This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
November 20, 2000
Privacy Commissioner of Canada
(Check Against Delivery)
I think it's very appropriate that my first major public speech as Privacy Commissioner is here, to this group-because you are some of the most influential people terms of the future of privacy in Canada. It's important for us to get to know each other, especially at this pivotal time in the history of privacy rights in our country.
As I am sure you all know, the Personal Information Protection and Electronic Documents Act comes into effect just a few weeks from now.
The implementation of Bill C-6 presents a challenge and an opportunity for all concerned. I am looking forward to it.
I must say, since I was appointed a few weeks ago, it's been wonderful to hear from so many old friends and colleagues who've called to offer their congratulations.
But what has struck me is the number of otherwise well-informed people who have said "Congratulations, that's great, but ... what exactly does a Privacy Commissioner do? And why do we need one?"
I'm going to try to answer those questions today, talk about the role of the Privacy Commissioner, and how I intend to approach this job. I also want to look ahead to how the Office of the Privacy Commissioner will be working with the private sector after Bill C-6 comes into effect in January.
I believe that privacy will be the defining issue of this new decade.
That's because we have come to a kind of crossroads. Until recently, privacy really was protected mainly by default.
Unless you were very famous, or very important or had committed a crime, your personal information was scattered here and there, and kept in hard copy files. Assembling any kind of dossier on any one of us meant quite a bit of legwork. So someone would have to go to a fair amount of trouble to find out about you.
But today, information that just a few years ago might have taken weeks or months to dig out can be compiled literally in minutes at a computer keyboard.
It used to be someone had to go out of their way to access our private data-now we must go out of our way to ensure our private data stays private.
How we deal with this issue, this new reality, now-over these next few years-will decide how the individual relates to society in Canada for many, many years to come. It will determine the very type of society we leave to our children.
So what exactly is this privacy we are trying to protect?
U.S. Supreme Court Justice Louis Brandeis provided what has become the classic definition of privacy in 1890, when he described privacy as simply "the right to be left alone."
All of us want to be able to go about the business of our lives without having someone looking over our shoulder, demanding to know what we're doing, and why we're doing it.
In that context, privacy might well be defined as the right to say "none of your damn business."
In some respects, that definition still stands, but in the modern era, I believe privacy is much more than just the "right to be left alone." For one thing, we can feel "left alone," in the sense that no one is bothering us, and still be having our privacy invaded from a distance.
Many of us have just had the pleasure of hearing Professor Alan Westin speak.
Perhaps more than anyone, Dr. Westin was responsible for bringing the definition of privacy up-to-date in 1967, when he wrote, "Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others."
If you asked me, I would define privacy as the right to control access to one's person and to information about oneself.
As long as society and other individuals make their judgements about who we are based on the information they have about us-and I suspect that will be the case for a good long time-this idea of ownership and control of our personal information will be at the very heart of our personal privacy.
Critical to that notion of ownership and control is the concept of choice.
If you live as a hermit, on some remote mountainside, chances are your privacy is pretty well intact.
But the moment you choose to come down into a city or village, you are choosing to give up some of your privacy. Just by walking along a street, you are giving up some information. People can make judgments or assumptions about you on the basis of your physical appearance, how you're dressed, how well groomed you are-a whole host of visual clues, whether accurate or inaccurate.
If you choose to pick up some supplies, you give up more of your privacy. The shopkeeper may gain some insight into your dietary habits. The pharmacist is left to contemplate your need for cough medication, and the cashier at the news stand can make note of your reading habits.
You've lost some of your privacy, but you considered it a worthwhile trade. You like steak. The coughing was driving you crazy, and you don't particularly care if people know you like mystery novels.
The point is this: The more we become involved with the collective whole and society at large, the more information we surrender about ourselves. When we apply for a job, open a bank account, explore the Internet, or take part in any of the myriad transactions of daily life, we make another contribution to the gradual erosion of our private selves.
When we begin the process of developing an intimate relationship with another person, we may choose to ultimately give that person all the information about ourselves. We are not forced to do so; it is something we choose to do because we see a benefit to it.
Thus, privacy is not an absolute. It is rarely stripped away in one fell swoop. It is a continuum of choices and trade-offs.
Revealing information about ourselves only when and as we choose is the very essence of privacy.
But that choice is not always available to us. Surveillance has become a matter of routine. Cameras record us at the bank machine and at the corner store.
A computer records what time we pull into the office parking garage, and yet another camera watches us wait for the elevator. A computer notes the time we swipe our plastic key to enter the office.
You send some personal e-mail. Even if you delete it, your employer can still read it from the big hard-drive downstairs. Your bank probably knows where you ate lunch, and what you bought your mother for Christmas.
The issue is not just the relative ease with which access can be gained to our personal information, but the vast array of data that can be accessed.
The destination, date and duration of virtually every telephone call we make.
Have you ever used a debit card to pay for groceries? A credit card at the liquor store?
Here's a list of every movie you've ever rented.
Why were you taking anti-depressants in 1992?
None of your damn business indeed.
Despite this potential for intrusion, people quite rightly want to avail themselves of the advantages that information technology offers.
Quick and efficient access to financial transactions, flight bookings, almost any kind of information about anything, is a great leap forward. But if we pay for these conveniences with a basic and fundamental human right, we must question their value. At the very least, we should attempt to negotiate a better price.
Privacy concerns are perhaps the single most important deterrent to doing business online. Public opinion surveys consistently show the vast majority of Canadians worry about the impact of the Internet and e-commerce on their personal privacy. And so they should.
Identity theft is the fastest growing crime in North America. The Privacy Rights Clearinghouse estimates there are more than 400,000 cases of identity theft a year in the U.S., and that the number is increasing by 50 per cent every 12 months.
With a few mouse clicks and a bit of off-line work, almost anyone can become you, and start spending your money, and using your credit. And then you're left stuck with the time and effort required to correct and restore your credit rating, and the joys of having to prove that you are the real you.
I am very interested, as well, in the debate over electronic medical records.
Who is to decide whether and with whom our medical histories will be shared?
Suppose the records are shared with researchers at a pharmaceutical company. The pharmaceutical company decides it is reasonable to share the information with an insurance company, again, for research purposes. This is not a problem; all the names and numbers have been removed.
Or have they? American computer scientist Latanya Sweeney has shown that simply removing identifying details from patient records does not assure privacy.
With a few patient-specific details, an individual can be identified. The data can also be linked or matched with information from other sources to identify people by so-called "inferential disclosure".
In this case, two plus two equals you.
One day you apply for an insurance policy, but the company sees something it doesn't like in your most recent blood test blood test from your last checkup. It's quite possible the lab put your name on someone else's sample. It's not your mistake, but you still don't get the insurance, and you may never know why.
That same, inaccurate blood test could deny you a job, or dismiss you from the one you have now. You may be one of the 7-million or so Air Miles Cardholders. In theory, every time you use that card, the details of your buying decisions could be shared with as many as 150 corporate participants in the program. In Ontario, that includes liquor stores. And a major bank.
Does your banker know how much you spend at the liquor store?
Suppose you have an elderly, shut-in aunt who likes to go through a bottle of gin a day. Being a kindly soul, you make a habit of stopping at the liquor store for her on your way home. Anyone looking at the record of your purchases might well conclude that you're an alcoholic. Or suppose you have a close friend who happens to live now in Las Vegas, so you fly there four times a year to visit him. On paper, without any chance to explain, you look like a compulsive gambler.
If our privacy is indeed defined by the extent to which we maintain ownership and control of our personal information, we are at a crossroads.
If you have to wonder-every time you click into a web site, every time you make a purchase with your debit card, every time you fill out an application for something-what information you are giving away, to whom you are giving it and for what purpose, you have no privacy.
To feel one is being monitored, to be self-conscious about every move one makes is the essence of life in a totalitarian state.
Even when information about us is collected and stored and shared with the best of intentions, it can diminish our privacy.
The famous Human Resources Development Canada database, for example.
By combining the information in its own files with that of other federal departments, HRDC compiled an extraordinary database. Each of the more than 33-million files held as many as 2000 bits of information: from education and marital status to disabilities and employment history, and everything in between.
In all but name, the data was a centralized profile on each and every one of us.
Ironically, we Canadians tend to look down our noses at countries that do that sort of thing.
The existence of the database was not a secret. All the same, you would have had to go to some effort to discover the record existed, let alone find out what was in it or if the information was accurate.
On top of that, Canadians had no idea whether, to what extent, with whom or for what purpose the information was being shared.
HRDC has since announced it is dismantling the database. This announcement came shortly after the database was brought to light in the most recent annual report of the Privacy Commissioner, tabled by my predecessor, Bruce Phillips.
That is why we have a Privacy Commissioner to monitor how government and private sector organizations respect citizens' right to privacy, and whether those organizations pursue fair information practices.
Which brings us to Bill C-6, the Personal Information Protection and Electronic Documents Act.
C-6 is intended to strike a balance between the information needs of our modern society and the rights of individuals to control how their personal information is collected, used and disclosed by the private sector.
For Canadians, C-6 means a new level of privacy protection when dealing with private sector organizations.
For the private sector, the Act means a clear and consistent standard for the protection of privacy. A standard, I should add,that it must meet.
For the Office of the Privacy Commissioner, C-6 brings greater responsibility, an expanded role, and a new mandate to educate Canadians and organizations about the issues surrounding personal privacy.
At the core of C-6 is a code of fair information principles. I won't list all ten of them, but what they say, basically, is this:
- Anyone collecting personal information in the course of a commercial activity must explain the purpose of collecting it, and obtain the individual's consent.
- They must limit the collection of personal information to what is reasonable under the circumstances, and use it only for the purpose for which it was collected.
- They cannot disclose this information to anyone else without consent, and
- They must allow individuals to have access to their own personal information and correct any inaccuracies.
When it comes to upholding these principles, the Privacy Commissioner functions as an ombudsman, not as an enforcer for the government. The role is to investigate,mediate, audit and educate.
This is not to say the Privacy Commissioner is powerless. When privacy rights have been abused, the Privacy Commissioner can make those abuses public. If need be, the Office of the Privacy Commissioner can seek remedy in the courts.
Like the Privacy Act before it, which sets out privacy rights with respect to the federal government, this new legislation gives the Privacy Commissioner broad investigative powers.
Those powers-to enter premises, subpoena documents, compel testimony-have never been used in the public sector, because there has always been voluntary cooperation. I'd like to keep it that way with the private sector, and I hope we are never put in a position of "last resort".
Of the tens of thousands of complaints filed with the office since 1983, only a handful has gone to court.
These numbers prove that a balanced, non-confrontational approach can work. It is the approach I intend to continue as our mandate expands to the private sector.
The Privacy Commissioner has often been referred to as a watchdog. We all know a dog that barks and fusses at every passing sound soon ceases to have any value as a watchdog.
So this watchdog will focus on making a distinction between real intrusions and those that are insignificant, or a reasonable and unavoidable part of everyday life.
When real intrusions occur, this dog will bark. And, given the power of public opinion, that bark will feel like a bite. Ask HRDC.
The nature of the job requires the incumbent to be tough-minded when necessary. The Privacy Commissioner is an officer of Parliament, charged with the protection of Canadians' right to privacy. I will carry out that mandate.
I also intend the Office of the Privacy Commissioner to exercise with vigour its new mandate to carry out education and communications programs.
In the months ahead, my Office will be embarking on a major public information campaign. We will be informing Canadians of their new, legislated privacy protections, and reminding private sector organizations of their responsibilities under the Act.
Business must respect this legislation, but my office will be as cooperative and informative as possible. Our job is to help, not hinder. I believe the Privacy Commissioner can be a valuable resource to the business community.
The same is true of the legislation itself.
I'll be going to Brussels next week, where I will be explaining Bill C-6 to our trading partners in the European Union. As you know, the EU already has restrictions on the transfer of personal information to countries that do not have laws to adequately protect it.
As more and more nations implement legislation to defend privacy in the information age, C-6 will become an absolute prerequisite to doing business outside Canada's borders.
The better the private sector understands and addresses the issue of privacy, the better it will be able to establish the trust it must develop to succeed in the world of e-commerce.
We have all seen the results of the public opinion surveys. Consumers expect their privacy to be respected and protected. Enterprises that can offer reasonable assurances of privacy will win. Those that do not will lose. So it goes without saying that good privacy is also good business.
The protection of the individual's right to privacy is the cornerstone of a free, democratic society. I look forward in the years ahead to all of us working together to reinforce that cornerstone.
- Date modified: