Treasury Board ATIP Conference
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
December 11, 2000
Privacy Commissioner of Canada
(Check Against Delivery)
I want to talk about a number of things today.
First, since I'm new in this job, I think it's only fair I tell you something about my personal approach to the question of privacy, and why I think it's worth protecting.
I also want to talk some about how the Office of the Privacy Commissioner will be changing in the months ahead, and what kind of an impact those changes might have on those of you here today.
Finally, I want to spend some time on some of the special privacy and information issues facing government departments and agencies, and how the Office of the Privacy Commissioner can help you deal with those issues.
As I'm sure you know, the Personal Information Protection and Electronic Documents Act comes into effect in just a couple of weeks. This legislation marks the beginning of a new era of privacy protection for Canadians, and a new era of responsibility for the Office of the Privacy Commissioner.
Along with its existing duties in the federal public sector, the Office will be responsible for overseeing Canadians' new private sector privacy rights. We also have a new mandate to carry out research and public education on privacy issues.
This is something the Office has never had before. I believe public education is nothing short of fundamental to the job of Privacy Commissioner, and I plan to pursue this new mandate with enthusiasm.
Thankfully, along with these new responsibilities, the Office has also been given some additional resources to carry them out. In other words, I can assure you our new duties in the private sector will not come at the expense of our existing responsibility to the federal public sector.
If anything, the opposite will be true. With more resources, a bigger mandate to carry out research and communications, and the experience we'll gain working with the private sector, I think we'll be able to do an even better job in the public sector.
Now, I know many of you have been dealing with the Office for some time, and have become familiar with whom to call about what. In many cases, that will not change.
We do have a number of new people though, and we've done some re-organizing on the administrative side to reflect the changes in our mandate, so you may well find things are a little different when you call for help or advice on something.
Trust me, this is not a deliberate attempt to frustrate.
Rather than read out a long list of names and job descriptions, I'd suggest for the time being that you continue to call on the people you've dealt with in the past. If they're not the right people any more, they'll make sure you do get connected to the right people.
The organization may be different, and there may be some new names and personalities, but the commitment to our central mandate is the same.
The Privacy Commissioner is an officer of Parliament, charged with defending Canadians' right to privacy. I intend to carry out that mandate, and I consider it a privilege to be entrusted with this responsibility.
Guaranteeing the right to privacy is absolutely basic to any society that wishes to call itself free and democratic. So many of the other freedoms we prize so highly flow from the right to privacy.
If we feel someone is watching and recording us, or worry that our private actions may become public, our freedom of choice is diminished. Our freedom to express ourselves and our freedom to associate with whom we choose is constricted.
I do not believe it is an exaggeration to say our right to privacy is in greater jeopardy now than at any time in history. I believe that privacy will be the defining issue of this new decade.
In terms of privacy, we really have come to a crossroads.
How we deal with this issue, this new reality, now - over these next few years - will decide how the individual relates to society in Canada for many, many years to come. It will determine the very type of society we leave to our children.
Until recently, we could take our privacy pretty much for granted. Privacy was protected more-or-less by default.
Unless you were very famous, or very important or had committed a crime, your personal information was scattered here and there, and kept in hard copy files.
Assembling any kind of dossier on any one of us meant quite a bit of legwork: Someone would have to go to some trouble to find out about you.
To say "times have changed" is a bit of an understatement. Today, information that even a few years ago might have taken weeks or months to dig out can be compiled literally in minutes at a computer keyboard.
It is exactly this ease of access that has prompted the Administrative Office of the United States Courts to consider whether it should limit the traditional openness of court records. The move to electronic record-keeping is eating away at the wall of paper that once guarded our privacy from all but the most determined of snoops.
It used to be someone had to go out of their way to access our private data - now we must go out of our way to ensure our private data stays private.
So what exactly is this privacy we are trying to protect?
U.S. Supreme Court Justice Louis Brandeis provided what has become the classic definition of privacy in 1890, when he described privacy as simply "the right to be let alone."
All of us want to be able to go about the business of our lives without having someone looking over our shoulder, demanding to know what we're doing, and why we're doing it.
In that context, privacy might well be defined as the right to say "none of your damn business."
In some respects, that definition still stands, but in the modern era, I believe privacy is much more than just the "right to be let alone." For one thing, we can feel "let alone," in the sense that no one is bothering us, and still be having our privacy invaded from a distance.
If you asked me, I would define privacy as the right to control access to one's person and to information about oneself.
As long as society and other individuals make their judgements about who we are based on the information they have about us - and I suspect that will be the case for a good long time - this idea of control over our personal information will be at the very heart of our personal privacy.
Critical to that notion of control is the concept of choice, or consent.
The more we become involved with the collective whole and society at large, the more information we surrender about ourselves. When we apply for a job, open a bank account, explore the Internet, or take part in any of the myriad transactions of daily life, we make another contribution to the gradual erosion of our private selves.
Thus, privacy is not an absolute. It is rarely stripped away in one fell swoop. It is a continuum of choices and trade-offs.
Revealing information about ourselves only when and as we choose is the very essence of privacy.
Today, that choice is often made for us. Surveillance has become a matter of routine. Cameras record us at the bank machine and at the corner store.
A computer records what time we pull into the office parking garage, and yet another camera watches us wait for the elevator. A computer notes the time we swipe our plastic key to enter the office.
In the United States, cellphone companies have been ordered to implement so-called "location tracking" by the middle of next year, and this feature will inevitably find its way to Canada.
Location tracking allows service providers to know within a matter of a few metres where a cellphone call is coming from. This is seen as a major step forward for emergency services, and as a necessity by computer companies anxious to offer new applications tied to a cellphone user's location.
Our precise location is something we might not always want to share or be asked to explain. Suppose a stalker was able to access this information. Who will ensure this information is kept in the proper confidence?
The debit card is a wonderful convenience, but its ability to gather information about us is startling. Your bank probably knows where you ate lunch yesterday, and where you bought your mother's Christmas present.
Likewise, there are suggestions that collecting all of our medical records in one massive database would be a good idea. But who is to decide whether and with whom our medical histories will be shared? There is a powerful and steadily-increasing demand for our personal health information from any number of secondary users.
It is not extremism to believe this could lead some people to avoid seeking treatment.
If you knew your insurance company or your employer, or even the police, might have access to what it could reveal about you, would you be more, or less likely to submit to the blood test recommended by your doctor?
Something in that blood test could cost you a chance at a better job; it could cost you the job you have now.
Think of the assumptions people might make about us based on the medications we have been prescribed.
Suppose your genetic profile were revealed to an especially interested party. Your entire family could be stigmatized for generations to come.
Yes, we have laws to protect us against discrimination in employment. But if we have no idea whether and to what extent an employer has access to our personal health information, or even if the information is accurate, how can we know whether we have been discriminated against?
The vast array of data, and the conclusions that can be drawn about us from it, is simply stunning.
Just think what your income tax return reveals about you, including your income, assets and debts, and maybe some history.
Add to that health information, including information about disabilities, and maybe genetic information.
.and information about conjugal arrangements, everything from divorce to sexual orientation.
Ever had a student loan, or claimed a deduction for tuition fees? Think what's available about your educational background, including who financed it, what you studied, and what you failed.
Searched for employment through a Canada Employment Centre? Collected Employment Insurance? You've left a trail of data about your employment history, including information about job performance and reasons for termination of employment.
Ever filled out a "Returning Traveller's Declaration" after a little foreign travel, indicating where you were, for how long?
And of course, if you've had any involvement with the criminal justice system..
Despite all this potential for intrusion, people quite rightly want to avail themselves of the advantages that information technology offers.
Quick and efficient access to government services, financial transactions, flight bookings, almost any kind of information about anything, is a great leap forward. But if we are expected to pay for these conveniences with a basic and fundamental human right, we must question their value.
And individuals are questioning the value. Public opinion surveys consistently show the vast majority of Canadians worry about the impact of the Internet and e-commerce on their personal privacy.
Privacy concerns are perhaps the single biggest deterrent to doing business online.
If you have to wonder - every time you click into a web site, every time you make a purchase with your debit card, every time you fill out an application for something - what information you are giving away, to whom you are giving it, for what purpose, and how it might be interpreted, you have no privacy.
To feel one is being monitored, to be self-conscious about every move one makes, is the essence of life in a totalitarian state.
Even when information about us is collected and stored and shared with the best of intentions, it can diminish our privacy.
Another, perhaps less widely publicized, example is the use of returning travellers' customs declarations to check for employment insurance fraud. I don't think anyone would argue that HRDC should not have the authority to detect fraud. We challenged this program, however, because of its effect on the privacy of thousands of innocent Canadians swept into the net.
Just last week, the Ontario Minister of Correctional Services was forced to resign after a member of his party shared the names of several Young Offenders with the legislature. The proceedings of the legislature are carried live on television, so the names were shared with the entire province.
The member wished to congratulate the young people on their graduation from a Corrections "boot camp". Clearly, he intended no harm, but harm was done. I am quite sure these young people would prefer to decide for themselves whether to include that particular milestone on their resumes.
The Ontario government has announced plans to implement mandatory drug testing for people on social assistance. Personally, I think this is a gross invasion of privacy. But, in any event, who will be responsible for safeguarding this highly-sensitive information, and how long will it be stored?
Who should have access to this information? The health ministry could probably make a case for access, and so could the people who run government job-training programs, and by extension, potential employers.
More and more government services are being given over to non-profit, community organizations. In many instances - the field of corrections is just one of them - very delicate personal information is included in the transaction. Will these organizations have the expertise and resources to protect the security and confidentiality of this information?
We want to encourage the creation of what I call a "culture of privacy" within organizations in both the public and the private sectors.
This means assessing the potential impact on privacy of every initiative at every step of the way. In the digital age, I believe privacy assessment should be as much a part of the policy development routine as cost analysis, so that problems can be addressed before they become complaints.
I think the best way to do that is to measure every information-gathering exercise against the Principles of Fair Information Practices set out in the schedule to the PIPED Act. I won't list them all, and of course most of you will be familiar with them, but here is basically what they say:
- anyone collecting personal information in the course of a commercial activity must explain the purpose of collecting it, and obtain the individual's consent;
- they must limit the collection of personal information to what is reasonable under the circumstances, and use it only for the purpose for which it was collected;
- they cannot disclose this information to anyone else without consent, and
- they must allow individuals to have access to their own personal information and correct any inaccuracies.
These principles may be attached to a law that applies to the private sector, but I believe they are just as valid for the public sector.
Organizations should be able to justify every request for personal information, because with the advances in technology, it has become just too easy to assemble a whole person from scattered bits of information.
I think the famous Longitudinal Labour Force File at HRDC offers an excellent and cautionary example.
As wholesome as the intent may have been, Canadians were indignant to learn the Government of Canada was holding a detailed file on each and every one of us.
That the file was for all intents and purposes invisible served only to increase Canadians' suspicions.
People being people, many assumed that if the file was invisible, it was because there had been a deliberate effort to make it that way. And if there's no good reason for keeping something secret, then there must be a bad reason.
Canadians were assured the information had been collected according to the provisions of the Privacy Act. This was not what Canadians wanted to hear.
Far from reassuring them their personal information was being handled with all due regard for their privacy, it left Canadians wondering just whose privacy the Privacy Act was supposed to protect.
I think the HRDC example shows that where privacy laws are concerned, Canadians want the government - especially the government, which they have no choice but to trust with so much of their personal information - they want the government to respect not only the letter, but also the spirit of the law.
The HRDC case also demonstrates the importance of maintaining a policy of openness and transparency when privacy is concerned.
I cannot help but think that if someone, somewhere along the line, had stopped for a moment and thought about what they were doing, thought about what it looked like they were doing, and told Canadians what was going on and why, the whole mess might have been avoided.
Canadians either might have agreed that the intended uses were reasonable or they would have had the chance to object at an earlier stage, avoiding what instead ensued.
Government departments and agencies that collect personal information from Canadians do so with the force of law behind them. They ask all kinds of personal questions and expect prompt and honest answers.
Now, I'm sure everyone here knows that telling someone it's a federal offence to give an incorrect answer is not enough to guarantee the accuracy of the information you get that way. Information obtained through coercion is bound to be a little suspect.
To put it another way, the correct answer to "Why should I tell you that?" is not necessarily, "Because I'll put you in jail if you don't."
In short, any organization's ability to collect and use personal information is directly related to its ability to convince Canadians the organization can be trusted to protect that information and respect their privacy. To be taken seriously, this commitment must be visible both in word and in deed.
I'm sure everyone here also recognizes the importance of responding promptly to individuals' requests for personal information about themselves under the Privacy Act. I find myself signing far too many letters telling complainants that they were not provided information within the time provided by law.
This is something I will be getting tough on. It's unacceptable to me, as it is to the Canadian public, that any part of the government of Canada should ever be breaking a law of Canada.
Canadians agree to surrender their personal information to governments because they trust their governments to treat the information with care, and use it only for the purpose stated at the time of collection. I think the intensity of the reaction to the HRDC file shows the value Canadians place on that trust.
I believe it is safe to say Canadians' trust in governments' ability to hold up their end of the privacy bargain has been diminished by the HRDC situation.
In the future, as e-commerce grows and the federal government moves to bring all of its services online by 2004, Canadians will want more and better assurances the privacy of their personal information will be protected.
If the public does not have confidence in the privacy of these transactions, the efficiencies they promise will never be fully realized.
As Privacy Commissioner, it's my job to ensure Canadians' right to privacy is not abused. I believe the best way to do that is to ensure Canadians know their rights, understand why they're important, and how to exercise them.
If Canadians are to have any influence in the privacy debate, they must have access to information from a reliable, independent source.
That is why I am so enthused about my new mandate to carry out research and public education.
My Office is committed to an extensive communications strategy that will inform Canadians of their privacy rights, and remind organizations of their privacy responsibilities.
By promoting privacy research, we will be able to bring emerging privacy issues to public attention, and ensure privacy concerns remain near the front of public consciousness.
Any organization, public or private, would do well to consider the implications of a public that is much more aware of its privacy rights, and how to go about exercising them.
I will continue to put a strong emphasis on the Privacy Commissioner as ombudsman, investigating complaints, and using the powers of persuasion, mediation and negotiation to resolve disputes.
The Office will continue to exercise its power to conduct audits, and to bring abuses to the public's attention through the media.
I do want to stress that the Privacy Commissioner is not an enforcer, nor an advocate for either side. The Privacy Commissioner is an advocate for privacy.
In that role, my Office is dedicated not just to making sure organizations know their obligations under the law, but to helping organizations find ways to meet those obligations.
As an example, we have just published a business guide to the new PIPED Act, explaining the new legislation in layman's terms, and offering suggestions for implementing various provisions. A citizens' guide to the new legislation will follow in January.
We are in the process of re-designing and expanding our web site. We want it to be both a source of information for the public, and a means by which organizations can share privacy-related information with one another.
We are also developing communications products specifically for the public sector, so you will be hearing more from me. And I hope I hear from you, because we are in this together.
The Privacy Commissioner of Canada does not own the franchise on privacy. Privacy, by its very definition, belongs to each and every one of us. I can think of no possession more personal than our privacy.
Canadians share much of this personal possession with their governments. They do so in the belief that their governments will treat it with the care and respect such a valued possession deserves.
Those of us in this room have a special responsibility to ensure that trust is not misplaced.
I look forward to working with you as we strive to live up to that responsibility.
- Date modified: