Government Online and on the Front Line
April 23, 2001
Privacy Commissioner of Canada
(Check Against Delivery)
The G.O.L. initiative is an exciting and excellent one. Improving the way programs are delivered and making government more efficient and accessible are obviously worthwhile goals.
But they cannot come at the expense of a fundamental human right-the right to privacy.
My role, as an Officer of Parliament, is to see that the privacy rights of Canadians are respected. That includes ensuring that the letter and the spirit of the Privacy Act and the Personal Information Protection and Electronic Documents Act are observed.
But compliance with the law isn't the only reason to consider privacy when you're talking about Government On-Line.
Respect for citizens' privacy is, I firmly believe, the key to the success of Government On-Line.
I'm going to talk today about what privacy is, and why it's important. Then I'll outline some significant privacy issues with the G.O.L. initiative, and make some suggestions as to how they should be addressed.
I've frequently said that I believe that privacy will be the defining issue of this decade. That's because we are at a crossroads.
Until relatively recently, privacy was protected pretty much by default. As long as information about us was in paper records, and scattered over a whole lot of locations, someone would have to go to a lot of trouble to compile a detailed dossier on any individual.
So unless you were very famous, or very important, or... had done something really bad, your privacy was pretty safe.
But now the move to electronic record-keeping is eating away at those barriers - barriers of time and distance and cost-that once guarded our privacy from all but the most determined of snoops.
Now some stranger at a computer keyboard can compile an amazingly detailed dossier on your whole life, literally in minutes.
The choices we make in confronting the threats to privacy will determine what kind of world we leave for our children and grandchildren.
Privacy is a critical element of a free society-it's "at the heart of liberty in a modern state," as Justice La Forest of the Supreme Court has said.
That's because there can be no real freedom without privacy. In fact, many have suggested that privacy is the right from which all others flow-freedom of speech, freedom of association, freedom of choice, any freedom you can name.
None of us wants to go through life feeling that at any moment someone may be, either metaphorically or literally, looking over our shoulder. If we have to weigh every action, every purchase, every statement, every human contact, wondering who might find out about it, judge it, misconstrue it, or somehow use it to our detriment, we are not truly free.
That's why lack of real privacy is a distinguishing characteristic of so many totalitarian societies.
And that's why privacy is not only an individual right-it's also a shared value, a social, public good. Our society as a whole has a stake in the preservation of privacy.
We cannot remain the kind of society that we all want to be-a free, open and democratic society in which we all have the autonomy to fulfil ourselves-unless the right to privacy is respected.
We need to turn around the widespread idea of the privacy of the individual being balanced against the interests of society. The interests of society include the privacy of individuals. When privacy is lost, the individual feels it of course, but society is the real loser.
That doesn't mean that privacy is an absolute right. Sometimes some of it has to be sacrificed to advance other crucial social objectives.
But if we make too many trade-offs, accept too many calls to give up a little privacy here, a little privacy there, soon we'll have no real privacy, and no real freedom.
When someone proposes a limitation, a trade-off for some other objective, we need to scrutinize it very, very carefully. Is there really a need that clearly outweighs the loss of privacy? Will sacrificing privacy really achieve the objective? Is there a less privacy-invasive way to achieve the same objectives?
I define privacy as the right to control access to one's person and to information about oneself.
That distinguishes privacy from two related concepts: security, and confidentiality.
These sometimes get used interchangeably with privacy. That, I want to emphasize, is a mistake. They're entirely separate issues.
Privacy is our right to control information about ourselves-including the collection, use, and disclosure of that information.
Confidentiality is your obligation to protect personal information in your care, to maintain its secrecy and not misuse or wrongfully disclose it.
And, security is the process of assessing and countering threats and risks to information.
It's privacy that drives the duty of confidentiality and the responsibility for security. If privacy is not respected, ensuring confidentiality and security is not enough. If you collect, use, or disclose information about someone, without their consent, you've violated their privacy. That fact doesn't change just because you ensure confidentiality and security of the information.
Against this background, let me now turn specifically to Government On-Line.
There is no question in my mind that Government On-Line can revolutionize the way that government delivers programs, and the way that Canadians interact with government.
Streamlined service delivery, ease of access to government services and information, and elimination of duplication are some of the anticipated benefits.
G.O.L. mirrors changes that have revolutionized the private sector. It's going to make government less removed, more accessible, more business-like. That-and not just contract opportunities-is why the private sector supports it.
It promises to make Canada a world model in service delivery, and a world leader in technology.
I support these objectives wholeheartedly.
It would be a tragedy if we failed to achieve them because we got it wrong on privacy.
This is not just me talking as a privacy advocate.
The key in getting Government On-Line is to get the trust of Canadians. If Canadians think Government On-Line threatens their privacy, they're going to resist it.
I don't have to remind you about the problems last year with the Longitudinal Labour Force File at HRDC. This compilation of very personal, private information on every individual in Canada outraged Canadians so much that the government was forced to dismantle the entire database almost immediately.
That database may have been compiled with the best of intentions, in pursuit of objectives as reasonable as the objectives of Government On-Line.
But what mattered to Canadians was their privacy. The program failed because privacy was not built in at the outset.
What are the privacy concerns in the Government On-Line initiative?
Well, here are three of the most important.
First of all, some visions of Government On-Line would lead to walls coming down between agencies and programs, within government and across levels of government.
That may sound wonderful. But remember: those walls are also walls between collections of personal information.
If government becomes a single, centralized body, the most profound impact will come from the merging of databases.
This is information about individuals and/or their interactions with government that's been collected for specific uses.
When it's held in separate databases specifically for those purposes-"silos" as they're called-the information is compartmentalized.
When the walls of those silos come down, two things can happen. One is that someone with a need to know only one piece of information can have access to lots more. The people processing your application for a CPP disability pension have a need to know your personal health information. No other government official needs to, or should.
That's one problem. The other is that information can be combined, to reveal new information. This can lead to profiles of individuals. That's a hot subject in the commercial world, and we've seen hints of it in government-including, as I mentioned, the HRDC Longitudinal Labour Force File.
Profiling of citizens is the hallmark of surveillance societies. The building of dossiers on individuals, tracking their activities and their interaction with government, has no place in an open, democratic society. It is the end of anonymity. It is the end of our right to go about our lawful, peaceable business unmonitored. It is the end of the right to be let alone.
I accept that sometimes there is justification for matching personal information from different sources. Both the Privacy Act and the New Private Sector Law allow it in certain exceptional circumstances. But those circumstances are strictly limited and they have to be justified.
Separate databases are a built-in protection against unrelated uses and against profiling. The advantages of this could be lost under the Government On-Line initiative unless we take steps to build in protections.
The second concern is this: delivering services or benefits electronically will involve the private sector. We know that; it's part of the explicit objectives of Government On-Line. The discussions about the secure channel, and the response to the government's call for private sector tenders to work on the project, are an indication of just how massive the involvement of the private sector is going to be.
Again, we come to the issue of walls. The linkage of existing networks could eventually lead to one inter-operable system combining the information holdings of all sectors of society, public and private.
But the protections for privacy in the private sector are limited, even with the Personal Information Protection and Electronic Documents Act in force.
We can't let the objectives of efficient government and private sector development lead to the emergence of uncontrolled databases on Canadians.
We all support a thriving private sector and more efficient delivery of services. With the right privacy protections built in, it may not be a problem. But without them, I am absolutely certain that it will be.
The third concern is the need that an interactive government system will have for some sort of authentication, identification, and access device. The government has confirmed that G.O.L. will give clients what it calls "e-identities."
Authentication mechanisms are necessary for a networked economy, but they're fraught with problems of which we need to be aware, right at the outset.
Will this lead to some sort of smart card? These cards have the capacity to store or access large amounts of personal information, relating to different government programs and services. If they're designed right-for example, if you have different cards for different purposes-they can protect privacy.
But a single card that holds all the information about our interactions with government raises the problem of combined databases to a whole new level. It will accelerate the centralization and sharing of personal information. If all of an individual's transactions occur through, or are recorded at, the same source, we will have a powerful centre of data on all citizens.
The issuing, revoking, or withholding of such a card could be used to control social behaviour, limit an individual's activities, or punish unrelated activities.
And, unless we take steps to restrict it, the forces of convenience and efficiency will drive it towards becoming a national identity card.
In Canada we don't have to identify ourselves to anyone-agents of the state or anyone else-except for specific and limited purposes. This is not a country where you can be stopped by a police officer and casually required to produce your papers, like so many countries around the world.
The police do not routinely visit hotels each morning to record the passport and identity card numbers of guests. In Canada you have the right to go about your business anonymously and peaceably, without having to justify yourself, without having to be subject to surveillance.
It would be unacceptable to lose that.
So, am I saying that Government On-Line is a bad thing then? Absolutely not. But you need to build privacy into the system from the outset.
The G.O.L. initiative will fail, at the cost of enormous investments, if you assume that any privacy problems can be handled by others, after the fact. Privacy needs to be considered at the drawing board, not later.
This is not new to G.O.L. people. Almost two years ago, Canada's Chief Information Officer of the day warned that privacy cannot be addressed as an afterthought. The Public Sector CIO Council declared privacy "a significant element of any IM/IT project." In speeches and presentations, the President of the Treasury Board and the Clerk of the Privy Council have repeatedly acknowledged the importance of privacy.
And Canada's current Chief Information Officer, Michelle d'Auray, has stated clearly and frequently that privacy is to be a cornerstone of G.O.L.
So that's all very encouraging.
But if I go to the Government On-Line website and look at what the government is telling Canadians about addressing privacy concerns, what I find is this.
Information is protected from unauthorized use and disclosure.
There are IT Security Co-ordinators, and experts to help with IT and physical security.
There's a layered security approach, with firewalls, a Public Key Infrastructure, and strong access controls.
Authorization, authentication, and intrusion detection will assure secure, reliable business.
Everything I just cited to you is not about privacy-the right to control information about yourself. It's only about security and confidentiality.
They're not the same. Assuring security and confidentiality through firewalls, PKI, and a secure channel-these are good and necessary. But they don't address the critical issue of privacy. Outsiders might not be able to breach the system and access information-but government itself would have free rein.
So then, what would protect privacy? What would a privacy-friendly Government On-Line look like?
Take the first issue I identified: the trend towards unified, centralized databases.
The architecture of the system has to be informed by privacy principles.
I'm not going to go into detail here about these principles. They're widely known and widely accepted.
But let me just outline a couple of them. Information collected for one purpose should not be available for use for unrelated ones. Information should be kept only as long as it's needed for the purpose the individual consented to. Access to personal information should be limited to those with a need to know, for authorized purposes.
I'll be very frank with you. I don't think that you can respect these privacy principles without retaining some of those walls between banks of data.
I think the key advantages of Government On-Line can still be met, while maintaining information in separate silos and protecting the privacy of citizens.
Most individuals don't deal with 20 different departments in pursuit of government services. What single service do most Canadians need to contact multiple departments for? They contact HRDC for unemployment information. They contact CCRA about their taxes. They contact Citizenship and Immigration when they want to renew their passport.
If there really are services where you have to contact multiple departments, is it a good idea to reduce the number? Of course. But do Canadians really need to have only one password for all of government, and a seamless interface between different levels of government? Quite frankly, I don't think so.
I think you have to water your wine. I don't believe that one-stop shopping for government services can be done without gravely violating privacy principles.
What about the second issue, the involvement of the private sector?
This is not intractable. Private sector companies came up with the Model Code at the heart of the New Private Sector Legislation, and they pushed for the passage of that law.
They know that European Union countries have stringent protections for privacy, and the same thing is happening world-wide. They know that competing globally means meeting international data protection standards and protecting privacy.
That said, transfers of personal information to the private sector have to be subject to protections. That includes contractual commitments that companies will respect the Privacy Act. And it requires robust supervision and inspection to ensure that they in fact do so, without waiting to find out the hard way through some grave violation.
What about the problem of client authentication and "e-identities"?
I think that the default setting should be anonymity.
Construct your system around the way people would want to conduct their lives. Let them reveal information about themselves where they need to, as much as they need to and no more.
Where they can be anonymous, allow it. If there's no reason that is beneficial to the individual for one agency to know what he or she did with another agency, have the system keep it separate.
When Canadians go looking for general information about government programs, as opposed to actually having a transaction with government, you don't need to know who they are. There's no issue. Don't make it one.
If you're going to use smart cards, build privacy into them. Segment information. Use multiple cards. Put the control of the information on the card into the hands of the individual whose information it is. Otherwise, just don't do it.
The way to ensure that privacy is built in, when you're designing these projects, is to do a Privacy Impact Assessment for each initiative before it is funded.
This allows you to forecast a proposal's impacts on privacy, assess its compliance with legislation and principles, and determine what's required to fix any problems there may be. It helps you avoid the costs, adverse publicity, and loss of credibility and public confidence that could result from a proposal that hurts privacy. And you can use it to tell Canadians what you're proposing, and involve them in the design and implementation.
Do Privacy Impact Assessments at the earliest point in your projects. In my office, we're looking at setting up a process where we can review them and offer comments at an early stage. I can't give an unconditional seal of approval, but I can certainly give a heads-up if there are obvious shortcomings. I don't want to have to oppose something when it's gone too far and millions of dollars have already been spent.
I said at the outset that we are at a crossroads, that how we confront the threats to privacy will determine what kind of society we leave for our children and grandchildren.
But you know, the greatest threats to privacy seldom come from those who want to do harm.
They come from well-intentioned people who say that privacy needs to be sacrificed for some greater good-customer service, prevention of crime, efficiency.
I believe that it is possible to deliver government programs efficiently and conveniently, and get our Government On-Line, without sacrificing privacy.
If you recognize how important privacy is to our society and to our freedom-if you recognize how concerned Canadians are about it, and build your system accordingly-you'll have Canadians behind you all the way.
I firmly believe that protecting privacy, and winning the trust of Canadians, is the way to ensure the success of the Government On-Line initiative. Let's work together to make sure we build a privacy-friendly Government On-Line.