The Kiwanis Club of Belleville Meeting
August 27, 2002
(Check Against Delivery)
What I hope to achieve today is to define privacy for you, to explain why privacy is different from confidentiality and security, and to give you a brief overview of the new Personal Information Protection and Electronic Documents Act.
So what is privacy?
Privacy is not easily defined, though most people have a sense of what it means.
The best-known definition dates back over a century, to the American jurists Samuel Warren and Louis Brandeis. They defined privacy as "the right to be let alone", a definition that, if nothing else, is easily understood, but is inadequate to deal with the modern complexity of privacy and the threats to it.
Privacy is, of course, about being let alone: about being free from interference and surveillance.
But modern threats to privacy are more subtle. They are about compiling and manipulating personal information about us, and using that information for purposes we haven't consented to, or that we're not entirely aware of or don't understand.
The Privacy Commissioner of Canada, George Radwanski, defines privacy as the right to control access to one's person and information about oneself. That definition, I think, is better suited to the challenges facing us in today's world.
Whatever they mean by it, people recognize that there is something fundamentally important about privacy. George Orwell's 1984 has become a cultural beacon because of its depiction of a world without privacy. People react viscerally to that: they sense that there can be no real freedom without privacy, that privacy is the right from which all freedoms flow: freedom of speech, freedom of conscience, freedom of association, freedom of choice.
Privacy is frequently cited in national constitutions as an inviolable right. It underlies the Canadian Charter of Rights and Freedoms' prohibition of unreasonable search and seizure. Interpreting that prohibition, Mr. Justice La Forest of the Supreme Court of Canada defined privacy as "being at the heart of liberty in a modern state".
To say that it is fundamental, of course, does not mean that it is absolute. Privacy exists in a balance with other rights and obligations.
But I want to emphasize that it's not a question of balancing the privacy of the individual against the interests of society.
Privacy is not only an individual right; it's also a social, public good. Our society as a whole has a stake in its preservation. We cannot remain a free, open, and democratic society unless the right to privacy is respected.
In other words, the interests of society include the privacy of individuals. And when that is lost, society also loses.
Now let me clarify how privacy differs from security and confidentiality, because unfortunately the terms are often used interchangeably. They are in fact three separate and distinct issues.
Privacy is our fundamental right to control the collection, use and disclosure of information about ourselves.
Confidentiality is the obligation of a custodian to protect personal information in its care, to maintain the secrecy of the information and not misuse or wrongfully disclose it.
Security is the process of assessing threats and risks to information, and taking steps to protect it.
So the distinctions are dramatic: privacy, a fundamental right; confidentiality, an obligation to protect information; and security, the process of protection.
But it's privacy that drives the duty of confidentiality and the responsibility for security. It is privacy that has to be addressed before we can deal with the ensuing notions of confidentiality and security. And if it is not respected, ensuring confidentiality and security is not enough. If information about someone is collected, used, or disclosed without their knowledge or consent, ensuring the confidentiality and security of their information doesn't mean that their privacy has been respected.
A good example to illustrate the differences among privacy, confidentiality and security is the HRDC Longitudinal Labour Force File case. You may recall that HRDC's Strategic Policy Branch had developed a Longitudinal Labour Force File (LLFF) for research, evaluation, policy and program analysis to support departmental programs. It contained records on 33.7 million individuals drawn from widely separate internal and external files, such as welfare and income tax records. Each citizen profile could contain as many as 2000 data elements. The LLFF was relatively invisible to the public, and there were important gaps in the legal framework to protect the information.
When the existence of the database was made public, more than 70,000 Canadians demanded to obtain access to their personal information contained in the database. As a result of the public outcry, the database was dismantled.
While HRDC had in place strict protocols for access to the database (access was strictly limited to only a very few public servants and researchers), and while security was not an issue (no information was ever improperly disclosed from the database), Canadians were nonetheless concerned that their privacy had been violated. They were concerned about the vast collection of personal information without a specific defined purpose. They were concerned that information had never been purged from the database. They were concerned that the state had unduly pried into their private lives.
Much is said these days about the strategic issues surrounding the advances in information technology and what they mean for businesses. At the same time, IT solutions, with their ease of handling masses of information, can introduce tremendous privacy risks if they do not build privacy protection into their design. Technology itself may be neutral. But, without rules of the road to govern the handling of personal information, it becomes anything but neutral.
Unregulated technology becomes a threat to privacy because it exponentially increases our capacity to collect, use and disclose quantities of personal information. It allows us to move it instantaneously across great distances. Technology has eliminated the protection of personal information that was the inherent byproduct of inefficient manual filing systems. Individuals need additional protection for their privacy now that manual filing systems no longer serve as de facto gatekeepers of privacy.
The well-founded fear that technology would be used to suppress this fundamental right of privacy was one of the key forces behind the development of the Personal Information Protection and Electronic Documents Act. The main privacy provisions of the Act came into force on January 1, 2001.
I would like to give you a brief overview of this legislation: the timeframe for implementation, details on compliance and the complaint process. You will be happy to know that the Web site of the Office of the Privacy Commissioner of Canada at www.priv.gc.ca contains a detailed guide to the operation of the Act.
The implementation schedule is as follows:
As of January 1, 2001 the law applies to federal works, undertakings or businesses, such as banks, telecommunications companies, airlines, railways and interprovincial trucking companies and to the employee records in those organizations. It also applies to personal information disclosed across borders for consideration.
As of this past January 1, the law also applies to personal health information collected, used or disclosed by organizations described under phase one of the law.
On January 1, 2004 the law will apply to the collection, use and disclosure of personal information by any organization in the course of commercial activity within a province and all personal information in all interprovincial and international transactions by all organizations subject to the Act in the course of commercial activities.
The Personal Information Protection and Electronic Documents Act enacts what is known in the privacy business as a code of fair information principles. These fair information principles consist of rules to regulate the collection, use and disclosure of personal information, and to provide individuals with access to personal information held by others.
Personal information is any information about an identifiable individual. Organizations include associations, partnerships, persons and trade unions. Bricks-and-mortar and e-commerce businesses are both covered by the Act. The term commercial activity includes the selling, bartering or leasing of donor, membership or other fund-raising lists.
The act does not cover all collections of personal information. For example, it does not include personal data gathered strictly for personal purposes (such as your personal greeting card list), or for journalistic, artistic or literary purposes, or for a non-commercial activity.
The heart of the law is the Canadian Standards Association's Model Code, which is embodied in the Schedule to the act. The code is a consensus developed by a partnership of business and government. It was designed to provide organizations with the personal information they need for legitimate purposes while protecting individuals' rights and interests. The code rests on 10 principles that normally define an organization's responsibilities. These principles are:
- Accountability
An organization is responsible for personal information under its control and shall designate individuals who are accountable for the organization's compliance with the following principles.
- Identifying Purposes
The organization must identify the purposes for which it collects personal information at or before the time of collection.
- Consent
The individual must know of and consent to the collection, use or disclosure of personal information, except where inappropriate.
- Limiting Collection
The organization must limit its collection of personal information to that which is necessary for the identified purposes. And it must collect the information by fair and lawful means.
- Limiting Use, Disclosure and Retention
Organizations must not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. And they must keep the personal information only as long as required to fulfil those purposes.
- Accuracy
Personal information must be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards
Organizations must protect personal information by security safeguards appropriate to the sensitivity of the information.
- Openness
An organization must make readily available to individuals specific information about its policies and practices on managing personal information.
- Individual Access
Upon request, an individual must be informed of the existence, uses and disclosures of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance
An individual shall be able to challenge an organization's compliance with the principles to the individual designated accountable for the organization's compliance.
Of course, complying with these principles means an organization needs to do some homework. It must review and analyze how it conducts its business to determine:
- What personal information it collects;
- Why it is collected;
- How it is collected;
- What is done with it;
- Where it is kept;
- When it is used or disposed of, and
- To whom it is given.
Many organizations may be surprised to learn that they really don't know what personal information they collect, how they use it, or what quality controls and security safeguards, if any, they have in place. One lesson learned in the early days of the federal Privacy Act was that some government organizations were collecting excessive amounts of personal information for no valid reason, and at unnecessary cost. Laws like this aim to eliminate the practice of getting it all, getting it now, and thinking of a use for it later. That is what data profiles are made from and it is the opposite of good privacy practice.
In essence, the act requires organizations to establish an open and transparent relationship with their clients. That can only be good for business. Exceptions to that general rule should be limited and specific.
Now I want to deal with some of those exemptions, clarifications and amplifications. Each of those principles I described earlier is modified or clarified in the act. I am not going to deal with these exhaustively but I do want to focus on the collection, use and disclosure of clients' data. Then we'll look at the obligation to respond to clients' requests to see their personal data. Finally, I'll touch on the oversight of the law.
As we consider the various parts, I ask you to keep in mind a test set out in the "Purpose" clause of the law - that is, the concept of the "reasonable person". The clause requires organizations to balance the individual's right to privacy with the organization's need for personal information for purposes the "reasonable person" would consider appropriate. The concept informs all of Part I of the act (the privacy law) as well as Schedule 1, essentially the CSA code.
First, let's consider collection of clients' information. The law establishes rules for an organization's collection of information, limiting collection to those details needed to achieve the stated purpose. Which details must you have to provide the service or conduct the research? Organizations should determine which details are required for the project, then specify - both for employees and clients - what information it requires. And the act is clear that organizations may not mislead or deceive individuals about the purpose for collecting the information.
Second, we'll deal with consent. The act requires individuals to consent to the collection, use or disclosure of their information, except where "inappropriate".
Section 7 of the Act allows organizations to collect information without the individual's knowledge or consent, but only if
- The collection is clearly in the individual's interest and consent cannot be obtained in a timely way;
- The individual's knowledge of, or consent to, the collection would compromise the availability or accuracy of the information, and the collection is reasonable to investigate a contravention of laws;
- The collection is solely for journalistic purposes; or
- The information is publicly available and specified in regulation.
The act also establishes that organizations may use personal information without the individual's knowledge or consent
- To investigate a contravention of a law;
- During an emergency that threatens the life of an individual;
- For statistical, scholarly study or research;
- If the information is publicly available; or
- If it was collected in the interests of the individual or was reasonable for investigating a contravention of laws.
Finally, the act sets out several circumstances in which information may be disclosed to others without the individual's knowledge and consent. These include, among others, disclosure:
- To a lawyer representing the organization;
- To collect a debt the individual owes the organization;
- To comply with a subpoena.
Perhaps the most critical component of any data protection law is accountability: the individual's right to know how an organization manages its personal information holdings. Clients should be able to obtain the information without unreasonable effort, and the information should be generally understandable.
But arguably the crux of accountability lies in individuals' rights to seek access to the information you hold about them, to know how you are using it and to whom you disclose it, as well as to ensure its accuracy. The act establishes some procedures for seeking access.
Of course, an organization is not always required to comply with the applicant's request. There are circumstances in which the organization can refuse.
An organization may refuse access if:
- the information is protected by solicitor-client privilege;
- giving access to the information would reveal confidential commercial information;
- giving access could threaten the life of another individual;
- the information was collected to investigate the contravention of laws; or
- the information was generated during a dispute resolution process.
Now what happens when things go wrong, as they inevitably will? Anyone who is unhappy about your organization's information handling practices, or is dissatisfied with the results of an access request, may complain to the organization's designated officer. This should be someone senior enough to have the organization's confidence and who also has sufficient clout to make changes when necessary.
This first step is an important part of the scheme because it puts the onus for dealing with dissatisfied clients where it should be - on the organization. Resolving these disputes is a great learning experience. It can require staff to think through procedures they never questioned, and frequently to change them when they don't meet the test.
The next step, if the applicant is still not satisfied, is to complain to the Privacy Commissioner. The Commissioner must investigate any complaints. However, he can decide not to issue a formal report if he concludes that the complainant should first use other remedies or another law, or if the circumstances are simply too old to investigate, or the complaint is trivial, vexatious or made in bad faith. The Commissioner may also initiate his own complaint if the evidence warrants.
The Commissioner has broad powers to investigate, including summoning witnesses, compelling evidence and entering premises. In practice, he has seldom needed to be so heavy-handed. The most critical aspect of the Commissioner's role is that he is an ombudsman. And like all ombudsmen, his focus is on ferreting out the facts and achieving resolution of the problem: reaching reasonable solutions by reasonable people. The office is non-confrontational and non-adversarial.
Once the Commissioner issues the formal report, the complainant has the right to seek a Federal Court review. The Commissioner cannot order organizations to comply with the law. He simply attempts mediation and conciliation.
If the court agrees, it conducts a de novo review, meaning that it examines the legality of the organization's actions, not the Commissioner's investigation. If the court concludes that an organization has breached the law, it can order the offender to change its practices and publish notices about the changes. The court can also award damages, including damages for humiliation.
In order for government, companies and organizations to be in compliance with the PIPED Act, they need to build privacy in at the outset of their business plan. One way to do that is by using a Privacy Impact Assessment. This allows for the examination of any system or initiative an organization is considering developing, with a view to forecasting its impacts on privacy, assessing its compliance with legislation and principles, and determining what's required to fix any problems there may be.
Privacy Impact Assessments allow organizations to forecast the impacts of a proposal on privacy, assess its compliance with privacy legislation and principles, and determine what's required to overcome the negative impacts. They help avoid the costs, adverse publicity, and loss of credibility and public confidence that could result from a proposal that hurts privacy.
The Act does introduce a new way of doing business in Canada. However, this is not a radically new way of doing business compared with other Western countries. Far from it. The Act simply brings Canada up to speed with much of the rest of the Western world, which long ago recognized the importance of establishing fair information practices in both the public and private sectors.
There will be hiccups in the early stages of applying the Act. It is not the intention of the Office of the Privacy Commissioner of Canada to barge in and demand immediate and perfect compliance with the Act. That would present an impossible demand on the private sector and it would color the Act as an instrument of oppression, rather than a vehicle to encourage respect for a fundamental human right.
As long as we have the technology, we will face the temptation to intrude. But is that what we really want to stand as one of the defining characteristics of our society, a society where the fundamental human right of privacy is at the mercy of overly inquisitive minds and intrusive technologies such as video surveillance? I hope that you agree that this is not what we want. We want instead to ensure that organizations have access to the personal information that they legitimately need to carry on their activities. At the same time, surrendering one's privacy must not become the necessary price for living in a modern democratic society. Rules of fair information practices are, at their core, about respect for each other.