Privacy Impact Assessment
Remarks at the Interdepartmental Privacy and Government On-Line Working Group
May 8, 2002
Acting Director, Privacy Impact Assessment
(Check Against Delivery)
I have been asked to speak to you today about the role of the Office of the Privacy Commissioner in relation to the privacy impact assessments that are now a required part of Government On-Line projects and of other programs or initiatives that involve the collection, use or disclosure of personal information.
To put that into context, I'd like to talk a bit about what we do, and our views on GOL and privacy.
Many of you are quite familiar with the Office of the Privacy Commissioner - but for those who are not, the Privacy Commissioner is an independent guardian of the privacy rights of Canadians. This role includes overseeing and enforcing two federal privacy statutes; the Privacy Act that applies to all federal government institutions, and the new Personal Information Protection and Electronic Documents Act that extends our privacy protection rights to dealings with the private sector. Our office conducts research into privacy issues, promotes public awareness and education, and provides advice to Parliament, government and the private sector on privacy issues.
So that's us. We are a watchdog, and we are responsible for ensuring that the gathering and handling of personal information, in the public or private sector, does not violate privacy rights. That means not only responding to complaints, but undertaking audits, and just generally keeping a watchful eye on anything that has privacy implications, which is why we, of course, have an interest in any government initiatives that have an impact on privacy. Government On-Line is one of those initiatives that engenders a number of potential privacy risks.
Notwithstanding these risks, which I will discuss shortly, let me make it clear at the outset that our office supports Government On-Line. Anyone who has ever stood in line, or been bumped to numerous contact points, can appreciate the benefits that e-government offers.
There is no question in our mind that Government On-Line can revolutionize the way that government delivers programs, and the way that Canadians interact with government. Streamlined service delivery, ease of access to government services and information, and elimination of duplication are some of the anticipated benefits of Government On-Line.
Government On-Line mirrors changes that have revolutionized the private sector. It's going to make government less removed, more accessible, more businesslike. It promises to make Canada a world model in service delivery, and a world leader in technology. The Privacy Commissioner supports these goals.
To achieve these goals, to make Government On-Line work, privacy has to be built in; it can't be an afterthought. Surveys have shown that both respect for citizens' privacy and winning the trust of the public are indispensable for the success of the government's on-line initiative.
About trust, we need to keep in mind that, unlike businesses, governments have the power to coerce the collection of personal information from their citizens. When a government agency or program needs personal information to carry out its mission, that information will be collected.
Whether it is for Employment Insurance or other programs, such as Income Tax, the firearms registry or the census, individuals are not in a strong position to refuse to consent to the collection and use of their personal information. Government agencies have the legal right to collect information from members of the public. More often than not, the information provided is not voluntary. In some cases, those who refuse to give up their information may not only lose a benefit, they may be fined or even sent to jail.
Therefore government has a special trust relationship with citizens - even greater than that demanded of private sector companies. Consequently, government must be particularly vigilant in maintaining the trust that citizens place in its ability to preserve their privacy, as well as the security and confidentiality of their records under its control.
Our position has always been that it would be truly unfortunate if we failed to achieve the benefits of GOL because we got it wrong on privacy, and consequently lost the trust of the public. If Canadians think dealing with government on-line is a threat to their privacy, they are going to resist it.
How can the benefits of GOL and respect for privacy be achieved? First of all, we need to know what we are talking about when it comes to privacy.
In the context of information systems, the terms "confidentiality" and "security" are often thought of as synonymous with respecting privacy. These terms, however, are better understood as particular manifestations of the right to privacy.
The Privacy Commissioner defines privacy as "the right to control access to one's person and information about oneself." The right to privacy means that individuals get to decide what and how much information to give up, to whom it is given, and for what uses.
Confidentiality is different. It's the obligation of a custodian to protect the personal information that it has been entrusted with. A promise of confidentiality imposes a duty of care to maintain the secrecy of the information, and not to use or disclose the information for an unauthorized purpose.
Security is something else again. It's the process of assessing the threats and risks posed to information, and taking steps to protect the information against unauthorized or unintended access, use, intrusion, loss, or destruction.
The significance of the differences between these concepts is perhaps best illustrated by example. If you collect more personal information than is necessary to fulfill a specific purpose, or without an individual's consent, a fundamental principle of privacy will have been breached. Treating that information as confidential or having the best security system in place to protect that information will not change the fact that an individual's privacy has been violated.
So the distinctions are significant: privacy, a fundamental right; confidentiality, an obligation to protect information; and, security, the process of protection.
With those distinctions in mind, let's turn briefly to the areas we're paying close attention to with GOL.
First, delivering government programs across departments and jurisdictions will likely lead to walls coming down between agencies and programs, within government and across levels of government.
That may sound good, but remember those walls are also walls between collections of personal information. They are there for a reason.
If government becomes a single, centralized body, a most profound impact will come from the merging and consolidation of databases.
This is information about individuals and their interactions with government that has been collected for specific uses. When it's held in separate databases specifically for those purposes, "silos" as they are called, it is compartmentalised and protected.
When the walls of those silos come down, two things can happen. For example, when information management systems are built on an open platform to permit data sharing, persons with access to the system may have access to more information than in fact they are authorized or need to know.
That's one problem. The other is that information can be combined to reveal new information. This can lead to profiles of individuals. Profiling of citizens is the hallmark of surveillance societies. The building of dossiers, tracking their activities and their interactions with government, has no place in an open, democratic society. It is the end of anonymity. It is the end of the right to go about our lawful, peaceable business unmonitored. It is the end of the right to be left alone.
We accept that sometimes there is justification for matching personal information from different sources. Both the Privacy Act and the new private sector law allow it in certain exceptional circumstances. But those circumstances are strictly limited, and they have to be justified.
Separate databases are a built-in protection against unrelated uses and against profiling. The advantages of this could be lost under the GOL initiative, unless we take steps to build in protections.
The second concern is this: delivering services or benefits electronically will involve the private sector. We know that; it's part of the explicit objective of GOL. Again, we come to the issue of walls. The linkage of existing networks could eventually lead to one inter-operable system combining the information holdings of all sectors of society, both public and private.
Our third area of concern is the impetus for some sort of authentication, identification, and access device. The government has suggested that as part of the GOL initiative, clients will be given what it calls "e-identities."
Authentication mechanisms are necessary for a networked economy, but they're fraught with problems. For example, the need to validate transactions could lead to larger accumulations of personal data for identity and authentication purposes.
It may also lead to the establishment of a new national identifier, or a de facto version of one. To the extent that such an identifier could come to constitute a key to unlocking the entire storehouse of personal information collected by government, and its private sector contractors, it could become a powerful tool for the building of dossiers on individuals, tracking their activities and their interactions with government.
Such an identifier could also infringe on personal freedom. For example, the issuing, revoking, or withholding of such an identifier could be used to control, limit, or punish social behaviour and activities.
It may also give rise to other potential risks to individuals, such as identity theft and unintended disclosures of personal information, if used by unauthorised persons.
Finally, of course, there is the potential threat to the security and confidentiality of information transmitted over public networks attendant to the provision of on-line services. While open to technical fixes, the added vulnerability of information held and transmitted in electronic form is nonetheless real and substantial.
These troubling scenarios underline the need to ensure privacy is a primary consideration at the planning stage of any government initiative involving the collection, use and disclosure of personal information. We want departments and GOL leaders to know that one way to do this, when you're designing projects, is to do a Privacy Impact Assessment.
A PIA is a tool that allows a department to forecast the impacts of a proposal on privacy, assess its compliance with privacy legislation and principles, and determine what's required to overcome the negative impacts.
We believe that Privacy Impact Assessments can serve six main purposes in the design, acceptance and implementation of any government proposal:
- acting as an early warning and planning tool;
- forecasting and/or confirming the impacts of a government proposal on the privacy of individuals and groups;
- assessing the proposal's compliance with privacy protection legislation and principles (like the Privacy Act, PIPED Act and the CSA Model Privacy Code);
- determining the actions and strategies required to avoid or overcome the negative impacts of the proposal;
- avoiding the adverse publicity, the loss of credibility and public confidence, and the legal costs, remedies and sanctions that could result from a government proposal with negative impacts on Canadians' privacy; and
- increasing Canadians' privacy awareness by informing them of the details of the proposal and by involving them in its design, acceptance and implementation.
However, we must not confound PIAs with privacy compliance audits. A privacy compliance audit simply focuses on legal compliance with the laws. A PIA is a risk assessment tool that goes beyond the legal tests in privacy law, which represent minimum acceptable practice.
It involves looking at all the personal information practices that go into the system, such as what kinds of information are collected, how consent is obtained, how and for how long the information is kept, how it's used, and who it's disclosed to.
It involves looking at things like the purposes and statutory authorities for collection, use, and disclosure, what kinds of linkages there will be between this and other information, and how individuals will be able to exercise their right of access to their information.
It involves identifying risks to privacy associated with a given program, information management system or technology, and coming up with solutions to avoid or at least mitigate those risks.
In sum, a PIA is the following:
- a feasibility study from a privacy perspective;
- a risk-management tool;
- a sensitization instrument to help create an organisational culture of respect for privacy; and
- finally, a means of monitoring whether your methods of addressing privacy risks are working.
Just as environmental impact assessments are a regular feature of environmental proposals, it makes sense to evaluate technological initiatives for their privacy implications early on, and this is what PIAs are designed to do.
On May 2, 2002, the Government of Canada implemented a PIA Policy that applies to all government programs and services that collect, use or disclose personal information, not just those that are based on electronic delivery.
The conduct of a PIA is a shared responsibility. As the TB Policy states, they are co-operative endeavours, requiring a variety of skill sets, including those of program managers, technical specialists, and privacy and legal advisors. The deputy head of a federal institution, department or agency is responsible for determining if a PIA is required.
Of particular significance is the fact that this policy requires government bodies to inform the Office of the Privacy Commissioner of all PIAs being conducted and to send completed PIAs as soon as possible to our office for review.
By reviewing the documentation in co-operation with institutional officials, our office will then be able to provide advice and guidance to institutions and identify solutions to potential privacy risks.
Our role is not to approve or reject the projects that are assessed in the PIAs; our role is to assess whether or not departments have done a good job of evaluating the privacy impact of a project or proposal.
As well, formally involving a privacy oversight office in the process of assessing the privacy impact of new and modified government projects and proposals would be a first. It would make for a collaborative, non-judgmental way of promoting the goals of the Privacy Act. This kind of collaborative approach makes a great deal of sense.
We suggest, therefore:
- that you conduct an initial assessment of your project as early as possible;
- that you contact us directly with questions at an early stage; we can help you understand what we are looking for in a PIA; and
- that you send us the final PIA as soon as it is complete.
Let's look a little more closely at the kinds of questions you'd ask in an initial assessment of a given project. Will the proposal involve:
- a new or increased collection, use or disclosure of personal information, with or without the consent of individuals;
- a broadening of target populations;
- a shift from direct to indirect collection of personal information;
- an expansion of personal information collection for purposes of program integration, program administration, or program eligibility;
- new data matching or increased data sharing of personal information between programs or across institutions, jurisdictions, or sectors;
- development of new or extended use of common personal identifiers;
- significant changes to the business processes or systems that affect the physical or logical separation of personal information or the security mechanisms used to manage and control access to personal information; or
- the contracting out or devolution of a program or service to another level of government or the private sector.
These are questions likely to alert you to possible violations of privacy. You also need to ask questions about the resources to deal with them, such as whether there's an accountability structure in place to deal with privacy issues.
Down the line, when you're reviewing the compliance of your systems with privacy legislation and principles, the Privacy Impact Assessment will prove an excellent tool for ensuring that those involved in the review (system operators, management, and representatives of the oversight body) understand each other and the system.
In summary, what will our office be looking for when reviewing PIAs?
- First of all, we will want to make sure that the department or agency has the legal authority to collect personal information.
- Next, we want to ensure that the PIA is very clear about the amount and type of personal information that will be collected, how it will be used, and if it will be disclosed to other departments or organizations.
- We will also be looking to see if the project involves data matching. In other words, will it involve combining unrelated personal information to create new information about individuals?
- And we will be reviewing the PIA to make sure that the personal information will be adequately protected.
Overall, we want to be able to assure ourselves that the PIA accurately identifies all the privacy risks associated with the project and that appropriate measures are being proposed to avoid or minimize these risks.
If done right, a PIA is a way to avoid extra costs, adverse publicity and the loss of credibility and public confidence that could result from a proposal that is not privacy friendly. A PIA is also a way to raise awareness and understanding of privacy principles both internally and among citizens.
How will our office operate?
Our comments are not intended to be made public, but are intended as guidance and advice to the department.
We have been working on developing our review procedures for several months in anticipation of the official launch of the policy.
The Privacy Commissioner will be informed of every PIA when we receive it.
We have created a unit specifically to review PIAs with senior members of OPC staff.
We certainly understand the need for a quick turnaround and we don't want to delay projects.
We encourage departments and agencies to contact us as early as possible so that any potential trouble spots can be identified at an early stage.