December 5, 2000
Privacy Commissioner of Canada
(Check Against Delivery)
We are on the threshold of a new era of privacy protection in Canada that will bring significant changes for all of us.
The Personal Information Protection and Electronic Documents Act comes into effect just a few weeks from now.
This expansion of the privacy rights of Canadians means a new set of obligations and responsibilities for private sector organizations.
It also means a new set of responsibilities for the Office of the Privacy Commissioner.
In addition to the duty to oversee these new rights, the Act gives the Office of the Privacy Commissioner a new mandate to carry out research and public education on privacy issues.
I am looking forward to these new responsibilities with anticipation. For some of you, I realize the emotion may be closer to trepidation.
I hope what I have to say today will ease some of your concerns, and add to your understanding of the need for this kind of legislation.
I'm going to address some of the specific questions that have come up in consultations with the business community, but before I get into that, I want to talk a little bit about privacy in general, and why we should protect it. I'll also try to give you some insight into the role of the Privacy Commissioner in all this, and what you can expect from me and my office as this legislation is implemented.
Let me begin by saying I believe privacy will be the defining issue of this new decade.
I say this because, in terms of privacy, we really have come to a kind of crossroads.
Until recently, our privacy was protected pretty much by default.
Unless you were very famous, or very important or had committed a crime, your personal information was scattered here and there, and kept in hard copy files.
Assembling any kind of dossier on any one of us meant quite a bit of legwork: Someone would have to go to a fair amount of trouble to find out about you.
To say "times have changed" is a bit of an understatement. Today, information that even a few years ago might have taken weeks or months to dig out can be compiled literally in minutes at a computer keyboard.
It is exactly this ease of access that has prompted the Administrative Office of the United States Courts to consider whether it should limit the traditional openness of court records. The move to electronic record-keeping is chipping away at the wall of paper that once guarded our privacy from all but the most determined of snoops.
It used to be someone had to go out of their way to access our private data - now we must go out of our way to ensure our private data stays private.
How we deal with this issue, this new reality, now - over these next few years - will decide how the individual relates to society in Canada for many, many years to come. It will determine the very type of society we leave to our children.
So what exactly is this privacy we are trying to protect?
U.S. Supreme Court Justice Louis Brandeis provided what has become the classic definition of privacy in 1890, when he described privacy as simply "the right to be let alone."
All of us want to be able to go about the business of our lives without having someone looking over our shoulder, demanding to know what we're doing, and why we're doing it.
In that context, privacy might well be defined as the right to say "none of your damn business".
In some respects, that definition still stands, but in the modern era, I believe privacy is much more than just the "right to be let alone." For one thing, we can feel "left alone," in the sense that no one is bothering us, and still be having our privacy invaded from a distance.
If you asked me, I would define privacy as the right to control access to one's person and to information about oneself.
As long as society and other individuals make their judgments about who we are based on the information they have about us - and I suspect that will be the case for a good long time - this idea of control over our personal information will be at the very heart of our personal privacy.
Critical to that notion of control is the concept of choice, or consent.
If you live as a hermit, on some remote mountainside, chances are your privacy is pretty well intact.
But the moment you choose to come down into a city or village, you are choosing to give up some of your privacy. Just by walking along a street, you are giving up some information.
People can make judgments or assumptions about you on the basis of your physical appearance, how you're dressed, how well groomed you are - a whole host of visual clues, whether accurate or inaccurate.
If you choose to pick up some supplies, you give up more of your privacy. The shopkeeper may gain some insight into your dietary habits. The pharmacist is left to contemplate your need for cough medication, and the cashier at the newsstand can make note of your reading habits.
You've lost some of your privacy, but you considered it a worthwhile trade. You like steak. The coughing was driving you crazy, and you don't particularly care if people know you like mystery novels.
The point is this: the more we become involved with the collective whole and society at large, the more information we surrender about ourselves. When we apply for a job, open a bank account, explore the Internet, or take part in any of the myriad transactions of daily life, we make another contribution to the gradual erosion of our private selves.
Thus, privacy is not an absolute. It is rarely stripped away in one fell swoop. It is a continuum of choices and trade-offs.
Revealing information about ourselves only when and as we choose is the very essence of privacy.
But that choice is not always available to us. Surveillance has become a matter of routine. Cameras record us at the bank machine and at the corner store.
A computer records what time we pull into the office parking garage, and yet another camera watches us wait for the elevator. A computer notes the time we swipe our plastic key to enter the office.
The debit card is a wonderful convenience, but its potential for gathering information about us is frightening. Your bank probably knows where you ate lunch yesterday, and where you bought your mother's Christmas present.
Suppose you have an elderly, shut-in aunt who likes her gin. Being a kindly soul, you make a habit of stopping at the liquor store for her on your way home. Anyone looking at your debit or credit card purchases might well conclude you're an alcoholic.
Perhaps a close friend has moved to Las Vegas. You fly down there four or five times a year to visit him. Someone looking at your travel habits is likely to assume you're a compulsive gambler.
Likewise, there are suggestions that collecting all of our medical records in one massive database would be a good idea, but who is to decide whether and with whom our medical histories will be shared? There is a powerful and steadily-increasing demand for our personal health information from any number of secondary users.
Suppose the records are shared with researchers at a pharmaceutical company. The pharmaceutical company decides it is reasonable to share the information with an insurance company, again, for research purposes. This is not a problem; all the names and numbers have been removed.
Or have they? American computer scientist Latanya Sweeney has shown that simply removing identifying details from patient records does not assure privacy.
With a few patient-specific details, an individual can be identified. The data can also be linked or matched with information from other sources to identify people by so-called "inferential disclosure".
In this case, two plus two equals you.
One day you apply for an insurance policy, but the company sees something it doesn't like in the blood test from your last checkup. It's quite possible the lab put your name on someone else's sample. It's not your mistake, but you still don't get the insurance, and you may never know why.
That same, inaccurate blood test could deny you a job, or dismiss you from the one you have now.
The vast array of data and the conclusions that can be drawn about us is simply stunning.
The destination, date and duration of virtually every telephone call we make.
Have you ever used a loyalty card at the grocery store? A credit card at the liquor store?
Is there a list of every movie you've ever rented?
Why were you taking anti-depressants in 1992?
None of your damn business indeed.
But, despite all this potential for intrusion, people quite rightly want to avail themselves of the advantages that information technology offers.
Quick and efficient access to financial transactions, flight bookings, almost any kind of information about anything, is a great leap forward. But if we pay for these conveniences with a basic and fundamental human right, we must question their value.
And individuals are doing just that. Public opinion surveys consistently show the vast majority of Canadians worry about the impact of the Internet and e-commerce on their personal privacy.
Privacy concerns are perhaps the single biggest deterrent to doing business online.
If you have to wonder - every time you click into a web site, every time you make a purchase with your debit card, every time you fill out an application for something - what information you are giving away, to whom you are giving it and for what purpose, you have no privacy.
To feel one is being monitored, to be self-conscious about every move one makes, is the essence of life in a totalitarian state.
Even when information about us is collected and stored and shared with the best of intentions, it can diminish our privacy.
The famous Human Resources Development Canada database, for example.
By combining the information in its own files with that of other federal departments, HRDC was able to put together an extraordinary database. Each of the more than 33-million files held as many as 2000 bits of information: from education and marital status to disabilities and employment history, and everything in between.
In all but name, the data was a centralized profile on each and every one of us.
Ironically, we Canadians tend to look down our noses at countries that do that sort of thing.
The existence of the database was not a secret. All the same, you would have had to go to some effort to discover the record existed, let alone find out what was in it or if the information was accurate.
On top of that, Canadians had no idea whether, to what extent, with whom or for what purpose the information was being shared.
HRDC has announced it is dismantling the database. This announcement came shortly after the database was brought to light in the most recent annual report tabled by my predecessor, Bruce Phillips.
That is why we have a Privacy Commissioner to monitor how government and private sector organizations respect citizens' right to privacy, and whether those organizations pursue fair information practices.
Which brings us to the Personal Information Protection and Electronic Documents Act.
This Act is intended to strike a balance between the information needs of our modern society and the rights of individuals to control how their personal information is collected, used and disclosed by the private sector. It is intended to give individuals a choice when it comes to revealing their personal information.
For all of us, the new law means a new level of privacy protection when dealing with private sector organizations.
For the private sector, it means a clear and consistent standard for the protection of privacy. A standard, I should add, that it must meet.
For the Office of the Privacy Commissioner, the new Act brings greater responsibility, an expanded role, and a new mandate to educate Canadians and organizations about the issues surrounding personal privacy.
At the core of the legislation is a code of fair information principles. I won't list all of them, but what they say, basically, is this:
- anyone collecting personal information in the course of a commercial activity must explain the purpose of collecting it, and obtain the individual's consent;
- they must limit the collection of personal information to what is reasonable under the circumstances, and use it only for the purpose for which it was collected;
- they cannot disclose this information to anyone else without consent, and
- they must allow individuals to have access to their own personal information and correct any inaccuracies.
I think it's worth noting here that these principles were not dreamed up by a bunch of bureaucrats in one of Ottawa's ivory towers. The principles are in fact the Model Code for the Protection of Personal Information developed under the guidance of the Canadian Standards Association. The Code is the product of five years of consultation with Canadian business, consumer and other groups.
In that sense, the Code is grounded in the reality of the marketplace.
These principles, and the new law as a whole, are also grounded in the reality that this is the direction in which the world is moving.
The European Union already puts restrictions on the transfer of personal information to countries that do not protect it adequately.
In fact, I have just returned from Brussels where I was explaining the Personal Information Protection and Electronic Documents Act to our trading partners in the E.U., and assuring them it is in line with the privacy principles in practice there.
Once the new law takes effect, organizations based outside Canada will be expected to comply with it when doing business here. And Canadian companies transferring personal information for processing outside Canada must ensure that third parties provide the same level of protection.
I am not going to stand up here and tell you that implementing this legislation will be a piece of cake. I do want you to know that my office is available to offer help and advice at all times.
I must say, I'm very pleased with the relationship we have with the private sector. I want this relationship to continue.
We have had many very useful discussions already with national associations representing key industries. The advice and input from banks, marketers, the telecommunications sector, Internet providers, manufacturers, retailers and others has been unfailingly thoughtful and practical.
We are in the final stages of preparing a guide to the new legislation for the private sector. It will be available before the end of the year. A number of key industry sectors in Canada have donated their time and expertise to reviewing the guide at various stages of its development. Their suggestions have been a great help in making sure the guide is as useful to business as it can possibly be.
Naturally, there have been some questions about the legislation and exactly how it will be applied. I would like to respond to some of the questions that have come up in our discussions with business.
First, there is the matter of what happens to the personal information already collected, the so-called "grandfathering" issue. Consent may not have been obtained when the information was acquired.
Let me be clear. The law makes no provision for grandfathering. So, using or disclosing this information requires the consent of the individual to whom it pertains.
There are a number of ways to deal with this. What I'd suggest as a start, is to take an inventory of the information on file, and make sure it is still needed for a specific purpose.
In the case of information for which a need remains, organizations should take advantage of routine customer contacts - contract renewals, for example - to advise customers about the reason for having the information and to seek their consent. Your relations with your customers are constantly being renewed - use one of these periodic contacts to obtain consent.
We've also been asked many times about when business will be expected to comply with the legislation.
The Act will be implemented in three stages. As of January 1, 2001, it will apply to federal works, undertakings and businesses. These include banks, airports, telephone companies, cable companies, broadcasters and firms engaged in interprovincial or international transportation.
It also applies to disclosures of personal information across provincial or national borders for consideration, by organizations such as credit reporting agencies or organizations that lease, sell or exchange mailing lists or other personal information. That means the personal information itself is the subject of the transaction.
Now, it is highly unlikely any of those enterprises will find me and a posse of auditors on their doorstep on New Year's Day. Nonetheless, the new law does take effect for this group on January 1, and a customer's right to file a complaint takes effect at the same time.
I am convinced from my contacts with business that organizations within this first group are well aware of the new law and have been preparing for its implementation for some time now.
For this group - the federal works, undertakings and businesses - the law also applies to their employees' personal information in the first year. The only exception is personal health information, which is exempt until January 1, 2002.
The final stage of implementation will take place in January 2004. At that time, the Act will apply to commercial transactions within a province. By then, we expect that many provinces will have adopted their own privacy legislation. When that is the case, the federal government will exempt organizations and activities in provinces that have adopted substantially similar legislation from the federal law. But one way or another, privacy protection will be the law of the land.
Can a business transfer personal information it has collected to an affiliated company or a subsidiary? Yes, provided the individual consents to the transfer.
As far as the Office of the Privacy Commissioner is concerned, each corporate entity is a separate organization for the purposes of the new Act. The transfer of personal information from one subsidiary to another constitutes a disclosure of that information, and therefore requires consent.
Upholding these and the other provisions of the Act is the job of the Privacy Commissioner of Canada. That may sound rather ominous, but the Privacy Commissioner is not a government enforcer.
I report directly to Parliament, not to the government of the day. My function is primarily that of ombudsman, an ombudsman for privacy matters, with a strong emphasis on resolving complaints. My role is to investigate, to mediate, to audit and to educate.
This is not to say the Privacy Commissioner is powerless. When privacy rights have been abused, the Privacy Commissioner can make those abuses public. If need be, the Privacy Commissioner can also seek remedy in the courts.
Like the Privacy Act before it, which sets out privacy rights with respect to the federal government, this new legislation gives the Privacy Commissioner broad investigative powers.
Those powers - to enter premises, subpoena documents, compel testimony - have never been used in the public sector, because there has always been voluntary cooperation. I'd like to keep it that way with the private sector, and I hope we are never put in a position of "last resort".
Of the tens of thousands of complaints filed with the office under the Privacy Act since 1983, only a handful has gone to court.
These numbers prove that a balanced, non-confrontational approach can work. It is the approach I intend to continue as our mandate expands to the private sector.
The nature of the job requires the incumbent to be tough-minded when necessary. The Privacy Commissioner is an Officer of Parliament, charged with the protection of Canadians' right to privacy. I will carry out that mandate.
I also intend the Office of the Privacy Commissioner to exercise with vigour its new mandate to carry out education and communications programs.
In the months ahead, my office will be embarking on a major public information campaign. We will be advertising, producing fact sheets and brochures, and speaking at events like this one across the country. We will be informing Canadians of their new, legislated privacy protections, and we will be reminding private sector organizations of their responsibilities under the act.
Business must respect this legislation, but my office will be as cooperative and informative as possible. Our job is to help, not hinder.
I believe the Privacy Commissioner can be a valuable resource to the business community.
The same is true of the legislation itself.
The better the private sector understands and addresses the issue of privacy, the better it will be able to establish the trust it must develop to succeed in the world of e-commerce.
We have all seen the results of the public opinion surveys. Consumers expect their privacy to be respected and protected. Enterprises that can offer reasonable assurances of privacy will win. Those that do not will lose. So it goes without saying that good privacy is also good business.
The protection of the individual's right to privacy is the cornerstone of a free, democratic society. I look forward in the years ahead to all of us working together to reinforce that cornerstone.