A Privacy Check Up For Canadians: Is the Glass Half Empty or Half Full?
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at the 10th Annual Privacy and Security Conference
February 3, 2009
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(CHECK AGAINST DELIVERY)
Good afternoon and thank you so much for inviting me to be part of this exciting conference. Congratulations to the organizers on the 10th anniversary of the Privacy and Security Conference. I’m delighted to be part of an event that recognizes the critical relationship between the privacy and security worlds.
I’d like to take a moment to present the members of my Office who are also here. I’ll ask them to stand up....
Both of our Assistant Commissioners are here. Chantal Bernier, who has responsibility for the Privacy Act and public sector issues, is brand new to our Office. I hope you will take the opportunity to introduce yourselves to her.
Elizabeth Denham – no doubt a familiar face to many of you – is responsible for PIPEDA matters.
Steven Johnston, our Senior Security and Technology Advisor, and, also from our research team are, Melanie Millar-Chapman and François Cadieux.
Steven Morgan is our new Director General of the Audit and Review Branch.
From communications, Anne-Marie Hayden, as well as Jill Pyle, who you’ll find at the Office of the Privacy Commissioner booth in the exhibitors area.
And from our Legal Services, Policy and Parliamentary Relations Branch, Ann Goldsmith and Hedy Kirkby.
I know that any one of these folks would be happy to answer any questions you have about our work over the course of the conference.
Some months ago, conference organizers proposed that we call this presentation, A Privacy Check Up for Canadians – Is the Glass Half Empty or Half Full?
Certainly there is some good news to report on the privacy front.
While various federal departments and I are occasionally at odds on certain privacy issues, I appreciate the confidence and support the federal government has demonstrated by nearly doubling my Office’s budget over the last five years.
This funding is allowing us to hire a new generation of tech-savvy privacy experts. We’ve just hired 20 new investigators, who are currently taking part in an intensive two-month training session.
Not too long ago, I marked my fifth anniversary as Commissioner. When I think about where things stood when I first joined the Office, I am amazed at how far we’ve come.
So, that’s the “glass half full.” And while I try to avoid being a “glass half empty” kind of person, I would like to focus my remarks today on some of the privacy issues of deep concern to me. I also would like to share some thoughts on where we should be looking for solutions.
A New Privacy Landscape
New technologies – be they electronic health records, social networking sites, Internet traffic management systems – are constantly raising new privacy challenges for individual Canadians and my Office. We’re currently conducting investigations into complaints about Facebook and deep packet inspection.
Personal information is being collected, shared, analyzed, transferred and stored at an absolutely astonishing rate. And – too often – it is not being properly protected, either by the individuals whose information it is, or by organizations that retain it.
The number and the scope of data breaches we’re seeing around the globe is alarming.
A recent article in The Economist quoted a professional investigator who observed that, whatever purpose a piece of information may have been created and shared for, it will eventually be used for something else – a challenge to orthodox privacy principles.
We face a daunting list of privacy challenges – many arising from new technologies which fascinate us as consumers and contribute immeasurably to the comfort and prosperity of our societies.
These challenges are familiar to each of you. I will risk the disapproval of many of you by saying that I think that the answer to this wide array of challenges is not simply more technology.
Of course, technology may often be part of the solution, but my key message to you today is that people are in charge of how technologies are applied (or not applied); people must bear the responsibility of what happens with the technologies. This may seem to be self-evident, but I believe it’s something we have lost sight of in recent years.
Cultural and Technological Shifts
Some of you may remember Second World War posters like these from history class. The idea of protecting information went well beyond the military context.
The way we see personal information has changed dramatically in a relatively short period of time.
The incredible growth of the Internet, for example, has led to a new ethos: Information is for sharing.
We have a younger generation that has grown up with the World Wide Web and believes that extensive information sharing is good – and that hoarding information is, well, lame. Our recent focus group research on social networking told us that many young people don’t see a downside to disclosing most personal information online.
The world of commerce changed, too. Through the 90s, businesses increasingly recognized that personal information could be a big money-maker. They began collecting, using and selling more and more of it.
In the wake of 9-11, meanwhile, governments around the world have become far more interested in amassing personal information in their attempts to combat terrorism.
Technological advances have clearly played a role in all of these cultural, economic, and political shifts – each one having profound impacts for privacy.
Meanwhile, powerful new technologies mean huge aggregates of personal information are extremely portable.
Little devices can contain massive amounts of personal information and they have an alarming tendency to go missing. You’ll recall how two computer disks containing the personal data of every British family receiving a child benefit – 25 million records – disappeared in the mail.
The privacy challenges arising from all of these shifts are enormous. So, what can we do? What must we do?
Search for Solutions
First, we have to recognize that technology is not a complete solution to such challenges. Privacy problems arising from one technology are rarely solved in the long-term through adoption of another set of technologies.
Most technologies follow the same pattern; someone smart can always find a way to 'game' the system. This goes for any technology or industry.
For a simple case in point, look at the history of code-breaking – one advance in encryption always leads to a reciprocal push in attempts to break the security.
Another example: Look at the global credit and financial markets – some of the smartest, most technologically-sophisticated companies on the planet couldn't save themselves from the disastrous impact of their own collective decisions.
One could argue their technologies – financial data mining, complex credit-ranking systems, sophisticated financial instruments – blinded them to the need for good, old-fashioned approaches such as due diligence, equity evaluation and security guarantees.
And while we need to support technological progress, we need to ensure we don’t focus too much on new technologies as the only solution to privacy. You don’t arrive at long-term solutions to technological problems by just throwing more complicated technologies at them.
Think of it this way: If you wanted to stop car crashes, yes, you’d use a technology such as brakes even ABS brakes, but a more important factor would be driver education – the human factor.
I strongly believe that the keys to protecting privacy are: personal values, personal and corporate actions and smarter enforcement.
Better informed citizens and consumers, more personal responsibility, good corporate practices, better laws and smarter regulatory oversight and strong enforcement are far more effective than simply big, complex technological fixes.
Lessons from Britain
This is exactly what the British concluded after major investigations into that massive data breach at Customs and Revenue.
British experts determined that, while technology might have created the problems that led to the breach by allowing so much personal information to be stored on a tiny disk, technology was not the way to prevent future data spills.
Instead, Britain has adopted a multi-pronged approach, including:
- Privacy training for all government employees;
- More emphasis on the accountability of senior officials;
- A beefed up privacy impact assessment process; as well as
- Stronger enforcement powers for Britain’s Information Commissioner, including the ability to conduct spot checks and to impose substantial fines on organizations that deliberately or recklessly commit serious breaches of the Data Protection Act.
Another important notion now being discussed in Britain is the need to put a dollar-value on personal information.
This is an idea which has challenged us in the enforcement of PIPEDA – how to ascribe a value to the loss of personal information, especially in the absence of provable damages.
We know the worth of the hardware and software that stores personal data; we know the salary of the person who manages the database; but – the vast majority of the time – no one has thought about the value of the personal information.
We also need to find better ways to make decision-makers more accountable for decisions that affect the security and confidentiality of our personal information.
Data breach notification requirements in our laws would be a great help. The “red flags” initiative of the U.S. Federal Trade Commission is one my Office is watching with interest.
In Canada, I am increasingly convinced that we need to seriously study the structure of private-sector data protection enforcement at the federal level. Many observers over the last few years have vaunted the merits of provincial enforcement models as preferable.
Is an ombudsman model the best way to set personal information policy? Does the opaque complaint investigation process serve the best interests of privacy regulation? Should the Privacy Commissioner have order-making powers – as advocates have long been calling for? What would smart enforcement comprise in the 21st Century?
My Office will commission a study by a person with expertise in administrative, access to information and privacy law. The study will eventually be made public to serve as a catalyst for policy discussions.
The study will be made public to serve as a catalyst for policy discussions.
Questions about smarter and more practical approaches to enforcement are also being asked in different regional fora around the globe. APEC, APPA, OECD – Europe. My office participates in these discussions to attempt to contribute to our common understanding of privacy principles and appropriate accountability standards in order to better protect Canadians.
Importance of Training
Another key to preventing data breaches is employee training – again, it is the human element which is crucial.
Polling for my Office in 2007 found that only a third of all businesses reported having trained staff about their responsibilities under Canada’s privacy laws. This is a huge concern!
We recently conducted an analysis of 86 breaches reported to my Office and found that employee awareness and training was the most important contributing factor. It was an issue in more than half of the spills we examined!
We found that very basic mistakes - human errors - often lead to breaches. Breaches are caused mostly by employee misconduct and human error, not technological weaknesses.
A new Ponemon Institute survey found half of business managers have disengaged their laptop’s encryption technology. Again, the human factor at work!
While we’ll never eliminate such mistakes and lapses in judgment, organizations could dramatically reduce the risk to personal information by properly training employees.
The OPC strongly supports efforts to professionalize people involved in the protection of personal information – the work of organizations like the IAPP, CAPA, CAPAPA, the University of Alberta and a Quebec-based organization.
Organizations need to ensure that all employees understand their responsibility to protect personal information. An employee who understands this responsibility will not put CDs containing the sensitive information of 25 million people in the mail!
We will see fewer mistakes, less human error when employees consider themselves as trusted stewards of sensitive data. And bad economic times and cost-cutting should not alter my prediction.
Technology has wrought a sea change in our personal lives and in how our society understands privacy and, at times, put other priorities first.
This change in perspective is not a view we can simply legislate away or upgrade our way out of. Privacy is about people and the choices they make. In many ways, we enjoy privacy to the extent we ask for it, demand it or define it.
While we are seeing a generational shift in attitudes, I am convinced that privacy remains a deeply held but differently defined value among younger Canadians. They expect corporations and governments to take steps to protect their personal information in this transformed privacy landscape.
Governments and organizations must be challenged as they attempt to collect more and more personal information. New technologies and safeguards slapped on the back-end to protect whatever they have collected has its limits – as the continuing data breach saga illustrates.
Let’s not make the mistake of looking only to technology as a major cure for every privacy challenge. I am not alone in this viewpoint. Bruce Schneier wrote an article in the Wall Street Journal a few weeks ago entitled: Why Technology Won’t Prevent Identity Theft. He noted that no authentication system is perfect, pointing out that, “we can reduce the risk of impersonation, but it will always be with us; technology cannot ‘solve’ it in any absolute sense.”
People are at the centre of respecting personal information; people are at the centre of accountability; and people are at the centre of the changes we need to see in order to better protect the privacy of Canadians and other citizens of the world. People make the choices that can lead to a world where privacy is respected.
- Date modified: