Protecting Privacy in Canada: Monitoring Compliance
Information Systems Audit and Control Association:
Annual General Meeting
May 31, 2001
Director General of Privacy Practices and Reviews Branch
(Check Against Delivery)
Let me start by giving you a little background about the Office of the Privacy Commissioner: what we do and how we operate with respect to the Privacy Act and the new Personal Information Protection and Electronic Documents Act that came into effect on January 1, 2001. After this brief introduction, I will talk more specifically about compliance issues including the role of audits. I propose to conclude by touching briefly on the concept of privacy.
The position of Privacy Commissioner was established in 1983 as an independent ombudsman to investigate complaints from the Canadian public about the federal government's handling of personal information. The Privacy Commissioner is an Officer of Parliament who does not report to or through a Minister. The Commissioner reports directly to Parliament which enhances the independence of the Office.
The Privacy Commissioner is responsible for overseeing compliance with two pieces of legislation: the Privacy Act that applies to more than 140 federal government institutions; and the Personal Information Protection and Electronic Documents Act that applies to organizations that use personal information in the course of conducting commercial activities.
As an ombudsman, the Commissioner does not have the power to make binding decisions. As a result, our Office is a persuader, not an enforcer. When persuasion does not work, and as a last resort, the Commissioner can attempt to use public opinion to secure remedial action.
However, the Commissioner is not without formal powers. The Office has the power to compel documents and evidence under oath, to report urgent matters directly to Parliament, and to take some matters to Federal Court. The 17 years of experience that the Office has had with this ombudsman role has shown that heavy-fisted enforcement is not necessary to secure the privacy rights of Canadians. Rather than emphasizing confrontation, the ombuds role emphasizes resolving complaints and correcting the underlying problems that lead to those complaints.
Since 1983, we have handled more than 20,000 complaints involving scores of government departments and agencies with widely differing functions and management systems.
Fewer than a dozen of these complaints have ended up in the Federal Court. We would like to think that this is because, overall, the recommendations made by the Commissioner are perceived as informed and fair. Our approach has always been non-confrontational and non-adversarial, an approach that will be even more necessary in the private sector.
In addition to complaints, people call and write us about anything that touches on their personal privacy. This can include junk mail, social insurance numbers, credit card applications, video surveillance, and cross border shopping. Recently, these calls and letters run to more than 10,000 a year. Since 1983, we have handled over 70,000 inquiries from Canadians on all manner of topics that touch on their personal privacy.
Perhaps our most important role is as an educator and an advocate for Canadians' privacy rights. We would risk irrelevancy if we did not follow, and speak out on, the issues that potentially threaten our privacy.
The Personal Information Protection and Electronic Documents Act
What has changed with the Personal Information Protection and Electronic Documents Act? In one sense, not much. Part 1 of the act (that is, the privacy section) gives the federal Privacy Commissioner oversight responsibility with substantially the same powers that exist under the Privacy Act, and we intend to continue with the non-confrontational approach that we have used in enforcing the Privacy Act.
In another sense, the Personal Information Protection and Electronic Documents Act reflects a profound change. The act represents a significant step towards ensuring that Canadians can exercise some control over the use of their personal information in commercial transactions. With the important exception of the province of Quebec, the rest of Canada has not enjoyed this right up to now. From the private sector's perspective, the legislation imposes new obligations. Probably the most important obligation is that, with limited exceptions, the private sector will not be able to collect, use or disclose an individual's personal information without that person's knowledge and permission.
The intent is not to prohibit companies from using clients' personal data. Nor is it to impede business; companies have legitimate needs for personal information about their clients. The goal is to encourage business to establish more open and transparent relationships with their clients and to provide a user-friendly process for clients to obtain their personal information and challenge its accuracy.
The law is being phased in over three years. Now, the law applies to federally regulated businesses such as banks, telecommunications companies, airlines, and any organizations disclosing personal information across inter-provincial and international borders for consideration. As well, the legislation now applies to all organizations in Nunavut, the Yukon and the Northwest Territories that use personal information in the course of commercial activities.
Starting January 1, 2002, the law will begin to apply to personal health information collected, used or disclosed by organizations to which the legislation now applies.
On January 1, 2004 the law will apply to all commercial activity in Canada, whether federally or provincially regulated. However, the federal government may exempt organizations and/or activities in provinces that have adopted substantially similar legislation. In other words, either the federal act or provincial legislation will apply to all businesses that collect, use or disclose personal information. Quebec already has such legislation in place and so will be largely exempt from the federal act. Some other provinces have announced that they will pass similar legislation.
Our Approach to Compliance and Enforcement
Now, let me explain the Office's approach to compliance and enforcement. The Office of the Privacy Commissioner has two ways to assess how well, or how badly, organizations are complying with the fair information handling standards. The first is complaints and I have already indicated that we receive a large number of Privacy Act complaints each year. And to date, we have received more than 20 complaints about the information handling practices of businesses. The second way we monitor compliance is through audits.
The Role of Audits
Where do audits fit in this approach? Investigating complaints from the public has always enjoyed a higher profile and more resources while resources devoted to audits have been very elastic, expanding and shrinking in step with overall resources. Over the course of the past 17 years, we have placed varying degrees of emphasis on audits. Our approach to auditing (who we audit, the scope of audits, and our methodology) has changed through the years.
Perhaps predictably, the OPC's approach to auditing compliance shifted within the first few years of our existence away from an optimistic (and perhaps unrealistic) plan to systematically audit all of the federal government institutions under the jurisdiction of the Privacy Act.
Over time, the Office has shifted its emphasis to targeted auditing and to providing advice to government institutions. Our focus shifted away from physical security and more attention was paid to information handling practices and the knowledge and attitude of staff.
The Office has not abandoned auditing (we are currently auditing two government institutions), but we have become very selective. Let me take a moment to discuss the outcome of one recent audit.
Three years ago, the Office concentrated its meagre compliance resources (four staff) almost entirely on Human Resources Development Canada (HRDC). Why HRDC? With federal government reorganization, HRDC became the federal government's largest repository of personal information on its citizens with information relating to labour market adjustment programs, social and income security programs, social development and education programs, and employment insurance programs. The combination of huge personal databases, powerful computer systems and growing links with provincial social programs and the private sector made HRDC a natural focus for privacy concerns.
Our audit team concentrated on an informal but systematic review from which it assembled a profile of the department. The team concentrated its resources on those activities that seemed to put clients' privacy most at risk. One of the activities that stood out was the Longitudinal Labour Force File.
You may recall from the media coverage that the Longitudinal File contained records on more than 33 million individuals drawn from widely separate internal and external government files. The data was never purged, which explains why there were more records than the entire population of Canada. The database was 23 times bigger than the census database and was measured in terabytes of information.
The database contained more than 15 years' worth of Revenue Canada's complete tax records. It contained employment insurance records, information from provincial and municipal social assistance programs, child tax benefit records, national training program records, record of employment information, immigration and visitor files and more.
What was wrong with the file from a privacy perspective? Several things. First of all, this was an extraordinarily detailed database, which could contain as many as 2000 elements on an individual. Second, the database was relatively invisible. Third, research databases should have defined parameters that include a limited retention period; this database lacked limits. Finally, there was no legal protective framework.
We told HRDC about our concerns in September 1998. HRDC responded by conducting its own internal review, which concluded that the organization "respects all the privacy legislation as well as related legislation and associated rules." In his annual report, released in May 2000, the previous Privacy Commissioner called this database "the next thing to a citizen profile." The public's dissatisfaction with, and disavowal of, that citizen profile was fast and furious. The day after our annual report was published, the story was reported on the front pages of all French and English dailies across the country.
Within 48 hours HRDC had received more than 500 requests for access to the file. Just to give you a sense of the public's concern, I should tell you that HRDC received more than 69,000 requests from Canadians to see the information HRDC holds about them. And as you probably know, HRDC responded to Canadians' dissatisfaction by dismantling the database.
I have discussed the HRDC database because the experience demonstrates two important points: the first is that, used judiciously, the Privacy Commissioner's ability to publicize his findings can be a powerful tool, even without the authority to order organizations to change their practices; second, the public's response to the media stories about the database shows that Canadians do care about privacy.
Audits under the Privacy Act have usually been conducted by a team of two to four officers who visit selected headquarters and a number of regional offices. They review a random sample of files from selected banks and interview managers and staff who use and control the files. In our experience, the audits have revealed some persistent problems:
- Employees are generally not aware of the impact of the Privacy Act on their day-to-day handling of personal information;
- The physical security of personal information is often inadequate;
- Duplicate files are held throughout organizations; and
- Schedules for retention and disposal either don't exist or are not followed.
Once an audit is completed, the Commissioner provides the audited organization with a copy of the audit report and any recommendations he considers appropriate. Details from this report may be included in the Commissioner's compulsory annual report to Parliament. I would like to be able to report that our findings, once communicated to the appropriate parties within the departments audited, were immediately acted upon. However, this has not always been the case. A series of subsequent follow-up reviews found that in many cases, items slated for remedial action years before had still not been addressed.
Audit Powers under the Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act gives the Commissioner the authority to audit private sector organizations that is similar to his authority under the Privacy Act. However, there is one significant difference. In the case of the Personal Information Protection and Electronic Documents Act, the Commissioner can only conduct an audit if he has "reasonable grounds to believe" that the organization is contravening a provision of the act.
What might prompt the Commissioner to believe that an organization is not in compliance with the act? There are several possibilities:
- A serious incident reported by the media, for example, the discovery of printed records containing sensitive personal information at a dump site or sitting in a back alley recycling bin;
- A series of complaints that indicate systemic problems with an organization's information handling practices; or
- Information provided by an individual under the whistleblower provision.
In conducting an audit, the Commissioner has the power to summon and enforce the appearance of any person before him. He has the authority to administer oaths, receive evidence and, at any reasonable time, enter premises other than a dwelling house on satisfying the security requirements of the organization. The Commissioner can also examine or obtain copies of records found in any premises.
It is a criminal offence to obstruct the Commissioner during an investigation or audit or knowingly dispose of information that is the subject of a request by an individual. The legislation also makes it a criminal offence for employers to take retaliatory actions against employees, for example, employees who report a contravention of the legislation to the Privacy Commissioner or who refuse to contravene the data protection provisions.
What to expect from an audit by the Privacy Commissioner
The Commissioner's powers may sound excessive. In fact, they reflect the importance that the government, and I believe most Canadians, attaches to protecting personal information. As I have mentioned, our Office does not intend to pursue the goals of this legislation through unnecessary confrontation. In an attempt to reassure you further that we prefer consultation and co-operation to confrontation, let me suggest what an organization can expect from an audit:
- In keeping with the Commissioner's co-operative approach, privacy audits are non-confrontational. We have no interest in embarrassing organizations; on the contrary, we want to help organizations improve their personal information handling practices.
- The Commissioner will inform the organization in writing that an audit will be undertaken. The letter will specify the focus of the audit, propose a reasonable timeframe and provide the name of the officer delegated to conduct the audit.
- Although the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence, audits will not normally be conducted on such a formal basis.
- The officer will meet with the organization's representative for a preliminary discussion of the intent, purpose and scope of the review process.
- When the officer requires access to any of the organization's premises he will satisfy security requirements. The officer will return any documents within 10 days of a request for their return but they may be requested again if the need arises.
- At the conclusion of the audit, the officer will debrief the organization's representative on the findings. The officer will prepare a report providing the findings of the audit and any recommendations that the Commissioner may have with regard to problem areas.
- The Commissioner will send the report to the organization and may ask to be kept informed of actions the organization takes to correct identified problems.
Although we have received additional resources to oversee compliance with the Personal Information Protection and Electronic Documents Act, we still have a relatively small compliance staff. Just as in the past, we will have to use these resources selectively, which means that, at most, we will be able to conduct only a few audits each year. As yet, we have not started any audits of private sector organizations.
Why Privacy is Important
I would like to conclude by looking at the big picture. What do we mean when we talk about privacy and why is privacy important? Privacy is not easily defined, though most people have a sense of it and what it means.
Probably the best-known definition dates back over a century, to the American jurists Samuel Warren and Louis Brandeis. They defined privacy as "the right to be let alone," a definition that, if nothing else, is easily understood.
The Privacy Commissioner of Canada, George Radwanski, defines privacy as the right to control access to one's person and information about oneself. That definition, I think, is better suited to the challenges facing us. It captures two important concepts: the notion that the individual should be able to exercise control; and secondly, it reflects the extent to which many contemporary privacy challenges revolve around informational rather than physical privacy. Whatever they mean by it, people value privacy.
Like any other right, privacy exists in a balance, and is always subject to such limits as are, in the words of the Charter of Rights and Freedoms, "demonstrably justified in a free and democratic society."
But I want to emphasize that the balancing act should not be conceived as the privacy of the individual balanced against the interests of society.
Privacy is not only an individual right; it's also a social, public good. Our society as a whole has a stake in its preservation. We cannot remain the kind of society we want to be, a free, open, and democratic society, unless the right to privacy is respected.
In other words, the interests of society include the privacy of individuals. And when that is lost, society also loses.
I also want to clarify the terms privacy, security, and confidentiality. These sometimes get used interchangeably. That's a big mistake, particularly given the current focus on government-on-line initiatives and the extent to which the Internet is driving many privacy concerns. Privacy, security and confidentiality are three separate and distinct issues.
Privacy is our fundamental right as individuals to control information about ourselves, including controlling the collection, use, and disclosure of that information.
Confidentiality is the obligation of a custodian to protect personal information in its care, to maintain the secrecy of the information and not misuse or wrongfully disclose it.
Security is the process of assessing threats and risks to information, and taking steps to protect it.
So, the distinctions are dramatic: privacy is a fundamental right; confidentiality, an obligation to protect information; and, security, the process of protection.
But it's privacy that drives the duty of confidentiality and the responsibility for security. It's privacy that has to be addressed, before we deal with the ensuing notions of confidentiality and security. And if it is not respected, ensuring confidentiality and security is not enough. If information about someone is collected, used, or disclosed, without their knowledge or consent, ensuring the confidentiality and security of their information doesn't mean that their privacy has been respected.
It all begins with privacy.