Canadian High Commission Freedom of Information and Privacy Conference
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
March 5, 2001
Privacy Commissioner of Canada
(Check Against Delivery)
I'd like, first of all, to thank and congratulate the Canadian High Commission for organizing this conference. I believe that this is an excellent and very valuable opportunity to exchange ideas.
Before discussing the relationship between access to information and the protection of privacy, I would like to take a moment to talk a bit about my mandate and my office.
As was mentioned when I was introduced, I have only been in this position for six months. It's an exciting time to be the Privacy Commissioner of Canada.
I believe that privacy will be the defining issue of this new decade.
That's because we have come to a kind of crossroads. Until recently, privacy really was protected mainly by default.
As long as personal information was kept in paper files and scattered in a variety of locations, someone would have had to go a great deal of trouble to compile a detailed dossier on any one of us.
Unless you were very famous, or very important, or had done something really bad, your personal information and hence your privacy were relatively safe.
But today, information that just a few years ago might have taken weeks or months to dig out can be compiled literally in minutes at a computer keyboard.
Add to that the personal information trail we leave through such things as credit cards, debit cards and those little plastic access cards we may use to enter the office or the parking garage, that faithfully record our comings and goings, and all the new surveillance technologies, including the growing use of biometrics to strip away our anonymity.and the net effect is that we are living in an entirely new reality:
While it used to be that people had to go out of their way to access our private data - now we, as individuals and as a society, must go out of our way to ensure that our private data stay private.
How we deal with this new reality will determine the very type of society we leave to our children.
Another reason that this is an exciting time to be the Privacy Commissioner of Canada is because the federal government's new Personal Information Protection and Electronic Documents Act came into force as of January 1, 2001. This law is intended to strike a balance between the information needs of our modern society and the rights of individuals to control how their personal information is collected, used and disclosed by the private sector.
Very broadly speaking, its main provisions are the following:
No private sector organization covered under the law can collect, use or disclose personal information about an individual without his or her consent.
It can collect, use or disclose the information only for the purpose for which that consent was given.
Individuals have the right to see the personal information held about them by an organization, and to correct it if it's wrong.
And there are effective oversight mechanisms to ensure that privacy rights are respected, and avenues for redress in instances when they are not respected.
For Canadians, this legislation means a new level of privacy protection when dealing with private sector organizations.
For myself and my Office, it brings greater responsibility, an expanded role, and a new mandate to educate Canadians and organizations about the issues surrounding personal privacy.
To meet these new responsibilities, I have expanded the office's communications and investigation capabilities, I am placing more emphasis on research and policy development and I plan to conduct more compliance audits.
My office has embarked on a major public information campaign. We have started on the process of informing Canadians of their new, legislated privacy protections, and reminding private sector organizations of their responsibilities under the Act. We have provided you with copies of our Business Guide and Guide for Consumers.
My appointment as Commissioner has, of course, also given me occasion to think a great deal about privacy - what it is we are trying to protect, its importance to society, and how it relates to other values such as freedom of information and open government.
As a former journalist, I certainly understand the importance of freedom of information and the critical role that can sometimes be played by access legislation.
But I am also aware that it can sometimes be used as a substitute for good investigative journalism, giving priority to what can readily be obtained under access law over what might be more important to find out. And the information obtained under access laws can therefore generate shallow controversies - over some politician's travel expenses, for instance, that displace more thoughtful policy debate.
I must also admit to occasional concern that access to information laws can sometimes modify governmental processes, not always for the better, by making officials very careful about what they commit to paper and even what views or advice are provided.
In any event, notwithstanding such reservations, I would like to take this opportunity to congratulate Great Britain for passing a Freedom of Information Act, which does on the whole lead to more open and transparent government.
But turning now to the interplay between privacy and access to information, there are two points I want to make, that I'm sure will not be universally popular, but that I very strongly believe:
First, privacy trumps access.
And, second, the two can best be dealt with separately, not together.
Privacy is perhaps the most basic of our freedoms. Many have suggested it is the right from which all others flow - freedom of speech, freedom of association, freedom of choice-to name but a few.
We are not truly free if we must carry out our lives in the knowledge that every transaction we make, every place we go, every human contact we initiate - may be known and judged, perhaps misjudged, by an endless potential array of intruders on our privacy. That is why lack of real privacy is a distinguishing characteristic of so many totalitarian societies.
Privacy touches all aspects of our lives - our relationship with our families, our emotional lives, our self-expression, and our relationship to the state.
While privacy is universal and timeless, access to information is a much more modern concept that is really only meaningful in certain circumstances.
Access is an administrative right that may improve the quality of government. Privacy is a fundamental human right that is essential to the quality of our lives.
While access to information is a very desirable right in a democratic society, it cannot be said to be vital to freedom.
Access to information has developed as a refinement of democracy; privacy is the very cornerstone of it.
The relationship between privacy and access to information is complex.
At one extreme, there is a tendency to assume that they are inevitably at odds with one another, that one cancels out the other.
Certainly, some privacy skeptics argue that an over-emphasis on privacy encourages anti-social behaviour and limits the beneficial effects of communal scrutiny. A more open society, according to these critics, is likely to be safer and more caring. This is a view that I reject. Privacy need not be sacrificed for public safety, and I cannot imagine that a society in which privacy is not valued can really be more caring or compassionate.
Viewing access and openness as antithetical to privacy does not really serve either very well, and only promotes the popular misconception that the two concepts are inherently incompatible.
It seems to be a common belief, and it has been put this way many, many times, that access and privacy are opposite sides of the same coin, that in some way, one acts as some sort of balance to the other.
To equate the two, to say they have the same value, that one is somehow a necessary balance to the other is, in my view, a very serious mistake.
A number of Canadian provinces combine freedom of information and privacy in the same legislation, and vest responsibility for both in one person, perhaps on the assumption that access and privacy need to be balanced. This is not a responsibility I would want to have.
Nor do I envy, for that reason, the challenge faced by my colleague here, Elizabeth France, who is now responsible for both the new Freedom of Information Act and the Data Protection Act.
The federal situation in Canada is somewhat different, in that the Access to Information Act and Privacy Act are separate statutes, with separate origins, and two Commissioners.
Both Acts had their origins in the late 1960s. The Access to Information Act as part of a general and entirely reasonable desire to make government more open and accountable, and the Privacy Act in the growing concern that the relentless expansion of the computer database was threatening a basic human right.
The first legislated protections for privacy were included in a section of the Canadian Human Rights Act, given royal assent in 1977. The first Privacy Commissioner for Canada, a member of the Human Rights Commission, was appointed the same year.
Access to information and privacy became true bedfellows, strange or otherwise, in 1980, when a new government introduced a bill containing both the Access to Information Act and the Privacy Act, undoubtedly contributing to the view that the two go hand-in-hand. The bill became law in 1983, with a Privacy Commissioner to oversee the Privacy Act, and an Information Commissioner to keep tabs on the application of the Access law.
Even though the two Acts were introduced and passed as part of the same bill, the government of the time considered it a matter of principle that privacy legislation should have a profile of its own, and not be part of general access information.
Indeed, an underlying principle of the Privacy Act, according to one of the lawyers who wrote it, was that "the right of an individual to privacy with respect to government-held information about him- or herself should be recognized as a greater order of right than the general right of a citizen to obtain information from government files."
Despite their quite different-and often incompatible-functions, the Canadian law decreed that the Information and Privacy Commissioners would operate from one office, with one budget, sharing everything from telephones to paper clips. It also allowed that, in a pinch, one person could do both jobs.
This was not a very satisfactory arrangement. The same administrative staff opened mail addressed to either commissioner, retained and briefed legal counsel for one or the other as needed, and handled individual case files for both sides.
Certainly, great care was taken to avoid conflicts, but there was a tremendous potential to compromise the integrity of investigations being conducted by either Commissioner-especially in those instances where the Privacy Act was invoked to prevent the release of personal information being sought under the Access to Information Act.
A parliamentary committee tasked with reviewing the two acts found that this cohabitation was jeopardizing the ability of both Commissioners to undertake impartial investigations and render impartial findings.
Even though the committee recommended the Commissioners' offices be separated to avoid any real or perceived conflict of interest in the discharge of their respective mandates, the government of the day not only ignored that particular recommendation but in 1991-1992 announced it would combine the functions of Information and Privacy Commissioner in one person, in order to save money.
This, I believe, would have been disastrous for both access and privacy, and thankfully, it did not come to pass.
It is worth mentioning that the Information Commissioner at the time was quite supportive of the idea, noting that while there "may be honorable differences over which of the two sometimes conflicting values should prevail in a given case, playing the privacy card is also a delaying tactic."
A telling remark, to say the least.
The offices of the Information and Privacy Commissioners continued to share accommodations, some staff and budget until just a few months ago, when the responsibilities of the Privacy Commissioner were expanded to include oversight of new private sector privacy law. I expect the few remaining administrative links to be severed within the coming weeks.
I believe this formal separation of the two areas to be a significant advance for both access and privacy in Canada.
As I mentioned earlier, privacy and access are not always in opposition. Many privacy acts-including Canada's Privacy Act and Bill C-6-contain provisions allowing an individual to have access to his or her personal information. Such provisions are an important element of privacy protection because they allow an individual to see how much information the government has collected, and to correct any errors, or, in the case of the private sector, they allow an individual to determine whether or not a business has collected more information than it needs to fulfill specified purposes. This is one place, and perhaps the only place, where the two principles intersect.
There have been, and doubtless always will be instances where the two principles conflict with one another. On those occasions, I believe it is absolutely necessary that the defense of the two principles be carried on in an open, transparent and independent way.
Any appearance of bias or conflicting interest in representing either would debase the currency of both.
This is especially true now, with new tensions arising between access and privacy in a number of areas:
Personal information deemed to be "publicly available" is exempt from the Privacy Act. Just what is and is not "publicly available" has been debated for some time, and the temperature of the debate is rising. For example, all sorts of personal information collected in government registries have traditionally been open to public inspection.
A measure of privacy was assured by the simple fact the information was, if not impossible, at least awkward to access. While there may be a valid public interest in maintaining open access to something like the Bankruptcy Registry, or court records, for instance, is there a public interest to be served in posting this information on the Internet where it can be accessed at any time, by anyone for any reason?
I would argue that such bulk disclosures of personal information were never contemplated by those who drafted the Privacy Act. Indeed, the freedom of information and privacy legislation in the Canadian province of Manitoba specifically prohibits the disclosure of personal information from a government registry on a "volume or bulk basis."
The Privacy Act allows the disclosure of personal information where the head of an institution determines the public interest in doing so clearly outweighs any invasion of privacy that could result from the disclosure.
Disclosures under this section are made for many reasons; one of the most controversial is the disclosure of information about violent offenders who are released into the community. My office has taken an active interest in this issue. My predecessor commented on several provincial initiatives that have attempted to deal with this issue and the office issued a discussion paper on the subject. This is also an issue that I intend to pursue.
The public believes it has a right to access this information in order to protect itself, but what of the individual offender's right to privacy?
In the U.S., states are required to maintain sex offender registries. Many states have posted these registries on the Internet. Not surprisingly, there have been numerous incidents of vigilantism. In Canada, the release of this kind of information is dealt with on a case-by-case basis, which I believe to be more appropriate, although the pressure to follow the American example remains. This is also an issue with which your country has been struggling. I understand that Great Britain established a sex offenders' registry in 1997 although you have so far resisted calls to give the public an automatic right to know the names and addresses of convicted sex offenders.
These are but two examples of the kind of tension that exists between access and privacy. There are arguments to be made from both sides, strong arguments-but can the same person make both arguments and do justice to either?
I believe the answer to that can be found in those cases where access and privacy have come together in the Canadian court system. While it is certainly not the only bone of contention, these disputes frequently centre on a particularly troublesome section of the legislation dealing with the personal information of government employees.
The courts have been asked on several occasions to determine whether the information proposed for disclosure is personal information, or is information related the individual's position or function as a government employee, and therefore eligible for disclosure.
Typically, the Information Commissioner has argued for maximum disclosure, and the Privacy Commissioner naturally, for greater protection where the information seems to relate more to the individual than his or her job.
A case before the courts at the moment deals with a request for information on the previous postings of four members of the Royal Canadian Mounted Police. The Information Commissioner argues this information relates to the officer's position; my position is that this information amounts to their employment history, and is thus personal information and entitled to protection.
While I cannot predict the outcome of this case, I can predict that whatever the decision, it will have been reached, and will be perceived to have been reached, in an open and impartial way, with a full and fair hearing for the arguments from both sides.
Were the same decision to be made by one individual acting for both sides, I do not believe I could make the same prediction.
In a landmark decision in 1997, the Supreme Court of Canada ruled that while the Access to Information Act and the Privacy Act have equal status and must be given equal effect, both statutes recognize that privacy takes precedence over access.
This is as it should be, and the way the citizens of a democracy expect it to be.
Canadians value their right to freedom of information; they treasure their right to privacy. To say the two are of equal status-to encourage the perception that access and privacy are of equal status-is, in my view, misleading, and unhelpful.
Can government offer both access to information and privacy? Yes, but only if there are separate and adequate protections for both, and only if it is recognized that in all but the most exceptional circumstances, privacy must come before access.
I believe we must always be very clear: Access to information is desirable. Privacy is essential and fundamental.
Report a problem or mistake on this page
- Date modified: