A distrustful environment is like a barren tree

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.

How to monitor the implementation of privacy policies and cultivate trust in electronic environments

Remarks at a seminar entitled “Confiance et environnements électroniques”

Montreal, Quebec
November 20, 2008

Address by Nathalie Daigle
Legal Counsel

(CHECK AGAINST DELIVERY)


Introduction

Life often teaches us that one of the best ways of helping someone is to give them responsibility and let them know you trust them. [Footnote 1]

Similarly, in Canada, government and private businesses are responsible for implementing individual privacy protection standards. Canadians expect government and private businesses to respect their right to privacy by acting in accordance with the requirements of privacy legislation and the policies they adopt.

If privacy protection were fully developed in Canada, we would all be satisfied with the work of government and businesses and their attempts to ensure compliance with fair information practices. But threats to privacy are growing with the emergence of new technologies, and the law does not prevent all evils. The defence of the basic right to privacy protection has two bases: (1) change in information management practices, and (2) public awareness of the importance of privacy protection.

We have seen the environment change over the last twenty years. It is now obvious that pollution is harmful and recycling has become our habit. The same new awareness has to dawn concerning personal information: it is harmful to collect this information without consent, circulate it with indifference, and conceal information practices from the public. It is also harmful not to afford this information the protection it needs.

It is therefore important for governments and private businesses to design privacy protection standards that protect their personal information holdings. They can do this by identifying the inherent risks to privacy and committing themselves to minimize them. It is also important to make citizens aware so that they properly safeguard their own personal information.

We must not forget that the trust of citizens and Web users has to be won and is a major factor in any environment: without it, no project can come to fruition. [Footnote 2] As noted by Quebec writer Napoléon Bourassa:

There is always greatness and courage in the trust given to those who ask it of us, and this can only inspire esteem and compassion.

A multi-faceted mandate for the Office of the Privacy Commissioner of Canada

But trust does not rule out control. Parliament has mandated the Privacy Commissioner of Canada, Jennifer Stoddart, to act as ombudsman, defender and keeper of the Canadian people’s right to privacy. The Commissioner therefore ensures that the federal public sector and the private sector (in provinces without laws substantially similar to the Personal Information Protection and Electronic Documents Act (PIPEDA)) address how they handle personal information and informs the public of their right to privacy protection.

More specifically, the Commissioner oversees the management of personal information by government and businesses and ensures the enforcement or implementation of:

  • the Privacy Act, which applies to federal institutions;
  • the Personal Information Protection and Electronic Documents Act, which governs the handling of personal information in the course of commercial activities in the private sector;
  • Treasury Board Secretariat privacy protection guidelines and policies for federal departments and agencies; and
  • privacy policies adopted by businesses subject to the PIPEDA.

For both public and private sectors, it is worth handling personal information properly since trust in this area is won in drops and lost in buckets.

The Commissioner’s role in monitoring the implementation of privacy policies

It is part of the Commissioner’s mandate to oversee the application of the law and the implementation of privacy protection guidelines and policies in federal departments and agencies and businesses subject to the PIPEDA. However, it is up to government and business—not the Office of the Privacy Commissioner (OPC)—to establish effective standards for privacy protection. The design and implementation of these standards must be developed internally and not be imposed from outside.

An outside monitoring agency like the OPC can and should suggest the main components of effective standards. It can also conduct reviews and audits after the fact to see whether all is going as planned. Yet success in this process is really the responsibility of government and businesses.

Government online or e-government

Government agencies—and the public as well—press for the introduction of online government services. Actually, Canada’s success in this area is remarkable. Online services offered to Canadians ensure less pointless duplication of information and better service to citizens.

But the more information that exists in a system, with more visits and users, the more vulnerable people are to overmonitoring, whether by governments or officials. Can we accept what amounts to a detailed personal file and trust government not to misuse it?

Federally, in fact, e-government is here, but the law always runs far behind. The 25-year-old Privacy Act requires government institutions to inform people of the reasons why their personal information is being collected. But the law should require stricter compliance with the principle that personal information is to be used solely for the purposes of its collection. The law should also establish stricter controls for accessing the information pool.

If the government wants to be more connected with its citizens, it must assure them of greater protection. The government must remember that when it comes to protecting privacy, citizens do not extend their trust: they loan it. [Footnote 3] The government must therefore set an example to nurture its citizens’ trust.

Lastly, the Privacy Act, despite its needed reform, should not impede the proper management of personal information, especially since increased protection can be gained with the guidelines and policies issued by the government.

Businesses subject to the PIPEDA

Apart from attempts by fraudulent third parties and skilled hackers, several major incident reviews by the Privacy Commissioner’s Office have shown that the absence of clear, effective privacy policies and lack of employee training leads to contraventions of legislation and ineffective handling of personal information.

In April 2008, for instance, the Commissioner shared her concerns about the privacy practices of a major online box office, Ticketmaster Canada Ltd. The Commissioner started an investigation after someone complained that the company’s policies and practices for the collection, use and disclosure of its clients’ personal information were not compliant with the PIPEDA.

During this investigation, the Commissioner focused on the issue of consent, but also looked at whether Ticketmaster was following the PIPEDA principles of access, transparency, and accountability. The investigation revealed that, though the company did have a privacy policy, it was lengthy, complex, and difficult to read.

It turned out that, to buy their tickets, the clients of Ticketmaster’s online service had to consent to the use of their personal information for marketing purposes, in glaring contravention of the PIPEDA. As a result of the investigation, Ticketmaster reviewed its privacy protection practices so that it was clear what information was collected, with whom it was shared, and how it was used. The company also edited its online notices and call-centre telephone scenarios to allow clients a chance to consent to let Ticketmaster and certain event organizers send them marketing information.

Ticketmaster US also amended its privacy policy to make it easier to understand and use. Yet the company did not implement a system for its American activities that would give clients a chance to consent to receive marketing information as it had done for its Canadian and UK operations. [Footnote 4]

It is important for businesses operating in Canada and abroad to adopt the highest possible privacy protection standards to comply with Canadian privacy legislation. Multinationals must ensure that their online presence reflects the PIPEDA. Web sites accessible from Canada may fall under OPC investigative jurisdiction [Footnote 5] and must therefore comply with the PIPEDA.

In the end, Ticketmaster’s steps to resolve complaints to the OPC were deemed satisfactory. However, the Commissioner said she was “very concerned about the idea that, seven years after PIPEDA’s promulgation, a major firm working online across Canada was breaking the law.”

In short, during the Commissioner’s investigations, it sometimes seems that companies don’t know the law and have not established a system of accountability. The Commissioner’s Office has developed an array of tools and resources to help companies with PIPEDA compliance. Last year, it launched an interactive online learning tool to help businesses bring their privacy protection practices and policies in line with the Act. It also produced a PIPEDA handbook entitled, Protecting Personal Information: Your Responsibilities.

In sum, e-commerce is steadily growing and clients the world over are expecting businesses to protect their personal information amid their commercial endeavours. The Commissioner’s message is this: “Clearly, the establishment of best privacy practices for all company operations is good for business. And besides, it’s the law in Canada.” This means that businesses subject to the PIPEDA should be mindful of the following quote from Quebec novelist Charlotte Savary: [Footnote 6]

The key that opens every door … trust.

The regulators’ role in raising awareness of these issues

The Commissioner’s Office circulated a discussion paper on the role of identity in society in January 2008. It sets out to enlighten the public on how identity shapes the right to privacy. It outlines the basic concepts around identity, including identification and authentication. Individuals have a major role to play in protecting their personal information. It is up to them to ask questions and avoid the use of untrustworthy identification and authentication processes.

In July 2008, a survey commissioned by the OPC revealed that more than half of Canadians are uneasy about giving retailers their personal information. Personal information is increasingly prized in the marketplace. Consumers are taking charge and increasingly challenging demands for personal information. Admittedly, businesses need to know and understand their clients, but if they are unable to explain why they are collecting our information, we do not have to give it to them.

Remember that the PIPEDA requires businesses to reveal why they are collecting personal information, limit the amount and type of information collected to that required for their stated purposes, and take appropriate steps to protect and secure the personal information in their control.

Lastly, carefree Web users should commit to memory this quote from French poet and playwright Pierre Corneille: [Footnote 7]

Too much trust attracts danger.

CONCLUSION

Globalization and the growth of online businesses are increasing the transborder flow of personal information. With the commodification of this data, its value continues to mount. Can our federal laws protect personal information in this ever-changing world? These are some of the underlying issues the laws must deal with. At the same time, the adoption of effective policies or guidelines may enable us to offset the potential ramifications of emerging technologies for privacy protection.

In this presentation, I have outlined some of the issues with which the Office of the Privacy Commissioner must deal on a practical level. These privacy protection issues are important because they affect people’s lives. The proof of this is that people keep lodging complaints about how government and businesses are managing their personal information.

As stated by Italian painter and scholar Leonardo da Vinci: [Footnote 8]

Experience shows that he who never trusts will never be disappointed.

Yet the refusal to trust anyone is not a solution either. Instead, government and businesses must set the example to gain people’s trust if they want to keep dealing with them in an electronic world. How can they do this? With a secure Web site and an effective, understandable privacy policy.

In electronic environments, people will undoubtedly keep showing the courage to trust others and, remember, this can only inspire esteem and compassion. Basically, is human nature not already inspired by nature? Would birds build nests without their instinctive trust in the world? [Footnote 9] Let us tap into the same instinct to protect our personal information by sharing it only with those deserving of our trust!

Endnotes
