer loyalty programs, this is rarely the case.

The survey asked a number of related questions about Canadians' willingness to accept potential privacy intrusions that could further public policy objectives such as helping criminal investigations or reducing abuse of social programs. A bare majority (51 per cent) believes that governments should be able to link databases to ensure that individuals are not cheating on social programs, while 44 per cent oppose such data-matching activities because it would allow governments to monitor individuals. Sixty-one per cent agree that law enforcement officials need to be able to monitor e-mails during criminal investigations. Fifty-five per cent of Canadians agreed with the concept of creating electronic networks of health records on the assumption that it would improve health care. On the other hand, a majority of Canadians (55 per cent) believe that governments collect more information than they need to provide services.

Canadians appear to be very comfortable providing certain types of information to one organization, but extremely uncomfortable with another. For example, the study found that while only 19 per cent of Canadians were "extremely" concerned about providing personal information to doctors or hospitals, the proportion climbed to 27 per cent for governments, 40 per cent for polling and research companies, 49 per cent for Internet service providers and 62 per cent for telemarketing companies.

The survey revealed that Canadians have substantial concerns about the ability of business and governments to protect personal information provided over the Internet. For example, Canadian Internet users were only "somewhat confident" on average that any organization would be able to fully protect personal information submitted online. Likewise, only 12 per cent of Canadians said that they would be willing to give their credit card number over the Internet to make a purchase.

What does all this mean? Clearly, privacy is a very complex issue and many Canadians remain very concerned. There is also a growing emphasis on security issues; Canadians want to make sure that personal information is safe. And they are deeply divided on government initiatives that may trade off privacy protection in favour of improved health care or greater efficiency. More than four out of ten Canadians opposed the storage of health records on a secure electronic network even when the question suggested that it would improve health care. The Office of the Privacy Commissioner believes that the relatively small majority support for these initiatives is a weak justification for ignoring the real concerns, not to mention the privacy rights, of significant numbers of Canadians.

Personal Health Information: Too Many Demands, Too Little Privacy

Patients' privacy is steadily eroding in the name of health research, ready access to personal information and administrative efficiency—and Canadians are the last to know. A recent survey conducted for the Canadian Medical Association (CMA) revealed that three out of four Canadians believe that the information they give their doctor is kept confidential. The reality is far different; the lineup behind our doctors—all claiming to "need to know"—is long and growing.

Personal health information stored in electronic systems is becoming fair game for bureaucrats, researchers, as well as insurance and pharmaceutical companies, among others. Many such organizations are already surreptitiously collecting and using personal health information without even the courtesy of telling us that our lives are being categorized and our records dissected.

And technology offers new ways of amassing health information without our consent. For example, many Net surfers now do background research on medical conditions and treatments for friends and family on the Web. Who would have thought that many health-related web sites, despite promises to protect site visitors' privacy, actually share the information they collect? A recent survey of 21 sites by the California HealthCare Foundation revealed just that.

We should also be sceptical of the protection reputedly offered by so-called "anonymized" health information. American computer scientist Latanya Sweeney demonstrates that simply removing identifying details from patient records will not assure their privacy; the resulting data only appear anonymous. Ms. Sweeney argues that retaining too many patient-specific facts, particularly when they refer to a rare condition or unusual procedure, can identify individuals. The resulting data can also be linked or matched with information from separate sources, like a birth date or postal code, to identify people in an "inferential disclosure".
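A release-side check for the risk described above, as an added example that is not part of the original report: it counts how many records share each combination of birth date and postal code, and lists diagnoses rare enough to single someone out. The records, field names and the threshold k are constructed assumptions.

```python
from collections import Counter

# Constructed sample of "de-identified" records: names and health numbers are
# gone, but birth date, postal code and diagnosis remain. All values are made up.
RECORDS = [
    {"birth_date": "1961-03-14", "postal_code": "K1A 0B1", "diagnosis": "asthma"},
    {"birth_date": "1961-07-02", "postal_code": "K1A 0C9", "diagnosis": "diabetes"},
    {"birth_date": "1961-11-23", "postal_code": "K1A 1H3", "diagnosis": "rare disorder X"},
    {"birth_date": "1975-01-30", "postal_code": "K2P 1L4", "diagnosis": "asthma"},
    {"birth_date": "1975-09-09", "postal_code": "K2P 2N2", "diagnosis": "fracture"},
    {"birth_date": "1988-05-05", "postal_code": "K2P 0A4", "diagnosis": "diabetes"},
]


def exact(rec):
    """Quasi-identifier as released: full birth date and full postal code."""
    return (rec["birth_date"], rec["postal_code"])


def generalized(rec):
    """Coarsened quasi-identifier: birth year and first three postal characters."""
    return (rec["birth_date"][:4], rec["postal_code"][:3])


def class_sizes(records, key):
    """Number of records sharing each quasi-identifier combination."""
    return Counter(key(r) for r in records)


def k_anonymity(records, key):
    """Smallest group size: every record is hidden among at least this many."""
    return min(class_sizes(records, key).values())


def at_risk(records, key, k):
    """Records whose quasi-identifier combination is shared by fewer than k records."""
    sizes = class_sizes(records, key)
    return [r for r in records if sizes[key(r)] < k]


def rare_values(records, field, k):
    """Values of a retained field (e.g. a diagnosis) held by fewer than k records."""
    counts = Counter(r[field] for r in records)
    return sorted(v for v, n in counts.items() if n < k)


if __name__ == "__main__":
    print("k with exact fields:      ", k_anonymity(RECORDS, exact))
    print("at risk, exact (k=2):     ", len(at_risk(RECORDS, exact, 2)))
    print("at risk, generalized (k=2):", len(at_risk(RECORDS, generalized, 2)))
    print("rare diagnoses (k=2):     ", rare_values(RECORDS, "diagnosis", 2))
```

Coarsening the fields shrinks the at-risk set but does not empty it, and the rare diagnoses remain distinctive whatever is done to the other two fields.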

Researchers and bureaucrats frequently make the appalling argument that patients would never agree to having their information used in research if they were asked. But current survey data finds the opposite. In fact, the CMA survey revealed that almost eight out of ten Canadians either strongly or somewhat agreed that they would allow their personal health information to be released to governments and researchers, but only if their consent were sought. Without consent, 51 per cent of Canadians would not agree to release their personal health information even if any identifying information were removed. Governments and researchers take note.

Protecting patients' privacy is critical to the success of electronic health networks; reminding proponents seems a truly endless task. For all the benefits these initiatives promise, they pose other substantial risks including possible inaccuracy. Dr. Denise Nagel, Executive Director of the U.S. National Coalition for Patient Rights observed that

...coerced data are not reliable data. Patients who know their health care records will be viewed by legions of strangers and non-strangers will not be truthful. They will have an incentive to omit details or fail to see a doctor at all if they feel a breach of confidentiality will have serious consequences.

Until quite recently, patients were categorically denied access to their own medical records—apparently they could not be trusted with too much information. How offensive that view seems today. Yet the same argument is made; patients are not competent to decide whether to provide their personal health information for research or administrative uses.

Among the vaunted benefits of a health information network are grandiose promises of better health care. Yet advocates offer few specific examples of real benefits (beyond virtually instant delivery of a patient's record to an emergency room). Health information networks might well help Canadians receive better healthcare in the long run. In the short run, the risks to patient confidentiality outweigh the benefits. We can and must eliminate those risks—one of which is that without proper privacy safeguards, the networks could fail from patient distrust.

To gain that trust, health related organizations and government agencies have a lot of questions to answer. For one, they must begin to explain how health information flows from the patient's primary care physician to all the secondary users. Despite repeated requests, no one seems able to chart that flow. It is difficult to have a meaningful discussion about the privacy implications of any proposed health network when all we have are generalities about what happens now.

And we all have to be clear on the definitions of the terms we use. For example, an inability to distinguish privacy from confidentiality, and both from security, is a critical misunderstanding. Ensuring confidentiality and security does not necessarily protect privacy.

Privacy is the right to be let alone, to be free from interference, from surveillance and from intrusions. It is a human right that a former Supreme Court Justice described as "at the heart of liberty in a modern state". Infringements on privacy are infringements on liberty and autonomy. To protect privacy in a health context could mean not collecting information at all.

Confidentiality implies a trust relationship between the person supplying information and the individual or organization collecting it; the relationship is built on an assurance that the information will not be disclosed without the person's permission. Confidentiality assumes information has been provided.

Security is the technology or administrative arrangements organizations use to prevent confidential information from being disclosed. It too assumes there is information to protect.

Being clear on other key definitions is also important. For example, at a May 1999 meeting on the proposed National Health Surveillance System, some participants used the term "data collectors" to mean a provincial government, laboratory or health authority. Others took it to mean the primary care physician. Even the architects of the health networks do not seem to be speaking the same language.

And even if we do manage to speak the same language, we have many issues yet to resolve. For example, of all the arguments challenging the practicality of patient privacy that need rejecting, opposition to consent is one of the most important. As Donald Haines of the American Civil Liberties Union stated in 1996, "Medical information is like the patient's right arm, and abuse of such information would be more deleterious than abuse of the arm. Whatever you wouldn't do to the right arm without patient consent, you shouldn't do to the medical information about the patient". To be able to trust any health network, we need governments to commit to making patient privacy a priority. For example, last year's annual report recommended spending some Canada Health Infoway funds to determine how the Canadian Medical Association's Health Information Privacy Code could be implemented. The CMA Code (described as a "Hippocratic Oath for the Information Age") is an excellent model for all players to emulate. Unfortunately, few are willing to consider the substantial privacy opportunities the Code offers.

Although certainly not as comprehensive as the CMA Code, a recent private member's bill by MP Greg Thompson sends the right message. His proposed Patients' Bill of Rights (Bill C-417) would give patients a right to examine and correct their health records and, better yet, the right to have their health records kept confidential unless they provide written and informed consent. The bill calls for a uniform approach by making federal funding for provincial health care contingent upon protecting and promoting patient rights.

We should also note that the Standing Senate Committee on Social Affairs, Science and Technology is currently examining the state of the health care system in Canada and expects to submit its final report by December 2001. The Committee will study

  • The fundamental principles on which the publicly funded health care system is based;
  • The historical development of the health care system;
  • Publicly funded health care systems in foreign jurisdictions;
  • The pressures and constraints on the health care system; and
  • The role of the federal government in the health care system.

We look forward to presenting our views to the Committee.

Public policy makers must ensure that future discussions about health information privacy are as open and as broad as possible if they want to move the debate forward. For a successful model they need only consider the democratic process that went into preparing the 1997 report of the House of Commons Standing Committee on Human Rights and the Status of Persons with Disabilities entitled Privacy: Where Do We Draw the Line? The committee, chaired by the Hon. Sheila Finestone, did not just go through the motions: the process took 10 months and truly advanced knowledge and understanding about privacy issues in this country. It is now almost five years since that committee began its study. Surely some Health Infoway funds could be used to establish a similar consultation process on health information privacy. Achieving consensus on this issue demands involvement of the public, privacy and patient advocates, health professionals, health-related government agencies, labs, pharmacists, and all the rest. The patients at the heart of this system deserve no less.

Progress on the Canada Health Infoway, but what about protection for patients?

The Advisory Council on Health Infostructure was established in 1997 to provide the Minister of Health with recommendations on the development of a strategy for a national health infostructure. The Council's mandate ended with the release of its Final Report last February. It's fair to say that we were pleased with several of the Council's recommendations. As we reported last year, the Council acknowledged the critical importance of privacy, citing it as one of the four strategic goals to be met when building the networks. The Council also supported specific health privacy legislation and identified the essential components of any such legislation. It also endorsed harmonizing privacy protection across all jurisdictions and specifically cautioned against sinking to the lowest common denominator. We look forward to Health Minister Allan Rock's response to the Council's Final Report.

The Commissioner wrote to the minister and the Advisory Council commenting on the Final Report and the implementation document—the Health Information Roadmap: Responding to Needs—that was released shortly after. The minister replied, "Health Canada gives privacy issues serious consideration" and "a Departmental Committee on Privacy of Health Information is being established to ensure that Health Canada adopts a consistent approach to the protection of health information". He also observed, "privacy is one of the forefront issues in our legislative renewal exercise". All this is good news indeed, if only we could be assured that the level of privacy protection would be consistently high.

Despite Minister Rock's assurances, the Canadian Institute for Health Information (CIHI) and Statistics Canada quietly released a troubling new implementation document entitled Roadmap Initiative... Launching the Process in January, which it will continue updating on the CIHI web site at

CIHI is a federally chartered but independent, not-for-profit organization. It works with Health Canada and Statistics Canada, bringing together programs from the Hospital Medical Records Institute (HMRI), the MIS Group, Health Canada (Health Information Division) and Statistics Canada (Health Statistics Division).

This new Roadmap document envisions CIHI simply monitoring progress in different jurisdictions and revisiting its existing privacy policies and procedures to see if changes are necessary. This hands-off approach seems to conflict directly with the Advisory Council's recommendations on privacy and the Minister of Health's assurances.

The latest version of the Roadmap summarizes proposals for—or expansion of—36 projects. Privacy is further watered down from the version accompanying the Advisory Council's Final Report early last year, where it was virtually absent. For example, the new version's concept of "person oriented information" to track individual encounters with the health system and non-health determinants is more detailed and ambitious. Just what is the difference between "person oriented information" and information that identifies particular individuals? It looks like another distinction without a difference.

The latest Roadmap makes several proposals that raise significant privacy concerns, for example,

  • Establishing unique national identifiers for patients, facilities and service providers;
  • Introducing national standards for reporting prescription (and the potential for tracking non-prescription) drug use;
  • Collecting more detailed information in Vital Statistics registries; and
  • Collecting more information through various disease and incident registries.

The Roadmap states that privacy, confidentiality and security issues are going to be dealt with under the Infrastructure component of the "strategic framework" being used to guide the developments.

It is troubling that Health Infoway projects are proceeding without, at the very least, the protection that the minister's own Advisory Council recommended for Canadians. And, as mentioned earlier, no Health Infoway funds have been provided to assess the impact of implementing the Canadian Medical Association's Health Information Privacy Code. And we await details from the various Health Infoway projects to chart the information exchanges. Until everyone understands what databases officials contemplate linking, no one can assess the privacy risks these linkages pose.

The Advisory Committee on Health Infostructure and the Privacy Working Group17 April 2000
In contrast to the "watch and wait" approach to privacy advocated by CIHI and Statistics Canada in the Roadmap, consultations for some action are underway among the federal, provincial and territorial (F/P/T) health officials.

The Conference of Deputy Ministers of Health is supported by a new F/P/T Advisory Committee on Health Infostructure. (This F/P/T Advisory "Committee" is distinct from the Advisory "Council", which ceased to exist following the release of its Final Report last February.)

The F/P/T Advisory Committee's mandate is to develop national strategies to enhance the use of communications technologies and information in the health sector. It has four working groups—privacy, surveillance, telehealth, and strategic planning. A fifth group may be formed to examine electronic health records.

Apparently, the privacy working group has been negotiating a "harmonization accord" or "resolution" for the Deputy Ministers of Health. The resolution would have each province and territory identify gaps in its own privacy protection, then take any additional action it considered necessary.

More protection is needed—there is cause for alarm. For example, a government-commissioned KPMG study of British Columbia's Pharmanet (the computer network of residents' prescription drug histories) revealed that too many people have access to this confidential and sensitive data. More recently, the fate of Manitoba's SmartHealth projects, such as building the Health Information Network, has been called into question by allegations of mismanagement. In a climate of such uncertainty, citizens can be forgiven for wondering whether governments are giving top priority to protecting their personal health information.

With these examples in mind, the privacy working group would do well to consult privacy advocates before finalizing this resolution. We await the call.

The National Health Surveillance Network
The health surveillance working group—one of the four working groups mentioned above—reports to the Advisory Committee on Health Infostructure.

At their June meeting in Charlottetown, federal, provincial and territorial Deputy Ministers of Health formally endorsed a proposal to develop a health surveillance network for Canada.

In our comments to Health Canada officials, we objected to many aspects of the proposal, most of which concern tracking people's lifestyles and specifically "family, economic, cultural and social circumstances". Individuals must retain the right to decide whether to participate in such a health surveillance system. Individual choice is an essential component of privacy protection that must be preserved, particularly when the network's objectives include health promotion and well-being, not simply protecting the public against imminent health risks.

Health Canada is developing a web site for the health surveillance network to inform the public about various surveillance projects. Another source of information on the projects is "", the Network for Health Surveillance in Canada newsletter at or call 1-888-288-2098.

What's in a name? The Alberta Health Information Act

Alberta's new Health Information Act (previously known as Bill 40) received Royal Assent on December 9th. The Act gives individuals a right of access to their personal health information, sets rules for the collection, use and disclosure of this information and provides for independent review by the Alberta Information and Privacy Commissioner.

While the Alberta law is less comprehensive than provisions in Saskatchewan's Health Information Protection Act (passed last year), it requires any "custodian" (i.e., any person or organization that controls health information) wanting to disclose an identifiable individual's diagnostic, treatment and care information by electronic means to first obtain the individual's consent. Given the popularity of electronic patient records and development of Alberta's we//net—a system to integrate provincial health information—we hope that provisions that give patients control over having their information put on a network or transmitted electronically will become more important.

Alberta's Information and Privacy Commissioner Robert Clark has reviewed the legislation and, while he does not oppose it, he has identified several problems. In fact, Mr. Clark observed that "Bill 40 is not a privacy act: it is an information act which provides for disclosure of information under controlled conditions". And there was vocal opposition to this bill by several groups, including the Alberta Medical Association. Among other concerns, the AMA objected that Bill 40

  • does not meet the standard in the Canadian Medical Association's Health Information Privacy Code, which the AMA has endorsed;
  • fundamentally changes the doctor/patient relationship;
  • compromises physicians' ability to safeguard patient records in their offices; and
  • redefines patient consent for therapeutic reasons to encompass a broad range of activities not directly related to the medical care of the patient.

The doctors raised important concerns. The act does not require individuals' consent for the collection, use and disclosure of their personal health information in seventeen situations. Examples include avoiding or minimizing an imminent danger to the health or safety of any person and detecting or preventing fraud. The act also does not apply to such private sector organizations as insurance companies, and there is no prohibition or sanction for collecting or using the personal health number for purposes other than health care. As well, the Minister, the Department of Health and Wellness, a Provincial Health Board, a Regional Health Authority, and the Alberta Cancer Board may ask any custodian to provide individually identifying health information. The act then allows these custodians, in turn, to further disclose the information to a number of other custodians.

One of the most troubling aspects of the new Alberta act is that it allows any custodian to develop a family or genetic history for any purpose at all, without asking patients for their consent or even informing them of this practice. The objective appears to be a massive collection and storage of this information until a researcher finds a use for it, with no established limits. This sort of unbridled tracking of personal information is particularly disturbing. What, if any, limits are there to the kind of information that could interest these researchers? Groups of people—entire families and their generations to come—can be stigmatized by health bureaucrats, insurance companies and employers using their personal health information against them.

Perhaps most revealing about the purpose and spirit of the Alberta Health Information Act is the removal of the word "protection" from the title (its 1997 title was Health Information Protection Act). What's in a name indeed?

A lifetime medical identification number for physicians

Medical students, residents and physicians in Canada will soon have a new unique lifetime identification number. According to the organizations developing the system (the Federation for Medical Licensing Authorities for Canada, the Medical Council of Canada and the Association of Canadian Medical Colleges) the nine-digit identifier will only identify the physician. It will not contain any other coded information such as specialty or licence status. These organizations argue that the identifier is needed because there are problems accurately identifying physicians. The process to assign identification numbers will be in place in several provinces starting in April 2000.

Although we asked the federation to reconsider developing this identifier, favoring other administrative fixes, we commend it for seeking our input in the first place. Asking for the privacy community's views on this type of project demonstrates a sensitivity to privacy that other organizations would do well to emulate. It remains to be seen how much impact our comments had on the original proposal.

We made several suggestions. For example, past experience has shown that personal information in an accessible form is subject to "function creep". Despite protections built into any system, the mere existence of the number will prompt creative and unrelated uses. Once all medical students and physicians are issued a number, there is a real likelihood of unauthorized access to their personal information using this number as the key. And when many organizations use any common identifier, the possibility increases that information from disparate sources will be combined into comprehensive profiles. Unique personal identifiers and powerful technologies may appear to solve immediate administrative problems but they pose long-term threats to individuals' privacy, a fundamental value in a democratic society.

Privacy Act Reform

When the federal Privacy Act was drafted in 1982, government anticipated the need to review the legislation periodically to ensure it remained relevant and effective. This was the rationale for section 75, which required a Parliamentary review three years after the act came into force, and permanently thereafter. Parliament's comprehensive 1986 review of both the Privacy Act and the Access to Information Act produced the seminal document Open and Shut: Enhancing the Right to Know and the Right to Privacy in 1987. Open and Shut made more than 100 recommendations for improving the act, none of which were translated into law. However, several recommendations appeared as policy directives, most notably those on data matching and restricting government uses of the Social Insurance Number.

More than a decade has passed since Parliament turned its mind to the Privacy Act—14 years in which the information environment has been literally transformed by the Internet, DNA testing (and other biotechnologies), data warehousing and government downsizing. Some of these challenge the very foundation of the act. We have not been shy to point out where it has proved to be wanting; throughout the 1990s the Privacy Commissioner has recommended numerous changes to the law. These have not been acted upon and the act creaks on.

The weaknesses are all the more striking now that Parliament has passed the Personal Information Protection and Electronic Documents Act. This act (which regulates personal information handling in the private sector) contains many features that are superior to the Privacy Act, making a comprehensive review of the existing law both urgent and unavoidable.

With this in mind, we began a comprehensive review of the act, aiming to develop a set of concrete recommendations for its modernization and improvement. The review was completed in December 1999 and produced more than 100 recommendations. We highlight the more significant ones here; the complete report will be available by the summer of 2000.

Give the act primacy
Although we argue that the Privacy Act is an overarching statute since it defends a fundamental human right, the act is far from clear on the point. The effect is that government institutions may routinely infringe individuals' privacy rights when another law permits. It is one of the ironies of history that when privacy was protected by the Canadian Human Rights Act, which is a statute of general applicability, it enjoyed a quasi-constitutional status that it arguably does not enjoy now. It is time to rectify the wrong and reassert privacy's rightful place among the fundamental values that underpin our free and democratic society. The Privacy Act should clearly state its primacy over all laws dealing with the collection, use and disclosure of personal information.

Make it a true "privacy" law
The Privacy Act speaks only about privacy of information. But it is increasingly evident that the state infringes on individuals' privacy in ways that do not collect "personal information" as the act defines it. Two examples are real time electronic monitoring of individuals' behaviour, which may not necessarily generate a "record", and collecting biological samples from individuals, which may not yield personal information on its face. Neither practice is regulated under the existing act. These types of privacy infringements should be no less subject to state control than any other form of information collection. We recommend that the Privacy Act's definition of personal information mirror that of the new Personal Information Protection and Electronic Documents Act which is not restricted to "recorded" information.

Clarify disclosures about public servants
Federal public servants' privacy rights have long been a matter of contention between privacy advocates and those defending the public's "right to know" how government manages the state's affairs. The Privacy Act does not protect information that "relates to the position or functions of" public servants from disclosure. We do not debate the importance of the public's right to obtain information about government operations, including some information about its employees. However, the act could better balance the public's interest in government accountability and its employees' privacy interests by defining more precisely the type of employees' personal information that could be disclosed.

Classify disclosures—with and without notice
The act is inadequate concerning a government institution's duties when it discloses personal information under the lengthy list in section 8(2). Since this section authorizes disclosure without the individual's consent there should be a corresponding duty on the institution to inform the individual about the disclosure. Clearly some disclosures could not be dependent on a duty to inform the individual before disclosure—for example, disclosures to law enforcement bodies for criminal investigations. But the same cannot be said of all the permitted disclosures. What would be the harm in notifying individuals before their information is given to National Archives for historical purposes? Disclosures should be separated into two categories; those in which prior notification is practicable and reasonable, and those that may be made without the individual's knowledge.

What purpose would prior notification serve if the government can still disclose personal information without our consent? Some argue there is little point knowing if we can do nothing to prevent it. However, prior notification would empower individuals to challenge a disclosure before it is made. In his 1991-92 annual report, the Privacy Commissioner remarked "the Access to Information Act provides a mechanism for alerting third parties, such as corporations, whose sensitive commercial information may be shared. Yet, the Privacy Act provides no similar rights to individuals whose sensitive personal information may be disclosed. Does not personal information deserve protection from abuse that is at least the equal of that afforded to corporations?" The question still begs an answer.

Government institutions should be prevented from disclosing personal information when notification is required, until the individual has been given a reasonable opportunity to either consent or object (unless failure to disclose immediately would result in some identifiable harm). The institution could disclose the information over the individual's objections, unless s/he asked the court to review the institution's decision. In that case, as in the federal Access to Information Act, the government institution would again be barred from acting until the court reviewed the matter.

Have Privacy Commissioner investigate all personal information complaints
Section 19 of the Access to Information Act requires government to deny a request for access when the record in question contains "personal information" as defined in the Privacy Act. Thus disclosure is only possible if the Privacy Act permits. However, the Information Commissioner now investigates complaints that government has denied a third party access because the information is "personal", thus determining whether the Privacy Act has been correctly applied. The Privacy Commissioner's role is limited to being notified if there is a public interest in the disclosure, or if the individual complains to the Commissioner about the disclosure. Herein lies the problem; the body whose mandate is to work in favour of making government information accessible, is charged with interpreting the application of the Privacy Act whose mandate is protecting personal information from public access.

The recommendation casts no aspersions on the integrity or competence of the Information Commissioner. Nor does it in any way usurp the Court's role as the ultimate arbiter of the law. Nevertheless, whenever government action discloses personal information in response to an access request, the Privacy Commissioner, not the Information Commissioner, should investigate any complaints involving personal information.

Expand Court review
A long-standing weakness in the existing federal Privacy Act is the individual's limited rights of access to the courts. Individuals may seek a Court review only when a government institution denies them access to their own personal information. The remedies are essentially limited to the Court ordering access to personal information if it determines that access has been improperly denied. This is an unacceptable stricture on citizens' privacy rights. The right of access to one's personal information, while important, is but one of the rights that enable individuals to exert some control over government handling of their information. Restrictions on government collection, use and disclosure are equally—arguably more—important principles that underpin all informational privacy law.

The new Personal Information Protection and Electronic Documents Act gives individuals a right to ask the courts to review the collection, use and disclosure of their information by organizations covered by the act, their access to personal information held by these organizations, as well as a right to seek compensation for any damages caused by breaches of the law. (See the discussion of Bill C-6 above.) The disparity between this act and the narrow appeal of the Privacy Act is clearly untenable; the public would enjoy fewer rights in their dealings with government than they would with the private sector. The Privacy Act needs amending to expand the matters the Court may review and the remedies available to complainants.

Incorporate rules for data matching
The Privacy Act has no specific rules governing data matching. Although Treasury Board established guidelines on data matching in 1989, these are simply a policy directive and do not have the force of law. The guidelines require the matching department to submit a detailed proposal for the Privacy Commissioner's review. Given the few proposals submitted, we have long suspected that most data matching is not being reported and thus is invisible to both the Commissioner and—more important—the public. Were the duty to report set out in law, government institutions might be more forthcoming or face the consequences.

Simple delinquency may be the cause for the sporadic reporting. It is also probable that government officials do not recognize a procedure as a data match, raising questions about the clarity of the policy directive. Technically a data match is any comparison of personal information collected from different sources for different purposes. This would include matches to confirm that information contained in one database corresponds to that of another. It is highly likely that bureaucrats do not recognize this kind of data confirmation as a proper data match. While data matches of this kind ("up-front" matches) might be less privacy intrusive when individuals are notified, they are no less a match and should be reported.

Data matching, however, can generate information beyond simply confirming that details are consistent in various databases. It can yield new and previously unknown information about an individual not evident in either database. This form of data matching clearly is more privacy invasive if it collects information indirectly without the individual's knowledge and consent. All of this highlights the critical importance of greater transparency and control over data matching as well as rules to properly assess government matching proposals. These are noticeably absent in the existing data matching policy and should be expressed in law to provide appropriate guidance to government institutions.

Controlling information in public registers
The act's use and disclosure provisions do not apply to personal information that is "publicly available". What information can be considered "publicly available" has been the subject of heated debate since the act's very inception. Gradually two clear circumstances have emerged; the first when the individual gives express or implied consent for disclosure, and the second when information is required by law to be available for public inspection. The latter circumstance prompts the greatest privacy concerns.

The most common example of publicly available personal information is that held in a "government registry" (such as the Bankruptcy Registry or the Lobbyist Registry). Although there is a valid public interest in having the information available for inspection, few if any government registries control what details they disclose, the volume of records, or the uses that others can make of the information once disclosed. This has led to putting public registers on the Internet and bulk disclosures for marketing purposes. Arguably, government did not contemplate either use when they created the registers. Government institutions should never disclose personal information from a government registry for any purpose other than the one for which the registry was established. Nor should they disclose the registry's entire population or even make it available for inspection without specific controls. Manitoba's Freedom of Information and Protection of Privacy Act is an example of the type of control we envisage. That act expressly prohibits the disclosure of personal information held by a government registry on a "volume or bulk basis." These and other rules on government registries should be included in the federal Privacy Act.

Expand mandate of the Privacy Commissioner
The Privacy Commissioner's ability to fulfil the ombudsman role has frequently been frustrated by limitations in the Privacy Act. For example, the Commissioner's role as a privacy advocate has been thwarted by his limited ability to seek Court review. As previously mentioned, the act only authorizes the Privacy Commissioner to ask the Court to review a complaint that access has been improperly denied. The law is silent on Court review of improper government collection, use, disclosure and disposal of Canadians' personal information. The act also does not expressly mandate the Privacy Commissioner to undertake research and prepare reports on privacy issues, nor to evaluate the privacy impact of legislation or new information management systems. And the Commissioner has no legislative mandate to educate the public about their informational privacy rights. While this silence has not prevented the Privacy Commissioner from pushing the limits when the public's privacy rights were at risk, without an express mandate there are no funds. This imposes such tight financial strictures that it hobbles the public's privacy ombudsman; these and other powers should be clearly stated in the legislation.

These are simply some of the principal recommendations we will ask Parliament to consider in amending the existing Privacy Act. Past efforts have been directed at fine-tuning specific provisions. Now nothing short of a major overhaul of the legislation is required. With the passage of the Personal Information Protection and Electronic Documents Act into law, amending the Privacy Act becomes a legislative imperative. The chance to revisit and rework a piece of legislation comes rarely in the life of a statute; it is all the more important to seize the opportunity and do what must be done to protect the privacy interests of future generations.

Counting Canadians—Keeping Promises, Building Trust

2001 Census—enhancing transparency in the census collection process

On May 15, 2001, Statistics Canada will ask some 31 million people in about 12.8 million households to complete and return their census questionnaires. Collecting the data will require 40,000 field staff, working from five regional offices. The total projected cost for the 2001 Census is $400 million.

The census is the federal government's largest collection of personal information and arguably its most detailed for the 20 per cent of Canadians who receive the long form. Naturally, Statistics Canada's conduct of the census interests the Privacy Commissioner.

As in previous censuses, 80 per cent of Canadian households receive the short questionnaire. The short form normally contains basic demographic questions, such as date of birth, sex, marital and common-law status and the relationship of persons living in the household. It could also include a question on the language first learned at home.

The remaining 20 per cent of Canadian households receive the long form. In 1996, in addition to the basic demographic data, the long form asked 47 additional questions on physical limitations, language knowledge, education, work and household activities, immigration, ethnicity and aboriginal status, housing, shelter costs and income. Some respondents consider many of these questions very intrusive, sensitive or even offensive.

Although Statistics Canada provides Canadians a good deal of information about the process of completing and returning their census forms, it does not adequately inform Canadians that local census representatives in each community examine their completed questionnaires before sending them to Statistics Canada in Ottawa. Thus, respondents are not warned that someone they know could examine their completed form.

Of all the privacy complaints the Office received following the 1991 and 1996 censuses, those that generated the strongest negative reactions concerned respondents and census takers knowing each other. In most cases, complainants were both shocked and angry to learn that neighbours serving as census representatives reviewed their completed questionnaires; they assumed an unknown bureaucrat in Ottawa reviewed the information.

In summary, complainants felt the process had betrayed the promise of confidentiality and were outraged that friends, neighbours and others whom they know could have access to such financial information as the family members' income, mortgage payments, retirement savings and utility bills.

The great majority of complainants drew little comfort from Statistics Canada swearing census workers to secrecy or the possibility of fines and/or jail terms if they revealed personal information. Neither did much to remedy the resulting embarrassment and invasion of their privacy. Having their completed census forms reviewed by some unknown civil servant in Ottawa mitigated the intrusion to some extent. The Privacy Commissioner observed that allowing collection by neighbours who know the respondents demonstrates a complete lack of understanding of what privacy means.

To resolve the problems, Statistics Canada advised the Commissioner that it was developing a centralized edit methodology to replace the current system. Rather than returning completed questionnaires from an enumeration area to the local enumerator for editing and follow-up, all census questionnaires would be sent to district offices. Local enumerators would deal only with households that had not returned the form or with problems that district office staff could not resolve by telephone. In those cases, Statistics Canada could ensure that the assigned field enumerators were not local.

The "Centralized Edit System" was tested during the 1996 Census and again during the October 1998 "National Census Test" to prepare for the 2001 Census. Unfortunately, Statistics Canada found the tests did not yield the anticipated results. Centralized editing led to increased risks that respondents would not complete the forms, complete them only partially, and not return them. This caused more contacts with respondents than needed in the traditional method, increasing the risk of friction between census staff and respondents. This problem, combined with Statistics Canada's incomplete and sometimes inaccurate household address file, convinced the agency not to use the centralized edit methodology for the 2001 Census.

Statistics Canada continues reviewing options for the 2001 census, such as computer-assisted telephone interviews in two regional offices, and collection over the Internet. Apparently the agency will test the Internet option on two Web sites during the next census. Respondents will be assigned a Personal Information Number (PIN) and their response data will be encrypted, thus eliminating the need to mail back census questionnaires to local census enumerators. Statistics Canada is also considering cutting the number of times census staff have to go back to respondents. In fact, the agency would like to reduce the rejection rate for the long questionnaires from 55 per cent to 35 per cent, significantly reducing the number of contacts with households and thus the friction between respondents and census staff.

Two tests will be conducted in the 2001 census and the results compared; one using a sample of 125,000 long questionnaires (approximately 5 per cent) for which there will be no edit and no follow-up, and the other using a sample of 325,000 long questionnaires (approximately 14 per cent) involving only telephone follow-up.

Statistics Canada will also assign census takers in urban areas to neighborhoods outside their own, thus reducing the risks of their collecting information about someone they know. This requirement will be considered when the agency hires staff for the next census. However, in rural areas and small towns it is not possible to guarantee that respondents and census representatives will not know one another; the pool of available staff is not large enough to avoid the situation. In addition, Statistics Canada finds that the only way to ensure all households are enumerated in rural areas is by assigning someone thoroughly familiar with the area.

However, Statistics Canada will attempt to alleviate the problem with several steps. It will print on the back of both the questionnaire package and the return envelope an advisory that a "Statistics Canada representative responsible for your area" will review the questionnaires. Respondents who object to providing their completed census form to their local enumerator will be told by the enumerator or the Census Help Line that they can have a census commissioner collect the information or they can mail their completed form to the regional office. The agency will also provide census staff additional training and procedures to emphasize the importance of protecting collected information and heighten census enumerators' awareness of privacy concerns.

Although these steps might address some aspects of the problem, they do not resolve it. The Commissioner is concerned that the process lacks transparency. For example, the proposed message on envelopes advising that an agency official will review their questionnaire does not alert respondents to the possibility that it might be someone they know—a neighbour or friend.

Since Statistics Canada recognizes that it is not uncommon for residents in a collection area to know the enumerator (and particularly true in rural areas), it must clearly inform respondents about the probability and offer them options for returning the questionnaire. And these measures should apply to both the short and the long questionnaires because the short form will ask a question on sexual orientation (same-sex partner). The Office suggested wording to include in both the census guide and on the front of both census forms that would meet the transparency requirement:

Although Statistics Canada is taking measures to avoid having census enumerators work in areas close to where they live and/or to ensure that enumerators do not know any of the respondents in their collection area, residents in a collection area might know their local enumerator. If you are personally acquainted with the local enumerator and feel uncomfortable giving information to this person, please call our 1(800) Census Help Line to find out about the alternate arrangements for returning your completed questionnaire without having the local enumerator see it.

The Office also believes that part of the problem could be avoided by clearly instructing census representatives to actively offer alternate arrangements when they know the householder. It is best to offer this option at the outset rather than waiting to have the respondent object. Census representatives must also be instructed to turn over the completed questionnaires of anyone they know to the area census commissioner.

Historical census records

Last year we reported on the debate over releasing post-1901 census returns. All censuses in Canada since 1901 have been the subject of a repeated promise—set out first in regulation, then in legislation—that individual returns would not be disclosed to anyone outside Statistics Canada. As a result, Statistics Canada is legally prohibited from releasing the completed census forms to the National Archives. This has angered historians and genealogists seeking access to the information, and they have publicly called for retroactive changes to the law.

Any government promise of confidentiality is serious enough, but the one protecting the census is particularly important. Census questions demand personal information. The information gathered through 20th century censuses became steadily more intrusive, but even early in the 1900s some questions—about, for example, education, religion, nationality, race, occupation, and earnings—were intrusive. And the answers revealed information that people would not necessarily choose to make public. Canadians are required to answer census questionnaires and the maximum penalties for failing to comply are severe: fines and imprisonment. Keeping the information confidential, using the information for statistical purposes only and not releasing it in identifiable form are arguably the trade-offs that bolster public acceptance of censuses, and compliance with the law.

Despite the clear prohibition on release of the material, the Minister of Industry last year asked Statistics Canada to look at ways in which the legislation might be amended to allow access to individual census returns. Statistics Canada proposed two options: amending the Statistics Act to allow access to the 2001 and all subsequent censuses; or amending the act retroactively to override the confidentiality provisions. The Privacy Commissioner opposed both options; the first because the absence of guaranteed confidentiality risked compromising the census process, and the second because it would break the legal promise Parliament made to Canadians.

The Minister's response was to set up an expert panel to examine the issues and make recommendations. The Commissioner appeared before the panel in February 2000.

The Commissioner urged the panel to recognize the important social issues of privacy and governance the debate has raised. He pointed out that the question is not whether a "personal" or "individual" interest in privacy should cede to a "public" or "societal" interest in genealogical and historical research. The historians and genealogists who want access to the census materials do not have an exclusive claim to represent the public interest or express a public right. Privacy is also a public right, upon which rest the freedoms and mutual respect fundamental to Canadian society. What was facing the panel was more than a decision about the privacy of the respondents to the 1906 or 1911 census. Its decision will have implications for their privacy certainly, but it will also have an impact on the privacy of all Canadians.

A number of important privacy issues are at stake. Most critical is the principle, found in all data protection laws and codes, that personal information should not be used for purposes unrelated to those for which it was collected. Any such unrelated use should depend on the consent of the person who gave up the information.

Another issue is the problem of keeping personal information longer than required for its stated and intended use. The very existence of these records, long after their legitimate statistical function has been fulfilled, is an invitation to unrelated uses. This is a typical example of what privacy advocates call "function creep", and highlights the importance of establishing and respecting limits on retention of information.

Finally, there is the question of when an individual's privacy rights can be considered extinguished. Some suggest that the privacy rights of those who completed the 1906 and 1911 census returns have somehow vanished. Even assuming that all are dead (which is not necessarily true), this proposition is not self-evident. As a matter of general principle, society recognizes that some rights continue after death; this is the basis on which people are allowed and even encouraged to dictate in their wills how their property is to be distributed after their death. The Privacy Act itself recognizes that information remains "personal" for 20 years after the death of the person concerned.

The Commissioner stressed that any proposal to amend the law retroactively should be approached with great caution, lest the result diminish confidence in government promises—not just in specific agencies, but also in government that professes to rule with the consent of the governed. Proponents have presented a retroactive amendment as though it were innocuous. The promise of confidentiality has been described as "a legal technicality in an outdated piece of legislation." The Commissioner, however, reminded the panel that the promise of confidentiality was fundamental to the process of obtaining answers to census questions.

Canadians have never been particularly comfortable about the intrusiveness of census questions. The number of inquiries and complaints to the Privacy Commissioner over the years is one indicator of this discomfort. Yet Canada's census response rate is high. Despite the intrusiveness of the questions, the sensitivity of the answers, and their unease with the process, Canadians agree to participate.

Part of the reason is that they are coerced. Intrusive questions were, and are, backed by the threat of fines or imprisonment. But governance in Canada does not rest primarily on coercion. Indeed, as generations of Canadian schoolchildren have been encouraged to appreciate, one of the principal points of pride in Canadian society is responsible government that rules with the consent of the governed. At the heart of the census process was not the threat of force but an agreement between government and governed: that intrusive questions would be answered, but that the answers would be protected. To abrogate the promise retroactively risks trivializing that agreement, and all such agreements.

The Commissioner also recommended that, if the panel chose not to support the government's promises and Canadians' privacy rights, at the very least it should consider a compromise that would mitigate the impact on privacy and governance. Recognizing that the census returns are of particular interest to historians and genealogists because they are one of the few sources of documentation about Canadians in the early 20th century, the Commissioner suggested determining a date after which genealogists' and historians' objectives could be met without having access to the census materials. Census returns dating before the cut-off could be released to the National Archives. All census returns after that date would be destroyed, once they fulfil their legitimate statistical use.

The Commissioner also urged the panel to consider whether "tombstone" data—names, ages, addresses—could be isolated from the more intrusive details, on the principle that government should first try the least intrusive measure that would achieve the objectives and resort to more intrusive measures only when genuinely required.

If Parliament amends the Statistics Act to remove confidentiality, the process must be transparent. Statistics Canada must advise Canadians when it conducts the census that it will eventually release the information. If, as Statistics Canada says, confidentiality is one of its most effective ways of securing willing cooperation, then Parliament must find some other way of convincing Canadians to cooperate. The Commissioner also urged the panel to consider Australia's model, which will allow respondents to the 2001 census to choose (by opting in) to have their returns stored and released after 99 years. (Australia currently destroys its census returns.)

Finally, the Commissioner observed that retroactive change to the agreement between government and governed undoes the conditions under which Canadians participated in the census. Such a change must be the subject of full Parliamentary debate, with every MP required to consider it and be held publicly accountable.

The Commissioner's brief, "The census returns, privacy, and questions of governance," is available from our Office and on our website.

SIN, Again

Some issues never go away. Looking back on past annual reports, SIN stories have been a recurring feature. This year's edition continues the tradition with two stories. The first deals with Human Resources Development Canada's (HRDC) proposals to improve its management of the number following the Auditor General's critical report. That report, discussed in last year's annual report, raised several concerns, not least of which was the extensive use of the SIN as a widespread identifier. Past efforts to control the SIN have included several private members' bills, one by then-MP Perrin Beatty in 1979. In 1987 a Parliamentary committee recommended rigorous controls following its three-year review of the Privacy Act. Government acted on neither although it did introduce a policy limiting federal government use of the number. Now twenty years after Mr. Beatty first proposed legislative restrictions, government continues studying ways to control private sector use of SIN. To borrow one of the popular marketing slogans of our time, our advice is "Just do it".

The second article deals with a New Brunswick pilot project that was intended to improve HRDC's administration of the SIN, another longstanding issue, by speeding up issuance of SINs and improving the process of verifying the information required to obtain a SIN.

The HRDC Position Paper
One result of the Auditor General's review was Parliament's tasking the Standing Committee on Human Resources Development and the Status of Persons with Disabilities (the Standing Committee) with studying the administration and policy regime governing the SIN. The Standing Committee's report, Beyond the Numbers: The Future of the Social Insurance Number System in Canada, recommended legislation to establish legal uses of SIN and penalties for misuse. The report also recommended that HRDC prepare a position paper assessing various options for addressing long standing administrative problems with the management of the SIN, as well as the privacy concerns.

HRDC tabled its position paper, A Commitment to Improvement: The Government of Canada's Social Insurance Number Policy, before Parliament on December 7, 1999. The paper considered three policy options: 1) transforming the SIN into a national common client identifier supported by biometrics technology; 2) drafting specific legislation to limit who may use SINs and for what purposes, and introducing administrative reforms to improve its management; and 3) amending existing legislation to improve SIN management, complemented by the safeguards in Bill C-6 against private sector abuse of personal data such as the SIN.

The position paper rejected transforming the SIN into a national common client identifier, in part because the costs would be prohibitive. The government estimated the costs for issuing high tech cards supported by biometric technology at $1.1 billion to $3.6 billion. The government also acknowledged that establishing a comprehensive national system of identification would carry with it "severe privacy concerns". But HRDC's paper also rejected legal restrictions on SIN use, thus dismissing one of the Standing Committee's key recommendations. HRDC rejected this option arguing it "would almost certainly lead to increased financial costs to business due to a generally less reliable credit checking system".

HRDC suggests that it can deal largely with its SIN management problems under current legislation, except for certain limited amendments to the Employment Insurance Act. The department is also relying on Bill C-6 to resolve recurring concerns about the private sector's uncontrolled use and abuse of the SIN. It expects to improve its management of the SIN by reducing the number of documents accepted as proof of identity for new SIN applicants, and increasing its access to sources such as provincial vital statistic registries to verify identity (see the New Brunswick project below).

In order to detect and prevent fraudulent use of the SIN, the position paper also describes measures to expand users' access to the Social Insurance Register. This would allow certain provincial authorities, and potentially even private companies, using the SIN to verify a number's authenticity and the identity of its rightful owner. In addition to basic identifying data, users could also obtain information about the status of the SIN; for example, that the individual is dead or the account has been cancelled, has been inactive for 5 years, or is under investigation. Access to this information would alert users to possible problems or irregularities associated with the number.

HRDC also recommends amending the Employment Insurance Act to help detect and deter fraud. Those amendments would both expand the range of SIN-related offences subject to administrative sanctions and increase the severity of those sanctions. Among the offences are 1) illegally using the SIN to claim employment insurance benefits; 2) illegally using the SIN in connection with another federal, provincial or municipal department or agency; and 3) illegally using a SIN in dealings with the private sector. Penalties for these offences would range from $400 to $1,200.

We are immensely relieved that the government rejected the proposal to introduce a national system of citizen identification, an idea that we have long opposed. Nevertheless, we are disappointed that HRDC rejected the Standing Committee's recommendation to set out in law who may use the SIN and for what purposes. Any legislative regime that permits both federal and provincial governments to use SINs for any purpose, coupled with expanded access to the SIN Register for client identification, risks transforming the SIN into the very thing the government said it should not become—a de facto national common client identifier.


We can appreciate in principle HRDC's rationale for collecting and storing certain information about the status of a SIN, and for sharing the information with authorized users. But the initiative poses significant privacy risks if not strictly regulated. The register currently collects and discloses limited information; the government position paper opens the door for expansion.

These risks inherent in the current permissive legislation further justify enacting specific legislation governing the SIN. HRDC rejected this option, however, arguing that it would force the private sector to incur unacceptable financial costs and risks if it were denied the right to collect and use the SIN for its own purposes. It will rely on Bill C-6 to prevent any abuse of the SIN in the private sector.

The claim of undue hardship on the private sector is, frankly, unsubstantiated. HRDC had promised to survey private organizations concerning their use and misuse of the SIN but it did not do so before preparing its position paper. HRDC, in conjunction with Statistics Canada, is now preparing to conduct such a survey.

We hope that this survey will shed some light on the ability of Bill C-6 to deal with all the abuses of the SIN in the private sector. Although the legislation will require private organizations to obtain individuals' consent for any use of their SIN, those are uses the SIN was never intended to serve. Allowing private sector convenience to override legitimate legal protection for Canadians' social program and tax number is putting the cart before the horse.

If many different businesses use the SIN as a common file identifier, the scope for covert data linkages increases dramatically because the SIN, along with other personal account numbers, can be used as a kind of access key whose mere possession can be construed as authorizing a data transfer or linkage. This risk is made all the more serious by the principle of "implied consent" which Bill C-6 expressly recognizes. Other foreign personal data protection laws—notably those of Hong Kong, Australia and New Zealand—expressly limit the right of private organizations to use personal and file identifiers assigned by other organizations. With no such prohibition in Bill C-6, there is a compelling case for legal restrictions on SIN.

We commend HRDC's proposal to expand the list of offences that will incur administrative sanctions; however, we question whether the penalties are a sufficient deterrent. Identity theft is an expanding and increasingly profitable crime; there are substantial gains to be made from misusing the SIN and other identifiers. In our view, the penalties for abuse of the SIN should be proportional to the potential harm that innocent people may suffer from its illegal use. The present proposals fall far short.

New Brunswick SIN Tele-App Pilot Project
The New Brunswick Pilot Project was a partnership between HRDC and New Brunswick's Vital Statistics branch conducted between April and October 1998. During that period, native New Brunswickers could apply for a SIN by telephone using Integrated Voice Response (IVR) technology and an HRDC agent. HRDC would then verify the applicant's identity on-line with the provincial birth, marriage, change-of-name and death registries. Once the information was verified, the HRDC agent could approve the application, create a new record in the Social Insurance Register database and issue the applicant a new SIN over the telephone. A SIN card would follow in five to seven days.

Early in September 1999, HRDC gave the Office its evaluation report on the pilot project for review and comments. We assessed whether using provincial vital statistics data to validate SIN applicants' information complied with the fair information principles of the Privacy Act. These principles essentially define how and when personal information may be collected, kept, used, disclosed to third parties, and finally destroyed.

We concluded that the Employment Insurance Act and the Canada Pension Plan Act gave HRDC the legal authority to collect all the information needed to identify accurately individuals who apply for a SIN, a replacement card, or to amend their social insurance register records. We also determined that the New Brunswick Vital Statistics Act allowed HRDC access to selected personal information to register New Brunswick-born applicants for SINs, and to ensure the information applicants provided was accurate.

HRDC's access to the registries was limited to selected data elements related to births, marriages, deaths and changes of name that it clearly required to verify a telephone applicant's identity. Although collecting this personal information appeared to be directly related to, and necessary for, the operation of lawful HRDC programs, we were concerned about it collecting information from the province's marriage registry. While it is acceptable for HRDC to use marital information to authenticate the applicant's identity, HRDC should not record this information in the SIN Register unless the applicant's name changed as a result of marriage.

HRDC also reported that more than 500 SIN applications were rejected for various reasons during the pilot project. What happened to the information (for example, birth registration or credit card numbers) submitted by applicants who were subsequently rejected, or who changed their minds and discontinued the calls? Did HRDC keep the information?

The Office also looked at the transparency of the process for applicants. We found the system provided callers clear instructions on how to apply for the card. They were informed about the information required, how the information would be used, and who would have access to it. They could exit the system at any point. By staying on the line and entering the requested information on the telephone keypad, applicants were effectively authorizing HRDC to proceed with their application. However, we believe that HRDC should make it clear in its instructions that callers are consenting when they enter the information.

Although vital statistics records can be a valuable source to verify data for the SIN registration system, this use may have privacy implications for provincial vital statistics agencies. Traditionally, birth, marriage and death records are created for civil registration, providing birth, marriage and death certificates, and compiling vital statistics. Any disclosures for administrative purposes beyond those the province gave when it collected the information could violate provincial fair information codes. These codes, like the Privacy Act, require that personal information be used only for the purpose for which it was obtained. Any departures from the principles need justifying on strong public interest grounds.

Provincial vital statistics agencies will have to answer this question if HRDC seeks to expand its project to other provinces and territories. They will also have to consider whether they have the necessary legal framework in place to allow HRDC on-line access to vital statistics registries for its SIN registration program.

But there are more than privacy and legal implications; sharing or linking vital statistics data between provincial and territorial vital statistics agencies and HRDC raises concerns about confidentiality and security. Organizations that link data must have all the necessary safeguards in place to ensure that only authorized staff have access at the right time for the right purpose. Thus, if HRDC decides to expand its SIN Tele-App project to other provinces, not only will it have to deal with the problem of potentially incompatible operating systems, it will also have to ensure the confidentiality and security of the data. Although we did not receive all the technical details of the New Brunswick system, it did appear to have the requisite controls in place to ensure the confidentiality and the security of all the information being exchanged.

At the end of the pilot project in October 1998, New Brunswick Vital Statistics agreed to store on HRDC servers all of its information required to process a SIN application. This arrangement fails two privacy tests: HRDC is effectively collecting information about everyone on the vital statistics registers, including those who have not yet applied or who may never apply for a SIN. Thus it is collecting far more information than it needs and violating the collection principle of the Privacy Act. Such a blanket collection also fails to respect another fundamental privacy principle—consent. Federal institutions are required, wherever possible, to obtain individuals' consent before collecting their information from another source.

We also learned that HRDC has continued access to the New Brunswick registries when processing mailed applications from those born in the province. We do not know whether these applicants were clearly informed at the time that their information would be cross-checked with the provincial vital statistics databases. HRDC is responsible for telling these applicants how their data will be used; failure to do so would contravene the principle that government must inform individuals why information is needed and how it will be used.

Our comments were submitted to the standing committee and HRDC in early December 1999. In late February 2000, we met with HRDC representatives to discuss our comments.

As a result of the meeting, the HRDC representatives agreed to work on a solution to inform the public that any names formerly used, for example a married name, will be maintained in the SIN Register. They also agreed to consider the suggestions that the agreement between HRDC and the Government of New Brunswick to store all the provincial vital statistics information on an HRDC server clearly reflect the fact that the information is used only for the intended purpose of registering individuals for a SIN, and that ownership of the information belongs to the province. HRDC agreed to modify the paper application and the telephone message on the SIN Tele-App system to ensure that the public is informed about the use HRDC makes of the information that is made available by Vital Statistics.

HRDC participants explained that, in the cases where it was necessary to reject a SIN application through the SIN Tele-App process, the information was deleted from the records and no information was retained. In the case of the paper application process the information is maintained in a separate file for a six-month period pending the resubmission of the application from the applicant. HRDC will identify a method that will be used in both the SIN Tele-App and the paper application process to inform the general public that in cases where it is necessary to reject an application, the applicant's information will be retained on file for a period of six months, and will be used to process the application when resubmitted.

Finally, HRDC has assured us that the Office will be kept abreast of any future developments as the department moves ahead with a national roll out of the SIN Tele-App service.

A Citizen Profile in all but Name—HRDC's Longitudinal Labour Force File

The audit
Two years ago the Office concentrated its meagre compliance resources (four staff) almost entirely on Human Resources Development Canada (HRDC). Why?

The choice was fairly obvious. With federal government reorganization, HRDC became a virtual behemoth—the federal government's largest repository of personal information on its citizens. The department absorbed labour market adjustment programs from the former Labour Canada, social and income security programs from the former Health and Welfare Canada, social development and education programs from Secretary of State, and Unemployment Insurance and labour market programs from Employment and Immigration Canada and the Canada Employment Insurance Commission.

The department is tasked with providing a safe, healthy and stable work environment, administering income security programs, and helping individual Canadians find and keep work. The result is a huge clientele and workload, a budget to match, and a comprehensive collection of personal data on virtually everyone in the country—all of which combine to exert intense pressures on HRDC to ensure its programs are delivering the goods, and to tighten and fine tune the systems to eliminate fraud.

HRDC depends heavily on information technology to deliver, monitor and assess programs and services—indeed, given the workload and staff cuts, the department could likely not function without it. The department is also a natural candidate for devising new applications for technology. But the combination of huge personal databases, powerful computer systems and growing links with provincial social programs and the private sector as the federal government downloads service delivery, makes HRDC a natural focus for privacy concerns.

The audit team concentrated on an informal but systematic review from which it assembled a profile of the department. We identified the information collected and the purpose, followed its flow through HRDC, and identified the subsidiary uses and sharing of the data and its retention standards. From there the team concentrated its resources on those activities that seemed to put clients' privacy most at risk. Two of these stood out; the Common Client Identifier project and the Longitudinal Labour Force File.

The Longitudinal Labour Force File
Successive Privacy Commissioners have assured Canadians that there was no single federal government file, or profile about them. We were wrong—or not right enough for comfort.

Not having a single client file is a good thing—on the principle that the more separate the databases, the lower the risk of indiscriminate collection, unrelated uses and improper disclosures of personal data. Organizing information into "silos"—discrete collections—may be less "efficient" but more protective of individual privacy, as each silo holds only information required for a particular purpose. Only Statistics Canada gathers comprehensive information about individuals but does so only for statistical purposes, not to make decisions about them. And Statistics Canada's data is stringently protected; abusers can be fined and jailed.

HRDC's Strategic Policy Branch developed the Longitudinal Labour Force File for research, evaluation, policy and program analysis to support departmental programs and services.

The Longitudinal Labour Force File is the next thing to a citizen profile. The research database contains records on more than 33.7 million individuals—at last count—drawn from widely separate internal and external government files and time periods. The data is never purged, which explains why there are more records than the entire population of Canada.

The Data Development & Technical Services group in the Strategic Policy Branch extracts data gathered from other federal departments and other levels of government using personal identifiers. The group updates the databases frequently to ensure the information is as current as possible and reflects changes to legislation and operational procedures. The data is drawn from files in several programs, including

  • T1-Income Tax Returns and T4-S and T4-F forms issued for income tax purposes;
  • Child Tax Benefits;
  • Immigration and Visitors files (from EIC - 1993 or earlier);
  • Provincial and municipal welfare files;
  • National Training Program;
  • Canadian Job Strategy;
  • National Employment Services;
  • Employment Insurance Administrative;
  • Record of Employment, and
  • Social Insurance Master file.

And there are proposals to expand the database to include data on social assistance recipients from additional provinces and territories, as well as data from the Canada Student Loan Program, the Canada Pension Plan and the Old Age Security Program.

A de facto citizen profile
Following the audit, the Commissioner wrote to HRDC setting out his profound concerns about what amounts to a comprehensive, permanent and to all intents, invisible citizen profile. A steady exchange of letters and telephone calls ensued.

Gathering some data for research is not necessarily a privacy intrusion. Many government databases may be used for research, and the Privacy Act specifically allows research disclosures. What, then, is the problem with the Longitudinal Labour Force File?

There are several. First, its comprehensiveness; this is an extraordinarily detailed database, which could contain as many as 2000 elements on an individual including education, marital/family status, language, citizenship and landed immigrant status, ethnic origin, mobility, disabilities, income tax data, employment histories, labour market activities, use of social assistance and Employment Insurance. Continually centralizing and integrating so much personal data on almost every person in Canada poses significant risks to our privacy.

Second, the database is relatively invisible. HRDC is not trying to hide its existence. In fact, it describes the database in Info Source and on its Web site. Unfortunately, neither is widely read, nor easily understood, and the description of the database contains few details. Canadians don't know how much information is being collected about them or the extent to which it is being integrated and shared with others. For example, how many taxpayers know their financial information is in an HRDC profile? HRDC can provide the data to private sector research firms under contract for planning, statistics, research and evaluation. It can give the data to non-government organizations (such as academic researchers and universities) to carry out studies on HRDC's behalf under a formal agreement or contractual arrangement. Some of the information may also be used by government organizations (e.g. Statistics Canada, provincial and territorial governments) to conduct research into the labour force, the labour market and other related fields.

Third, its permanence; this database is never purged. The database captures information from the cradle to the grave and beyond. Research databases should have defined parameters that include a limited storage time. Without an end, the temptation is to subject everyone to unrelenting information surveillance. This database needs limits.

Fourth, there is no legal protective framework. The government's pre-eminent statistical agency, Statistics Canada, operates under very strict legislation—complete with penalties—to protect the personal data it gathers for research and statistics. It cannot share, sell, or use this information for operational purposes. No such walls protect the HRDC research databases.

Compiling such comprehensive longitudinal records by record linkage or matching is a hazard to informational privacy because of the temptation for government to use the information for data mining and individual profiling. A so-called "research database" may soon lend itself to other purposes, raising fears that data could be used to make decisions or predictions about individuals, or could be retrieved in unforeseen ways—by disabilities or ethnic origin, for example—to the detriment of individual rights. This fear is not unfounded; about two years ago HRDC launched a pilot project—the Service Outcome Measurement System—to use research data for program administration. The pilot was put on hold while the department focused on Y2K projects.

We first alerted HRDC to our serious concerns about the Longitudinal Labour Force File in September 1998, and repeatedly since. In summary, the Commissioner urged the department to

  • Establish a fixed retention span for data in the Long File;
  • Introduce penalties and sanctions for misuse of the information;
  • Ensure that research data not be used for program administration;
  • Establish strict controls and data protection safeguards on its collection, use and retention of any personal information used for research and evaluation; and
  • Incorporate in its enabling legislation a clear purpose-specific research mandate.

HRDC's response
HRDC conducted its own internal review focussing on the size of the database, its indirect method of collection, notification of individuals about secondary uses and its permanent retention of the data. In September 1999, HRDC provided us a copy of the report.

The size of the database: HRDC considers all the data vital to help it develop policy, manage the effectiveness of its "interventions" and improve programs and service delivery. It rejects the observation that the collection seems speculative but—tellingly—observes, "from a pure business perspective, it would not be effective for HRDC to collect and maintain information that is not useful." The department argues that a credible evaluation of the "labour market and social policy analysis must take account of a daunting array of factors", and this information must be "disaggregated" to identify target specific groups and areas and to assess impacts on groups and individuals. The department also observes that all the information relates to its own operating programs or can be disclosed by other departments under their own legislation and therefore is permissible under the Privacy Act.

Indirect collection: The department argues that it is required to collect the information directly from the individual only when it intends to use it for an administrative purpose; that is, to make a decision directly affecting the person. Since the Long File is not used for that purpose, direct collection is not required. HRDC also maintains that since the Privacy Act only requires direct collection "whenever possible", Parliament has specifically authorized indirect collection in circumstances such as this when, as HRDC maintains, "it would not be possible to obtain the information directly from the individual." Finally, it observes that departments may disclose information under section 8(2), which includes a disclosure for research.

Clear notification: HRDC argues that it does not need to inform individuals about its indirect collection because the Privacy Act requires federal institutions to "inform the person from whom they collect personal information". Since it collects individuals' information from another organization, and since it will make no decisions about the person based on the Long File, HRDC maintains it need not notify the individuals. However, the department undertook to review its description in Info Source of the content and use of the database.

Unlimited retention: The department rejected this concern, arguing it needs to analyse the data through different market cycles and to assess the impact of such variables as free trade, technological change and market globalization. It also observed that the Privacy Act does not speak about retention limits on research databases.

No protective framework: HRDC argues that existing legislation and internal policies provide adequate protection of personal information. Personal data is masked and access to unmasked data is limited. However, it concedes that there are fewer penalties for those who misuse information than in the Statistics Act and the Income Tax Act. Nevertheless, the department believes its staff professionalism and internal policies are sufficient.

HRDC concluded that it "respects all the privacy legislation as well as related legislation and associated rules".

Since then, the department has agreed to limit the retention span of the information to 25 years, tighten access to the data and introduce measures to prevent administrative use of the information. HRDC is also considering amendments to its legislation to provide penalties and sanctions for misusing the information.

The privacy position: The Commissioner commended HRDC for the moves but underlined that most of its actions focus on protecting security, not privacy. He wrote, "...it is very difficult for me to accept, for example, on the basis of your review, that all of the information contained in the Longitudinal Labour Force File is indeed directly relevant and necessary to HRDC's operating program and policy activities." And in a later letter he observed, "...I still view the Longitudinal Labour Force File as something tantamount to a citizen profile."

He also took issue with the department's assertions that it is in compliance with the Privacy Act. "...One does not have to be a privacy expert to see that this assertion rests on a restrictive and literal interpretation of...the fundamental rights that are at the heart of the Privacy Act...I do not find it satisfactory that the federal government's largest department defends the creation, maintenance and expansion of dossiers on vast numbers of Canadians by saying that it meets minimum legal provisions", the Commissioner observed. "Surely a higher duty than that is imposed."

True compliance with the law, and true accountability to citizens, would require complete transparency in HRDC's research operations and decision making. And it demands that Canadians know why their information is being collected, how it will be used, how long it will be kept, and to whom it will be disclosed. The department's response is inadequate. HRDC has offered to continue the discussions and we are happy to oblige. This is a difficult time for HRDC and we do not want to be seen as piling on. But it is now more than two years since this discussion began. It is time to open it to include all those whose information the department is systematically mining in the interests of "social policy development".

On the Hill

To better protect Canadians' privacy, the Privacy Commissioner's Office attempts to keep abreast of new legislation, reviewing each bill for privacy implications (which are not always obvious). If a bill could have substantial privacy impacts, the Commissioner makes a written or oral submission to the appropriate committees. In so doing, the Commissioner fulfils his role as Parliament's privacy watchdog, informing elected officials and recommending ways to either avoid or minimize the privacy intrusions.

New bills
Recent government bills with privacy implications include:

  • Bill S-10, amending the National Defence Act, the DNA Identification Act and the Criminal Code. This bill would bring offenders from the Canadian military under the ambit of the national forensic DNA database created by the 1998 DNA Identification Act. The act currently applies only to civilian offenders. The bill contains two welcome proposals: one restricts the use of genetic samples and profiles to law enforcement, the other requires the Royal Canadian Mounted Police Commissioner to report annually to the Solicitor General on its operation of the national DNA database. However, the Privacy Commissioner restated his concerns to the Senate Standing Committee on Legal and Constitutional Affairs over the number of offences for which a judge may order a genetic sample. The Privacy Commissioner continues to believe that genetic samples should be taken from an offender only after s/he is convicted of a violent offence, and only if that offender is likely to re-offend and in so doing leave behind a genetic sample.
  • The Proceeds of Crime (Money Laundering) Act (Bill C-22, formerly Bill C-81) would establish specific measures to detect and deter money laundering and facilitate prosecution of money laundering offences. It would require financial institutions to report suspicious transactions, and it creates a Financial Transactions and Reports Analysis Centre of Canada to filter the reports and alert the appropriate police force or the Canada Customs and Revenue Agency to any suspicious transactions. The Centre would be subject to the provisions of the Privacy Act. In last year's annual report (pp 31-34), the Privacy Commissioner observed that the bill could conflict with both the Canadian Charter of Rights and Freedoms and the Privacy Act. The Commissioner also has concerns about the definition of a "suspicious transaction" and the nature of the centre. This bill is discussed in more detail below.
  • The Youth Criminal Justice Act (Bill C-3, formerly Bill C-68) would modernize the current Young Offenders Act. The provisions of greatest concern to the Office deal with proposed disclosures of young offender information to victims and the public, and forensic analysis of genetic samples from young offenders. These new provisions could decrease the privacy provided young offenders under the current legislation.

Other government bills with privacy implications include:

  • The Canada Elections Act (Bill C-2, formerly Bill C-83). This bill modernizes the Elections Act and contains provisions dealing with the National Register of Electors. Members of the Standing House Committee on Procedure and House Affairs approved an amendment allowing Elections Canada to collect voters' telephone numbers (where not confidential) and include them on electoral lists. The Privacy Commissioner asked committee members to reconsider their decision, and recommended that the Chief Electoral Officer be required to notify voters that political parties use the personal information on voters' lists for fundraising and party membership solicitations.
  • The Canadian Institutes of Health Research Act (Bill C-13) would establish virtual health research "institutes" (i.e., groups of researchers with no shared physical work environment) that would create new knowledge and translate it into improved health and a better health care system for Canadians. The Office is concerned about the real possibility that these researchers will gain access to vast amounts of personal information without individuals' knowledge or consent.
  • The Citizenship of Canada Act (Bill C-16) would modernize the existing Citizenship Act. It would codify the Minister of Citizenship and Immigration's practice of disclosing names and addresses of new citizens to Senators and Members of the House of Commons for congratulatory letters. At present, the Minister must first seek new citizens' permission to do so (by opting in). Bill C-16 makes disclosure the norm, placing the onus on the citizen to opt out. Opting out is both poor privacy practice and reminiscent of such marketing strategies as the cable companies' negative option billing which so offended subscribers. The Privacy Commissioner of Canada wrote to the Minister of Citizenship and Immigration explaining this concern.
  • The Nisga'a Final Agreement Act (Bill C-9) would implement the recent self-government agreement between the federal government and the Nisga'a First Nation, and would add aboriginal governments to the list of organizations to which a federal agency may disclose personal information without the prior consent of the individuals concerned.

New Legislation
The following government bills became law over the past year:

  • Bill C-7 (formerly Bill C-69) amended the Criminal Code to allow pardon records of former sex offenders (previously sealed) to be flagged in the Canadian Police Information Centre (CPIC) database. This allows the RCMP to disclose the records if the offender is screened for a position of trust with children or other vulnerable groups. (The CPIC database is shared by most law enforcement agencies in Canada and is maintained by the RCMP.) The Senate passed this bill in December 1999.
  • Bill C-43 replaced Revenue Canada with a new Canada Customs and Revenue Agency. The main privacy implications of this bill dealt with the huge databases of taxpayers' information that have become the responsibility of the new agency. The new agency is subject to the provisions of the Privacy Act. This bill received Royal Assent in April 1999, and came into force in November 1999.
  • Bill C-67, dealing with foreign financial institutions operating in Canada, includes provisions on their use and sharing of customer information and on tied selling practices. This bill received Royal Assent in June 1999.
  • Bill C-71, implementing the 1999 federal budget, included provisions for sharing taxpayers' information for workers' compensation purposes. This bill received Royal Assent in June 1999.
  • Bill S-22 implemented U.S. Customs officers' pre-clearance of travellers entering the United States of America through Canada. The two main privacy implications of this bill concerned the protection afforded on Canadian soil by such Canadian laws as the Privacy Act, and U.S. officials' collection and use of detailed behavioural profiles of travellers. These concerns were outlined in the Privacy Commissioner's 1998-99 annual report (pages 36-38). The bill received Royal Assent in June 1999.
  • The Civil International Space Station Agreement Implementation Act (Bill C-4, formerly Bill C-85) implements the recent international agreement on developing and operating a civil space station, and contains provisions dealing with the international sharing of information for law enforcement purposes. The bill was given Royal Assent in December 1999.

Private members' bills and motions
Of course, new legislation does not consist solely of government bills tabled by ministers of the Crown. Members of Parliament and Senators may also table their own private bills through a sort of legislative lottery. This past year has seen an unusual flurry of private bills and motions with privacy implications, among them:

  • Bill C-270 (MP Jim Pankiw) would forbid the publication of the identity of a person facing charges before the first finding of guilt or innocence by a court.
  • Bill C-393 (MP Mac Harb) recommends that federally regulated financial institutions, federally incorporated corporations and credit bureaux advise consumers before giving any information on their financial history to a credit grantor or credit bureau. The bill also offers consumers a complaint procedure through the Superintendent of Financial Institutions.
  • Bill C-395 (MP Mac Harb) would restrict the use of social insurance numbers to agencies or organizations lawfully authorized to collect the numbers.
  • Bill C-417 (MP Greg Thompson) would, among other things, give patients a right of access to, correction and control of their health records.
  • Bill C-419 (MP Bill Gilmour) would allow persons not wanting to receive telemarketing calls or faxes to include their telephone number on a list maintained by the Canadian Radio-Television and Telecommunications Commission. Telemarketers who do not respect this list would commit an offence and be liable to substantial fines.

And echoing the Privacy Commissioner's call for long-needed amendments to the Privacy Act (summarized in another section of this annual report), Motion M-19 (MP Mike Scott) called for a House of Commons committee to table a bill remedying the weaknesses of the Privacy Act. The proposed remedies would have included relief or compensation for those who suffer as a result of improper disclosure of their private information, and penalties for those who wilfully violate the act. Unfortunately, the motion was dropped from the Order Paper after a short debate.

Not all private bills tabled this year were so pro-privacy, however, such as those dealing with law enforcement matters. MPs Myron Thompson (Bill C-234) and Chuck Strahl (Bill C-244) both tabled bills that would empower law enforcement officers to demand, respectively, urine samples from persons merely suspected of being reckless drivers, and blood samples from suspected virus carriers. Two other bills, Bill C-262 (MP Peter MacKay) and Bill C-264 (MP Keith Martin), are very similar.

Two other bills tabled this year deal with an issue discussed in this report and the 1998-99 annual report (pages 26-27): census records. Both Senator Lorna Milne and MP Mac Harb tabled bills (S-15 and C-312 respectively) that would have Statistics Canada transfer to the National Archives all census records beginning with the 1906 returns. The National Archives of Canada would then make the records publicly available 92 years after the census. As well, MP Jason Kenney moved Motion M-160, calling for the release of the 1911 census records as soon as they are transferred to the National Archives in 2003. The Privacy Commissioner continues to oppose the disclosure of identifiable census information collected under the legal obligations of confidentiality of the Statistics Act.

One last bill that could have negative privacy impact is MP John Bryden's Bill C-264. This bill would amend the Access to Information Act to require federal institutions to disclose information older than 30 years (including personal information), and personal information that can legally be released to third parties (even if a federal institution considers it should be protected). The first obligation would completely disregard the protections of the Privacy Act, which requires individuals' consent for disclosure of their information unless a law authorizes otherwise, or they have been dead for more than 20 years. The second obligation removes the critical discretion the Privacy Act gives heads of federal institutions to determine whether they should disclose individuals' personal information to third parties. The Privacy Commissioner, while supportive of Mr. Bryden's ultimate goal of a more transparent and accountable federal government, believes that Bill C-264 should be amended to specifically exclude personal information from its scope.

A checklist for privacy implications
The Office considers several elements when reviewing a bill or proposed regulations for possible privacy implications; among them, does the proposed bill

  • specifically mention the Privacy Act or Bill C-6?
  • create or abolish an agency subject to the Privacy Act?
  • create, change or stop a collection of personal information (e.g., the gun registry)?
  • provide for powers of entry, search and/or seizure (e.g., taking DNA samples)?
  • provide for, or result in monitoring or surveillance of individuals?
  • create, change or stop data matching or sharing activities?
  • propose a new use for information already collected?
  • grant an organization the right to access someone's personal information?
  • expand, limit or prohibit disclosure of someone's personal information?
  • require publication of, or make publicly available, personal information?
  • impose fees for, or restrict someone's access to, his or her own personal information?
  • require personal information to be kept for a stated period of time?
  • require personal information to be destroyed?
  • make improper collection, use or disclosure of personal information an offence?
  • propose a new technology that is known to invade or is suspected of invading personal privacy?

Cleaning up money laundering: Update on the Proceeds of Crime Act

In last year's annual report, we discussed the government's plan to strengthen and modernize existing legislation to detect, prosecute and deter illicit money-laundering activities. Those efforts were embodied in the Proceeds of Crime (Money Laundering) Act, now before the House as Bill C-22. We had several reservations about uncertainties in key elements of the bill. While the government expects to clarify some in regulation, others remain outstanding.

One abiding concern is whether persons or organizations subject to the legislation (such as banks and investment brokers) must tell their clients, and obtain their consent, before collecting information authorized under the bill, as well as advise them of disclosures to the Financial Transactions and Reports Analysis Centre (the Centre). Or will they routinely collect and disclose clients' information without notice on the grounds that notification could prejudice the use of the information for investigative purposes, even if no formal police investigation has been launched? Notification of purpose is a key data protection principle, and it is unclear whether Bill C-22 will adequately honour the principle.

The need to collect such details as the amount of the suspicious transaction and the denomination of the bills will be self-evident to the parties, but not the additional information government could require to determine that the transaction is suspicious. For example, the government still needs to clarify what information it may need about the circumstances of the transaction, and about the recipient's duty to confirm the accuracy of the individual's claims about the transaction. The government's intention is to address these concerns in the form of guidelines that will be developed on an ad hoc basis by the Centre and commercial enterprises subject to the new reporting requirement.

In last year's annual report we cautioned against persons subject to the draft legislation being called upon to make overly subjective and speculative assessments of a client's character and circumstances. We also cautioned against such persons being called upon to make additional inquiries about the client or the transaction itself in order to validate whether first impressions are well founded, lest citizens be forced to perform a role akin to that of state investigators. For these reasons, we favour an approach that would rely on simple and objective criteria based on the transaction that would be prescribed in regulation, rather than through guidelines.

The bill is unclear on several questions. One of these is the transaction details that would trigger the duty to report it to the Centre. A simple monetary threshold would not necessarily be one of the "prescribed conditions" that engage the reporting duty; in fact a monetary threshold may not apply at all in certain transactions. For example, would a client paying more than the posted exchange rate or transaction fees to facilitate a money order transaction be sufficient to trigger the reporting scheme, regardless of the amount?

The draft regulations have established two benchmarks on the amount of money that will trigger reporting: two or more transactions on the same day totalling $10,000 or more in cash, and any transaction involving five or more $1,000 bills. The latter is a dramatic reduction in the financial reporting threshold. Although this low financial threshold might increase the likelihood of capturing petty criminals, it will also likely capture many innocent transactions. (Independent of this legislation, the government has already taken steps to control money laundering by announcing that the Bank of Canada will no longer issue $1,000 bills.)

The simple reporting to the Centre of a transaction deemed suspect, of course, does not in and of itself trigger a formal investigation. To assess whether there are reasonable grounds to suspect that the monies involved constitute "proceeds of crime," the Centre must analyze this information in relation to information gleaned from other sources, including information volunteered to the Centre pertaining to the individual under suspicion, information obtained from law enforcement bodies and information obtained from other government bodies or agencies deemed relevant to money laundering.

If information "relevant to money laundering" may be construed as any information which may be useful in assessing whether a given individual was engaged in some irregular or illicit activity, then the range of information available to the Centre would be very broad indeed. The Centre could, in addition to information pertaining to an individual's criminal history, amass information relating to an individual's employment, financial transaction and travel history, as well as information relating to an individual's income status, business or professional relations, and possibly even personal relations.

In our view, the categories of information, as well as the sources from which the information is derived, should be more clearly defined in the legislation itself, or in regulation. This would limit the information that may be collected by the Centre to only those data elements directly related to and demonstrably necessary for the proper exercise of the Centre's mandate.

Once the Centre has determined that a given transaction likely involves the proceeds of crime, the Centre is authorized to disclose certain "designated information" to specified bodies including the police or RCMP, the Canada Customs and Revenue Agency, the Canadian Security Intelligence Service and the Department of Citizenship and Immigration. At present, "designated information" consists of key identifying information, such as name, date, place where the transaction occurred, the account number, and the value of the transaction.

The danger is that these data elements may be expanded to include other information relating to the transaction. The Office of the Privacy Commissioner maintains that information constituting "designated information" must be kept to a bare minimum. Otherwise, the Centre could become a mere conduit through which forensic evidence is channelled to law enforcement bodies, thereby circumventing the rigorous standards and procedures normally applied to the collection of evidence in respect of criminal investigations.

Although the Centre is expressly subject to the federal Privacy Act, a great unresolved question is precisely what rights an individual may effectively exercise with respect to personal information held by the Centre. For example, will the new legislation honour an individual's rights under the Privacy Act to access and request correction of information held by a federal government institution? Or will such rights be denied on a routine basis because the information was obtained in the course of a lawful investigation? We can only hope that the Privacy Act will prevail.

Clearing customs: Flying the unfriendly skies

Last year's annual report described U.S. customs officials' ability to collect information from airlines about people travelling through Canada en route to the United States. U.S. Customs officers at major Canadian airports could collect details such as where the passengers made their reservations, how they paid, what special meals they ordered and what seats they chose, then use the profiles to deny them entry into the United States. Canadian customs officials are not allowed to use profiling to make decisions about travellers, yet the Preclearance Act was effectively permitting the practice by foreign officials on Canadian soil. We worried that Canada Customs would adopt similar measures.

The concern was well founded. This year we discovered that Citizenship and Immigration Canada (CIC) is cooperating with the Canada Customs and Revenue Agency (CCRA) on a passenger profiling system to expedite customs clearance.

The proposed scheme involves commercial airlines collecting travellers' personal and travel information and transferring it to Canadian customs and immigration officials at the destination before the passengers' arrival. From the information, the agencies would create profiles to select "high-risk" travellers for primary or secondary questioning. The original proposal acknowledged that both the Customs Act and the Immigration Act would have to be amended to implement the system.

Staff examined the proposal and found it required a wide range of data elements—32 in total—that customs and immigration considered necessary to effectively identify "suspicious travellers". The information was to include not only name, citizenship, passport number, date of ticket purchase, travel history, and country of departure, but also lifestyle information such as income, class of ticket, number of checked bags, dietary preferences and even whether or not meals were eaten. We questioned how some of this information was relevant to a proper assessment of an individual's right to enter Canada and even the airlines' ability to provide the details.

Extensive consultations with CIC and CCRA led to a significant cull of the most intrusive and irrelevant details; the data elements have been reduced from 32 to 15. We sought clarification of the term "travel history", urging that this information be confined to cancellations and "no-shows".

Given the substantial personal information being gathered, and the dangers inherent in profiling, we urged both organizations to spell out required data in law rather than regulation. We also advised amending the Immigration Act and the Customs Act to provide clear safeguards against government using the information for secondary or unrelated purposes. Finally, we proposed that since pre-clearance is supposed to be a convenience for travellers, the decision to participate should be theirs. Those choosing not to participate would undergo the normal, and potentially slower, customs and immigration checks. The proposed scheme gives the discretion to participate to the airline, not the passenger.

Providing taxpayer/business information to provincial statistical agencies

In May 1999, the Department of Finance and Revenue Canada (now the Canada Customs and Revenue Agency) informed the Privacy Commissioner of proposed amendments to the Income Tax Act and Excise Tax Act, that would allow tax filer information to be shared with provincial statistical agencies.

The government initially proposed making an addition to section 241(4) of the Income Tax Act (and section 295(5) of the Excise Tax Act), that would read

An official may provide taxpayer information to an official, solely for the purpose of enabling a statistical agency of a province to obtain statistical data for research and analysis and, notwithstanding paragraph 17(2)(a) of the Statistics Act, in the case of taxpayer information provided by the Chief Statistician, irrespective of when the information was collected.

We were concerned at the amendment's potential scope for disclosing individual tax filers' information. Our further inquiries revealed

  • The amendment is intended to permit Statistics Canada to provide provincial statistical agencies financial information on incorporated and unincorporated businesses that it obtains from the Canada Customs and Revenue Agency.
  • Statistics Canada has always been a key source of Canadian business data for provincial statistical agencies. Statistics Canada relies on sharing agreements to provide provinces the information they need to research and analyze social and economic activities.
  • Provinces have a growing need for detailed financial information from small and medium businesses to improve their economic statistics. Statistics Canada is gradually making more extensive use of income tax records instead of surveying businesses directly, thus reducing the response burden.
  • Statistics Canada would share the data with provincial agencies that are governed by provincial statistics acts and so subject to strict terms and conditions on their use of the data.
  • Government has no intention whatsoever of sharing tax information about individuals unless they have submitted information about operating a business in their income tax return.
  • Provinces would have access to the business tax data through a Discretionary Disclosure Order signed by the Chief Statistician under section 17(2)(a) of the Statistics Act. Statistics Canada's Policy on Discretionary Disclosure requires that the party obtaining any such information provide an undertaking of confidentiality and agree to use the information solely for statistical and research purposes. The undertaking would prevent any further release of data without the express authorization of the Chief Statistician, and any subsequent release would also be constrained by the provisions of the Income Tax Act.

The Privacy Commissioner made four recommendations to the Department of Finance, Statistics Canada and the Canada Customs and Revenue Agency:

  • Contrary to the proposed wording, the amendment should clearly state that the information to be disclosed concerns businesses or individuals who have submitted information in their income tax return about the operation of a business;
  • Ideally, Statistics Canada should provide the information only after the amendment comes into force—there should be no retroactive effect, or at the very least the amendment should specify a year;
  • Tax filers, especially small and medium businesses, should be told through brochures or pamphlets who has access to their income tax information and for what purpose; and
  • Arrangements between Statistics Canada and each provincial statistical agency should clearly state that the statistical information would be used solely for research and analysis purposes, regardless of whether provincial legislation permits other administrative uses.

After much discussion, all parties accepted the recommendations. Statistics Canada and Canada Customs and Revenue Agency officials are currently devising the best and most cost-efficient means of informing Canadians of this intended further use of their business tax data. Notification will happen once the legislative amendment has received Royal Assent. Although the government has recently decided not to amend the Excise Tax Act, it has changed the wording of the amendment to section 241(4) of the Income Tax Act. It will closely resemble the following:

An official may provide taxpayer information in respect of the 1997 or following taxation years to an official solely for the purpose of enabling the Chief Statistician to provide to a statistical agency of a province statistical data to be used for research and analysis, if the information relates to:

(i) a corporation, or

(ii) the computation of the income from business of an individual who, according to a return of income filed by the individual or a notice of assessment or reassessment in respect of the individual, carried on a business at any time in the 1997 or following taxation years, and notwithstanding paragraph 17(2)(a) of the Statistics Act, despite when the information was collected.

These amendments are an excellent example of how government can improve privacy and administration by consulting the Privacy Commissioner's Office when considering new data sharing arrangements affecting Canadians. The proposed amendment to the Income Tax Act is now more specific and prevents any misinterpretation of its intended scope and purpose. The proposed amendment will be included in this fall's Budget Bill.

Filling the gaps: A charter of privacy rights

One of the Privacy Commissioner's goals over the last decade has been to fill some of the gaps in Canada's patchwork of privacy protection. Passage of Bill C-6 has filled one major hole; the Personal Information Protection and Electronic Documents Act gives Canadians important new rights concerning the private sector's collection, use and disclosure of their personal information.

While passage of C-6 is a major milestone in the evolution of privacy protection, the battle is not yet over; Canadians still do not have a constitutionally protected right to privacy. We hope that this will change with Senator Sheila Finestone's proposed Charter of Privacy Rights.

Senator Finestone's proposed charter would give every individual a right to privacy. Any interference with an individual's privacy would be considered to infringe on that right unless it is reasonably justified and the individual's consent has been obtained (except when it is impossible or inappropriate to do so). The onus lies with the organization or individual proposing the measure to demonstrate that the interference is reasonably justified—the charter includes a reasonable justification test. The charter requires the Minister of Justice to review all government bills and regulations to ensure that they comply with the charter. Any inconsistencies are to be reported to Parliament and the Privacy Commissioner—a measure the Privacy Commissioner has long advocated.

According to Senator Finestone, the charter would serve "as an overarching privacy rights framework for Canada". We take this to mean that the charter would act as a set of "first principles" that would support both the federal Privacy Act and the new private sector legislation. At present, for example, a government institution can effectively override the protection in the Privacy Act if legislation is passed specifically authorizing it to disclose personal information, thus complying with section 8(2)(b) of the act. The proposed charter would require the institution to demonstrate the justification for the privacy infringement. As well, the charter would provide a possible remedy for someone whose privacy is threatened by the legislation, for example, by allowing the individual to challenge the law. This would go some way towards meeting our objective of establishing the primacy of the Privacy Act over all other federal legislation dealing with the collection, use and disclosure of personal information.

The charter would also go a long way towards meeting another of our goals, a constitutional right to privacy. In 1991, the Privacy Commissioner appeared before the Special Joint Committee on a Renewed Canada to advocate amending the Canadian Charter of Rights and Freedoms to give Canadians clear constitutional privacy protection. Given the likely reluctance of any government to reopen the Charter of Rights and Freedoms in the near future, the proposed privacy charter is an alternative we can enthusiastically support.

Senator Finestone has been one of privacy's best friends in Ottawa. Among her many accomplishments one stands out, her role as the chair of the House Standing Committee on Human Rights and the Status of Persons with Disabilities. The committee's 1997 Report, Privacy: Where do we Draw the Line? makes a thoughtful and compelling case for recognizing privacy's fundamental value to Canadian society by, among other things, introducing a privacy charter. We are happy to see that her commitment to privacy protection has carried over to her new position as a Senator.

Issues Management and Assessment Branch

The Issues Management and Assessment Branch monitors government programs and legislation, researches emerging issues, and provides the Commissioner policy advice and communications support.

A few portfolio leaders provide the Office a contact point with federal agencies to resolve issues before they lead to complaints. As well, portfolio leaders conduct formal audits and follow-ups.

The branch depends on a handful of researchers to keep the Office current on other developments that concern privacy. This includes examining proposed legislation and government programs, researching trends in Canada and abroad, responding to organizations' requests for the Office's review of proposals with privacy implications, and providing background for the Commissioner's public appearances.

The branch's responsibility for both communications and Parliamentary liaison enhances the Commissioner's public communications. Briefing the Commissioner for appearances before Parliamentary Committees, writing speeches and much of the annual report content, and developing material for the Office's web site are among the branch's key functions.

As well, branch staff handle more complicated questions and inquiries that fall outside the Commissioner's mandate. They act as a contact point for international data protection commissioners on privacy protection in Canada and support the Investigations Branch, providing background and obtaining any needed expert advice.

Assessing Privacy Impacts

Canadian society has undergone many changes over the last few decades: rapid population growth, increased demands on state resources, privatization of government activities, and exponential development and availability of information and communication technologies.

New programs, products, services and technologies can alter Canadians' privacy or change our privacy expectations. Given their potential effect on Canadian society, it makes good political, business and social sense to evaluate these initiatives before they are implemented. Environmental impact assessments are a regular feature of new proposals and have proven their worth. New technological developments make privacy protection as important an issue at the beginning of this century as environmental protection was at the end of the last. Privacy impact assessments have come of age.

These assessments serve a number of purposes:

1. They act as an early warning and planning tool;

2. They avoid pitfalls in new developments, preventing adverse publicity, loss of credibility and public confidence—not to mention possible legal costs, remedies and sanctions;

3. They forecast and/or confirm the privacy impact of proposals on individuals and groups;

4. They assess a proposal's compliance with privacy protection legislation and principles;

5. They determine the corrective actions and strategies required to avoid or overcome the negative impact; and

6. They increase Canadians' privacy awareness, informing them of the details of the proposal and involving them in its design, acceptance and implementation.

The assessment process

Who: The best party to conduct an assessment should be the public or private sector organization making the proposal. While data protection and privacy commissioners have expertise, no one knows the detailed proposal better than those designing the product or service. They are best suited to answer the questions an assessment raises. However, to guarantee the assessment's objectivity, the organization should consult affected Canadians, subject the completed assessment to an independent privacy expert for review, and make the completed assessment available to the public.

When: Logically, an assessment should be part of the proposal's design phase and be undertaken as soon as the organization decides to examine its feasibility. While some assessments may be finished before implementing the proposal, some could continue during implementation. And others may never end, becoming an integral part of ongoing quality control.

What: While each assessment will vary with the circumstances and nature of each proposal, all should be assessed against internationally accepted information privacy principles, applicable privacy protection laws, as well as the privacy expectations of affected Canadians.

How: Each assessment should address and document the following elements:

  • Proposal: The organization should thoroughly describe the proposal, detailing its components and timetable, providing background information, and outlining the scope of the proposal (who and what it will affect);
  • Impacts: The organization should then describe the positive and negative impacts (both known and suspected) of the proposal on Canadians' privacy. The organization should describe the cumulative nature of each impact, as well as its duration, frequency, intensity, probability and scope, then grade each impact (low, moderate or high);
  • Necessity: The organization should justify the necessity (other than commercial gain) for the proposal itself, its timing, and its negative impact;
  • Compliance: The organization should assess its proposal against internationally accepted privacy principles, applicable privacy protection laws, and the privacy expectations of affected Canadians; and
  • Alternatives and solutions: The organization should identify both alternatives that would avoid the impacts and compliance issues identified above, and solutions that would eliminate or mitigate a given impact or compliance issue.

The Office conducts assessments of some government or private sector proposals, some on its own initiative (to better understand the details and impact of a given project or technology), and others at the specific request of the organization. For more information on privacy impact assessments, a list of information privacy principles or of applicable privacy legislation, please contact us or visit our Web site.

Data sharing at the Canada Customs and Revenue Agency

Early in 1995, the Office surveyed all the federal institutions that were subject to the Privacy Act to determine how much formal and informal sharing and data matching of personal information was taking place. Of the institutions that reported sharing personal data, Revenue Canada (now the Canada Customs and Revenue Agency) indicated that it was sharing a variety of client information with other federal, provincial and foreign government institutions to help them administer their programs more effectively and economically. The main rationale for data sharing is that it avoids collecting data that has already been collected by another institution or government from the same persons, businesses or organizations. The information shared ranged from computer tapes of the entire tax filing population to small quantities of information in paper format.

With its survey response, Revenue Canada attached a list of the more than 200 written agreements that it had with other government institutions, along with a general description of the purpose and the legal authority for the data sharing. The department reported that all of these exchanges of information were being done in accordance with the legislation it administers (i.e., the Income Tax Act, the Excise Tax Act, the Customs Act, etc.) and with the provisions of the Privacy Act, and were referenced in the Info Source publication.

The number of sharing agreements at Revenue Canada has increased significantly since 1995. According to the Revenue Agency, it now has more than 300 written agreements for the exchange of information with outside organizations. Apparently, this number is growing rapidly due to increased pressure to deliver services more efficiently and effectively as well as the Agency's emerging role administering benefits for outside partners.

Given the large number of these agreements, the breadth of their purposes and the partners that are involved, the Office advised the Revenue Agency last December of its intent to conduct an informal review of its sharing agreements. The purpose of our review will be to determine the degree to which these exchanges of information are in compliance with the provisions of the Privacy Act. Particular attention will be given to those sharing agreements that started before the Privacy Act was put in place. The review will also determine whether any of these sharing agreements are, technically speaking, data matching activities as defined in the Treasury Board Policy on Data Matching, about which the Privacy Commissioner should have been notified.

The Canada Customs and Revenue Agency has assured the Office of its entire cooperation during the review.

Conducting client survey research

Last year, the Office received several inquiries from federal institutions considering using private polling firms to conduct client satisfaction surveys. All wanted to know whether disclosing clients' personal information to the polling firm to conduct the survey would violate the Privacy Act.

In each case, we were satisfied that the department's sole purpose for conducting the survey was to assess its clients' satisfaction with the services and determine how to improve its service. We recognize that it is reasonable for public bodies to have some contact with their clients to improve client service, but no matter how valid the need, three important requirements must be met before an institution discloses its clients' personal information to an outside survey firm. These are:

Authority to collect: The institution must first ensure that it is legally authorized to collect the information the survey will gather. This means that the survey must relate directly to the institution's operating programs or activities.

Authority to disclose: A government institution's authority to collect client information does not necessarily mean that it is authorized to disclose the information to an outside organization to conduct a survey. Some statutes expressly define and limit the circumstances in which personal information may be disclosed; the institution should ensure there is nothing in its enabling legislation that could prevent any such disclosure to a private survey firm.

Compliance with the Privacy Act: Assuming the institution's own legislation does not prohibit disclosure, the institution must then ensure that disclosure conforms with the Privacy Act. Under the act, clients' personal information cannot be disclosed to an outside organization for a survey unless: (a) the clients were told when the information was collected that it could be used or disclosed for surveys; (b) the clients have consented to that use or disclosure or (c) the disclosure is permitted by one of the disclosure provisions in section 8(2).

In certain circumstances, departments could justify disclosures to a survey firm as a "consistent use" of the information (section 8(2)(a)) but only if using client information for any survey is sufficiently related to the program to qualify as a "consistent use" under section 7(a).

The act does not define a "consistent use" for the purpose of these sections. However, Treasury Board guidelines on administering the Privacy Act state that "a consistent use must have a reasonable and direct connection to the original purpose for which the information was originally obtained or compiled." The guidelines go on to say that the connection must be "so closely related that the individual would expect that the information would be used for the consistent purpose, even if the use is not spelled out." The test has both an objective element—the reasonable and direct connection with the original purpose for which the information was collected—and a subjective element—a reasonable individual would foresee the institution using the information in that way.

Given the difficulty of assessing clients' reasonable expectations, departments should employ the "consistent use" provision for disclosing information to survey firms only under exceptional circumstances. This is, however, the least desirable method of disclosing information about clients or customers whose cooperation the government is seeking. It is invisible at the outset and often prompts angry reaction when the survey company calls. A more privacy-sensitive approach would be to obtain the clients' consent.

We encourage institutions to make every reasonable effort to advise clients at the earliest opportunity that a survey firm could contact them in the future. Departments should also describe for clients the statutory authority for the survey, the purpose, how the results will be used and why they have been selected. Clients should also be told that their participation is voluntary, they may refuse to have their personal information disclosed, and they may "opt-out" of any future client surveys.

If the survey is to be conducted regularly, then the institution must tell clients when it first collects the information, and seek their consent (by opting in rather than opting out). The institution must also report the survey in the appropriate Personal Information Bank description in Info Source.

Although using an outside agency to conduct a survey does not itself contravene the Privacy Act, the institution is responsible for taking all necessary measures to minimize any loss of privacy such a decision would entail. For example, the institution should disclose only those client details the survey firm must have to construct a sample of respondents and to contact the selected individuals. Whenever possible, the institution should minimize the intrusion on its clients by drawing the survey sample itself, thus eliminating disclosures of those not selected.

Should this option not be practical or feasible, the institution could consider providing the survey firm with a master list of clients (with personal identifiers masked) from which the firm can choose the required number of respondents. Only when the firm has chosen the required number, would the institution disclose the matching personal identifiers.

Government institutions are responsible for ensuring that their clients' personal information is protected during the survey. They should specify in the contract that all the personal information the survey firm is provided or collects during the contract is deemed to be under the institution's control and consequently is subject to the Privacy Act. The contract should also contain explicit clauses concerning the use, collection, disclosure, security, retention and disposal of the personal information the firm obtains as a result of the contract. Among other things, the contract should also require that:

  • The contractor inform respondents (prior to collection) that the information is being collected on behalf of the contracting institution; the purpose of the collection and how the results will be used; that individual replies will not be made available to the contracting institution in an identifiable form without the respondent's informed consent; that response is voluntary and refusal to reply will in no way affect their entitlement to services and/or benefits;
  • The contractor will destroy the key permitting it to link the statistical data to individual respondents once the data has been compiled; and
  • Once the survey is completed, the contractor will, in accordance with the Privacy Act, dispose of all information provided by the contracting institution, and return to the contracting institution all information collected during the survey in a non-identifiable format, unless specified by the respondents.

Before deciding whether to survey their clients, federal institutions must determine the impact such a survey could have on individuals' privacy. A survey may not necessarily be the best instrument for measuring service quality or planning policies and programs. Institutions should first consider alternate sources of information, eliminating any need to disclose personal information to a third party.

Review of Firearms Registry/Canadian Firearms Centre

Previous annual reports have raised the privacy issues inherent in the government's creation of the national Firearms Registry and Office staff have spent considerable time examining the program and its privacy implications. Despite some progress, problems remain among different jurisdictions concerning individuals' rights (and means) of access to personal information in the registry. In addition, the many partners involved, operational inconsistencies from one province to another, and the complex physical and technological interconnectivity of this program have raised questions about the amount of highly detailed sensitive personal information Firearms Officers need to meet their obligations under the Firearms Act.

In January 2000, the Privacy Commissioner began a review of the Firearms Registry to thoroughly assess its personal information handling practices. This review includes on-site visits to the Central Processing Site in Miramichi, NB, to the federally- and provincially-administered Chief Firearms Offices in some provinces, as well as the Canadian Firearms Centre and Registry in the National Capital Region. At a minimum, the Privacy Commissioner expects this review to deal with all the questions and complaints he has received to date. The Deputy Minister of Justice has welcomed the review and awaits any observations and recommendations that would help the Canadian Firearms Centre meet its requirements under the Privacy Act.

Data matching proposals—births and deaths with Canada Child Tax Benefit database

The proposed matches:

In August 1998, the Canada Customs and Revenue Agency (CCRA) told the Privacy Commissioner it intended to match the list of families receiving the Canada Child Tax Benefit (CCTB) with all deaths registered by provincial vital statistics agencies. Then, in October 1998, the Commissioner was alerted to a second match of the same list, this time with all new registered births. The matches were intended to identify families who are claiming CCTB but should not, and those who are not but should.

These two proposals were prompted by the Auditor General's 1996 report, which found that the CCTB program lacks fundamental checks and balances. The Auditor General observed that CCRA should find better ways to serve low income families using innovative technology, and by forging partnerships with provinces.

The CCTB is a tax-free monthly payment to help eligible families meet the cost of raising children under the age of 18. Included with the CCTB payment is the National Child Benefit Supplement, a joint federal-provincial-territorial benefit for low-income families. CCRA uses the information collected on CCTB application forms to administer both these programs, as well as several provincial and territorial child benefit and tax credit programs.

CCRA automatically recalculates benefits each July for the period from July to June, once it receives parents' income tax returns showing total net income. Parents must provide proof of birth if the child was born outside of Canada, or if the child was born in Canada and is at least one year old. To recalculate eligibility, CCRA needs to be advised of any changes of custody (including death of child), marital status, tax reassessments, citizenship/immigration status, and address (unless benefits are deposited directly).

While the Privacy Commissioner does not argue that collecting provincial vital statistics may help CCRA administer the tax benefit program, several issues need to be addressed before the Commissioner can endorse the sharing. The problem with data matching very simply is that it involves using an individual's personal information without knowledge or consent for purposes for which it was not collected. This violates the spirit of the Privacy Act's fair information code. The sharing of information between provincial vital statistical agencies and CCRA also raises concerns about the confidentiality and security of the information.

Although matching death registry information reveals an apparent revenue loss because as many as 25 per cent of parents do not advise CCRA of a death, this data match raises significant privacy concerns and it may also result in serious allegations that parents are fraudulently benefiting from the death of a child. With respect to the use of birth information, the Privacy Commissioner is not convinced that the five per cent of parents who do not apply for the benefit deserve such an intrusive invasion of privacy, particularly when the institution already has an extensive public awareness process in place.

Early in December 1999, the Office sent its preliminary review of the proposals to CCRA; we await the Agency's response.

Incident investigation—loss of laptop in Halifax—Correctional Service Canada

In January 1999 someone broke into Correctional Service Canada's Halifax Area Parole Office and stole a laptop computer, jacket and set of keys belonging to a contract employee. CSC convened a Board of Investigation to inquire into the theft because the laptop contained psychological information about 130 offenders (all of whom were advised). The Board's report found the following:

  • The data on the laptop consisted of 130 offenders' self-administered psychological test results, as well as individual summaries including their names, ages, Federal Penitentiary Service numbers, most recent convictions, list of tests completed, and interpretation of the test results.
  • The offenders had used the laptop extensively and knew its location.
  • The office has access to a fire exit door leading to a common area, an elevator and stairwell, and anyone could have noted that the unlocked door provided a quick exit from the office.
  • Any offender or employee could access the contents of the laptop, which had a modem for communicating with the Internet.
  • The laptop containing sensitive personal information was routinely left unattended. At times offenders were also left unattended.
  • CSC had not updated the security office procedures and policies for some time. Employees were unclear about the security requirements, and there were serious deficiencies in overall physical and information technology security.

The Board of Investigation report led to a thorough review of security procedures. CSC has taken several other measures, including:

  • Making security policies a standing agenda item at district meetings;
  • Including a security awareness component in its in-service skills training sessions;
  • Using only one laptop (which belongs to CSC, not a contractor) for offender self-administered psychological tests. Staff will use a different computer to prepare summary reports;
  • Transferring the information to diskette to prepare a report, and clearing the laptop's hard drive each time an offender completes the test;
  • Accompanying offenders at all times, even during the tests. All visitors and offenders must check in with reception on arrival and cannot enter the work area directly;
  • Removing the modem from the laptop, thus preventing offenders from having access to the Offender Management System, CSC e-mail or the Internet; and
  • Installing a lock on the fire exit door to prevent entry from the outside.

Unfortunately, the laptop was never recovered and there is no way of knowing what use (if any) the thief made of the information, or whether the thief had any interest in the contents. We can only hope that, if the laptop was sold, its contents were purged. Obviously the Halifax Area Parole Office's handling and protection of sensitive personal information was seriously deficient but the Commissioner was satisfied with CSC's corrective measures.

Public interest disclosure—medical information about a deceased member of the Canadian Armed Forces

In order to help the widow of a former Armed Forces member settle a life insurance claim, National Defence proposed releasing a copy of the last two years of the member's medical records to the insurance company.

The Privacy Commissioner's staff questioned the need to release the medical file; most pages had no relevance to the specific medical condition of interest. Also, given that the medical records had to be severed from other sensitive information, the insurance company was unlikely to be satisfied with the severed package and would likely question what had been removed from the file. There was a risk the claim would remain unsubstantiated.

Following discussions with the Privacy Commissioner's staff, National Defence agreed to provide the insurance company with only the relevant information. National Defence's Director of Medical Policy wrote to the insurance company confirming that the member had not suffered from the specific medical condition of interest to the claim.

The Privacy Commissioner was satisfied. Although the letter to the insurance company disclosed personal information, the invasion of privacy was greatly diminished. National Defence released no specific records from the military medical file yet it was able to meet the insurance company's requirements. The public interest disclosure was made on compassionate grounds.

Reporting on the administration of the Privacy Act—minimal compliance is not enough

An issue of increasing concern to the Privacy Commissioner is the way in which government institutions report on the administration of the Privacy Act. These reports are submitted annually to Parliament, as required by section 72 of the act, with copies submitted to the Commissioner. The Commissioner has dutifully read them, year after year, but with a growing sensation that something fundamental is being missed. This is not a problem of formal compliance with the Privacy Act. The reports meet the requirements of the statute. But those requirements are minimal. Given the importance of privacy issues, and the audience for the reports—Parliament—the Commissioner has for some time suspected that government institutions covered by the Privacy Act can and should do better.

With some notable exceptions, the reports do not give the reader a broad look at privacy in the institution. A typical report is made up of a statistical report and a narrative statement. The statistical report is a one-page table, setting out things like the number of requests, the disposition of requests, the number of complaints to the Commissioner, the results of complaints, and the costs incurred. The narrative usually begins with a description of the institution and what it does, and how it organizes functions under the Privacy Act—who is responsible for what, who reports to whom. Typically, neither of these changes much from year to year. And the rest of the narrative is rarely much more than (sometimes nothing more than) the statistical report restated in full sentences.

The audience for these reports is Parliament. Parliamentarians, particularly when they are looking at programs and estimates, do not need to know about, or only about, the minutiae of administration of the act. They need to know about broad issues with privacy implications. They need to be told about departments' data sharing agreements, and about the impacts on privacy of legislation sponsored by the departments. They need information about the privacy implications of new technology, and of new policies and practices, in a rapidly changing federal workforce and service environment.

In order to report on these things, government institutions need to address their minds to them. Reporting to Parliament—real reporting, not just formal—would encourage them to do so. If institutions know that they have to report seriously on privacy issues, they may begin doing what we have long urged: privacy impact assessments of their program and policy initiatives. In looking at these broader issues, they are welcome to consult with our Office, as did, for example, the Chief Electoral Officer on the issue of the permanent voters' register, or Human Resources Development Canada on the question of a common client identifier.

That we have concerns about the current state of these annual reports should not be taken as criticism of the people who labour to produce them. The professionals responsible for the administration of the Privacy Act in government institutions are the backbone of the act and its protections in everyday life. Better, more substantial reports, covering real privacy issues and commanding the attention of Members of Parliament, would only give them the organizational visibility and importance that they deserve.

The Commissioner encourages the Treasury Board, as the agency responsible for the administration of the Privacy Act, to look at ways that this annual reporting requirement can be made more useful and meaningful.


After the remarkable surges of the three preceding years, this year's number of incoming complaints dropped to a level not seen since mid-decade. The Office received 1584 complaints in 1999/2000, down significantly from the all-time high of 3105 in 1998/99.

Received Investigations by Fiscal Year

One big reason for the drop was the drastic decline in complaints regarding the government's matching of travellers' customs declarations with employment insurance claims, pending court decisions on the matter. This year, the Office received only 27 such complaints, compared with 1327 in 1998/99 and 963 in 1997/98.

Another significant factor in last year's soaring total was the receipt of 225 time-limit complaints from Correctional Services Canada staff during a contract dispute in 1998. Similarly, in 1996/97, three persons lodged more than half of the 1065 time-limit complaints received. This year, the Office received no such unusual number of complaints from within a single organization or from only a few individuals.

Unlike the numbers for the two preceding fiscal years, the total complaints received in 1999/2000, as well as their breakdown by type, conformed to trends previously projected on the basis of initiatives undertaken by the Office of the Privacy Commissioner and federal departments. Specifically, this Office's efforts to deal with those departments most frequently named in time-limit complaints appear finally to have borne fruit. This year's total of time-limit complaints received is down by almost half.

Privacy staff completed 1399 complaint investigations, of which 582 were well-founded, 347 were not well-founded, 82 were well-founded/resolved, 34 were resolved, and 282 were settled during the course of the investigation. The remaining 72 were discontinued for various reasons. (These terms are explained below.)

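Completed Investigations by Grounds and Results
for the year ended March 31, 2000

| Grounds | Well-founded | Well-founded/Resolved | Not Well-founded | Discontinued | Resolved | Settled | Total |
|---|---|---|---|---|---|---|---|
| Access | 15 | 68 | 172 | 33 | 31 | 184 | 503 |
| - Access | 14 | 67 | 170 | 32 | 29 | 177 | 489 |
| - Correction/Notation | 1 | 1 | 2 | 1 | 2 | 6 | 13 |
| - Language | 0 | 0 | 0 | 0 | 0 | 1 | 1 |
| Privacy | 73 | 13 | 113 | 28 | 3 | 81 | 311 |
| - Collection | 0 | 2 | 34 | 7 | 1 | 19 | 63 |
| - Retention & Disposal | 5 | 0 | 4 | 2 | 0 | 7 | 18 |
| - Use & Disclosure | 68 | 11 | 75 | 19 | 2 | 55 | 230 |
| Time Limits | 494 | 1 | 61 | 11 | 0 | 17 | 584 |
| - Correction/Time | 25 | 0 | 3 | 0 | 0 | 0 | 28 |
| - Time Limits | 466 | 1 | 33 | 11 | 0 | 11 | 522 |
| - Extension Notice | 3 | 0 | 25 | 0 | 0 | 6 | 34 |
| Other | 0 | 0 | 1 | 0 | 0 | 0 | 1 |
| - Other | 0 | 0 | 1 | 0 | 0 | 0 | 1 |
| Total | 582 | 82 | 347 | 72 | 34 | 282 | 1399 |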

During the Commissioner's term

Commissioner Phillips saw the annual number of complaints received increase from 1239 in 1990/91 to a high of 3105 in 1998/99. Excluding this year's unusually low total, received complaints increased by an average of more than 10 per cent annually over the Commissioner's term of office, for a grand total of 15,526 complaints.

Closed Investigations

The table opposite shows total complaints received and investigated in each of the Commissioner's 10 years in office.

Over the years, the Commissioner has also seen a significant change in the types of complaints received. On average, time-limit complaints have decreased, and privacy-related complaints have increased, as proportions of the total. The significance of this trend derives from a difference in complexity.

Time-limit complaints are usually the quickest and easiest to investigate, since for the most part they require intervention only by telephone or by post. Investigations of privacy complaints, on the other hand, tend to be much more difficult and time-consuming, requiring on-site visits (often to distant regional offices), numerous interviews with departmental staff, thorough examinations of files, and detailed reporting of findings. The relative increase in privacy complaints has therefore tended to increase overall case time and workload for investigative staff.

The Commissioner has also noticed a big change in the nature of access complaints over time. Investigations of such complaints used to consist mainly of straightforward reviews of exempted materials. Nowadays, however, many access cases involve efforts to account for documents that are missing altogether. Moreover, shadow files are increasingly involved, and cases are often complicated by the institution's refusal to admit the existence of such files.

As both complainants and departmental Access to Information and Privacy coordinators have generally become more knowledgeable and sophisticated about the application of exemptions, discussions between the parties over the validity of exemptions have become more involved. This has resulted in increases in case time and workload for investigators.

All in all, during his 10 years in office, the Commissioner has observed a trend toward more demanding complaints and more difficult investigations.

Definitions of Complaint Findings and Dispositions

To conclude the investigation of a complaint, the Privacy Commissioner uses one of six terms designating a finding or a disposition:

(1) Not well-founded;

(2) Well-founded;

(3) Well-founded/Resolved;

(4) Resolved;

(5) Settled during the course of the investigation; or

(6) Discontinued.

To assist in distinguishing among the types of findings and dispositions, these terms are defined as follows:

Not Well-Founded
A finding of not well-founded acknowledges that the investigation uncovered no evidence to lead the Privacy Commissioner to conclude that the government institution violated the Privacy Act rights of the complainant. For example, such a finding would be made when

  • In the case of a denial of access complaint, all information relevant to the access request had been processed or the exemptions cited by the government institution to refuse access were justified; or
  • In the case of a complaint of improper disclosure, the Privacy Commissioner was satisfied based on the evidence gathered during investigation, along with representations by the government institution, that the disclosure of personal information met the requirements of section 8(2) of the Privacy Act.

Well-Founded
A finding of well-founded recognizes that the government institution failed to respect the Privacy Act rights of an individual, and that no corrective measures could mitigate the loss of privacy. In other words, while the government institution is at fault, the incident has already occurred and nothing can be done to correct the situation. This category of finding is usually rendered in situations where the institution improperly used or disclosed personal information or it failed to respond to an access request within the legislated time limits. It could also be used in a situation where the government institution refuses to grant access to personal information, despite the Commissioner's recommendation that it be released. The next step would be to seek a review by the Federal Court of Canada.

Well-Founded/Resolved
A finding of well-founded/resolved is rendered in situations where the allegations raised in the complaint were substantiated by the investigation, but the government institution readily agreed to take corrective measures to rectify the problem. Such a finding would be made when, for example, a department

  • Agrees to release to the complainant information that had been originally exempted; or
  • Undertakes to improve a policy or practice to ensure compliance with the Privacy Act.

Resolved
The resolved category recognizes the need for a finding that is consistent with an ombudsman's role to provide flexibility in complaint resolution. Prior to 1994, the Office struggled with complaints where "well-founded" appeared too harsh to fit what essentially had been miscommunication or misunderstanding.

Examples of resolved complaints:

  • A misunderstanding or miscommunication has occurred between the complainant and the government institution about what information was sought. Both parties agree to a mutually satisfactory solution.
  • The individual has claimed that specific information is missing. The government institution maintains that it has disclosed the records in question, but readily agrees to send the information again.
  • The government institution has the right to exempt specific information, but is persuaded by the investigator to exercise the discretion to release it.
  • The investigation has identified inconsistent processing of large volumes of information for an applicant, and the government institution is persuaded to release more information to make the disclosure consistent.

In all instances, the Privacy Commissioner's Office assists in negotiating a solution that satisfies all parties. A full and thorough investigation is conducted, and a formal finding is provided to complainants. With a resolved finding, the complainant still maintains the right to pursue the matter in Federal Court.

Settled During the Course of the Investigation
This category is not a formal finding, but rather an acceptable means to dispose of a complaint when the investigation is completed and the complainant is satisfied with the efforts of the Office of the Privacy Commissioner and does not wish to pursue the issue further. An example is the investigator's explanation that the information the complainant believed should have been in the government institution's files cannot be found, either because it was already destroyed in accordance with established retention and disposal standards or because it never existed in the first instance. However, in Settled cases, the complainant may subsequently request a formal finding. In such cases, the case is re-opened so that the investigator can submit a formal report, and the Commissioner reports his finding in a letter to the complainant.

Discontinued
This category applies to complaint investigations that are terminated before all the allegations have been fully investigated. A case may be discontinued for any number of reasons, for example when the complainant is no longer interested in pursuing the matter, or can no longer be located to provide additional information that is critical to reaching a conclusion. For example, a complainant may move, and not provide this office with a forwarding address or phone number. No formal finding is issued.

Advice for all interviewers: Never assume the person sitting across from you can't read upside-down

A woman informed on her ex-husband in confidence, and the ex-husband found out about it. Had an improper disclosure occurred? For many reasons, this was a tough one to call.

The woman complained to the Privacy Commissioner that Human Resources Development Canada (HRDC) had deliberately and improperly disclosed personal information about her. Specifically, she alleged that an HRDC investigator had revealed to her former husband her identity as a confidential source of information about him. She had previously telephoned HRDC to report her suspicion of a fraudulent employment insurance claim on her ex-husband's part.

It is HRDC policy to protect the identity of informants. In fact, informants need not even identify themselves to HRDC in order to make declarations. This informant, however, had insisted on giving her name and telephone number in case HRDC needed to contact her in future.

Acting on the woman's information, an HRDC investigator called the ex-husband in for an interview, at which he was accompanied by his new wife. The ex-wife's tip proved to be valid, and the upshot of the investigation was that the man's employment insurance benefits were cut off, entirely and retroactively.

Here's where the tale takes a turn. On the basis of his reduced revenues, the ex-husband subsequently filed for a reduction in his child support payments. In the provincial court hearing that followed, the man testified that, during his interview with the HRDC investigator, both he and his new wife had seen a document showing that his ex-wife had made the declaration against him.

After hearing the evidence, the judge granted him a substantial reduction in child support payments. In effect, the ex-wife was thus deprived of a significant amount of much-needed financial assistance for her child. And although the judge made a point of denying that the ex-wife's role as informer had in any way influenced the court's decision, the woman herself remained unconvinced.

Given that the complainant was to some extent dependent on payments from her ex-husband, why had she informed on him in the first place? As often happens in the course of an investigation, many such puzzling questions occurred to our investigating officer about the lives, the relationships, and the motives of the individuals concerned. But, as usual, such questions were beside the point. For a Privacy officer, the only question that really mattered was this: Was it true that personal and confidential information about the complainant had been disclosed to the ex-husband and his new wife during the interview with the HRDC official?

Here are some of the circumstances our officer had to take into consideration:

  • From long experience, the HRDC investigator had come to appreciate the value of information sources and the need to protect the identity of informants. In this case, he knew beforehand that the couple to be interviewed would strongly suspect the ex-wife of being the informant (in fact, during the interview they told him so). He knew, too, that the couple would likely be intent on getting from him, in any way possible, some corroboration of their suspicion. With that in mind, he went to the interview room even more than usually determined not to reveal the informant's identity by any means.
  • Even so, for purposes of reference, the HRDC investigator took the case file with him into the interview room, as is customary. The file contained, among other things, the two forms on which the ex-wife's information had originally been recorded. At the bottom of both forms, the ex-wife's name and telephone number were clearly visible.
  • The HRDC investigator believed that he had exercised all due caution in using the case file during the interview. Although the interview room was small and its occupants in relatively close quarters, he had not left the file open or unattended, and he had taken particular care not to allow the couple to see the informant's identity on the forms. He could not deny it categorically, but he strongly doubted whether the couple had been able to catch any glimpse of confidential information.
  • Nevertheless, the ex-husband told our investigating officer that both he and his new wife had done that very thing. He said that he had seen his ex-wife's telephone number and what appeared to be her name at the bottom of one of the forms in the investigator's file. His wife, too, he said, had been able to discern some detail on the form—enough that between the two of them they were able to make a positive identification of the ex-wife as the informant.
  • Through a Privacy Act request, the ex-husband gained access to his HRDC file, which contained the two forms in question. At the bottom of the forms, for purposes of confidentiality, the informant's name and telephone number had been blacked out.

Largely from the convincing manner in which the ex-husband described the blacked-out portions of the forms he had accessed, our investigating officer tended to believe that a disclosure had indeed been made during the interview. But he had to be sure. How likely was it, after all, that the ex-husband could have read one of the forms upside-down? The officer decided to run a test.

Simulating the interview situation, he placed the form on a desk five feet away from himself. Though looking upside-down at the form across a desk at that distance, he found that he was able to read the informant's telephone number quite easily. With only a little more difficulty, he also discerned her name.

This was enough to convince him. He recommended that the Commissioner render a finding of "well-founded" for the ex-wife's complaint. The Commissioner did so, but with one important proviso. The disclosure of confidential information had been improper, but obviously far from deliberate. The Commissioner took pains to point out that the HRDC investigator's error had been inadvertent.

A well-founded complaint about a serious matter—disclosure of personal income tax information

In a much-publicized case, the complainant alleged that Revenue Canada had disclosed his personal income tax information to the Manitoba Public Insurance Corporation (MPIC) in contravention of the Privacy Act.

In due course, the Privacy Commissioner concluded that the complaint was well-founded. More importantly, he took measures to eliminate what he considered to be a serious privacy violation that had become common practice in Manitoba.

The complainant had been involved in a serious automobile accident. He subsequently filed a claim with the MPIC and, at the same time, signed a consent form. Essentially, the signed form gave permission for the MPIC to conduct its investigation and collect medical and employment records about the applicant.

Among other things, the MPIC needed to confirm the applicant's income. The normal procedure was to have the employer verify the applicant's statement of earnings. In this case, as in many others, a discrepancy arose. Given conflicting information, MPIC officials decided that the only way to get a true picture of the applicant's earnings would be to obtain his tax records from Revenue Canada.

More easily said than done, one might well have thought. After all, a person's tax information is supposed to be confidential. Revenue Canada has a consent form of its own, called a Revenue Canada Authorization. Before any specified tax information may be released to a third party, that form is meant to be filled out with a clear and unambiguous information request and signed by the taxpayer in question. For the MPIC, though, no such trouble was necessary.

An official simply took the MPIC's general consent form, which the applicant had signed, and attached it to a Revenue Canada Authorization, which the applicant had neither signed nor even seen. Then the official wrote, on the unsigned Revenue Canada form, "See attached authorization". Moreover, the official did not even bother to limit the request to the very specific information the MPIC needed for its investigation. On the face of it at least, the authorization permitted Revenue Canada to disclose not just the applicant's current income, but any and all of his personal tax information over the last five years.

And that is just what the MPIC received—five years' worth of the applicant's tax records in detail. Ask and ye shall receive.

As our investigation revealed, that is what the MPIC always asked and received from Revenue Canada. Several MPIC requests for tax information came every week to the local Revenue Canada office. Revenue Canada staff always processed the requests as a matter of routine, never once questioning whether the MPIC's general consent form was sufficient authorization for the release of tax information. And more often than not they were extremely generous in their responses, giving the MPIC far more information than it required for its purposes.

Nor had MPIC officials ever doubted their own authority to access such information. They believed that their general consent form entitled them to the full range of an applicant's tax records, even when they only needed one piece of information.

The Privacy Commissioner could not agree. On the contrary, he could only conclude that Revenue Canada, in releasing the complainant's tax records without his explicit consent, had seriously violated the complainant's rights under the Privacy Act. Though regrettably the violation to the complainant could not be undone, the Commissioner took steps to ensure at least that no one's rights would ever be violated in the same way again.

He made sure, first of all, that the complainant's tax records were removed from the MPIC premises. He then underscored, for the benefit of all concerned, the continuing requirement for a clear, unambiguous, and signed consent form for the release of tax information. Finally, he recommended that Revenue Canada terminate the practice of releasing tax information to the MPIC, while the two organizations work out a strict agreement on disclosure of information.

Revenue Canada stopped releasing tax information to the MPIC as of April 27, 1999. The Privacy Commissioner will follow up to ensure that the eventual information-sharing agreement between the two organisations is appropriate and in full accordance with the Privacy Act.

Meanwhile, if the MPIC needs verification of claimants' income, it will be up to the claimants themselves to obtain it from Revenue Canada.

"Smith" the good citizen or "Smythe" the criminal? It's all the same to some computer databases

Three friends went into a store. Two came out with purchases. The third left empty-handed and embarrassed, feeling suspected of being a criminal.

What these friends had set out to buy were firearms, in full compliance with the strict registry procedures currently in place. The three duly filled out the application forms, and the store clerk phoned in for the required computer checks against the database known as FIP—"Firearms of Interest to Police." Two applications went through with no problem, but the third was automatically refused. As a reason why, the computer offered only the phrase "New events against the buyer".

Once refused, the application was referred electronically to Ontario's Chief Firearms Officer (CFO) for his review. Within 48 hours, the CFO overturned the refusal and approved the application.

But questions remained unanswered. Why had it been refused initially? Why had a previous application by the same buyer been approved without a hitch only a month before? What sort of "new events" had the computer check turned up?

The applicant approached the Department of Justice for an explanation. Officials told him that the FIP search had matched his name to an individual having a similar name and date of birth and known to police. For a short while, the applicant was satisfied with this explanation—that is, until the same thing happened to him again.

The second refusal occurred only a month after the first. Once again the firearms application was rejected because of "New events against the buyer." Once again, the applicant was deeply embarrassed to have been thus centred out under the suspicious gaze of store clerks and other customers. And once again, within a day or two, the CFO discovered the mistake, overturned the refusal, and permitted the applicant to make his purchase. The FIP search had, for the second time, matched his particulars to another person, who was ineligible to buy firearms.

This time, however, the applicant did not accept the department's spoken explanation. One case of mistaken identity, he thought, was understandable, but not two. And he certainly did not relish the prospect of suffering the same humiliation any time he made application for firearms in future, as the officials had warned him was quite likely to keep happening. He decided to delve into the matter by submitting information requests under the Privacy Act to both the Department of Justice and the RCMP.

In response to his request for a detailed written explanation, Justice simply sent him copies of the three firearm applications he had submitted. The two applications that had initially been refused yielded no details beyond the original notation, "New events against buyer." The covering response letter said that it was not within the department's mandate to explain, but only to identify and review records requested.

The man subsequently filed complaints under the Privacy Act, to the effect that he had not received any written information explaining why he had been temporarily denied approvals to purchase firearms.

The FIP system itself was of no use in providing an explanation. Justice officials pointed out to our investigator that FIP transactions are paperless, lacking even the capability to "print-screen" reasons for refusals. But in investigating the corresponding complaint with the RCMP, our officer gained access to other databases that did prove useful.

She was eventually able to identify the person whose name and date of birth had twice been matched to the complainant's. As it turned out, the birth dates were five months apart, and the surnames were about as much alike as "Smith" and "Smythe". That's close enough, apparently, for a phonetically oriented computer.

Our investigator also managed to make some headway in the matter of future applications. In this, she had abundant help from the complainant himself, through numerous telephone calls and letters on his own behalf.

In the end, Justice officials were persuaded to modify FIP so as to dissociate the complainant from the other individual, at least in the present context. They did so by switching off the event code that had been assigned to the latter's latest run-in with police. The department made it clear, however, that if the other person—or, for that matter, any other person with similar name, birth date, or address—ever had further trouble with the law, a new event code would be entered and would probably produce another match with the complainant. If so, he would have to contact the department and have the code switched off yet again.

Even though the name of the other person could not be divulged, and despite the potential inconvenience of further mismatches in future, the complainant was quite satisfied with the progress of the case. It was not inconvenience or delay that he had objected to in the first place. He knew that many other innocent parties—notably, the real Smiths and Tremblays of this country—often had to put up with even greater inconvenience and delay in the process of FIP searches. But neither did the complainant object to the FIP process itself, or even to firearms registry in principle.

All he had ever really wanted was an explanation in writing. He just wanted something he could carry with him, to show friends and clerks and fellow customers that he was not a criminal.

Once assured that our written report to him would include such an explanation, he readily agreed to consider his complaint against the Department of Justice "settled in the course of the investigation."

The Office is currently reviewing the personal information handling practices of the Canadian Firearms Program as discussed above.

Appeal board witness grilled—about irrelevant private matters

After a federal job competition, it is not unusual for an unsuccessful candidate to appeal. It is unusual, however, for an appellant's witness to be humiliated through improper disclosure of personal information. Unusual, but not unheard of, as this case goes to show.

The Privacy Commissioner does not want to hear of it again.

An employee of a government institution lost a job competition within the organization. When she proceeded to file a formal appeal with the Public Service Commission Appeals Board, her union asked one of her co-workers to testify in her behalf. The management side immediately objected to the co-worker's appearing as a witness. In a formal submission to the Appeals Board, institution management explained its objection and concluded with a warning: if this co-worker and a certain other were allowed to testify, the institution would attempt to discredit not only their testimony, but also their "credibility as witnesses."

Ironically, this co-worker had never even wanted to appear as a witness. In fact, he had initially declined the request. Nor was he known to be particularly sympathetic to the appellant. Nevertheless, the union believed that he had information about the job competition that might support her case, so the Appeals Board issued him a summons, which he duly obeyed.

During the proceedings, institution management followed up on its earlier warning. In cross-examination, the management representative persistently attacked not only the co-worker's testimony, but also his credibility. Soon, however, the questioning began to stray more and more into areas whose relevance the Chairperson of the Appeals Board called into doubt.

At last it strayed into one highly irrelevant and sensitive area—the witness's recent extended sick leave and the medical reasons for it. The questions asked in this regard were pointed, intimate, and informed, betraying much more than a passing acquaintance with the witness's medical history. Indeed, such questions could only have been conceived by someone who had previously accessed and read the witness's personal and confidential attendance records.

The Chairperson soon put an end to the line of questioning, but the damage was already done. Sensitive and confidential information was now out before the Appeals Board, and the witness felt publicly humiliated. A few weeks later, still reeling from the cross-examination, he filed a complaint with the Office of the Privacy Commissioner.

How had the management representative gained access to the witness's attendance records? Quite easily, as our investigation showed. The representative happened to be a personnel manager with the institution. In the normal course of duties, this person had routine access to employees' attendance records, including medical certifications. Management's representative had thereby learned beforehand all about the witness's extended leave, the medical reasons for it, and the subsequent medical treatment. The witness had thus been cross-examined by someone who not only knew his medical history, but also had come to the proceedings with every intention of disclosing it to discredit him.

The management representative knew the history, and as a personnel manager was entitled to know. But as a cross-examiner this person was in no way entitled to disclose. Sections 7 and 8 of the Privacy Act prohibit federal institutions from using or disclosing personal information about an individual without the individual's consent except for the purpose for which the information was obtained or for a use consistent with that purpose.

The Privacy Commissioner concluded that the information relating to the witness's sick leave, the nature of his illness, and the subsequent medical treatment had no relevance to the issues before the Appeals Board's hearing. He pronounced the complaint well-founded, and the disclosure a serious matter.

The Commissioner became especially concerned when he learned that this was not the first improper disclosure the personnel manager had ever made. Indeed, from the mounting evidence, it seemed this person was under the misapprehension that the position of personnel manager entitled one to use and disclose employees' personal information however and whenever one pleased.

The Commissioner has advised the institution involved to clarify, for that manager and for all its other managers and employees, their obligations regarding disclosure of personal information under the Privacy Act. He intends to closely monitor the institution's efforts to that end.

RCMP officer vs. seatbelt violators: Next, he was going to tell their mothers on them

Overall, the RCMP has a remarkably good record at respecting privacy rights. It is perhaps all the more remarkable given the amount and type of personal information the organization collects, and the vast potential for abuse. Yet, as far as the Privacy Act is concerned, the Commissioner has usually found the RCMP to be not only among the most law-abiding of federal institutions, but also among the most willing and co-operative in redressing any violations that occur.

But, regrettably, violations do sometimes occur. On occasion, for example, some keen and well-meaning RCMP officer takes an initiative that simply oversteps the bounds.

Last year one such officer, frustrated in trying to enforce the seatbelt law in Alberta, decided that mere enforcement was not enough. He took it upon himself to reinforce the law, in his own special way.

An Alberta motorist later complained to the Privacy Commissioner that the RCMP had improperly disclosed personal information about him. Specifically, he alleged that a copy of a violation ticket he had received for failing to wear a seatbelt had been sent to his insurance company by the issuing officer.

Alas, the allegation proved all too true. Our investigation revealed that the RCMP officer in question had done that very thing—not just once, but several times. The officer himself admitted that over three or four months he had contacted the insurance companies of between 10 and 20 individuals who had previously been ticketed for seatbelt violations.

He explained it as a "pilot project" that he had undertaken on his own initiative. The RCMP was in fact conducting a campaign to increase seatbelt use in the area, but only this one officer had been inspired to take it to such lengths. His reasoning was that, if seatbelt use violators were subjected to increased insurance payments as well as fines, they would soon start to buckle up.

It did not seem to have occurred to him that, in taking such action against one kind of violator, he was turning himself into another kind—a violator against Canadian citizens' rights under the Privacy Act. Section 8 of the act prohibits disclosure of personal information about an individual without the individual's consent, except under special circumstances as listed in section 8(2) of the act.

The Privacy Commissioner found no such special circumstances applicable in this case. He concluded that the complaint was well-founded, the officer having failed to consider the confidentiality provisions of the Privacy Act when the pilot project was initiated. The Commissioner also made a point of informing the RCMP that he considered such inappropriate disclosure a serious breach of individuals' Privacy Act rights.

To the RCMP's continuing credit, its officials put an end to the officer's pilot project as soon as they found out about it. At the suggestion of our Office, they also canvassed all Alberta detachments to make sure that no other officer of theirs had been acting upon similar inspiration. The response came back negative. It had been truly a one-man operation.

All in all, then, the officer did not find much favour for his initiative. But what about the insurance companies? With the prospect of charging higher premiums, did they, at least, see some merit in his pilot project?

Some may have, perhaps, but we know for a fact that not all did. It was initially the complainant's own insurance company that brought this matter to the Privacy Commissioner's attention.

The mystery of the missing missive: Canada Post finds after agreeing to seek

This story involves three complaints by one person about two different organizations, and its rather convoluted plot is not entirely resolved even now. But one of our officers was able to get more or less to the bottom of things by persuading Canada Post to look beneath the surface.

Two months after putting in an information request under the Privacy Act, the person in question put in his first complaint, to the effect that Revenue Canada was late in responding. While our office was investigating this time-limit complaint, Revenue Canada informed us that it had just responded to the information request by means of a package delivered to the complainant's post office box.

Our office therefore closed the time-limit complaint, designating it well-founded but resolved. The package, however, did not show up.

What soon came to light was that the package had been addressed to the right person but the wrong post office box—wrong by one digit. Revenue Canada and Canada Post began efforts to trace the package. They could find only a receipt indicating that it had indeed been delivered to the correct retail postal outlet, but had been accepted and signed for by a person other than the addressee.

This prompted a second complaint under the Privacy Act, to the effect that Canada Post had improperly disclosed the complainant's personal information by permitting another person to accept delivery and sign for the package. Moreover, despite the signed receipt, the package itself was still missing and unaccounted for.

The complainant had himself made inquiries at the retail outlet. Employees had told him that they had searched, but had found nothing. Wherever the package had ended up, they said, it was definitely not there.

Our investigator informed Canada Post that she intended to visit the site anyway. She also managed to persuade the officials to conduct another search of the premises in the meantime and, if the package happened to be found, to hold onto it until she arrived. Before even setting out, she received a call from Canada Post headquarters, advising her that regional staff had reported the package found at the retail outlet.

When our investigator arrived at the site, Canada Post officials were there to greet her with the good news. The search that she had requested had been successful. The package had been discovered at last, lying on the floor, buried beneath several Christmas parcels and other pieces of mail.

How it had come to be there, the officials could only conjecture. One suggestion was that the carrier under contract to Canada Post may have made the delivery to the retail outlet, but that, when no post office box as numbered on the envelope could be found, the package may simply have been laid aside and forgotten.

But how would that explain the receipt and signature by a person other than the addressee? Canada Post suggested that, on the other hand, the contract carrier may have delivered the package not to the retail outlet, but rather by mistake to some third party, who automatically accepted it and signed for it. Then, presumably on emerging from his trance and noticing that the package was not actually addressed to him, that party may have taken it to the retail outlet indicated in the address. There some employee, not knowing what to do with a package for which there was no corresponding box number, may have simply laid it aside and forgotten it.

One objection to that theory is that none of the employees at the store recalls any package delivered under such circumstances. Another is that, although the retail outlet did have a client whose surname matched the one on the receipt, that person denied ever having received or signed for any package addressed to the complainant. Besides, the first initials were different, and the signatures did not match.

This mystery may never be solved, but at least the complainant was appeased. In the end, our investigator made the delivery to him by hand. Though understandably frustrated by the delay, he was satisfied that the package had been retrieved unopened, its contents intact. He agreed to consider his second complaint settled.

And his third? That came a little later, after he opened the package and took issue with certain exemptions that had been applied to the information. The investigation of the third complaint is still open as we go to press.

Meanwhile, Canada Post assures us that "Lay it aside and forget it" is not official policy for mis-addressed packages.

Young Offenders Act: Not all matters of privacy are matters for the federal Privacy Commissioner 

It was the first time the Office ever investigated a complaint concerning a young offender's records. It may well be the last. In the end, what our investigation confirmed was that such records are beyond the scope of the Privacy Act.

An individual filed a complaint under the federal Privacy Act against the Department of Justice. He alleged that the department had denied him access to the Crown's brief relating to the criminal prosecution of a certain youth under the Young Offenders Act. The complainant claimed that the youth in question was his "client" (more about that later).

As our investigator discovered, the Department of Justice had only "denied" access in the sense that it had no such information to disclose. The Young Offenders Act is indeed a federal law, but it is administered by the provinces. Information of the kind the complainant sought is held not by the federal government, but rather by the respective provincial governments—in this case, Ontario.

On being so informed, the complainant took his information request to the Ontario government, under that province's Freedom of Information and Protection of Privacy Act. But the Ontario Attorney General's office responded that the information sought was outside the scope of that act. It further stated, in wording that unfortunately proved misleading to the complainant, that such information was subject to federal legislation superseding the provincial act.

What federal legislation did the Attorney General's office mean? The Young Offenders Act. What legislation did the complainant take it to mean? The Privacy Act. Why hadn't the Attorney General's office been more specific? Because specifying the legislation as the Young Offenders Act would in effect have identified the youth as a young offender—identification that the Young Offenders Act itself expressly prohibits.

Hence, the complainant pressed the issue under the federal Privacy Act, which he mistook for the superseding federal legislation. But the Privacy Commissioner could not help him. As our investigator and several provincial and federal officials eventually agreed, the federal Privacy Act does not supersede the Young Offenders Act, which has its own provisions for disclosure of information. Specifically, section 44(1) of that act does grant disclosure of a young offender's information, but does not give access to parents or representatives once the criminal prosecution has ended. Furthermore, since the provinces administer the Young Offenders Act, it is provincial Crown attorneys who determine matters of disclosure under that act.

On the subject of representatives, there is an interesting sideline to this case. Our investigator eventually learned that the complainant had previously followed the proper channel. He had already made an information request under the appropriate legislation, section 44(1) of the Young Offenders Act. The local Crown Attorney had denied him access, on grounds that he was not a competent adult to represent the youth.

From the beginning, our investigator herself had entertained strong doubts whether the complainant was a bona fide representative of the young offender. Had the case proceeded otherwise, she would have taken steps to confirm the relationship.

As it turned out, representation was beside the point, as far as the Privacy Commissioner was concerned. Given that access to young offenders' information is limited to the Young Offenders Act and that such information in any case is not maintained by the federal government, the Commissioner was unable to conclude that any rights had been violated under the Privacy Act. The complaint was not well-founded.

Personal information gets trashed-or so Elections Canada hopes

In January of last year, Elections Canada lost a computer tape.

The loss was very troubling to many, for it was not just any old computer tape. This one was full of personal information about most adult residents of Manitoba. More troubling still, it has never been found.

In particular, the tape listed names, addresses, birth dates, and driver's licence numbers of some 675,000 Manitoba motorists. The province's Motor Vehicles Branch had sent the tape by courier for Elections Canada to use in updating voters' lists. In the wrong hands, however, it could be put to any number of inappropriate uses.

The Canada Elections Act permits Elections Canada to enter into agreements with various federal, provincial, and territorial agencies for the purpose of obtaining information to update the National Register of Electors. In fact, Elections Canada receives protected data from 27 such sources four times a year. Transferring personal data via computer tape was entirely in keeping with the existing agreement between the Province of Manitoba and the Chief Electoral Officer of Canada.

The loss of the confidential information, of course, was not. The Manitoba agreement, like all others, had been based on the clear understanding that Elections Canada would take every appropriate security and safeguarding measure to protect the confidentiality of the personal information entrusted to it. On learning of Elections Canada's failure in this regard, Manitoba's Ministry of Highways and Transportation suspended the information-sharing agreement, pending review of the incident and implementation of satisfactory remedial measures.

Nor could Elections Canada afford to treat its failure lightly. The department greatly depends on information received from outside sources, and both staff and management alike were acutely aware of how severely the incident could affect future dealings with suppliers. From the outset, therefore, Elections Canada spared no effort to restore confidence in its ability to handle and protect personal information.

When five separate, thorough searches of the office complex failed to turn up the missing tape, Elections Canada notified Manitoba officials of the loss and immediately commissioned an independent audit of its own security and data-handling procedures. The department subsequently implemented several recommendations of that audit to improve both the human and technical elements of what had already been a highly sophisticated, albeit obviously flawed, system.

One thing that Elections Canada did not do, however, was inform the federal Privacy Commissioner. It was the Ombudsman for the Province of Manitoba who eventually did that—more than two months after the incident had occurred.

Despite the independent audit that had already been carried out, the Commissioner launched his own investigation into the incident. Through on-site inspections and extensive interviews with all employees concerned, Privacy staff confirmed what both Elections Canada and the independent audit had previously concluded about the missing tape:

  • It had definitely been received at the offices of Elections Canada and been retrieved from the mailroom, as attested by mailroom personnel and others, including the employee who had picked it up.
  • It had probably not been stolen. The investigation revealed no evidence of theft, by either an employee or an outsider. All employees interviewed proved open, co-operative, and highly credible. Nor was it likely, given the sophisticated security system already in place, that any outsider could have intruded, stolen the tape, and got away undetected.
  • In all probability, the tape had been thrown into the trash by mistake. On the day of the incident, the employee who had gone to the mailroom to pick up the tape had other things on his mind. He was worried about his sick infant daughter and, having obtained approval to leave work early, was anxious to go home to attend to her. When he brought the newly arrived tape, in its envelope, to his office, there were five other courier envelopes on his desk. These five had already been emptied of their contents and were awaiting disposal. In his haste and distraction, the employee may well have thrown the new envelope, unopened, into the trash along with the empty ones.
  • It was not until three working days later, during a routine audit, that the employee realized the Manitoba tape was missing. By that time, the trash cans of the day in question had long been emptied and their contents removed far from the premises. Because of their wax coating, the courier envelopes would not have been separated for recycling, but rather would have been taken to a landfill site along with other non-recyclable refuse.
  • Whatever had become of the tape, it was unlikely that the confidential information could be accessed for improper purposes. There was nothing on the tape cartridge to identify its contents, its origin, or its destination. Moreover, the tape was written in a code unique to IBM mainframe computers and could not be read without special decoding software.

All things considered, the Privacy Commissioner himself concluded that the tape had been lost through simple human error. He found the independent audit report to be very thorough and credible and was satisfied with the remedial measures that Elections Canada had implemented to prevent further breaches of security and confidentiality.

To both the Ombudsman for Manitoba and the Chief Electoral Officer for Canada, the Commissioner conveyed his belief that the tape had ended up buried in a garbage bag at a landfill site.

In other words, it is out of harm's reach—with any luck.

Lax information technology procedures in prison cause a dangerous breach of privacy

When some inmates of a federal prison acquired confidential information on all the others, the consequences, fortunately, were not as dire as they might have been. Since then, Correctional Services Canada (CSC) has made a point of reducing its need to rely so much on good fortune in future.

One of the first steps that CSC took was to report the incident to the Privacy Commissioner. Not all our investigations arise from complaints by private citizens. Sometimes, as in this case, federal departments themselves report incidents warranting the Commissioner's attention.

What CSC reported was that Kingston Penitentiary officials had found, on the hard drive of a computer in an inmate's cell, two spreadsheet files containing information on more than 300 inmates of the penitentiary. The information included not only names and vital dates, but also details of crimes and sentencing, confidential fingerprint sheet numbers, and notations on mental health problems, prison behaviour, and escape risk.

The incident, along with a leaked copy of the spreadsheet files, soon came to the attention of the press. Journalists raised concerns that dissemination of such information could pose danger for some inmates—notably, those identified as sex offenders.

On the day of the incident, penitentiary staff removed the computer and all diskettes from the inmate's cell. The inmate admitted to having received the files on diskette from another inmate several months before and copied them to the computer's hard drive. He also indicated that he knew of other inmates who had the same files.

The next day, staff conducted an "exceptional search" of the institution, seizing all computers and diskettes in the possession of, or otherwise available to, the inmates. This search turned up only one other copy of the files in question.

The next step was to contact all the individuals whose privacy had been breached. After providing the Office of the Privacy Commissioner with a copy of the template, CSC sent appropriate letters of notification to the 333 inmates concerned, informing them of, among other things, their right to complain under the Privacy Act. Notifying the inmates was a clear indication of CSC's acceptance of responsibility for the incident and willingness to take remedial action on a serious matter.

Promising to keep us informed of all developments, the Ontario regional office of the CSC then launched its own investigation into the incident. The following facts emerged:

  • The spreadsheets had originally been designed by a penitentiary official.
  • More than one staff member had since been involved in updating the information on the files.
  • The files were known to have been stored on two computers used by staff: (1) a laptop computer that several staff members had frequently taken home, and (2) a desktop computer that was subsequently loaned out for inmate use. Either or both of these computers could have been the source of the improper information disclosure.
  • The laptop computer had gone missing one year before. No monitoring or tracking system for its use had been in place. Therefore, no document trail had been available to assist in finding it.
  • When the laptop went missing, CSC had failed to notify the Privacy Commissioner of the personal information on the hard drive.
  • Before being loaned out to an inmate, the desktop computer may not have been "sanitized" (i.e., its hard drive expunged of inappropriate files). Although the informatics department usually followed sanitation procedures, the procedure for verification was informal and lax. In this case, there was no documented verification that the computer had been sanitized.

The CSC investigation report concluded that the disclosure of personal information had been caused by procedural breakdown, not by inmates. The report made three strong recommendations towards strict procedural control over equipment loans, computer sanitation, and data storage and security.

We are satisfied with CSC's investigation and believe that, if well implemented, the recommended measures will reduce the likelihood of recurrence. Moreover, the Office considers the actions taken in response to the incident to be positive demonstrations of CSC's continuing commitment to the principles of the Privacy Act.

A case about a case, not properly secured

Federal employees who take their work out of the office have no special immunity from thievery. In fact, now that the laptop computer has become a container of choice for transporting office files, employees have to be especially on their guard. A laptop's compact size and high market value make it a very tempting target for thieves.

Last year, when someone stole a small carrying case from an employee's car, the Farm Credit Corporation (FCC) did the right thing by notifying the Privacy Commissioner. The case, which had been locked in the trunk, contained a laptop computer. In the side pocket was a file of papers, disclosing personal loan information on FCC clients.

The FCC conducted a thorough search of the area. The computer was soon found undamaged near a garbage bin not far from where the employee's car was parked. The paper file, however, was not recovered.

The FCC wrote letters to the clients concerned, notifying them of the loss of their personal information. The clients have since acknowledged the loss and seem not to have taken permanent offence. At least, they have agreed to keep doing business with the FCC.

The FCC also sent a memo to all staff, reminding them of the importance of securing personal information. In particular, the memo instructed that

  • Client files to be transported should be kept in a locked briefcase in the employee's possession;
  • Such files should be returned to the office wherever possible;
  • In instances where taking files home is unavoidable, they should be stored in a secured area, preferably in a locked filing cabinet; and
  • Any laptop computer taken home should remain with the employee at all times and should not be stored in vehicles or luggage.

In this instance, FCC officials were unable to ascertain whether any personal information had been stored on the computer. In any event, they doubted whether the thieves had either the time or the ability to access any information on the hard drive, particularly since the computer's operating system was protected by a password. From the circumstances of the computer's recovery, the officials thought it likely that the thieves had been foiled in the act.

While generally approving of the FCC's efforts in response to the improper disclosure of information, the Privacy Commissioner felt compelled to raise a concern about security of personal information on portable computers. He stressed that, even though a computer may be stolen for its hardware value, there is always a possibility for information stored on the computer to be used to the disadvantage of individuals to whom the information relates.

As to the FCC's reliance on a mere password to prevent access to a computer's operating system, it is well known that this is not a secure enough measure in itself. Password or no password, a thief could get access to a hard drive simply by using a boot disk.

The FCC's manager of network services operations has acknowledged the need for greater security. In addition to issuing the above-noted instructions to employees, he has informed the Office of the Privacy Commissioner of FCC's plan to equip all of its computers, including laptops, with appropriate software that will protect all data stored on the hard disk.

The Privacy Commissioner urges federal institutions to take every possible precaution for protecting data on portable computers. If you can't prevent a determined thief from stealing the hardware, you can at least make sure he won't get a big bonus in the form of confidential and useful information.

Improper destruction of records: A reprehensible act

When the Privacy Commissioner takes the unusual step of conveying his findings directly to a Deputy Minister, it signifies a matter of great concern to the Commissioner. In this case, unfortunately, the Deputy Minister did not seem to see the matter in quite the same light.

In investigating a complaint against Revenue Canada, our officer made arrangements to visit a regional tax services office. He intended to interview several staff members there and examine all pertinent files and documents. His mission was to determine whether Revenue Canada had granted the complainant all the personal information she had previously requested under the Privacy Act. The requested information related mainly to an investigation of a harassment allegation by the complainant.

Before making the visit, our officer spoke with the regional human resources co-ordinator at the site. She told the officer that among the files she had gathered for his review were some hand-written notes of unknown authorship (the author was later identified as the investigator of the above-mentioned harassment allegation). In the same conversation, the human resources co-ordinator also mentioned her intention to "clean up" the files, mainly by eliminating the many duplicate copies of documents they contained. However, when our officer asked her not to remove duplicates or any other documents before he saw the files, she agreed.

During the on-site visit, our officer could not find the hand-written notes that he had been told to expect. In an effort to find out what had happened to them, he proceeded to interview several of the managers at the tax services office. These interviews revealed that the following events had occurred:

  • After speaking with our officer, the human resources co-ordinator had passed the harassment investigation file on to two managers for the purpose of "pulling it together" and making a chronology of events.
  • One of these two managers, by his own admission, had subsequently destroyed the hand-written notes of the harassment investigator, in full knowledge that a Privacy Act complaint was in progress and that the notes were relevant to an earlier Privacy Act complaint.
  • The other manager to whom the file had been passed had removed another set of hand-written notes. Without retaining a copy for the file, she had sent this second set of notes to their author, who had been the investigator of a previous harassment allegation by the complainant.

As our investigation later revealed, both sets of hand-written notes referred to certain matters that might reflect badly on local staff in the context of an earlier investigation.

As it happened, neither missing set of notes remained missing for long. For one thing, our officer managed to persuade the author of the second set of notes to return them. For another, and probably unbeknownst to the officials at the tax service office, a copy of the first set of notes was on file at Revenue Canada headquarters in Ottawa. Eventually, Revenue Canada agreed to put both sets back into the harassment investigation file so that they would be duly available to the complainant in future.

Problem resolved? Not quite. There was still the matter of the deliberate removal and destruction of records by officials who should have known better. This was a matter that seriously troubled the Commissioner—so much so in fact that he decided to bring his finding directly to the attention of Revenue Canada's Deputy Minister at that time.

Specifically, the Commissioner raised concerns about the "inappropriate" and "reprehensible" behaviour of Revenue Canada officials, who had contravened both Privacy Act retention requirements and their own department's retention and disposal standards. From the evidence, the Commissioner could only conclude that the officials had so acted in an attempt to thwart his Office's investigation.

In response, the Deputy Minister agreed that the improper destruction of personal information was a very serious matter. But he could not agree that his officials' behaviour in this case was reprehensible, since he was satisfied that the "unfortunate incident was neither wilful nor intended to thwart" the Privacy Commissioner's investigation. On what evidence he had become so satisfied, the DM did not venture to say.

He did say, however, that he would remind his officials of the powers and duties of the Privacy Commissioner and of the requirement to fully respect the provisions of the Privacy Act.

There is a new offence under the Access to Information Act (section 67.1) to prevent destruction of records where the destruction is for the purpose of frustrating access to information. Unfortunately, the Privacy Act does not contain a similar provision.

Information access: A matter of give and take

When a department is late in responding to an information request, it is not always the department's fault. Sometimes the request itself is unclear, and it takes time for the departmental officials to determine what exactly the requester wants. And sometimes, a requester can save weeks of delay just by picking up the phone.

In one recent case, for example, a man complained that a certain federal department had failed to provide a timely response to his request for information under the Privacy Act. He had requested access to all records placed on file since his "last request".

To the departmental ATIP officer who received it, this new request seemed ambiguous. It was her understanding that the requester wanted access to records concerning an internal investigation into harassment allegations he had made against certain departmental officials. However, his new request named some officials who were not parties to that investigation and who were therefore unlikely sources for such records. Furthermore, the man had made several requests for information in the past, and the last one, chronologically speaking, had nothing to do with the investigation in question.

In short, the ATIP officer was genuinely uncertain how she should respond to the new request. She was more than willing to begin responding immediately, but simply did not have clear enough information on which to proceed. After several unsuccessful attempts to reach the man by telephone, she wrote him a letter asking him to clarify what he had meant by his "last request." Specifically, she asked him to quote the file number for it.

On receiving this petition, instead of just telephoning or otherwise dealing with the officer directly, the man for some reason decided to turn the matter over to his legal representative. A full two weeks later, the lawyer wrote to the department, expressing the desire to complain formally about the "excessive delays" in processing his client's information request. This letter was duly forwarded to the Privacy Commissioner and received as a formal complaint under the Privacy Act.

But the lawyer's letter also had the effect of adding to the confusion. For the "last request", the letter quoted the file number that the ATIP officer still had good reason to doubt was the right one. In her mind, it was still unclear what records she ought to retrieve.

Section 13(2) of the Privacy Act requires that those who request personal records under the Act provide information of sufficient detail to enable the department to make the requested records retrievable. In other words, the onus is on the requester to make sure that his or her request is not ambiguous.

In a lengthy conversation with the lawyer, our investigating officer confirmed what the ATIP officer had suspected: that the records sought were indeed those related to the harassment investigation. Our officer pointed out that the file number the lawyer himself had quoted in his letter of complaint was unrelated to that investigation. In sum, there had been legitimate confusion over what information the complainant was interested in obtaining.

The lawyer finally agreed to close out the matter by forwarding a letter of clarification to the department.

The Commissioner concluded that the department's request for clarification had been valid and that the time-limit complaint was not well-founded.

The SINs of our fathers: At least some of them will not be visited upon us

Hats off to the countless senior citizens who know and cherish their privacy rights.

This is the case of one Quebec woman who grew increasingly annoyed at seeing her confidential Social Insurance Number displayed for anyone to see through the envelope window for her Old Age Security cheques. Deciding finally to do something about it, she complained to the Privacy Commissioner. The final result—we are delighted to report at last—is that neither this senior citizen nor any other will ever again have to suffer that particular violation of privacy rights.

In investigating this complaint, our office could not have been more sympathetic. Why indeed was a Canadian citizen's personal, and supposedly confidential, Social Insurance Number clearly visible through the window of envelopes mailed to her by a federal department? This was not a question we were posing for the first time—far from it. Time and time again we had posed it, in the course of investigating many a similar well-founded complaint, dating as far back as 1986.

By now the question had become more pointed: After many years of being repeatedly shown the error of its ways, repeatedly acknowledging the error, and repeatedly making promises to eliminate it, why was Human Resources Development Canada still disclosing confidential information by public post in outright contravention of the Privacy Act?

To give the department its due, this time the response was different—no more empty promises, no more "next year for sure", no more tyranny of "systems", no more halfway measures. The department not only said it would remove, but actually did remove, SIN from its Old Age Security cheques, as of November 1, 1999.

Small victory though it may seem, it could not have happened without the persistent indignation of senior citizens such as the complainant from Quebec. Perhaps because it understands best the integral relation between liberty and privacy, the older generation tends not to suffer quietly even the smallest violations of either. The big question arises: will younger generations be willing to take up the torch?

Partial remission of SIN: a fair compromise, albeit another dubious pun

Even if it doesn't show through its envelope window, a Social Insurance Number (SIN) printed on a government-issued cheque does not stay hidden forever. Sooner or later the envelope gets opened, and the SIN becomes visible to people who really have no right to see it—notably, the people who cash the cheque.

Down through the years, the Commissioner has received many complaints to that effect. When he received one recently from a northern counterpart of his, the special circumstances of the North made all the difference.

The Information and Privacy Commissioner for the Northwest Territories complained that Human Resources Development Canada (HRDC) was making improper disclosures of SINs by printing them on cheques for employment insurance benefits. Her contention was that recipients therefore cannot cash their cheques without revealing personal information to a financial institution or other cheque-cashing establishment.

HRDC still prints the SIN on several kinds of cheques it issues. Of these, employment insurance cheques are the case for which the department offers perhaps its best argument. In this instance, as often in the past, HRDC explained its position as follows:

  • Given that the SIN was designed for employment insurance purposes in the first place, its use on employment insurance cheques is entirely appropriate and legitimate. Furthermore, the SIN is the official file number for the employment insurance program, and as such is an important element in establishing the identity of cheque recipients. Since many persons may have the same name, an employment insurance payment is actually issued not to a name, but rather to a SIN.
  • In cases where a cheque was lost or stolen, tracing it would be expensive and laborious without the SIN.
  • As far as confidentiality is concerned, financial institutions already have responsibility for recording the confidential SIN for certain other transactions. Establishments other than financial institutions may not have similar SIN responsibilities, but on the other hand people who have their cheques cashed at such alternative establishments do so by their own choice.
  • Another good option available to recipients is having their cheques deposited directly into their bank accounts. Direct deposit obviates the need for any others to cast their eyes upon the confidential SIN.

The Office sees some merit in the HRDC argument, particularly as it relates to the options generally available to cheque recipients. Financial institutions do indeed already have routine access to SIN, notably for transactions such as reporting income to Revenue Canada. Presumably, they also have safeguards in place for the protection of this personal information. Likewise, it is true that direct deposit may bring a greater measure of privacy.

However, when the Northwest Territories come into the picture, the HRDC position weakens. In the many sparsely populated areas of Canada's North, financial institutions may be few and far between. Direct deposit or no direct deposit, it's hard enough just to get to the bank. Many northerners have to rely on whatever alternative cheque-cashing facilities may be available—the local general store, for example.

Such establishments may have attractions of their own, of course, but they are not known for the kind of anonymity that one often seeks in a financial institution. After all, it is one thing to have your SIN scanned by an unknown and indifferent bank teller, but quite another to be obliged to disclose personal information to a friend, relative, neighbour, or local acquaintance.

The Office is pleased to announce that, as a result of discussions arising directly from this northern complaint, HRDC has softened its line. It has agreed to examine its use of social insurance numbers on the cheques it issues—not just for employment insurance, but for all of its programs. More concretely, the department has already proposed to change its procedures so as to print not the whole SIN but rather only the last six digits on each cheque it issues.

Would six digits be enough for HRDC? Yes. The department has conceded that six digits are all it really needs for most purposes of identification.

But would merely eliminating three digits of the SIN be enough to address the privacy issue? In good part, it would. For one thing, the six remaining digits would not be identified as part of a SIN, nor would they be recognisable as such. For another, no one, not even HRDC, could guess or recreate the complete SIN from the last six digits.

In short, both the federal commissioner and the territorial commissioner regard this proposal as a reasonable compromise. While acknowledging that the change may not be accomplished overnight, the Privacy Commissioner has assured his northern counterpart that he will monitor the progress of HRDC's undertaking.


After the brief levelling-off period last reported, inquiries went over the top again this year. Our two-person inquiries unit processed some 11,256 calls and letters in 1999/2000. This exceeds last year's total by 953 and the previous high in 1997/98 by 925.

The table below shows received inquiries broken down into broad categories.

Inquiries by Type
for the year ended March 31, 2000

Adoption, genealogy, missing persons 83
Criminal records, pardons, U.S. waivers 130
Financial institutions, insurance, credit bureaus 367
Medical 121
No jurisdiction, private sector 780
No jurisdiction, federal 805
Other 698
Privacy Act, interpretation & process 4364
Public Affairs (media, publications) 1036
Redirect to provincial commissioner 794
Redirect to other federal agency 686
Redirect to other 135
Social Insurance Numbers 1099
Telecommunications 75
Telemarketing, direct mail 83
Total 11256

Of special interest
Public Information: More callers than ever reported difficulties in finding Personal Information Request Forms and copies of Info Source, the catalogue of the federal government's information holdings. Under the Privacy Act, the Treasury Board Secretariat is responsible for producing these materials and making them available at post offices, libraries, and other public places. But Treasury Board appears to have become less and less diligent about carrying out this responsibility—at least as far as distribution is concerned. According to our callers, not only do many post offices not have these materials on hand, but also some postal employees, particularly at the smaller retail outlets, are not even aware that such things exist.

Furthermore, even when people do find copies of Info Source, they seldom like what they see. The document itself provokes many calls of dissatisfaction to our inquiries unit. Frustrated callers say that Info Source is too big and unwieldy, too dauntingly technical, too difficult to read and find one's way around in—in short, not nearly as helpful and user-friendly as it should be for the ordinary Canadian citizen. Frankly, from our own almost daily experience with the document, we can only agree. The directory of the federal government's information sources should be less a compendium and more a guide for the average user.

The Office would like to assist in improving Info Source and in fact has already initiated discussions with Treasury Board to that end.

Social Insurance Numbers: Once again, the SIN was on the mind of many inquirers. This year's SIN-related inquiries exceeded even last year's total, which had burgeoned as a result of commentary by the Auditor General. In fact, more than 40 per cent of telephone inquiries in 1999/2000 related to the use of the SIN.

Electronic Surveillance: Many callers asked about the legalities of various forms of electronic surveillance, notably hidden cameras and monitoring of telephone calls and computer use. Callers included both employees under surveillance and employers contemplating possibilities for their workplaces.

Post-1911 Census Information: Inquiries continued to be made about the release of census results of 1911 and subsequent years. In large part, these inquiries have been prompted by the Privacy Commissioner's expressed opposition to releasing information that the government originally promised to keep confidential.

Statistics Canada: The Labour Force Survey prompted numerous complaints about Statistics Canada. Many complained of harassment by StatsCan agents. It is expected that the next big survey of 2001 will bring a new flurry of inquiries relating to the behaviour of canvassers and to the question of citizens' obligation to participate.

Private Sector: Every year, our staff fields large numbers of inquiries concerning private-sector companies and institutions. This year, for example, many continued to report dissatisfaction with the complaint process at financial institutions. Others alleged that credit reporting agencies were providing false or inaccurate information about them, or that collection agencies were harassing them and disclosing personal information to third parties. Several calls came from private-sector employees who were trying to gain access to their personnel files. These callers were invariably dismayed to learn that there is not yet any legislation in place that permits such access.

To date, with only the Privacy Act to guide us, we have been limited in what we could do for such inquirers. With the passage of Bill C-6, we hope to be much more helpful in the future.

During the Commissioner's Term
In 10 years since taking office, Commissioner Phillips saw the number of annual inquiries increase between two- and threefold, from 4,032 in 1990/1991 to 11,256 in 1999/2000. The average annual increase was just under 10 per cent, for a grand total of 82,422.

The table below shows totals for each of the Commissioner's 10 years in office.

Inquiries Received for the past 10 years

Top Ten Departments by Complaints Received
for the year ended March 31, 2000

  Total Access Time Privacy Other
Correctional Service Canada 316 109 136 71  
Revenue Canada (Now Canada Customs and Revenue Agency) 231 103 81 47  
National Defence 189 53 91 45  
Royal Canadian Mounted Police 130 67 37 26  
Human Resources Development Canada 120 35 16 69  
Immigration and Refugee Board 108 8 92 8  
Citizenship and Immigration Canada 72 32 29 11  
Justice Canada 64 52 3 9  
Canadian Security Intelligence Service 58 53 3 2  
Canada Post Corporation 38 10 3 25  
Other 260 124 66 69 1
Total 1586 646 557 382 1

Closed Investigations by Grounds

Completed Investigations by Department and Result
for the year ended March 31, 2000

Department Well-
Resolved Settled Total
Agriculture and Agri-Food Canada 4 0 0 0 0 1 5
Atlantic Canada Opportunities Agency 0 0 1 1 0 0 2
Business Development Bank of Canada 0 0 0 0 0 1 1
Canada Ports Corporation 1 1 0 0 0 1 3
Canada Post Corporation 6 1 7 6 1 15 36
Canadian Heritage 2 0 2 0 1 1 6
Canadian Human Rights Commission 0 0 0 0 0 1 1
Canadian Museum of Civilization 0 0 0 0 0 1 1
Canadian Radio-television & Telecom. Commission 0 0 1 0 0 0 1
Canadian Security Intelligence Service 3 0 15 0 0 18 36
Canadian Space Agency 0 1 3 0 0 0 4
Citizenship and Immigration Canada 41 8 10 4 1 11 75
Correctional Service 149 13 71 15 7 45 300
Environment Canada 0 0 2 0 0 0 2
Farm Credit Corporation 0 0 0 1 0 0 1
Fisheries and Oceans 0 0 1 0 0 0 1
Foreign Affairs and Int. Trade Canada 4 0 4 0 0 2 10
Health Canada 4 1 6 4 1 2 18
Human Resources Dev. 14 3 21 9 2 50 99
Immigration and Refugee 90 15 11 1 0 0 117
Indian and Northern Affairs Canada 2 1 1 0 0 1 5
Subtotal 318 43 155 41 13 149 719
Industry Canada 1 0 0 0 0 0 1
Inspector General of the CSIS 0 0 0 0 2 0 2
Justice Canada 1 3 15 2 1 14 36
National Archives of Canada 3 3 4 0 0 7 17
National Defence 107 10 43 5 3 28 196
National Parole Board 1 4 10 1 4 3 23
National Research Council Canada 0 0 1 0 0 0 1
Natural Resources Canada 2 0 3 2 0 1 8
Office of the Chief Electoral Officer 0 0 0 0 1 0 1
Pension Appeals Board 0 0 0 0 0 1 1
Privy Council Office 0 0 3 0 1 1 5
Public Service Commission of Canada 12 1 0 1 0 4 18
Public Service Staff Relations Board 0 0 1 0 0 0 1
Public Works and Govt. Services 11 2 6 0 0 5 24
RCMP Public Complaints Commission 0 0 0 0 0 3 3
Revenue Canada (Now Canada Customs and Revenue Agency) 93 8 41 6 4 28 180
Royal Canadian Mounted Police 19 3 42 8 3 31 106
Solicitor General Canada 0 1 13 0 0 1 15
Statistics Canada 0 0 0 3 0 0 3
Transport Canada 7 1 2 2 0 1 13
Treasury Board of Canada 0 0 3 0 0 0 3
Veterans Affairs Canada 5 1 5 1 1 5 18
Total 582 81 348 72 33 283 1399

Origin of Completed Investigations
for the year ended March 31, 2000

Newfoundland 3
Prince Edward Island 6
Nova Scotia 43
New Brunswick 45
Quebec 337
National Capital Region - Quebec 9
National Capital Region - Ontario 192
Ontario 327
Manitoba 72
Saskatchewan 40
Alberta 85
British Columbia 229
Northwest Territories 1
Yukon 2
Outside Canada 8
Total 1399

Completed Investigations by Type
for the last 10 years

Completed Access Investigation

Completed Privacy Investigation

Completed Time Limits Investigation

In the Courts

Ten years of significant court decisions

After 10 years in office, it seems appropriate to consider some of the lessons learned from the Courts over the past 10 years. The following interpretations are based on those court decisions listed at the end of this section.

Access to personal information

  • Heads of federal government institutions who receive requests for disclosure of personal information under the public interest provisions of the Privacy Act must consider the matter by weighing the public interest in disclosure against any invasion of privacy that could result from the disclosure. If the head has exercised discretion properly, the Court will not overturn the decision (C).
  • Information about government positions (e.g., security classification, occupational group and level or language requirements) is not "personal" even if it incidentally reveals something about employees in these positions (C & I). However, information particular to these employees (vacation credits, health or performance appraisals) is "personal" (C & J).
  • An individual's right to access his/her information is not absolute when it is so intertwined with another's information that disclosure would reveal personal information about someone else (D).
  • All parties involved in administrative investigations (grievances or harassment complaints) should have access to all the information used to reach a finding. This is a compatible use disclosure under the Privacy Act and meets the requirements of natural justice (F).

Control over personal information

  • All information in the hands of a federal government institution is subject to the Privacy Act (except that which is expressly excluded from it). The act does not indicate that this control can be diminished or abandoned by contracting with a third party (G).

Relationship between the Privacy Act and the Access to Information Act

  • The Privacy Act has equal status with the Access to Information Act and must be given equal attention when dealing with government information. However, if this information is "personal" as defined in section 3 of the Privacy Act, privacy protection becomes paramount over access to the information (C).

Solicitor-client privilege

  • The right to waive the protection of confidential communications between lawyer and client—solicitor-client privilege—belongs to the client, not the lawyer (A).
  • Waiving the solicitor-client privilege over part of a document does not automatically require disclosing the rest of the document. However, the entire document could lose its protection if a selective disclosure misleads the person receiving it (B).
  • A detailed breakdown of a lawyer's bill is protected by solicitor-client privilege because it can reveal the nature of the work the lawyer performed (B).
  • As the Privacy Act does not define "solicitor-client privilege", the common law serves as the guide (H).
  • When heads of federal institutions refuse to disclose information because it is protected by solicitor-client privilege, they must demonstrate that each document was prepared either as legal advice or predominantly for litigation (H).
  • In order for the head of a federal institution to refuse to disclose confidential communications between lawyer and client, the head must confirm that the communications are indeed protected and that the client is not willing to give up this protection (E).

Court decisions referred to above:

A. R. v. Campbell [1999] S.C.R. 565;

B. Stevens v. Canada (Privy Council) [1997] 144 D.L.R. (4th) 553;

C. Michael A. Dagg v. The Minister of Finance [1997] 2 S.C.R. 403;

D. Mislan v. The Minister of Revenue Canada, T-2790-96, decision dated May 22, 1998, F.C.T.D., not reported;

E. Canadian Jewish Congress v. Canada (Minister of Employment and Immigration) [1996] 1 F.C. 268;

F. Puccini v. Canada (Director General, Corporate Administrative Services, Agriculture Canada), [1993] 3 F.C. 557 (T.D.);

G. Canada Post Corp. v. Canada (Minister of Public Works), [1993] 3 F.C. 320 (T.D.), affirmed in (1993), 64 F.T.R. 62 (F.C.A.);

H. Weiler v. Canada (Minister of Justice) [1991] 3 F.C. 617 (T.D.);

I. Information Commissioner v. Secretary of State for External Affairs [1990] 1 F.C. 395;

J. Information Commissioner of Canada v. Solicitor General of Canada [1988] 3 F.C. 551.

Ongoing cases

1. Privacy Commissioner v. Attorney General (Court file: A-121-99)

2. The E-311 form (Court file: A-401-99)

Both these cases challenged Human Resources Development Canada's (HRDC) collection of returning travellers' customs declarations to police the unemployment insurance program. In the first case, HRDC appealed the decision of Justice Tremblay-Lamer on the interpretation of section 108(1)(b) of the Customs Act which delegates to the Minister the right to approve the release of information, and interpretation of section 8(2) of the Privacy Act. The Court of Appeal's decisions were delivered on February 9, 2000.

Justice Tremblay-Lamer found that the Minister of National Revenue's blanket authorization for disclosure of the customs declarations on July 26, 1991, was an invalid exercise of discretion and an unlawful obstacle on the future exercise of discretion, and was based on irrelevant considerations. However, according to the Court of Appeal "[t]he issue before [the judge] was not however with respect to that blanket authorization, but to 'the Ancillary Memorandum of Understanding for data capture and release of customs information on travellers' entered into on April 26, 1997 by National Revenue, on one hand, and the Canada Employment Insurance Commission, on the other hand." The Court of Appeal concluded that the 1997 Ancillary Memorandum was an authorization of its own, independent from that given in 1991.

The appeal court considered that section 8(2)(b) of the Privacy Act (which allows personal information to be disclosed in accordance with another act of Parliament or regulations) is to be interpreted broadly: "In this context, paragraph 8(2)(b) cannot but be interpreted as being a provision that enables Parliament to confer on any Minister (for example) through a given statute a wide discretion, both as to form and substance, with respect to the disclosure of information his department has collected, such discretion, of course, to be exercised in conformity with the purpose of the Privacy Act."

The government met its privacy obligations, the appeal court concluded, because "the Minister satisfied herself that the disclosure sought by the Commission was for a permissible use and that no more information than that needed by the Commission would be disclosed." As well, the April 1997 Ancillary Memorandum of Understanding restricted the use of the information and its disclosure to third parties, established an audit trail and provided for destruction of that information.

The second case examined whether UI claimants and other Canadians have a reasonable expectation of privacy in their information on the customs form (E-311) that would trigger section 8 of the Canadian Charter of Rights and Freedoms. It also considered whether section 32(b) of the Unemployment Insurance Act offended the freedom of movement guarantee under section 6(1) of the Charter. The Court rejected both arguments.

The Privacy Commissioner will ask the Supreme Court of Canada for permission to appeal both these decisions. If the Court of Appeal's interpretation of section 8(2)(b) is correct, then this provision of the Privacy Act offers Canadians no protection against government institutions' sharing their personal information when a statute provides ministers blanket authority to disclose information. No matter how broad or imprecise section 108 of the Customs Act may be, it, and similar provisions in other laws, will supersede the Privacy Act.

The Commissioner believes that electronic rummaging through government files makes a mockery of Charter protection against unreasonable search or seizure, and of the presumption of innocence—particularly when the search is based on no reasonable grounds for suspicion, and subject to no independent review. Should these data matches become routine, government will no longer protect any of its citizens' personal information against access (except in specific circumstances set out in the law), no matter whether the information was freely given or compelled by law. If section 8(2)(b) is merely a sieve for passage of any government disclosures, and the Charter provides no protection against this type of data matching, then nothing prevents government assembling and circulating huge databases of personal information among federal agencies—and possibly beyond.

Like most privacy laws around the world, the Privacy Act includes fair information practices that limit the collection of personal information and restrict the use and disclosure of that information to those purposes stated at the time of collection. Exceptions to such limits (such as section 8(2) of the Privacy Act) must be as few in number and as narrow in scope as possible. In the Privacy Commissioner's opinion, the above decision broadens the scope of section 8(2) of the act to the point where the protections afforded by the act are rendered meaningless.

  • Privacy Commissioner of Canada (Appellant) v. CLRB (Respondent) (Court file: A-685-96)

As reported in our 1996-97 annual report (page 40), the Privacy Commissioner has appealed the decision. May 9, 2000 has been set for the Court of Appeal hearing.

  • The Office of the Commissioner of Official Languages (Appellant) and Robert Lavigne (Respondent) and the Office of the Privacy Commissioner of Canada (Intervenor). (Court file: A-678-98)

As reported in last year's annual report (page 84), the OCOL has appealed the decision but the Court of Appeal is heavily booked. A hearing date is not expected until at least September 2000.

Complementing C-6: Private Sector Initiatives

Reclaiming your internet privacy: technology to the rescue!

Readers of previous annual reports may remember our lamenting the erosion of privacy over the Internet: insecure electronic mail, pervasive cookies, old postings coming back to haunt us—the list was long and getting longer every year. The Internet is no longer the academic information exchange forum it once was; it has now resolutely entered the commercial mainstream. Almost every site owner on the World Wide Web is intent on making that presence profitable, and this means new and more inventive strategies to attract, retain, track, study, target, and sometimes discard or reject surfers.

Until recently, cyber-visitors knew little—if anything—about the ways Web sites and advertisers could track and monitor their on-line movements. But growing media interest in "e-commerce" and hacker pranks has made both experienced and potential Web surfers more cautious about providing personal information over the Internet. (See the results of the EKOS survey discussed earlier in this report.) This has also led some companies to develop and exploit a promising market for privacy-enhancing products for the Internet. Some are computer-based, meaning they must be installed on your computer. Others are Web-based, and can be downloaded from the Internet. Some of these technologies are discussed below.

We have long argued that when it comes to controlling the collection and use of personal information, there is no substitute for effective privacy protection laws, which Bill C-6 will provide. But just as people supplement the protection of law with locks to protect their property and self-defence courses to protect themselves, people can use technology to provide an additional layer of privacy protection on the Internet. Of course, these products cannot replace user vigilance, but they can certainly reassure privacy-conscious surfers.

Surfing, chat and news groups
One of these privacy products is Zero Knowledge's Freedom commercial computer-based software, released recently. Freedom enables any Internet aficionado to surf the Web under a variety of assumed names (a nom de 'Net, if you like)—for example, one for real estate sites, another for cancer research sites, and a third for horseracing sites. While a Web site can still track the assumed name and even send it a cookie, the site owners will never know who is behind the name MadMom or BigBang. And Freedom subscribers can also use assumed names when participating in chat or news groups. SiegeSoft has just released a similar but Web-based product.

But anonymizing software is not new: the well-known commercial site of The Anonymizer has been offering users the possibility to surf the Web and subscribe to news groups anonymously for several years. Privada Inc also offers commercial anonymous Web surfing but, unlike Zero Knowledge and The Anonymizer, the company can link an alias to someone's real identity if asked—for example, by a law enforcement agency. PrivacyX launched its competing anonymous surfing and e-mail service in September 1999 but cancelled the surfing feature a few days later because of a software flaw.

In October 1999, Eponymous began offering Web surfers a free utility that segregates information about surfers' identities from other personal data such as age, gender, interests and appetites. The company also warns surfers about a site's data handling practices. When a site presents a registration form, the utility will only release non-identifying personal information. Lucent Technologies also released its free Proxymate utility in October; it lets users block information that typically gets sent to Web sites and creates aliases for site registration.

Anonymous remailers forward your e-mail to its destination after removing any information that could trace it back to you. But remailers can be forced to turn over identities of some of their clients. There have been allegations that government or law enforcement agencies actually run some remailers. The best alternative to remailers is encryption—the more bits in the encryption keys, the better—and slower.

Phil Zimmermann's Pretty Good Privacy software, now distributed by Network Associates, is a well-known computer-based e-mail encryption program, although some may find it too complex. Zero Knowledge's computer-based Freedom allows its subscribers to send and receive untraceable, encrypted e-mail (using 2048-bit keys) through a series of computers located around the world.

Despite the untimely cancellation of its anonymous Web surfing product, PrivacyX still offers its anonymous e-mail service to subscribers. ZipLip provides Web-based encrypted e-mail (using 128-bit keys) that covers your tracks by automatically "shredding" messages after they have been read. More flexible but on the same principle, Global Market's 1 on 1 software offers encrypted email (using 2048-bit keys) and allows users to specify the date on which a message should be deleted. (The message is never actually deleted: the decryption password attached to the message ceases to be valid.) For even greater flexibility, QVtech's Interosa service allows someone to send an encrypted e-mail message and control several aspects of its use, including to whom it can be forwarded and whether it can be printed, edited or copied. The message can also be erased from the Interosa server after a specified date.

Rounding off the list of Internet privacy-enhancing technologies, HushMail is a free, fully encrypted Web-based e-mail service (using 1024-bit keys). Lastly, Tumbleweed Communications Inc.'s product enables an e-mail recipient to go to a sender's site to view or retrieve an encrypted message or document through a secure Web page to which only the recipient has access.

Marketing to children: The Canadian Marketing Association's guidelines

The Office of the Privacy Commissioner has, for several years, advocated legislation to protect Canadians' privacy rights when dealing with the private sector. As much as we welcome Bill C-6, we recognize the value of other complementary measures. Just as we see a place for consumer vigilance and privacy-enhancing technologies (see the previous article) we also see an important role for industry-led efforts to promote and protect privacy.

The Canadian Marketing Association (CMA) has an enviable record of voluntarily safeguarding consumer privacy. The CMA was one of the first major industry associations in Canada to require its members to adhere to a privacy code. And it was the first to call on the federal government to legislate consumer privacy protection in the private sector. Last year marked another CMA first—guidelines on marketing to children. The guidelines can be found in the CMA's Code of Ethics and Standards of Practice (the CMA Code) under "Special Considerations in Marketing to Children."

When marketing to children (anyone under the age of 13), marketers are required to observe the following principles:

  • Marketers must use "marketing techniques that are appropriate to children." This includes using language a child would readily understand. It also implies refraining from using any practice that could be construed as exploiting "children's credulity, lack of experience or sense of loyalty";
  • Marketers must obtain the "express consent" of a child's parent or guardian before collecting, retaining or transferring a child's personal information; and
  • Marketers shall not accept an order from a child without a parent or guardian's express consent.

CMA's guidelines are particularly welcome and timely as children go on-line. Children are particularly receptive to marketing techniques, and hence vulnerable to exploitation for commercial ends. Stories abound of children unwittingly disclosing information about themselves and other family members to irresponsible and unethical marketers.

The CMA guidelines do not specify how these principles are to be applied in the "virtual marketplace". It is not clear how a marketer will determine the age of an individual responding to its solicitation, or confirm a young person's age. It will be equally difficult to verify the authenticity of the person claiming to be the child's parent or guardian. These are some of the problems that American e-mail services and websites are wrestling with in attempting to comply with the U.S. Children's Online Privacy Protection Act, which requires marketers to obtain parental consent before collecting, using or disclosing personal information from a child.

The CMA Code provides that, when marketers collect personal information that will be linked with "clickstream" data from a visit to a website, they must advise consumers what information is being collected and how it will be used. Marketers must also give consumers a "meaningful opportunity" to decline to have this information collected, or disclosed for marketing purposes. The CMA Code puts the onus on consumers to exercise their right to suppress identifying information. This is unreasonable, particularly when dealing with children.

Ultimately the CMA sees education as the best defence against abuse of children on the Internet. Parents and care-givers may want to review the CMA's publication, Protecting Children's Privacy: Tips for Parents at and Media Awareness Network's Privacy Playground at

Privacy Update

The provinces and territories

In 1999, the provincial Freedom of Information and Protection of Privacy Act was extended to municipalities and police commissions. The provincial legislature also passed a new Health Information Act (reviewed in another section of this annual report), which is not yet in force.

In May 1999, provincial Information and Privacy Commissioner Robert Clark ruled that Statistics Canada's Survey of Financial Security was an unreasonable invasion of an individual's privacy. This led to Statistics Canada changing its approach for a subsequent Household Spending Survey, seeking prior guidance from the Commissioner's office and clearly advising respondents that the survey was voluntary. The Commissioner is also actively pursuing an outreach program in schools and colleges to educate young Albertans on their privacy rights.

British Columbia
Mr. David Loukidelis was appointed the new provincial Information and Privacy Commissioner, succeeding Dr. David Flaherty at the end of his term. Mr. Loukidelis, a lawyer, was a founding member of the British Columbia Freedom of Information and Privacy Association and the main author of its law reform report that played a key role in enacting the provincial Freedom of Information and Protection of Privacy Act.

The provincial legislature, acting on the recommendation of its special legislative committee that reviewed the act, has struck a special committee to explore options for privacy protection in British Columbia's private sector. The committee is currently holding public hearings and accepting submissions to determine how the province can best meet its citizens' privacy needs.

The public sector issue of greatest concern to the B.C. Commissioner's Office is the proliferation of video surveillance systems, such as those proposed for law enforcement in Kelowna and Vancouver. The Office considers that video surveillance should be adopted only if there is a compelling and overwhelming case in each proposed location, and if surveillance is the only viable and effective means of deterring and detecting illegal activity. The Office plans to monitor the Kelowna and Vancouver systems if they are built, both to ensure their compliance with the provincial Freedom of Information and Protection of Privacy Act and to prevent the unauthorized collection of personal information.

The Manitoba Ombudsman's Office has seen a steady increase in the number of complaints received since the proclamation of the Personal Health Information Act (December 1997) and the Freedom of Information and Protection of Privacy Act (May 1998). The Office issued its first special report under the acts, A Privacy Snapshot. Taken September 1999, to contribute to a greater public awareness and discussion of the privacy issues that confront Manitobans. The Office also began working on two performance-based analytical tools to help it review compliance with the legislation: a privacy impact assessment, and an access practices assessment. Beta tests of these tools should be completed in 2000. The Office will launch its Web site in the spring of 2000 as part of its statutory duty to inform the public about the provincial access and privacy legislation.

Beginning in April 2000, Manitoba's local public bodies (educational, health care and municipal government organisations) will be covered by the Freedom of Information and Protection of Privacy Act, bringing this statute into full force.

The provincial Ministry of Health's long proposed, and long delayed, Personal Health Information Protection legislation appears to be undergoing further revisions. It may yet be further postponed if the government considers integrating it into new provincial private sector legislation, in response to the federal government's private sector privacy bill.

Another initiative with significant privacy implications is a new multi-purpose government smart card, announced in the fall 1999 Throne Speech. Ontario's Information and Privacy Commissioner immediately contacted the provincial government, which has committed to full and open consultations with the Commissioner throughout the project.

On another front, the Commissioner has participated in work groups led by the Ministry of Transportation to help build privacy safeguards into the province's Red Light Camera initiative (meant to deter people from driving through red lights). Also on the justice theme, the Commissioner has been working with the Ministry of the Attorney General on access and privacy issues relating to the provincial Integrated Justice project (aiming at linking law enforcement and court data). The Commissioner has also begun work with the U.S. Department of Justice to develop privacy design principles for integrated justice systems.

The Commissioner was also consulted and offered comment on the provincial Management Board Secretariat's new Privacy Impact Assessment Guidelines.

The provincial Access to Information Commission has published a teaching tool titled Infoway - Caution: School Zone. This guide targets Québec primary and secondary school children who use the Internet, advising them on how to surf the Web safely. The guide also gives safe surfing parameters to teachers and school principals, who are urged to design procedures and sites that will protect the children. Lastly, the guide helps parents better understand the privacy impact of new technologies.

The Commission has analyzed an information sharing agreement between the provincial Revenue Ministry and a private polling firm tasked with assessing the effectiveness of its alimony enforcement program. The Commission ruled that the Ministry breached both its enabling legislation and the provincial public sector privacy protection statute. The Ministry was then ordered to retrieve and destroy all of its information from the private polling firm, as well as information collected by the firm during the assessment. Following this intervention, the Commission published minimal requirements for all provincial government agencies conducting polls either directly or through private companies.

Lastly, the Commission has implemented its new hearing process for complaints that cannot be mediated. As of January 31, 2000, the Commission had heard more than 25 such complaints.

Mr. Gerry Gerrand has been named the new provincial Information and Privacy Commissioner at the end of Mr. Derrill McLeod's term. Mr. Gerrand is with the law firm of Gerrand, Roth, Johnson and is also the provincial Conflict of Interest Commissioner.

Privacy around the world

Australia: is the phoenix rising again?
Australia seemed poised to enact a federal private sector privacy law in the mid 1990s. However, that project died in 1997 after the then-Prime Minister failed to follow through on a campaign promise, overruling his Attorney General's recommendation to pass such a statute. The government then encouraged businesses to self-regulate, a move denounced by consumer and privacy advocates who managed to keep the issue alive.

To help businesses regulate themselves, the Australian Privacy Commissioner developed eight privacy protection principles based on the 1980 Guidelines of the Organisation for Economic Co-operation and Development. Some Australian states, however, continued to push their own private sector privacy protection agenda. Australian businesses began to fear the patchwork of standards that could emerge if the federal government refused to act. They were also concerned that without a law Australia could suffer once the European Union implemented its Directive on data protection.

Once again the Australian government has promised to introduce a federal private sector privacy protection law. That law, however, would be based on the Privacy Commissioner's eight principles which the Australian Senate's Legal and Constitutional References Committee described as "weak and piecemeal" and having "serious deficiencies". The Australian law would recognize self-regulatory privacy codes, backed by the above principles, and approved and overseen by the Privacy Commissioner. If a company or industry failed to develop a code, the law's complaint-handling regime administered by the Privacy Commissioner would apply.

On November 30, 1999, the Australian Attorney General announced his intention to seek further public comments over the next few months, and to table the draft law in 2000.

European Directive: a thorn in the American side
The European Union's Directive on data protection came into force in October 1998, meaning member countries could no longer give their citizens' personal information to non-member countries that do not adequately protect the information. This includes Canada and the United States of America—although Canada will probably meet the EU test now that Parliament has passed Bill C-6. The USA has had a Privacy Act in force since 1974 but it applies only to federal government agencies (much like the current Canadian Privacy Act). The American private sector is currently unregulated and insists on keeping it that way, fearing state interference and believing that privacy regulation would be an unnecessary burden that would stifle free enterprise. In an attempt to avert a transatlantic trade war with one of Europe's major trading partners, EU officials agreed to negotiate with their American counterparts to reach a mutually agreeable solution.

Last year's annual report described the American proposal to establish "safe harbours". If accepted, the EU would consider American companies (rather than the country) as providing "adequate" protection if they comply with a set of voluntary data protection principles. These principles would require the company to describe for clients how it handles and shares their personal information. EU officials did not reject the American proposal but sought two additional guarantees: their citizens should be able to access whatever information an American company has about them, and there should be adequate and accessible mechanisms for EU citizens to enforce compliance. Of course, the American enforcement route is through the courts (a long and costly process). EU countries enforce data protection rules with independent Commissioners who are empowered to order remedial action at no cost to the citizens.

Talks between the two sides broke down in December 1998. A first deadline of April 30, 1999, came and went without agreement, perhaps caused in part by American companies' lack of support for their government's Department of Commerce "safe harbour" proposal. These companies are worried that the proposal could lead eventually to the USA adopting national privacy legislation, a move they oppose. A second deadline of June 21, 1999 fared no better, the two main sticking points being EU customers' access to their data, and enforcement issues. The EU's new executive team had suggested a compromise under which American courts would enforce the "safe harbour" principles for aggrieved Europeans. A third deadline of October 1999 (the Directive's anniversary) was postponed to December 1999 in light of the negotiation's slight progress. No agreement was reached and yet another deadline was set—March 2000.

As we go to print, the two parties appear to have reached a tentative agreement; the EU will accept the "safe harbour" proposal but exclude financial services pending the coming into force of new American legislation on this sector. The agreement remains to be ratified by governments on both sides of the Atlantic and should come into force this summer. However, consumer and privacy advocates continue to disagree with the notion of "safe harbours", favouring the more prescriptive, restrictive and consumer-friendly Directive. EU officials have promised that they would cancel the agreement if Americans do not properly enforce it.

Other developments
A new data protection law came into force in Austria in January 2000. The new statute replaces the country's 1980 law and incorporates changes that reflect the more stringent requirements of the 1998 EU Directive. The Czech Republic has just passed a privacy protection bill making it illegal to collect personal data on people without their consent. The Senate is expected to approve the bill, which also creates a new Office for the Protection of Personal Data, somewhat akin to other national privacy or data protection commissions. South Africa has also just passed its Promotion of Access to Information Bill, which gives individuals access to government information (including their own data). This law is one of four statutes to implement the country's new Bill of Rights and to deal the final blow to the apartheid regime. South Korea's new Act on the Promotion and Protection of the Information Infrastructure took effect on January 1st, 2000 and controls the collection, use and disclosure of personal information in telecommunications and electronic commerce.

The big picture
With passage of Bill C-6, Canada will join the swelling ranks of countries that protect their citizens' privacy in the public sector and, in most cases, the private sector as well. They do so in one of two ways.

First are those countries that recognise privacy—in some form—as a fundamental right either in their constitution or some other overarching law. This group includes Argentina, Belgium, Brazil, Bulgaria, Chile, the Czech Republic, Denmark, Estonia, Finland, Greece, Hungary, Iceland, Israel, Italy, Japan, South Korea, Latvia, Lithuania, Luxembourg, Mexico, the Netherlands, New Zealand, Peru, the Philippines, Poland, Portugal, Russia, the Slovak Republic, Slovenia, South Africa, Spain, Sweden, Switzerland, Thailand, Turkey and some states of the United States of America. In Canada, Québec is the only province to recognise the privacy of its citizens as a fundamental right in its Civil Code.

Secondly, there are those countries that have enacted specific data or privacy protection statutes (some of which may already be listed above). This second group includes Australia (including some of its states like New South Wales), Austria, Belgium, Brazil, China's Special Administrative Region of Hong Kong, the Czech Republic, Denmark (including the self-governing Kalaallit Nunaat, formerly Greenland), Estonia, Finland, Germany (and all of its Länder), Greece, Hungary, Iceland, Ireland, Israel, Italy, Japan (including some of its prefectures like Tokyo), South Korea, Lithuania, Luxembourg, Monaco, the Netherlands, New Zealand, Norway, Poland, Portugal, Russia, San Marino, the Slovak Republic, Slovenia, Spain, Sweden, Switzerland (and all of its Cantons), Taiwan, Thailand, the United Kingdom (including the self-governing islands of Guernsey, Jersey and Man) and the United States of America (including some states like Hawaii or New York). In Canada, all provinces (except Prince Edward Island) and territories have specific privacy legislation.

For more information on the above countries or on Bill C-6, please contact us or visit our Web site.

Stories we read in the news

GE Investments, the insurance and investments division of the General Electric Company, secretly recorded the identity of thousands of investors who responded to a 1998 mail survey of their personal financial information. The survey did not ask respondents to provide their name and address.

DoubleClick Inc., the Internet's largest advertising company, has put on hold its plan to link personal information to the anonymous data that it collects about consumers on the Internet.

A large working group of companies, ranging from Compaq and Oracle to Net Perceptions and Andromedia, is working on a new standard, Customer Profile Exchange, designed to integrate online and off-line customer data for use by companies wanting to gather information about consumers.

Online gift registries allow a business to collate information on both the buyer and the recipient.

A Parisian computer programmer is facing counterfeiting and fraud charges after developing a homemade "smart card" that he says gave him the ability to fraudulently purchase goods and services throughout France.

Cartoon by Cathy Guisewite

The U.S. Customs Service has been using the BodySearch device at several major airports to search for contraband. The machine uses low doses of X-rays to scan a traveller, displaying the outline of the person's naked body.

A new identity card access system at Ohio State University records the date and time of each transaction and the student's name in a database, whether the card is used for entering a residence hall or buying lunch.

RealNetworks stopped capturing and tracking data about the music files its customers downloaded from the Web—without telling consumers that they were being identified and monitored—following media attention and being served with a class action lawsuit over the privacy flaw. Even though TRUSTe (an online privacy seal of approval program) had certified the privacy statements on the company's site, it declined to take further action because the violation involved a piece of software, which falls outside TRUSTe's charter to police Web privacy practices.

A company called American Student Lists of New York obtains data on students from drivers licences, student directories, magazine subscriptions, yearbook publishers, school ring vendors, formal wear companies, fast food and book clubs. The trade in student data from this collection has led to several scholarship scams targeting immigrant, minority and rural students.

The security of Microsoft's free Hotmail email service—of which there are 2.5 million users in Canada—was compromised in August. The breach would have allowed an unauthorized user to read, delete and forward a Hotmail user's email by knowing only an easily guessed user name.

Cartoon by Cathy Guisewite

At a recent trade show, General Electric Co. demonstrated a concept for an Internet-connected refrigerator that is able to read bar codes as you put the groceries away and reorder by the time you need to shop. At the same trade show, Whirlpool Corp. showed a command-centre refrigerator, complete with food-tracking capability and a wireless pad to let consumers download recipes from the Net.

For the last four years, Mobiltrak of Birmingham, Alabama, has been marketing a device that finds out what radio stations people listen to in their cars. The company's clients pay to install the shoebox-size monitoring devices at the entrances to their businesses, which work by picking up signals from a car radio's oscillator, the part of the radio that tunes in to the station. The data is recorded and sent to Mobiltrak, which provides its clients with reports to help them determine whether the money they spend on radio advertising is being spent in the right places.

Maryland and Virginia will begin measuring highway congestion early next year by tracking motorists talking on cellular telephones as they drive the Capital Beltway. U.S. Wireless will install computer equipment on existing cellular towers to register the changing location of cell phone users and map the signals.

An Arkansas company, Acxiom Corp., that provides information to marketers has amassed 135 million consumer telephone numbers—including about 20 million that are unlisted—to help identify and profile people who call toll-free lines to shop or make an inquiry.

Cartoon by Cathy Guisewite

Police in Scotland are taking DNA from people stopped for any crime, even traffic offences. As well, the International Association of Police Chiefs has asked the U.S. Congress to require DNA samples from anyone arrested, and New York City mayor Rudolph Giuliani has requested that the state legislature require DNA samples from every newborn baby. A Louisiana law that took effect on 1 September 1999 requires DNA to be taken from people arrested—but not necessarily convicted—of a violent crime.

In December, the U.S. Food and Drug Administration ordered Virginia Commonwealth University to suspend most of its medical research projects until it demonstrates that it has improved its procedures for protecting research subjects' privacy and safety.

A ground-breaking class action lawsuit against CVS Pharmacy Inc., and certain major pharmaceutical manufacturers was announced in November alleging that CVS used private customer information in its central database to target people for a direct mail marketing program that was funded and directed by the defendant pharmaceutical manufacturers.

A security breach at St. Joseph's Mercy Hospital in Pontiac, Michigan, left certain confidential patient records accessible to the public because the system did not require users to input a password or any other security roadblock. The hospital system uses an internal digital dictating service that allows doctors to record and access notes concerning recent patient examinations and consultations. The notes include information about patients, ranging from admitting and discharge data, to cardiac and mental health records.

Researchers at the University of California at Berkeley are building a minuscule robot in the size and shape of a fly for surveillance.

Cartoon by Cathy Guisewite

As part of a program of random drug testing on motorists this past August, police officers in Quebec pulled over randomly selected motorists at various checkpoints. Nursing students then asked the drivers whether they would care to volunteer a saliva or urine sample to detect drugs or—although not the study's prime focus—alcohol. If the motorists declined, they were free to drive away. If they complied, and test results later showed them to be under the influence of drugs or alcohol, they faced no penalties.

Online marketing company Be Free has been granted a second patent covering certain methods of profiling consumer purchasing preferences, extending the coverage of the company's existing patent by including anonymous profiling.

Applied Digital Solutions, Inc. has acquired the patent rights to a technology that the company calls Digital Angel. Digital Angel is a transceiver that can be implanted in the human body. The transceiver is powered electromechanically through the movement of muscles and can remain implanted and functional for years. It can be activated either by the "wearer" or by a remote monitoring facility. It can monitor certain biological functions of the human body—such as heart rate—and send a distress signal to a monitoring facility when it detects a medical emergency. The location of the device can be continuously tracked by Global Positioning Satellite technology.

A new security system being developed in Britain can identify individuals by the unique way in which they walk.

Cartoon by Cathy Guisewite

A new Levi's store in San Francisco is undertaking a large-scale voluntary collection of biometric marketing data by encouraging customers to give their fingerprints as well as personal data. Levi's enhances the customer's profile by adding his or her musical tastes. When the customer uses a CD listening station in the store, the system records which songs were switched off, and after how long. Customers can also use a private booth that scans their body in three dimensions to suggest an appropriate fit of jeans—called Levi's Original Spin. The dimensions are added to the customer's profile.

Corporate Management

The Privacy and Information Commissioners share premises and corporate services while operating independently under their separate statutory authorities. These shared services—finance, personnel, information technology and general administration—are centralized in Corporate Management Branch to avoid duplication of effort and to save money for both government and the programs. The Branch is a frugal operation with a staff of 15 (who perform many different tasks) and a budget representing 14 per cent of total program expenditures.

Resource Information
Managers continually pursue innovative approaches to deliver their programs without adversely affecting the quality level of service to the public. Treasury Board Ministers at their April 1998 meeting recommended an A-base review of the Offices' resource base, information technology needs and accommodation requirements. The Offices employed these additional resources to combat workload increases and carry out their mandate while maintaining essential services.

The Offices' combined budget for the 1999-2000 fiscal year was $9,869,000. Actual expenditures for 1999-2000 were $9,760,574, of which personnel costs of $6,675,947 and professional and special services expenditures of $1,136,597 accounted for more than 80 per cent of all expenditures. The remaining $1,948,030 covered all other expenditures including postage, telecommunication, office and information technology equipment and office supplies.

Expenditure details are reflected in Figure 1 (resources by organization/activity) and Figure 2 (details by object of expenditure).

Figure 1: 1999-2000 Resources by Organization / Activity

Human Resources
(Full-Time Equivalents)

Privacy 43 (46%)
Information 35 (37%)
Administration 16 (17%)

Financial Resources

Privacy 4 572 (47%)
Information 3 842 (39%)
Administration 1 347 (14%)

Figure 2: Details by Object of Expenditure
for the year ended March 31, 2000

                                  Information    Privacy  Corporate      Total
Salaries                            2,200,135  2,750,322    751,490  5,701,947
Employee Benefit Plan Contrib.        388,000    453,000    133,000    974,000
Transport & Communication              84,030    106,430    105,952    296,412
Information                            66,329     27,999      1,735     96,063
Professional & Special Services       383,442    574,001    179,154  1,136,597
Rentals                                 4,210     28,634     19,778     52,622
Purchased Repair & Maintenance          8,460     72,204      8,883     89,547
Utilities, Materials & Supplies        29,883     32,729     45,692    108,304
Machinery & Equipment                 676,808    526,512    100,746  1,304,066
Other Payments                            900        116          0      1,016
Total                               3,842,197  4,571,947  1,346,430  9,760,574

* Expenditure Figures do not incorporate final year-end adjustments reflected in the Offices' 1999-2000 Public Accounts.

Organization Chart


A Tip of the Hat

My tenure as Privacy Commissioner, in addition to being an honour and privilege, has brought me a great many satisfactions. Not least has been the opportunity to work with a first-rate professional staff. I want to take this opportunity to thank all those who have shown so much dedication and enthusiasm over the last ten years. At the risk of inadvertently omitting someone (which would be truly an error, and no reflection on their work), they are:

* indicates members of staff as of March 31, 2000

** indicates members of staff out on secondment as of March 31, 2000

Ackroyd, Jeanette
Anderson, Colleen
Aubry, Benoit
Baggaley, Carman *
Baker, Barry
Barbaro, Tony *
Bastedo-Boileau, Catherine
Beaulé, Claude *
Bedley, Robert *
Bell, John
Bergeron, Michelle *
Blais, Anne *
Bloomfield, Stuart *
Boileau, Louise
Brault, Anne-Marie
Brault, Raymond
Brown, Grace *
Brunet, Josée
Carnegie, Doug **
Cliche, Nicole
Coolen, Gary *
Delisle, Julien *
Doré, Richard **
Doyle, Kathryn *
Dubuc, Philip
Dubuc, Thérèse *
Eadie, Kim
Evans, Jocelyne *
Fagan, Mike *
Fanjoy, Monique *
Farley, Francine
Fitzpatrick, Tom *
Fong, Marcus
Foran, Brian *
Gauthier, Yvon
Goldsmith, Ann *
Gow, Glenn
Gravelle, Robert
Hamilton, Joanne *
Harris, Holly *
Hébert, Raymond *
Henry, Gary
Imbeault, Marie-Andrée *
Jackson, Sally
Khosla, Jay *
Kirkby, Hedy
Labelle, Louise *
Lacroix, Ginette
Lafleur, Ann-Marie *
Lapierre, Don
Lavoie, Chantal *
Lavoie, Roxanne
Leblanc-McCulloch, Monique *
Lévis, Jacques *
Lystiuk, Fred *
Mann, Don
Martelock, Cathy *
Maurel, Richard-Philippe *
Maynard, Peter
McAuliffe, Ann
McLean, Joyce *
Ménard, Nicole *
Millar, Melanie *
Montigny, Gerry
Mullen, Dennis
Nantel, Martine *
Neary, Gerald *
Netterfield, Carolyn
Oscapella, Eugene
Pavlis-Gougeon, Virginia *
Perreault, Renée
Peszat, Jan *
Richard, Paul *
Richer, Michel
Rodrigue, Jocelyne *
Rooke, Anne *
Roy, Rachelle
Roy, Jocelyn
Savas, Eric
Schwartz, Virginia *
Scott, Pat
Sérafin, Nicole *
Sicotte, Nicole *
St-Pierre, Chantal *
Stewart, Brian *
Tessier, Isabelle
Thériault, Natalie *
Thibaudeau, Monique *
Trottier, Ghislaine
Van Berkel, Gerry
Welke, Ron
Wheeler, Susan *
Wolchuk, Ron
