Protecting Privacy During Investigations
Remarks at the Fraud: Prove It Seminar
March 17, 2009
Address by Chantal Bernier
Assistant Privacy Commissioner of Canada
(Check against delivery)
I am delighted to be here and I’d like to thank the organizers of this seminar for making privacy issues a key component of the program.
At first glance, privacy and forensic investigation may seem like two issues that are somewhat at odds with each other – your goal is to uncover and reveal the facts; while privacy is about limiting the exposure of information.
However, the two may not be quite as incompatible as they first seem. In fact, I would argue that the two are complementary – I would even go so far as to say that the principles of privacy can actually assist you in your investigations.
Considering how sensitive the information you uncover is, your understanding of the privacy law framework is absolutely crucial.
This morning, I would like to offer a general overview of the legal and governance framework for privacy law in Canada.
From that legal framework, we draw the key privacy principles that should guide you in your work. I’d like to offer some concrete tips on how you can implement those principles on a daily basis.
And, finally, I’d like to discuss some recent trends to watch for – and adapt to.
The Legal Framework
Privacy is governed by a mix of federal and provincial acts. You will be able to determine which legislation applies by assessing your status as an employee, contractor or firm engaged in commercial activities and whether you are under any contractual obligations to comply with specific legislative provisions.
If you are an employee of a federal institution listed in the schedule to the Act, the federal Privacy Act will apply. Bodies covered by the Privacy Act include the RCMP, Canada’s national security agencies and specialized units within federal government departments.
If you are a contractor for the federal government, you are subject to the terms of your contract, which must import the relevant legal standards from the Privacy Act.
If you are part of a private company, or your own firm is a private company, the information you handle is likely covered by the Personal Information Protection and Electronic Documents Act – PIPEDA.
This legislation covers commercial activities in Canada, except in B.C., Alberta and Quebec, which have adopted private sector privacy legislation recognized as substantially similar to PIPEDA. Some provinces have enacted legislation covering personal health information.
Finally, if you are acting on behalf of a provincial government agency or a municipal government, the privacy issues are governed by the relevant provincial legislation and/or contractual provisions.
Before you begin any investigation, ask yourself this question: What is my legal framework in terms of privacy? In other words, based on my status as a public servant, contractor or private sector firm and the province in which I operate, what are the laws that protect privacy that I need to be aware of and what are my contractual obligations?
The application of the various laws can be extremely complex in the context of investigations. For example, individuals who are covered by PIPEDA may also be required by contract to comply with the Privacy Act when doing investigative work for federal institutions subject to that Act. Treasury Board has advised that where more than one law applies, the most stringent privacy principles or standards should be adopted.
Make sure you seek expert advice if you’re not sure what your obligations and responsibilities are!
Governance Structure at the Federal Level
The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.
The Commissioner is an Officer of Parliament.
We oversee the two federal laws I mentioned a moment ago, the Privacy Act, which governs the management of personal information in federal public institutions, and PIPEDA, which applies to the private sector.
As an ombudsman, the Commissioner receives and investigates complaints about departments and businesses covered by these two laws. If our Office finds that the complaint is justified, we work with the organization to improve its privacy policies and practices.
Although the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence, we rarely use these powers – most organizations co-operate with our Office.
We also do research, policy development and public education to support public and private organizations in protecting the right to privacy.
We support federal government departments in assessing the privacy impacts of programs, government policies and legislation.
This work includes conducting audits of federal departments and programs.
By way of example, you may have recently seen news reports about our audit of Elections Canada. We found that gaps in the way in which the personal information of Canada’s 23 million registered voters is governed could expose Canadians to serious consequences such as identity theft.
Last year, we completed audits which raised privacy concerns related to both the RCMP’s exempt data banks and Canada’s passport operations.
I am responsible for the implementation of the Privacy Act, which has been in place since 1983.
My fellow Assistant Commissioner, Elizabeth Denham, is responsible for PIPEDA issues.
I should also note that the federal structure is divided between the Office of the Privacy Commissioner and the Office of the Information Commissioner. Our Office deals with issues around access to personal information, while their mandate focuses on access to other types of information held by the federal government.
Governance Structure at the Provincial Level
There are a large number of provincial acts relating to privacy issues.
Here in Manitoba, for example, you have the Freedom of Information and Protection of Privacy Act, or FIPPA, which applies to both provincial and municipal entities.
Manitoba also has legislation protecting health information, the Personal Health Information Act (PHIA).
Most provinces and territories have Information and Privacy Commissioners, although a few, including Manitoba, have an Ombudsman.
At the provincial level, officials are responsible for both access to information and the protection of privacy rights.
The provincial offices are independent agents of their respective provincial legislature.
Privacy and Contractors
The use of contractors in forensic investigations has increased significantly in recent years.
If you are contracting out, you’ll need to ensure your contractors understand which privacy law applies to their work – and, of course, that they will fulfill the obligations contained in that legislation.
It is strongly recommended that private sector organizations stipulate these requirements in your contract. Government institutions must ensure that their contractual arrangements do not weaken their ability to comply with their obligations under the Privacy Act.
You should also state in the contract that, at the end of a project, the contractor must give back all documentation containing personal information.
We’re currently investigating a case in the federal public sector involving a contractor who widely disclosed an individual’s personal information. We discovered that there was no language in the contract about abiding by the Privacy Act. (The department has since changed its standard contract.)
Under the Privacy Act, contractors must be required by contract to abide by the same rules that govern public servants. When it comes to privacy, they need to follow the same rules as government employees.
Legal Backdrop: Canadian Charter of Rights and Freedoms
The backdrop to our legislative and governance framework is the Canadian Charter of Rights and Freedoms – specifically Sections 7 and 8.
As the supreme law of Canada, the Charter applies to government action and guarantees a number of rights and liberties for everyone in Canada.
Since there is no explicit and freestanding right to privacy in the Charter, if a right to privacy exists under the Charter, it has to be found in the provisions that touch on matters of individual autonomy.
Section 8 is the most widely recognized source of privacy protection in the Charter.
It operates to protect an individual’s “reasonable expectation of privacy” from unreasonable state intrusion.
Where there is no “reasonable expectation of privacy”, section 8 has no application. This is because state intrusions will only be characterized as “searches” or “seizures” where an individual can be said to have a “reasonable expectation of privacy”.
Therefore, to determine whether there has been a breach of s. 8 of the Charter, one must first ask whether a government action violates an individual’s reasonable expectation of privacy in the circumstances.
If not, there is no “search or seizure” within the meaning of section 8.
If there has been a violation of the reasonable expectation of privacy, the analysis proceeds to an assessment of the reasonableness of the search/seizure in the circumstances.
The law recognizes three general zones of privacy:
- Territorial – the best example of which is your home;
- Personal or corporeal, which involves the privacy of the human body and physical personality including images and voice; and
- Informational, which relates to the privacy of intimate details of your personal life, including sexual orientation, employment, social views and so on.
Whether a reasonable expectation of privacy exists in any particular case depends on the totality of the circumstances. Courts will consider factors such as:
- the subject matter of the search/seizure;
- whether an individual has a direct interest in the subject matter of the search/seizure
- whether an individual has a subjective expectation of privacy in the subject matter of the search/seizure;
- if yes, is this subjective expectation objectively reasonable, considering factors such as:
- the circumstances in which state intrusion occurs;
- the place where state intrusion occurs;
- the purposes of the state intrusion; and
- the nature of the privacy interest at stake – territorial, informational or personal (physical)
- whether the subject matter was in plain view;
- whether the subject matter had been abandoned;
- whether the information was already in the hands of third parties; if so, was it subject to an obligation of confidentiality?
- whether the police technique was intrusive in relation to the privacy interest;
- whether the search exposed any intimate details of the Applicant’s lifestyle, or information of a biographical nature
A recent notable example of this analysis was the Supreme Court of Canada’s finding in the sniffer dog cases that high school students have a reasonable expectation of privacy in the contents of their backpacks: “backpacks are the repository of much that is personal, particularly for people who lead itinerant lifestyles during the day as in the case of students”.
Where a reasonable expectation of privacy has been found to exist, the next phase of the analysis is whether the search or seizure in violation of a reasonable expectation of privacy was reasonable under the circumstances.
In assessing the reasonableness of a search or seizure, courts will generally consider:
- Whether the search/seizure was authorized by law;
- Is the authorizing law itself reasonable;
- Whether the manner in which the search was carried out was reasonable
Necessity and proportionality; consent; accuracy and security are some of the key privacy principles that apply regardless of whether you are operating under the Charter, federal privacy laws or provincial privacy laws.
I’ll deal with each one in a bit more detail ...
Necessity and Proportionality
A necessity test is internationally recognized as a basic privacy principle.
There’s a necessity test in PIPEDA as well as the public sector legislation in almost all provinces and territories.
There is also a necessity test included in Treasury Board policies and we have asked the federal government to make it an explicit legislated requirement at the federal level.
During the course of our work, we’ve found examples of unnecessary collection in both the public and private sectors.
For example, our Elections Canada audit raised concerns about the information the agency was collecting from provincial agencies for the purpose of updating the national voters list.
Elections Canada was receiving the personal information of 16 and 17 year old drivers from provincial motor vehicle registrars – even though these teenagers aren’t old enough to vote. The agency had also been automatically receiving other information that it was not seeking – such as whether a person’s driver’s licence had been suspended.
The agency agreed to follow our recommendation to stop collecting information it doesn’t need.
A good example from the private sector involves the retail sector and its collection of driver’s licence information from people returning merchandise without a receipt.
In our investigation of the breach at TJX – the U.S. retail giant which owns Winners and HomeSense stores in Canada – we found that hackers gained access not only to credit card numbers, but also driver’s licence and other identification numbers.
We understand the need to identify fraudulent returns, but have serious concerns about recording people’s driver’s licence and other sensitive identification numbers.
In response to our concerns, TJX proposed an innovative new process to deal with fraudulent returns which doesn’t involve keeping driver’s licence numbers in its system.
Store staff will continue to ask for identification where there is a valid business reason to do so. However, when information such as a driver’s licence number is keyed into the point-of-sale system, it will be instantly converted mathematically into a unique identifying number that can’t be readily linked back to the individual.
Our Office, along with the Alberta and British Columbia Commissioners, recently issued guidelines advising retailers to exercise caution when it comes to collecting information from consumers’ driver’s licences and recording the numbers.
A necessity test is a vital principle of privacy protection. By building better controls at the collection point, there is less potential for the misuse or disclosure of personal information.
You can also lower the cost of collecting, storing, retaining and ultimately archiving data.
Generally speaking, privacy principles require organizations to inform individuals in a meaningful way of the purposes for the collection, use or disclosure of personal data.
Consent should be obtained before or at the time of collection, as well as when a new use is identified.
Consent is only meaningful if the individuals understand how their information will be used.
Personal information may be collected without consent if obtaining consent would compromise the availability or accuracy of the information and collection is required to investigate a breach of an agreement or contravention of a federal or provincial law.
Under the Privacy Act, the basis of collection is need – that personal information is needed for an institution to administer and operate programs. In an Employment Insurance investigation, for example, the personal information collected has to be directly related to that investigation.
Under PIPEDA, consent is the basis of the collection of personal information. Even during an investigation, you need to obtain consent unless an exception to the requirement to obtain consent applies.
Consent – Disclosure Exceptions
There are also exceptions allowing for the disclosure of personal information without an individual’s consent or knowledge.
Under PIPEDA, organizations may disclose personal information without the individual's knowledge or consent in a number of instances, for example:
- To comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
- To the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act;
- To a government institution for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law.
- To an investigative body named in the Regulations of the Act or government institution on the organization's initiative when the organization has reasonable grounds to believe that the information concerns a breach of an agreement, or a contravention of a federal, provincial, or foreign law.
Privacy laws exist to protect the rights of individuals. They are not intended to stand in the way of justice, so they provide a certain amount of latitude in the case of investigations.
But I want to emphasize that this exemption, along with others, is meant to help ensure we continue to live in a safe and just society. It is not meant to be used as an excuse to gather whatever information you can find.
As investigators, it is essential that you strike a balance between your efforts to expose wrongdoing and the obligation to respect individuals’ right to privacy.
You should be able to articulate the rationale for why you are collecting or disclosing personal information.
Accuracy is another principle that is particularly important in the context of investigatory work.
I suspect I don’t need to say this to a profession that attracts accuracy aficionados, but … it is incumbent on you to keep personal information as accurate, complete and up to date as necessary, taking into account its use and the interests of the individual.
Personal information should be updated when necessary to fulfill the specified purposes. One way to determine if information needs to be updated is to ask whether the use or disclosure of out of date or incomplete information would harm the individual.
A word of caution about expressing opinions about an individual – for example, “It’s my opinion that Miss X is a crook.” The opinion becomes the personal information of that individual. Opinions are not only the personal information of the writer. They are also the personal information of the object of the opinion. This concept is not widely understood.
My advice is to remember that opinions about an individual could be subject to an access to personal information request. Be particularly careful about off-hand comments that could come back to haunt you.
I’d also propose a couple of other tips to help ensure that the personal information in your care is accurate:
- Record the date when the personal information was obtained or updated.
- Record the steps taken to verify accuracy, completeness and timeliness of the information.
An important step to fulfill your responsibility to safeguard personal information is to develop and implement a security policy.
Security measures should include:
- physical measures such as locked filing cabinets, restricted access to offices, and alarm systems;
- technological tools such as passwords, encryption, firewalls;
- organizational controls – for example, security clearances, limiting access on a "need-to-know" basis, staff training and agreements.
You should keep sensitive information files in a secure area or computer system and limit access to individuals on a "need-to-know" basis only.
You should also review and update security measures regularly.
You should also make employees aware of the importance of maintaining the security and confidentiality of personal information. One way to ensure awareness is by holding regular security training.
Another important point: When you pass along information, for example, to a client, make sure personal information that has no relevance to the investigation is removed or blocked out.
And, finally, don’t keep information for longer than you need it.
Going back to my earlier example of the Winners/HomeSense breach, we found the company was keeping some personal information indefinitely – for long after it was actually needed. Hackers wouldn’t have been able to get their hands on that information if it had been disposed of in a timely and secure way.
Trends and Threats
Let’s shift now to look at some of the key emerging trends in privacy – some of which may touch on your work.
The range of threats to the privacy of Canadians is vast. In our global society, security, trade, technology and consumer expectations have created a volatile atmosphere for our personal information.
Globalization raises the challenge of trying to find a cross-border privacy language.
Technological advances hold out the promise of greater convenience, but sometimes at a cost to privacy and the ability to control our personal information.
Governments appear to believe – mistakenly, in many cases – that the key to national security and public safety is collecting mountains of personal data. Privacy often receives short shrift as new anti-terrorism and law enforcement initiatives are rolled out.
Personal information has also become a hot commodity in the private sector.
Adding to our concerns is the fact many businesses fail to adequately protect this sensitive information – leaving it vulnerable to hackers and identity thieves.
The list of issues that our Office deals with each day will always be long. However, we have identified four top strategic priorities to help us to take a more focused approach to emerging privacy issues.
These priorities are: Information technology, national security, genetic information and identity integrity, or identity theft.
The speed at which technologies are developing is truly breath-taking. Many emerging technologies are raising new risks for privacy – RFIDs, surveillance technologies and nanotechnologies, to name but a few.
The mere fact that information is now held electronically changed your world: through email in particular, people now create a high volume of written documents, with no quality control and no proper archiving. These emails also contain a high level of personal information for you to sift through and protect.
Cyber crime – as criminality occupies cyber space, forensic investigation has to move there as well. Our challenge, you as investigators and us ombudsmen, watch dogs, is to be absolute “cracks” at technology – it is essential to do our work to master every new tool cyberspace offers. For you, for us, it means hiring very strong IT people.
One technological development that is extremely relevant to your work is the rapid expansion of “cloud computing.”
This is where software and data are stored on servers hosted by a service provider, and the business applications are accessed via a web browser, from anywhere you have Internet access.
The issues for forensic investigations become far more complex than visiting an office and looking through file cabinets, computers and servers right there on the premises.
With traditional partners and service providers who handle your sensitive data, you have a pretty good idea where your data is and can extend appropriate security controls to protect it. But with cloud computing, you don't know and, as a practical matter, can't know where your data is. You don't know what server is computing for you, where it's transiting over which network, even where it's stored as the providers' systems respond dynamically to your rising and falling requirements and those of thousands of other customers.
The flexibility and scalability that make cloud computing attractive make it unpredictable and complicate the conduct of forensic examinations. For example, how do you figure out where a document was stored in order to recover it? This will be a major challenge.
Handheld devices only exacerbate the technological challenges I have just mentioned: they complicate tracking with PIN to PIN exchanges, they generate written records “on the fly”, thus with great potential for inaccuracies.
Wireless communications – and we are conducting an audit of such in six federal government departments – may highly increase the vulnerability of personal information by making illicit access possible.
Some of you work on investigations related to identity theft and have a first-hand understanding of the massive scale of this global problem.
Systemized attacks on corporations by criminals who are able to harvest large quantities of personal information are resulting in significant costs for corporations, which trickle down to all of us.
Our Office has been urging the federal government to pass identity theft legislation and to take strong legislative action against spam.
We are also calling on the government to take a more coordinated approach to identity protection. At the moment, a number of departments and agencies are interested in preventing identity theft, but no one has overall responsibility for doing anything about it.
We see the vulnerability coming mainly from these trends:
- Social networks, where a person shares personal information with 800 “friends”, whether Facebook or Patients Social Network;
- People search engines – facilitating search on a person who has never even exposed herself;
- Increased gathering of information: stores asking for your phone number, banks and credit cards asking for personal identifying information (mother’s maiden name).
I hope you will take away a few key privacy issues to keep in mind when conducting your investigations.
First, consider which privacy legislation applies. In some cases, this is complex and you may need to seek expert advice.
If you’re using contractors, you must ensure they are aware of their legal responsibilities and obligations – put this requirement right in the contract!
Finally, be mindful of key privacy principles: Necessity and proportionality; consent; accuracy and security.
Privacy laws can actually help you in your investigations. By playing by the privacy rules, you will actually end up imposing even greater rigour to your investigation.
This means you will likely end up gathering a lot less information; however, what you do gather will be essential and will help you build your case.
Conducting forensic investigations involves painstaking and detailed work which may result in the collection of a lot of extraneous personal information.
Knowing your obligations and responsibilities when it comes to privacy is important.
Part of the reason you belong to an organization like the Association of Certified Forensic Investigators of Canada is that you are committed to excellence – doing a job thoroughly and doing it right.
We need organizations like this one, which is dedicated to getting to the bottom of fraud, but is committed to doing so by following the rules.
Your investigative work often reveals new threats and challenges; new holes in systems; new issues to consider. We watch these developments with great interest and strive to ensure that our work reflects the realities of today’s society, while championing the privacy protections that we all hold so dear.