Security and Privacy for Government On-Line Conference
December 4, 2001
Privacy Commissioner of Canada
(Check Against Delivery)
I addressed a Canadian Institute conference on privacy and Government On-Line last April. It's quite telling that the same topic is the focus of another Canadian Institute conference so soon. It's an indication of how important the topic is.
I would have liked to have come here today and said something entirely different from what I said in April. I would have liked to be able to say that the privacy issues in Government On-Line have been addressed and resolved.
That's not the case, unfortunately. My concerns about GOL are unchanged, and I can't say that they've been adequately addressed yet.
There are promising signs, and I'll come to those. But I would be remiss in my duty, which is to champion the privacy rights of all Canadians, if I didn't once again make my concerns very clear.
GOL is an important initiative. It promises to improve the way programs are delivered, and to give people a wider range of choice as to how they gain access to government services. It promises to make government more efficient and accessible. It will contribute to making Canada a world leader in technology, and to the development of a thriving private sector. These are things we all want.
But life is not always about what we want. It's more often about making reasoned decisions when we're faced with difficult choices. And we need to make reasoned decisions and hard choices about GOL. For all its promised advantages and benefits, we have got to make sure that the price we pay is not our fundamental human right of privacy.
The federal government needs to fully recognize that respect for citizens' privacy is critical to the success of Government On-Line.
That's one of the lessons we've learned from the development of electronic commerce. People are concerned about their privacy, and they're reluctant to engage in electronic transactions if they think their privacy is at risk.
Addressing those concerns was one of the principal reasons Parliament passed the Personal Information Protection and Electronic Documents Act, which gives people control over their personal information in commercial exchanges. Its application is limited at the moment. But within a few years it or a provincial law substantially similar to it will apply to all commercial exchanges in Canada. And that is largely because legislators recognize that electronic commerce, with all its benefits, will only succeed in Canada if consumers' privacy concerns are addressed.
The same holds true for Government On-Line. People will not accept it, at least not in any significant numbers, unless they are assured that their privacy is protected.
The title of this conference, "Security and Privacy for Government On-Line," indicates, I hope, that people now appreciate that security and privacy are not one and the same thing. They have to be distinguished from each other, and from a third related concept, confidentiality.
The distinctions weren't always clear to the architects of GOL. I commented last time I was here that the Federal Government's website on GOL professed to talk about privacy, but in fact only talked about confidentiality and security.
Once again, let me clarify the terms.
Privacy is our right to control information about ourselves, including the collection, use, and disclosure of that information.
Confidentiality is our obligation to protect other people's personal information when it's in our possession. It's an obligation to care for the information, maintaining its secrecy and not misusing or wrongfully disclosing it.
And security is the process of assessing and countering threats and risks to information.
Again, let me stress that privacy drives the duty of confidentiality and the responsibility for security. If you don't respect privacy (if you collect, use, or disclose information about someone without their consent), it doesn't matter that you ensure confidentiality and security.
That's why all the assurances in the world about security and confidentiality won't satisfy me that the privacy concerns in the Government On-Line initiative are being addressed. It's all well and good that information is protected from unauthorized use and disclosure, that physical security is assured, that there are firewalls and encryption measures and intrusion detection.
Those things govern the information once it's collected. They're necessary, but they're not sufficient. They don't amount to privacy protection. The privacy concerns remain.
And what are those privacy concerns? Well, I'll recap three of the most important.
First, the merging of databases, as walls come down between agencies and programs, within government and across levels of government.
We all like cooperation and coordination between agencies that have a common goal. We all oppose duplication and waste. So the idea of breaking down the walls can be pretty appealing.
But some walls between collections of personal information are crucial.
Information about individuals and their interactions with government is collected for specific uses. The separate databases it's held in, "silos" as they're called, reflect the specific purposes justifying the collection and retention of the information. The information is compartmentalized. Yes, there's some duplication. That's a trade-off for a couple of benefits.
Without those silo walls two things can happen.
One is that someone with a need to know only one piece of information can have access to lots more than he or she needs or has any right to. If I surrender information in order to get a CPP disability pension, the only person who should have access to that information is someone with a demonstrable need for it, for the purposes I agreed to when I surrendered it. And that person has no business knowing anything else about me. I can only count on that being the case when there are walls between the different banks of information.
That's one problem. The other is that information can be combined to reveal new information, sometimes misleading or inaccurate. This can lead to profiles of individuals, and it's here that the great danger lies.
Profiling of citizens is a distinguishing feature of surveillance societies. Building of dossiers on individuals, tracking their activities and their interaction with government, has no place in an open, democratic society.
We have a well-established and long-cherished right to go about our lawful, peaceable business anonymously and unmonitored. None of us would agree to renounce this right if we were asked to do so. No political party in the country would even contemplate asking the public to surrender it.
We can't allow it to slip away from us in the pursuit of some ill-considered efficiency.
The second concern is the involvement of the private sector in delivering services or benefits electronically.
There's nothing intrinsically wrong with that, of course. It may well lead to more efficient delivery of services, and probably will contribute to the economic health of the private sector as well. With the right privacy protections built in, it may not be a problem. But without them, it will be.
Again, the problem is that the existing walls between banks of personal information help to protect privacy. Linking networks could eventually lead to one inter-operable system combining the personal information holdings of both the public and the private sector. And privacy protection in the private sector, even with the Personal Information Protection and Electronic Documents Act in force, is patchy. Unchecked and unguided, the pursuit of the objectives of efficient government and private sector development could very well lead to the emergence of uncontrolled databases on Canadians.
The third concern is the need for an authentication, identification, and access device: an "e-identity."
Authentication is a big issue in a networked economy. Electronic commerce tends to require that businesses know whom they're dealing with. Ingenious minds are always looking for alternatives so that we can do business without authentication, but those alternatives haven't really caught on, and I think it's likely that we're stuck with authentication. Most people seem to be content with it in electronic commerce. But its use by the state is a different issue, and we need to be aware of the problems, right at the outset.
We need to ask two questions about authentication of clients of government services. First, to what extent is there actually a need to identify the client?
If people have a ready means of authenticating their identity in an electronic interface with government, it may be tempting to require authentication when it's not really needed.
Obviously, if you're seeking a government benefit, you have to identify yourself. The government has to be able to verify that you are who you say you are, that you're entitled to the benefit, and that you haven't already received it.
But there's no need to ask people to authenticate their identity in a transaction that can just as reasonably be done anonymously. A simple request for information, for example, requires no authentication of the client's identity.
What's needed here is a conscious choice to require authentication only when necessary. The default setting should be anonymity.
That shouldn't be something we have to argue for, but unfortunately it is. While authentication is necessary for some transactions, it becomes easy to slide into demanding it where it's not really required.
Things like cookies, digital certificates, and public key encryption all contribute to client identification and detract from anonymity. They should only be used where anonymity will not work.
The other question we need to ask is this: How deep do we need to drill to authenticate identity, and what evidence will satisfy us?
If you are interfacing on-line with the Department of Human Resources Development for Canada Pension Plan benefits, the department needs to verify certain things about you. If you are inquiring on-line about your passport, the Department of Foreign Affairs needs to verify certain things about you.
The kinds of information those departments need to know about you are not the same, although there obviously is some overlap, like your name and your date of birth. Whatever means of authentication is chosen, the architecture of the system has to reflect that. Authentication for one purpose must not elicit information from you that's only required for another purpose.
Again, we shouldn't have to belabour the point, but we do. It's just all too easy to design a one-size-fits-all authentication device, like a smart card, that incorporates all the information about our interactions with government, and then makes it all available, indiscriminately, every time we interact with a government department.
So those are my concerns about Government On-Line. They were my concerns when I last spoke here, and they continue.
They should be the concerns of the architects of GOL as well, because GOL will fail, at the cost of enormous investments, if those concerns are not addressed.
Now, as I said earlier, there have been some very hopeful developments. In the federal government, especially in the Chief Information Officer's branch at Treasury Board, GOL people are taking these concerns seriously. I'm not saying that the problems have all been addressed. I'm saying simply that the existence of the problems is recognized, and GOL architects are looking at ways of addressing them.
Best of all, they're looking at ways of building in solutions to privacy problems in the early stages of the GOL projects. The GOL architects are beginning to recognize that privacy can't be dealt with as an afterthought, and that proper design is more cost-effective than retrofit.
They see the challenge now as one of finding ways of increasing efficiency while still respecting privacy. They've recognized that the architecture of GOL systems has to be informed by privacy principles, so that, for instance, information collected for one purpose isn't available for use for unrelated ones, and is kept only as long as it's needed for the purpose the individual consented to.
There's a growing recognition in the Chief Information Officer's branch that respecting privacy principles may mean that government departments have to maintain some of those separate information silos.
They're recognizing that transfers of personal information to the private sector have to be subject to protections like contractual commitments that companies will respect the Privacy Act.
And I believe that they're coming to terms with the reality that departments don't need to know someone's identity every time he or she transacts with government. They are starting to accept, I think, that anonymity should be the default setting. And that where anonymity is not possible, authentication information is limited and segmented; the only personal information that's revealed in authentication is the information that's needed for that specific transaction.
What's most helpful in building privacy into systems at the outset is a Privacy Impact Assessment. And that's what I want to talk about now, because it holds great promise for the federal government's GOL initiative. In the Chief Information Officer's branch, there's been a real interest in Privacy Impact Assessments and that's given me cause for optimism.
What exactly is a Privacy Impact Assessment? Quite simply, it's an analysis of the likely impacts on privacy of a project, practice, or system. It involves looking at all the personal information practices that go into the system, such as what kinds of information are collected, how consent is obtained, how and for how long the information is kept, how it's used, and who it's disclosed to. It looks at things like the purposes and statutory authorities for collection, use, and disclosure, what kinds of linkages there will be between this and other information, and how individuals will be able to exercise their right of access to their information. And it looks at privacy legislation and principles, and assesses how the project or system complies with them overall.
What are some of the privacy impacts you'd be looking for? Let me give you some examples.
You would want to ask whether your system or project is going to lead to data matching. Will it be possible to combine unrelated personal information to create new information about individuals?
Will it be possible to track an individual's transactions with programs?
Will the system, especially its demands for identification and authentication, lead to profiling, transaction monitoring, and other forms of surveillance?
Will the program or system entail the physical observation of individuals?
Will it facilitate electronic misuse of publicly available personal information?
Those are questions about possible violations of privacy. You also need to ask questions about the resources to deal with them, such as whether there's an accountability structure in place to deal with privacy issues.
In effect, this is a feasibility study from a privacy perspective. It's an excellent way to forecast impacts on privacy, and determine what's required to overcome the negative impacts.
And it's more than that. It's sometimes referred to as a risk-management tool. That's because a lot of the privacy impacts that are identified aren't certain to happen. There's a risk rather than a certainty that data matching, for example, will lead to new information, or that authentication will lead to profiling.
But it's also a risk-management tool because getting it wrong on privacy is a risky proposition. As I said earlier, design is more cost-effective than retrofit. And you don't want your latest project to bring an oversight body like my Office down on you.
Doing a Privacy Impact Assessment enables you to sensitize the various elements and personalities in your organization to privacy issues, helping to create an organizational culture of respect for privacy, where everyone supports and understands privacy as part of the corporate goal.
And a Privacy Impact Assessment is a very useful tool for monitoring the system as it progresses. You've identified privacy risks, you can see whether your means of addressing them are working, and you're alert and attuned for new, unforeseen ones coming up.
Down the line, when you're reviewing the compliance of your systems with privacy legislation and principles, the Privacy Impact Assessment is an excellent basis for ensuring that those involved in the review (system operators, management, and representatives of the oversight body) understand each other and the system.
I've been urging the federal government for some time to use Privacy Impact Assessments, and the idea seems to be catching on. The Chief Information Officer's branch of the Treasury Board has been developing a policy on their use, and the branch's expertise in Privacy Impact Assessments is rapidly developing.
We've also considered developing a process whereby we can review Privacy Impact Assessments and offer comments at an early stage.
I'm enthusiastic about that kind of approach. It would make for a collaborative, non-judgmental way of promoting the goals of the Privacy Act. That would be a departure from the complaint-driven model that characterizes so many rights-protection agencies. My staff could work with GOL people in a helpful way, so that they wouldn't have to wait until they got a complaint to find out that they might have overlooked something about privacy.
Of course, there is a place, and a need, for the complaint process. Canadians must have the right to challenge organizations to respect their privacy. But it's not in anyone's interests to have me oppose something when it's gone too far and millions of dollars have already been spent. And as always, prevention is better than cure. It's better to protect privacy up front than to try to undo the damage after a breach of privacy. Sure, someone can complain to me when their privacy has been violated, and I can help find a remedy, and take steps to make sure it doesn't happen again. But let's face it: they can't get back their lost privacy.
So this kind of collaborative approach would make a great deal of sense for an office like mine. My job is to apply both principles and flexibility to privacy questions. Helping organizations with their Privacy Impact Assessments would be a very good way to do that.
Although this conference is focused on government, I know that a lot of you are from the private sector. I want to stress that the Privacy Impact Assessment is a useful tool in the private sector as well.
More and more organizations are coming under the scope of privacy legislation, and of course even those that aren't required to under law are usually very concerned about protecting privacy.
They should do Privacy Impact Assessments, because being concerned about protecting privacy is usually not enough. Good intentions, on their own, don't protect privacy.
Privacy, in fact, is often most threatened by well-intentioned people. They don't see themselves as trampling privacy. They just see themselves as trading it off for some greater good. Sometimes it's customer service. Sometimes it's public security. And often, especially where government is concerned, it's something called efficiency.
I say "something called efficiency" because I think it's too often forgotten what efficiency really is.
It's not doing more with less, or being lean and mean, or getting the biggest bang for the buck, or any of those other clichés.
Efficiency refers to the relation between means and ends, to the choice of the best means to achieve a particular goal.
How we define those goals is the crucial question. And it is a simple fact that protecting privacy has to be part of those goals. Privacy is not an impediment to efficiency, or something that you can sacrifice to be more efficient. It is something that you have to protect. That's a fundamental element of your goal. It's up to you to find efficient means to achieve that goal.
I'm confident that it's possible to deliver government programs efficiently and conveniently, and get our Government On-Line, without sacrificing privacy.
The key to that, though, is to recognize how important privacy is to our society, and how concerned Canadians are about it, and build your system accordingly.
If you build it, they will come. Canadians will embrace Government On-Line enthusiastically if they are assured that their privacy is safe. My advice to you all is to find a way to work together, involving system architects, program managers, and representatives of oversight bodies like my Office. A collaborative approach and a commitment to privacy is your best guarantee of the support of Canadians for Government On-Line.