Establishment of a regulatory framework for next-generation 9-1-1 in Canada

Submission to the Canadian Radio-television and Telecommunication Commission (CRTC)

May 20, 2016

Ms. Danielle May-Cuconato
Secretary General
Canadian Radio-television and Telecommunications Commission
Ottawa, ON
K1A 0N2

Re: Telecom Notice of Consultation CRTC 2016-116 — Call for comments re: Establishment of a regulatory framework for next-generation 9-1-1 in Canada.

Ms. Danielle May-Cuconato:

1. On March 29, 2016, the CRTC issued Telecom Notice of Consultation CRTC 2016-116, which was a call for submissions related to the establishment of a regulatory framework for next-generation 9-1-1 (NG9-1-1) in Canada.
2. The Office of the Privacy Commissioner of Canada (OPC) makes this submission pursuant to its legislative mandate^{Footnote 1} to protect the privacy rights of individuals and promote the privacy protections available to Canadians.
3. As several questions in Telecom Notice of Consultation CRTC 2016-116 are related to matters that are outside of the OPC's jurisdiction, this submission is directed at those issues that are within our mandate. Given the scale and scope of personal information involved with NG9-1-1, this submission also outlines broad-level privacy considerations.
4. Our submission consists of the following sections:
   1. The Complementary Roles and Authorities of the OPC and CRTC
   2. Previous Comments Made by the OPC on Privacy and NG9-1-1
   3. Addressing Policy Challenges
   4. NG9-1-1 and the Need for Robust Privacy Safeguards
   5. Conclusion

I - The Complementary Roles and Authorities of the OPC and CRTC

5. The OPC's mandate is to oversee compliance with the Privacy Act, which applies to the personal information management practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private sector legislation. PIPEDA applies to organizations that collect, use, or disclose individuals' personal information in the course of commercial activity. It does not apply to organizations covered by provincial legislation that has been deemed to be substantially similar to PIPEDA.
6. In all provinces, including provinces with substantially similar laws, PIPEDA continues to apply to companies engaged in interprovincial or international transactions and to all federally regulated organizations (which includes telecommunication companies).
7. In general, PIPEDA would not apply to the personal information handling practices of most public safety answering points (PSAPs) since they are not typically engaged in commercial activity.
8. As well, PSAPs are not usually operated by federal government departments or agencies. Under Canada's constitutional framework, the provincial and territorial governments and local authorities provide the first response to the vast majority of emergencies.
9. Provincial or territorial legislation may apply to PSAPs. For example, we are aware that the Government of Manitoba has passed The Emergency 911 Public Safety Answering Point Act that contains confidentiality provisions and penalties for misusing personal information received by a PSAP.
10. The CRTC derives its authority to regulate the telecommunications industry from the Telecommunications Act. Under section 7 of the Telecommunications Act, the telecommunications policy objectives include the safeguarding and protection of individuals' telecommunications privacy. In particular, paragraphs 7(a) and (i) of the Telecommunications Act state:^{Footnote 2}
    

    7(a) to facilitate the orderly development throughout Canada of a telecommunications system that serves to safeguard, enrich and strengthen the social and economic fabric of Canada and its regions;…
    
    7(i) to contribute to the protection of the privacy of persons.

11. As my Office has noted in previous submissions to the CRTC, while the OPC and CRTC's roles are complementary, they are not redundant, given the difference in functions and powers.^{Footnote 3} PIPEDA is a statute of general application that applies to diverse industries, while the Telecommunications Act is sector-specific and enables the CRTC to create specific guidelines and regulations to address concerns within the industry.^{Footnote 4}

II - Previous Comments Made by the OPC on Privacy and NG9-1-1

12. Our Office has previously provided comments to the CRTC with respect to NG9-1-1. In 2013 we provided comments on Telecom Notice of Consultation CRTC 2012-686 — Call for comments re: matters related to 9-1-1. In our submission we noted that it is important to detail privacy considerations at the planning and development stages to ensure personal information is protected at the time of operation and implementation. Further to this point, we would like to add that this is incumbent on identifying the full range of operation, implementation, and policy considerations.
13. With respect to the scope and scale of data for NG9-1-1, we noted that in addition to voice and location information, it is envisaged that NG9-1-1 will be able to receive text messages, images, video and even information such as health records, and building schematics. It may also be possible for the NG9-1-1 infrastructure to receive communications from automatically triggered sensors, such as automobile automatic collision notification systems, personal medical alert devices, and intelligent transportation systems.^{Footnote 5}
14. These transmissions can be made via wireline, wireless, or voice over Internet Protocol (VoIP) telephone services.
15. As a result, NG9-1-1 has the potential to receive far more data, and potentially much more sensitive data, than traditional wireline 9-1-1 calls.
16. We appreciate that first responders and other organizations that respond to emergencies often need to have access to personal information. We also appreciate that NG9-1-1 may offer benefits to certain individuals, such as the hearing or visually impaired, to communicate emergency-related information.
17. To highlight our appreciation of these matters our Office, along with our provincial colleagues, have developed a Privacy Emergency Kit^{Footnote 6} which provides guidance on how personal information can be disclosed under Canada's privacy laws in emergency situations.

III - Addressing Policy Challenges

18. We support the Commission's existing 9-1-1 policy that name, location, telephone number, and class of service associated with the telephone number are provided for the sole purpose of responding to the 9-1-1 call.^{Footnote 7} However, we note that NG9-1-1 can involve more than just this information, and as such we support efforts for the existing policy to cover the full range of information associated with a NG9-1-1 transmission.
19. While we recognize this consultation is limited to issues that fall within the Commission's jurisdiction, we are mindful that NG9-1-1 may involve a range of stakeholders, such as telecommunications service providers, provincial and territorial governments, and local authorities.
20. We are also aware of the CRTC's Telecom Notice of Consultation CRTC 2012-686, which announced the appointment of an Inquiry Officer to conduct research on 9-1-1 service in Canada.^{Footnote 8} The Inquiry Officer's report, which also focused on NG9-1-1, highlighted the importance for establishing a multi-stakeholder forum to discuss cross-agency multi-jurisdictional issues.^{Footnote 9}
21. In light of this report, we welcome the Commission's comments in Telecom Regulatory Policy CRTC 2014-342 where it supported greater coordination on 9-1-1 matters, including the possibility for the CRTC Interconnection Steering Committee (CISC) Emergency Services Working Group (ESWG) to bring stakeholders together to develop solutions.^{Footnote 10} Our Office supports these efforts for 9-1-1 and NG9-1-1 services.

Privacy Considerations

22. The consultation outlines a number of issues to be examined, including those related to privacy and the operational and implementation considerations associated with the technology and information that would facilitate NG 9-1-1 communications. We believe that these issues should be examined not as distinct, or as issues that simply intersect, but that they be treated in a cohesive way when planning and implementing policies and procedures.
23. We would recommend that associated policies and procedures take into consideration the role of privacy, and compliance with privacy laws. These should factor into the full range of NG9-1-1 operational requirements and the scope and scale of information involved.
24. From a privacy perspective, it is imperative that there be a focus on issues such as limiting use and disclosure, retention procedures, and safeguards. Roles and responsibilities for all parties should be outlined to ensure accountability and effective governance for personal information management practices. This could be formalized through standards, binding codes of conduct, or other mechanisms to identify the roles and responsibilities of all stakeholders. While we appreciate that the scope of this consultation is limited to those issues that fall within the Commission's jurisdiction, we support that such policies and procedures would be encouraged for all stakeholders involved with NG9-1-1.
25. We also understand that the standard to be used for NG9-1-1 mentions that policy rules enable many functions, including automatically acquiring "additional data when available…".^{Footnote 11} We stress that there should be boundaries to limit the information to that which is required for the purpose of the NG9-1-1 communication. While there may be a legitimate requirement for some information to be used for network management purposes, such information should be limited to what is necessary. Even for this use, there should be limits on how information is accessed by the various stakeholders, including identification/authentication measures and audit controls.
26. We understand that the Inquiry Officer's report also indicated that the information collected may be of assistance for performance measurement or efficiencies, given the range of data potentially associated with NG9-1-1. We caution that the "Big Data" aspect of NG9-1-1 information, including metadata and embedded data, may pose risks and challenges associated with effective de-identification and anonymization. As the NG9-1-1 infrastructure becomes clearer, more issues may arise, for example, it may rely on third party service providers such as "cloud" providers.
27. NG9-1-1 may be developed and implemented in stages. As a result, it is challenging to identify all of the privacy issues that may arise. The assessment of privacy risks should be an ongoing process. As these issues and details arise at the planning stage, discussions with a broad range of stakeholders may help inform policy decisions related to privacy matters.
28. As a result, we would encourage that the full range of NG 9-1-1 purposes be identified in order to identify the full range of privacy considerations. Otherwise, it will be difficult to identify the relevant privacy challenges and mitigating solutions.
29. Further to this, public education should be an essential element before implementation of NG 9-1-1. Individuals need to be made aware of how their personal information will be used, with whom it will be shared, and how it will be protected.

IV - NG9-1-1 and the Need for Robust Privacy Safeguards

30. Given the range of information under the NG9-1-1 information architecture, safeguards will be critically important. Individuals will need to be confident that their information will be adequately protected. If not, there is a risk that a lack of trust could have a chilling effect on the use of the service. Individuals should not have to choose between their safety and well-being and the protection of their personal information.
31. We appreciate that it may be challenging to develop a robust privacy framework given the potentially wide range of entities that may be involved in providing NG9-1-1. This may highlight the importance of a policy forum to address multi-jurisdictional matters.
32. We understand that the CRTC, under Telecom Decision CRTC 2015-531 approved the adoption of the National Emergency Number Association (NENA) i3 architecture standard to implement NG9-1-1.^{Footnote 12} This decision arose from a recommendation from the CRTC Interconnection Steering Committee (CISC) Emergency Services Working Group (ESWG) report to the Commission.^{Footnote 13} The report notes that while other jurisdictions have models that vary, they are all based on the NENA i3 standard.
33. While NENA i3 does contain technical standards related to privacy and security, we recommend these be operationalized in a manner that: i) is reflective of obligations and requirements under Canadian privacy laws; ii) takes into consideration the full range of uses and disclosures of personal information; and iii) takes into consideration the multi-stakeholder and multi-jurisdictional policy considerations.

Conclusion

34. PIPEDA or substantially similar provincial legislation will apply to some of the entities involved with NG9-1-1, for example telecommunications service providers, automobile manufactures and companies that provide home alarm or monitoring systems. However, some entities may fall outside the scope of federal, provincial or territorial privacy legislation.
35. NG9-1-1 raises many important and challenging issues from a privacy perspective. While we make these comments with respect to those organizations covered by the Acts we oversee, we believe that Canadians are likely to expect that their information is protected in the most privacy-sensitive manner throughout the whole NG9-1-1 communication architecture, and by all the parties involved with NG9-1-1.

Sincerely,