Privacy and Ethics In Public Service
Management Board Secretariat of Ontario
October 3, 2003
Interim Privacy Commissioner of Canada
(Check against delivery)
Most of you are privacy professionals. You're well-versed in what privacy is, what it means. I know that many of you are interested in hearing about the Personal Information Protection and Electronic Documents Act, which will extend on January 1, 2004, to cover all commercial activity in Canada. That won't have a direct effect on the provincial and municipal agencies that most of you work for, but it will have some indirect effects, and I'll be glad to talk about that today.
But first I want to situate this discussion of privacy in a larger setting: ethics and ethical responsibilities in public service. By that I mean both our responsibility to act ethically as individuals and our responsibility to ensure that our organizations act ethically.
I was appointed Privacy Commissioner of Canada on an interim basis in July, in order to help the Office deal with an extraordinary crisis. I doubt that this will be news to any of you. Revelations of wrongdoing and violation of public service employment and expenditure rules in the Office of the Privacy Commissioner were widely covered in the news media at the time. They've got a fresh lease on public attention this week with the release of the audit reports of the Public Service Commission and the Auditor General.
This has been an ethical crisis, and not one limited to my Office. Public scrutiny of government, public servants, and even political staff has escalated dramatically. Citizens, with an insistence that we've rarely seen in Canada, are demanding accountability, transparency, respect for rules and principles, and value for their tax dollars. This insistence on openness and correctness affects the entire federal public service, and it is extending to the provincial and municipal levels. Public servants at every level of government have to pay serious attention to it, and respond appropriately, if we are to regain the confidence and trust of Canadians.
The response has to be more than simply making a renewed commitment, however sincere, to hold our behaviour to account against ethical standards. We have to look very hard at the question of how this crisis arose. One of the challenges for me is to lead our Office through the painful process of self-examination, to understand how it was that some public servants apparently lost sight of their duty to Canadians, and how others failed to speak up and oppose wrongdoing.
It's important that we keep some perspective. The situation in the Office of the Privacy Commissioner was unusual. I have said publicly that I have never seen an Auditor General's report that was as devastating as the one that just came out. That says something about our Office, but it also says something about the federal public service, where such a negative report is so unusual. The fact is that the great majority of federal public servants observe the rules, conduct themselves honourably, and give Canadian taxpayers good value for their money.
But having said that this is extraordinary, we should not delude ourselves that it is some aberration that cannot be explained. The potential for these ethical failings is always there; if an organization slips into them, it is because it has not done enough to shore up its vulnerabilities to them.
The University of British Columbia runs an ethics Website, and one of the things that figures most prominently there is an article by the management consultant Larry Colero, about the systemic problem of ethical failings. He points out that robust ethics depend not just on corporate culture, but on the very structure of an organization.
For example, a U.S. survey of 1,000 business executives found that nearly half admitted being rewarded for taking action on the job that they considered unethical. One in three reported that refusing to take unethical action resulted in penalties.
Now, that appears to be a cultural problem. What can the organization do to address that? Tell people to be good? Remind them of the rules, urge them to observe them, perhaps threaten them with punishment-maybe even punish a few to set an example?
Those methods might work. But even their limited effectiveness is undercut if the organization is sending subtle contradictory messages in the way it's structured or the kind of behaviour that's rewarded.
Mr. Colero sets out five questions that those in charge should ask about their organization's approach to its ethical responsibilities.
First, what is the strategy to manage ethics? Are ethics understood, other than in broad philosophical terms? Are effective systems in place to foster and monitor ethical behaviour?
Second, who is responsible for ethics in the organization? It's fine to say that everyone is responsible, and it's true, but beyond that, is there an identified and clearly accountable person who understands ethics and can advise on ethical questions?
Third, are people equipped to address ethical issues as they arise? Is there guidance for employees? Is there an ethics code? Is there training? Is there an advisory service?
Fourth, are people in the organization provided with a safe opportunity to discuss ethical concerns-for example, if they feel pressured to violate ethics to achieve success, or to keep quiet about things they've witnessed?
Fifth and finally, are ethical integrity and moral courage rewarded even if they hinder other organizational objectives, or are they punished?
I think that these are questions we all would do well to pose to ourselves, in looking at our organizations and our ethical responsibilities. An organization that has not taken an ethical tumble can't afford to be smug about that, because it may in fact be poised on the precipice.
Setting out what defines ethical behaviour is properly a job for an ethicist, and I don't pretend to be one. But I think that any public sector body has to ask itself at a minimum whether its structure and culture support impartiality, professionalism, accountability, and confidentiality.
I want to expand a bit on the requirement for confidentiality. It's not always recognized as a fundamental ethical commitment. It's not stated as part of the code of values and ethics of the federal public service, for example. But in my view any claim that you are acting ethically in public service is only as strong as your guarantee of confidentiality.
As privacy professionals, you'll be familiar with the distinctions between privacy, security and confidentiality-privacy being control over the collection, use and disclosure of personal information; security, the process of protection of personal information; and confidentiality, the duty to maintain the secrecy of personal information entrusted to you and not misuse or wrongfully disclose it.
When privacy professionals explain these distinctions to general audiences, they typically focus on privacy, because so often that's the greatest gap in people's knowledge. They caution against misleading people by removing their fundamental right to control their own information and claiming to protect their privacy by ensuring confidentiality or security. That's what you see, for example, when an organization collects information without consent or collects more than it needs, and then encrypts it and protects it with firewalls and limits further disclosure. It's honouring a commitment of confidentiality and ensuring it with proper security-but that doesn't change the fact that it's violated privacy at the outset.
That's what my staff stress when they're making presentations to general audiences. I'm sure that many of you have made similar presentations, getting the message through to people to look beyond security and confidentiality to the more fundamental issue of privacy.
For you as privacy professionals working in the public sector, however, I want to stress the importance of confidentiality.
We often describe consent as the cardinal value for personal information practices. Consent is the means by which people exercise control over their personal information. But the fact is that it plays a less significant role in the public than in the private sector. Public bodies collect, use, and disclose a great deal of personal information on a compulsory basis. That's one very basic way in which the Privacy Act, which applies to federal government institutions, differs from the Personal Information Protection and Electronic Documents Act. It doesn't set out a lot of exceptions to the requirement that personal information can only be collected with consent-there is no such requirement. Personal information collected by federal government institutions must be directly related to their operating programs, but there's no requirement for consent.
That makes sense when you think of what government institutions do. Typically, government institutions collect personal information under statutory mandate. Things like censuses, taxation, or social benefits programs simply can't rely on consent for collection of personal information. But what that means is that public agencies have a lot of power over people's personal information. As a result, the duty of confidentiality is arguably their most important ethical obligation.
The federal Privacy Act can be viewed as a code of ethics for the management of personal information by public sector institutions. I want to turn now to the Personal Information Protection and Electronic Documents Act, or PIPED Act as we call it, and show how it takes matters a step further.
The PIPED Act is also a code of ethics, guiding commercial organizations in their personal information practices. It helps organizations to balance individual privacy rights with their needs to collect, use, and disclose personal information for reasonable purposes.
But it goes beyond just stating ethical principles. It imposes a structure on organizations-not a burdensome or highly bureaucratic structure, but a structure nonetheless-that makes it easier for them to act ethically.
The Act is based around the CSA Model Code, which actually forms part of it and is attached to it as an appendix. The Model Code sets out ten principles of good privacy practice. Most of you will be familiar with these, and I'm not going to list them. What I want to emphasize is the degree to which it requires more than good intentions.
The Code sets out the familiar principles of fair information practices. The purposes for collection of personal information have to be identified at the time of collection. Consent is required, with a few exceptions, for collection, use or disclosure. Collection, use, disclosure and retention are determined by what was consented to. The accuracy and completeness of the information has to be assured.
As important as those are, it's worth noting that the first requirement in the Code is accountability. An organization is responsible for personal information under its control, and it must designate individuals who are accountable for its compliance with privacy principles. In other words, the Code doesn't just call for a particular kind of desirable behaviour. It specifies that the organization is responsible for making it happen, and for designating people in the organization who carry out that responsibility.
The Code also specifies that organizations must protect personal information by appropriate security safeguards. There's a recognition here that personal information is held in trust by the organization, and that the confidentiality that's inherent in holding someone else's personal information is not just a matter of nice words, but is dependent on real actions-on structures.
Organizations must be open about their policies and practices on managing personal information, and make specific information about it readily available to individuals. On request, organizations must advise individuals of the existence, uses and disclosures of their personal information and give them access to it. Individuals must be able to challenge the accuracy and completeness of the information, and have it amended as appropriate. And finally, individuals must be able to challenge an organization's compliance with the principles, lodging that challenge with the individual that the organization has designated accountable for its compliance.
So those are the structural implications of the Model Code incorporated in the PIPED Act-not just rules, but concrete structures and observable actions that produce ethical behaviour. Ensuring that the structure is in place in an organization is a step towards answering Larry Colero's five questions that I referred to earlier. The structure reinforces words and thoughts, and strengthens an organization's commitment to ethical behaviour.
The Act is not reducible to this Model Code, but it's based around it. There are a number of ways in which it improves on the Code. It is stricter on exceptions to the requirement for consent, for example. And of course, it provides for independent oversight and redress, through our office and if necessary through the courts.
The PIPED Act requires commercial organizations to respect the privacy rights of individuals when they collect, use, or disclose personal information. As you know, beginning in January 2004, the Act will apply to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations in Canada. There will be one exception: in provinces with privacy legislation that's "substantially similar" to the PIPED Act, the federal government can exempt all or part of the provincially-regulated private sector from the Act. That is unlikely to be the case in the immediate future in Ontario, so it looks like you will be dealing with the Act.
Obviously, your involvement with it will be limited. The Act doesn't apply to any agent of the Crown. But if you disclose personal information to, or collect personal information from, private companies that are subject to the Act-and in the absence of provincial legislation, all companies will be-then you have to remember that the rules of the Act will apply to them. If you are outsourcing functions to the private sector that involve them using personal information for which you're responsible, you will be requiring them under contract to abide by the provincial privacy laws, which means that there is going to be a double set of rules applying to them.
Complying with the Act means an organization needs to do some homework. It has to review and analyze how it conducts its business to determine its personal information practices-what personal information it collects, why it collects it, how it collects it, what it does with it, where it keeps it, when it uses it, when and how it disposes of it, and to whom it discloses it. And it may have some restructuring and reorganizing work ahead of it, to meet the requirements of the Act.
I want to make clear, however, that we recognize that this is a challenge for small businesses. Large businesses have the resources to comply-training, putting in place the proper people, building the necessary structures. But they won't be the only enterprises subject to the Act. There's no limitation in the Act: any organization that collects, uses or discloses personal information in the course of commercial activities is covered, in the absence of substantially similar provincial legislation.
For me, it's not enough simply to say to them that this is the law of the land and they have to comply. Nor is it enough to trot out comforting platitudes about good privacy being good business. Good privacy is good business, but that doesn't help if it's beyond the resources of a small company. It might be good business for a Mom-and-Pop video store to advertise in the local newspaper, install the best burglar alarm system, and offer weekly loss-leader specials. If it hasn't got the resources to do those things, laws or regulations forcing it to do so are not going to help matters.
We in the privacy protection business, and particularly in my Office, with responsibility for a law that is going to apply directly to many small businesses, have a duty to minimize the impact on them. This Office will not act so as to diminish the relationship with small businesses or their relationships with their customers; on the contrary, we will act to enhance the relationship.
I've taken you on a bit of an excursion, so let me briefly run over what I've talked about so that you can get home again safely.
This is a time of ethical crisis in public service. Your organizations are under a lot of scrutiny from a sceptical public. As privacy professionals, you're well placed to help your organizations survive that scrutiny. You're responsible for what is arguably an organization's most important ethical obligation. People are not going to trust government institutions with their personal information unless they are satisfied that the values and ethics of those institutions are above reproach. Words alone aren't going to convince them of that. You need to build the structures that help the organization to behave ethically. Setting your organization up to comply with the PIPED Act and the CSA Model Code is a major step towards establishing ethical structures.
For all my saying that nice words aren't enough, I want to finish with some. First, one that's pretty meaningful for my Office these days, from Mark Twain: "Always do right-this will gratify some and astonish the rest." And second, one from Henry David Thoreau, reminding us of what this is all about: "Aim above morality. Be not simply good, be good for something."