Chief Privacy Officer (CPO) Conference
February 12, 2002
Privacy Commissioner of Canada
(Check Against Delivery)
Good morning. It's a pleasure to see so many of you here.
I find that encouraging - not just because I enjoy a good audience, but because of what it says about corporate attitudes to privacy.
It was reported in a recent issue of Privacy Times that there are some 500 Chief Privacy Officers in the U.S.
This shows that privacy is becoming an important corporate issue.
Organizations that want to meet the challenge of privacy are recognizing that they have to appoint dedicated people, with specific skills and a good understanding of what privacy is all about.
It's almost certain that in Canada, relative to the size of our economy and population, we have as many or more CPOs.
I say that because of the requirement in the Personal Information Protection and Electronic Documents Act that organizations appoint individuals to be accountable for their privacy practices.
A meeting like this is a great opportunity for Canadian CPOs to get together and share information.
And one of the things you'll want to talk about, I'm sure, is how you work with my office in meeting your responsibilities under the new federal privacy legislation - the "PIPED Act," as we call it.
I hope to be able to facilitate that discussion by talking to you a bit about my role as Privacy Commissioner of Canada, and about your roles as Chief Privacy Officers.
I'll begin, though, with a cautionary note - or a bit of cheerleading, depending on how you see it.
The position of CPO is virtually a requirement under the new private sector law. But it can't simply be window dressing.
I have high expectations of organizations in this respect.
CPOs are the front line in the protection of privacy. And they have to be the internal privacy advocates in an organization. So organizations have to make sure that they structure and staff that office appropriately.
It should go without saying that a CPO needs to have an understanding of, and sensitivity to, privacy issues. You don't have to be a lawyer, but you have to understand privacy law and the rights and responsibilities that flow from it. You don't have to be an information technologist, but you do have to understand technology, its capabilities and their implications.
But more than that, you have to be in a sufficiently senior position, with the authority to make things happen. A CPO has got to have access to the highest levels of the organization, and has to have the necessary resources to get the job done.
These last points are crucial, because the CPO, as the organization's internal privacy advocate, is not always going to be the most popular member of the management team.
You have to be the tough cop. You're the one telling people that they can't do what they want to do. You have to tell the marketing people that their clever new promotion violates privacy principles. You have to break the news to the human resources managers that they've got to stop using that convenient old standby, the Social Insurance Number, to identify employees.
So there will be days when you feel lonelier than the Maytag repairman, and when it seems like your only friend in defending privacy is the Privacy Commissioner of Canada.
With that in mind, let me tell you a bit about who I am and what I do.
I'm an independent Officer of Parliament, appointed to champion the privacy rights of all Canadians. That involves playing a dual role. First, I have oversight over Canada's two privacy laws - the Privacy Act that governs the federal public sector, and the new PIPED Act that applies to the private sector.
It's my duty to ensure that the rights of all Canadians under these laws are respected, and to investigate and adjudicate complaints when people believe that their privacy rights are being violated.
My other, closely-related, role is exercising my mandate to educate Canadians about their privacy rights, to promote respect for privacy and an understanding of responsibilities for the protection of privacy.
It's in the first of these roles - as privacy watchdog - that you as CPOs will probably know me best.
When a customer or employee complains to my office about one of your organizations, it's likely that you'll be our first point of contact as we start sorting it out.
As I'm sure you know, I have full investigative powers. I can order the production of documents, enter premises, and compel testimony.
But I and my predecessors have never once had to use those formal powers under the Privacy Act, because we've always been able to get voluntary cooperation. I very much hope that this will also continue to be the case under the private sector law, as it has been so far. My preference is always for a collaborative approach.
When an organization and its customers or employees get into a dispute about privacy rights and responsibilities, my hope is to work with all parties to find a solution that works for everyone.
If I find that an organization is violating privacy, I'll suggest how the problem can be fixed.
I don't have order-making powers. I'm essentially an ombudsman.
But I do have instruments at my disposal in the event - which I hope will be very rare - that an organization is violating privacy rights and refuses to mend its ways.
I can ask the Federal Court to order compliance, and even to award damages to people whose privacy rights have been violated.
Or I can publicly make it known that a given organization has been found in violation of the privacy law and still refuses to respect the privacy rights of Canadians - and then rely on publicity and public opinion to move things forward.
That's one of the most effective enforcement mechanisms I know of, and it helps to educate everyone - the organization, other organizations, consumers, employees, and the public at large - about what privacy means and what their rights and responsibilities are.
Now that we've got a year of the private sector legislation under our belt, let me give you a few words of practical advice about the complaint process, drawn from some of our experiences.
Under the Act, one of the things I can do when someone approaches my office with a complaint is refer them back to the organization for it to be dealt with internally. That's a useful provision in certain circumstances.
But at least in some organizations, there appears to be some misunderstanding on this point:
I can refer complainants back, but I'm not obligated to, and I don't if it's not appropriate.
When is it not appropriate? Well, in many cases the individuals have tried working with the organization and have failed. Often, complainants are angry with the organization.
But most important, there's the question of public interest.
When a complaint is filed under the PIPED Act, there's more than just an individual interest at stake. The rights in the Act are public rights, and there's a public interest in protecting them - that, after all, is why we have legislation and a Privacy Commissioner.
Especially if there appears to be a systemic aspect to the complaint, I have to be very sure that the remedy for the complaint addresses that public interest.
We also need to be clear about the role of the CPO in an investigation. Again, there sometimes appears to be some misunderstanding.
Besides being a resource to the organization itself, the CPO is a valuable point of contact for us. But my staff and I have the authority to decide how the investigation is conducted.
It's we who decide whom we're going to interview, and what documentation we need to see.
And let me give you the following piece of advice - maybe the best advice I can give. If we call you about a complaint, don't call in the lawyers.
Our system is set up to avoid costly and time-consuming litigation as much as possible.
That's why it's not simply black-letter law enforceable by taking a case to court. And it's why the Privacy Commissioner functions as an ombudsman instead of having order-making powers.
This comparatively informal system is to your advantage, to the complainants' advantage, and to ours. Don't turn it into an adversarial process that doesn't benefit anyone.
Bringing in the lawyers can't stop me from investigating a complaint, because the law requires me to.
Lawyers can't stop me from issuing whatever finding I conclude is appropriate, because that's my duty.
All they can do is run up your company's bills - and, in the worst-case scenario for any company, be obstructive enough to create exactly the kind of public controversy you're trying to avoid in the first place.
So my advice to you is: Don't treat me and my Office as an adversary. We're here to help you comply with the law and respect privacy rights.
Since we all know that good privacy is good business, we're both on the same side. Don't create confrontation in circumstances that are much better served by cooperation.
What kinds of things are we seeing when we investigate complaints?
I know that there's a lot of commitment to privacy out there, but there's no question that there's some distance to go yet.
In some cases, too much information is being collected.
An organization's purposes for collecting, using, or disclosing personal information aren't always clearly identified.
Sometimes, information is being retained for too long without a good reason, and it's not always being stored properly with appropriate safeguards.
It's important to remember that no law, whether it's the PIPED Act or any other, will protect personal information on its own. It's up to organizations - to you as CPOs - to supplement it with policies, procedures, and programs, and to build a culture of privacy.
Let me touch briefly on a couple of the issues that I think you, as CPOs, should be turning your minds to.
You may be a CPO for a family of companies - maybe a financial conglomerate that includes investment firms, mutual fund companies, insurance companies, and trust companies.
With related companies like this, there's going to be a push to share customer information between subsidiaries.
It's very important to remember that, for the purposes of the PIPED Act, sharing personal information with a subsidiary is considered to be a disclosure.
And that means that it requires consent. That's also something that I think you should observe even if the Act doesn't apply to you. It's a simple matter of respect for customers' personal information - and that makes it good business practice.
A lot of your focus is on the personal information of customers and clients.
That's understandable, since so much of modern business is tied up with customer relationship management, with knowing your client.
And it's understandable because concern about customer information has largely driven the privacy agenda over the last few years.
You're continually confronted with this challenge: your organization wants to know its customers, so it collects information about them - but that personal information belongs to the customers, not to the organization.
The organization is holding its customers' privacy in its hands, holding that personal information in trust.
As important as customer information is, there's more to privacy, and the office and role of the CPO has to be more than an extension of customer relations.
Customer privacy may be what you are most familiar with, but the other issue you have to deal with is the privacy rights of employees.
Contrary to what some people like to believe, employees have real and extensive privacy rights.
You'll run into them in almost every facet of your organization's work.
Just the basic business of knowing who your employees are, for pay and benefits purposes, imposes serious privacy obligations.
It's up to you to ensure that collection of your employees' information is limited to what's really necessary.
You'll have to ensure that it's safeguarded with proper security measures, and disclosed only under authorized circumstances.
You have to ensure that your employees have access and correction rights to their information.
You've also got to look at things like collecting and using information for performance appraisal and promotion purposes.
You've got to understand privacy rights over things like lockers and desk drawers, electronic monitoring of employees' e-mail and Internet use, and how much the organization can know about an employee's off-duty activities.
You may have to address your minds to the privacy issues surrounding employees' personal health information, drug testing, and genetic testing.
One very positive development I saw recently was a private sector organization emulating the system that federal government departments use under the Privacy Act.
It did an inventory of all its information about its employees, and catalogued the information into well-defined information banks.
That's an important step, because it gives you a clear understanding of what personal information you have and what you're using it for. It's also the basis for you to be open and accountable with your employees about their personal information.
Your organization may be one that has legal responsibilities for employee privacy.
That's the case if you're in a federal work, undertaking or business - your employees are covered under the Personal Information Protection and Electronic Documents Act. Quebec's privacy law applies to employees.
And when other provinces pass privacy laws for the private sector, they'll have to apply to employees to be considered substantially similar to the federal law.
But even where there's no legal requirement, a good CPO should protect the privacy rights of employees anyway.
These are fundamental rights, and people should not be expected to check them at the door when they enter the workplace.
It's good business, too: you're well served by a workforce with good morale, and privacy, as an integral part of human dignity, is crucial to morale.
I'm sorry to say that, despite the requirements of the law and the dictates of good management, the fact is that some organizations don't seem to get it yet.
We're seeing too many organizations that have not yet developed codes to deal with workplace issues. We're seeing too many workplaces without complaints processes for employees.
This is an area where I would expect a CPO to play the role of internal privacy advocate.
If your employer hasn't addressed these things, it's up to you to build the culture of privacy, and the structures that will protect it. Remember, it's good management, and good for business.
Eventually, that will be recognized and you'll be thanked.
A privacy issue that's of particularly great concern to me is video surveillance.
This is something that we fortunately haven't seen a lot of in this country - compared to the UK, for example, which has more than two million surveillance cameras.
We haven't gone that far, but some communities have installed public video surveillance systems, and others are considering it. That's the thin edge of a very dangerous wedge.
I believe that video surveillance of public spaces such as streets and parks is the most urgent and important privacy issue facing us as a society.
Our fundamental right to privacy, our right to go about our lawful, peaceable business on our public streets anonymously and without systematic scrutiny by agents of the state, is gravely threatened by it.
I raise this with you in part simply to appeal to you, as citizens in a highly visible leadership role, to take a stand against it.
But I'm also raising it with you because it's not just a law enforcement issue, or one where I'm only concerned about the action of government.
The privacy of customers and employees is at stake here, too.
In fact, the proliferation of video surveillance of businesses may be what's led some people to propose extending it to the surveillance of public places.
And it may be what's led some people to acquiesce so meekly to videotaping of every aspect of their public lives.
Where that really comes to a head is in the workplace. When your only alternative to consenting to being videotaped is to give up your job, you can't be said to have consented. If someone complains to me about video surveillance in the workplace, I'm not going to be impressed when an organization tries to brush it off by saying that the employee consented to it.
The PIPED Act makes it clear that even consent alone isn't enough. Precisely to avoid coerced consent, the Act says that a collection of personal information has to be for purposes that a reasonable person would consider appropriate under the circumstances.
And where there's disagreement and a complaint, the Act makes me a proxy for that "reasonable person."
Perhaps, as reasonable people, we can all agree on a test that can help to clarify whether video surveillance is justified in a particular circumstance, such as in a given workplace.
I proposed this test as a criterion for assessing any proposed new privacy-invasive security measures in the wake of September 11. But I believe that it can be very useful in assessing video surveillance as well.
This test involves asking four questions.
First, is there a real problem or threat that has to be addressed?
Second, will violating privacy in the proposed way actually be effective in addressing the problem-will it actually make a decisive difference?
Third, is the violation of privacy proportional to the magnitude of the problem? If your problem is pilfering of pencils, it's not going to justify wholesale video surveillance of an entire workplace.
Finally, is there a less privacy-invasive way of achieving the same goal?
You'll be serving your organizations well if you look at these kinds of questions from the outset. And you'll be a valuable ally to me and my office, and to privacy, when you raise these questions about privacy-invasive practices.
The question of justifications for limitations on privacy came into sharp focus after the terrorist attacks of last September.
The business community, like everyone else after September 11, was determined that something like this must not happen again. And, for perfectly understandable reasons, lots of businesses wanted to do their part.
That had big implications for organizations and the way they handled personal information. They had to know who their employees were and whether they posed any kind of threat. That's a perfectly legitimate concern, but it's important not to over-react, and to know where to draw the line. A lot of organizations hold information that might be of use to law enforcement and security forces. Again, there are legitimate ways of handling that, with proper judicial oversight.
Let me be very clear: I have no intention of ever standing in the way of protecting the public in appropriate and necessary ways.
But we are not going to defeat terrorism by abolishing the very things that make our society worth living in and fighting for. Quite the opposite is true.
Privacy and security can and must coexist. Privacy is a fundamental right, and security is a condition that we have to ensure, in order to enjoy our fundamental rights.
Again, we have to scrutinize every proposed measure that violates privacy.
Every time someone proposes a measure that trades off privacy for a supposed enhancement of our security, we have to pose those questions: Is it necessary, is it effective, is it proportional, and is there no less privacy-invasive alternative?
Those are the tests. We have to insist that those who are proposing the measure justify it according to those criteria.
In this respect, you as CPOs have to be the internal conscience of your organizations. It's up to you to push your organizations to intrude on employees as little as possible, while still ensuring that legitimate and justified security needs are met.
It's up to you to ensure that your organization collects, uses and discloses information about them lawfully - and not just lawfully, but fairly.
You're the ones who can encourage your organizations not to treat every employee like a potential terrorist.
You're the ones who can ensure that your organizations adhere to the law whenever there's any question of handing over customer information for law enforcement purposes.
Let me conclude by reminding you of the importance of the responsibility you've taken on, and to commend you for taking it on.
Sometimes it's difficult to see past the details of the particular personal information issue you're working on, and to remember the bigger picture.
You're engrossed in drafting a consent clause, or examining the security of personnel files, or trying to figure out exactly what personal information your organization really needs for its next marketing campaign.
You're struggling to develop a procedure for your customers and employees to get access to their personal information.
What it's about is the protection and strengthening of a right that underpins all our human freedoms.
Privacy, our right to control access to ourselves and information about ourselves, is at the heart of freedom of speech, freedom of thought, freedom of conscience, freedom of association.
I've often said that privacy is the defining issue of this decade, because it's so threatened by technological, social, and political developments.
How we address those threats will determine what kind of world we hand over to our children and grandchildren.
As CPOs, if you make sure that you have the knowledge, the clout, the resources, and, above all, the grit, to stand up for this fundamental right, you'll help to ensure that it's a genuine and vibrant right that we experience throughout our daily lives.
You'll be the ones who make a difference.
So I congratulate you and thank you for taking up the challenge.
We're looking forward to working with you.