Pressing Privacy Issues in the Federal Sector
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
To the 2009 AAIP Conference
Notes for Remarks by
Assistant Privacy Commissioner of Canada
May 6, 2009
(Check against delivery)
Thank you, Françoise [Mme Guénette], and good morning, ladies and gentlemen.
It is a pleasure to have been invited to participate on this panel with two such distinguished colleagues.
As Assistant Commissioner responsible for the public-sector Privacy Act, I would like to share some thoughts today about some of the most pressing privacy issues facing the government of Canada.
In particular, I propose to explore three themes:
- How modern information technologies are forcing changes in the way privacy is protected within the government.
- The difficulty of integrating privacy and national security concerns;
- And specific ways in which the Privacy Act must be updated and strengthened to address modern issues.
1. Technological Challenges
As we all know, information and communications technologies are introducing major new challenges to the security and confidentiality of the personal information of Canadians.
The federal government is the nation’s biggest repository of personal information, and 90 percent of the government’s files are held in electronic form.
Thanks to such technologies as e-mail and BlackBerrys, and innovations such as “virtual teams,” many public servants today are communicating more by electronic means than ever before.
This has benefits, including greater efficiency. But more correspondence also creates more records, which need to be managed, archived and protected.
Moreover, because we are human, we often include in our messages a private word or two to our colleagues. Such personal information - if not severed - becomes part of the permanent record of the government of Canada.
We also tend to be hurried, perhaps tired or distracted when we communicate. Clearly, the chance of an accidental disclosure of personal information has increased exponentially over the days of the typewritten memo, filed as a single copy in a metal cabinet.
One solution is for institutions to devise thoughtful information-management policies that:
- Protect the personal exchanges of employees;
- Include protocols for information sharing, such as by managed electronic mailing lists;
- Regularly inform employees of the capacities and potential dangers of the office IT system, and
- Afford the option of secure communications channels.
If accidental privacy breaches are one risk, technology also enables the deliberate disclosure of personal information.
In the interests of transparency and public awareness, federal administrative tribunals such as the Public Service Labour Relations Board and the Public Service Commission choose to post the results of their investigations on their Internet sites - including, in some cases, the names of the individuals involved.
This can be a shock for the affected parties, who find intimate details about their health, financial situation or job performance posted online - often without their prior knowledge.
Our Office has been dealing with nearly 30 complaints about this practice since last year and, because these institutions fall under the Privacy Act, we’ve been taking a hard look.
We are committed to open justice. However, we are not convinced that the principles of transparency and accountability require the disclosure of sensitive personal information, including the names of individuals who appear before tribunals.
The solution we propose, therefore, is the anonymization of decisions. We are working with the Treasury Board Secretariat to develop guidance in this regard for federal administrative tribunals.
Wireless Audit and Cyber-security
The proliferation of technology can also threaten individual privacy through potential weaknesses in the security of government computers.
GhostNet, exposed earlier this spring, appears to have compromised an estimated 1,300 computers in embassies, banks, media organizations and other high-value targets around the world.
The Canadian government’s challenge is to protect its data from such a threat. The Public Safety minister, Peter Van Loan, recently said that Canadians can expect to see — within the next year - a new national strategy to protect Canada’s electronic infrastructureFootnote 1.
Our Office will be anxious to review this cyber-strategy, to ensure it fully protects and respects the security of personal information.
We’re also concerned about the use of wireless technologies in government. Our Office is now auditing the government’s wireless infrastructure, policies and practices with respect to remote computing and the ubiquitous use of BlackBerrys and similar handheld communications devices.
We want to make sure that the personal information of Canadians — from their tax, employment and pension records to their international travel patterns — is safe from hackers and saboteurs.
2. Privacy and National Security
That brings me to my second main point — the challenge of integrating national security with privacy.
I want to underline that these two objectives are complementary. Indeed, earlier this spring, the Auditor General of Canada noted in a report on intelligence and information sharing within Canada’s security apparatus, and I quote:
“For Canadians to have confidence in their security and intelligence organizations, they need to know that government agencies and departments maintain a balance between protecting the privacy of citizens and ensuring national securityFootnote 2.”
In response to her report, Transport Canada and the RCMP recently signed an agreement on better information sharing. We have asked to examine it to ensure it safeguards the privacy of Canadians.
Much more, however, remains to be done. After the 2006 O’Connor Commission report on the Maher Arar affair revealed mistakes in information sharing with tragic consequences for Mr. Arar, the Iacobucci Inquiry report, issued last October, linked — albeit indirectly — the torture of three Canadians to errors in the treatment and sharing of their personal information by authorities.
3. Privacy Act Reforms
While the Privacy Act sets out important rules for the appropriate collection, use and disclosure of personal information by government organizations, we’re also cognizant of the fact that it could do so much more.
Passed in 1983, the Act is outdated and inadequate. While we await a wholesale overhaul, we have proposed 10 “quick fixes” to address some of the most urgent shortcomings.
For reasons of time, I’ll mention just four:
“Quick fix 1” would see the law include a “necessity test,” which would oblige institutions to demonstrate the need for the personal information they collect.
Another recommendation would expand the grounds for judicial review, including possible damage awards, for people whose privacy has been breached by the state.
We’d also like to see a toughening of the rules for privacy impact assessments, or PIAs. Departments proposing to develop or substantially change a program or service should be obliged by law to report publicly on the impact of the initiative on the privacy of Canadians — before the initiative is implemented.
And one last “quick fix” I want to mention would strengthen the provisions governing the disclosure of personal information by the Canadian government to foreign states. The justification for that recommendation is underscored by the cases of the four Canadian men who were tortured in the Middle East.
With Mr. Arar, the inappropriate sharing of information with U.S. authorities cost Canadian taxpayers $10 million in compensation. And there’s no way to put a dollar figure on the personal cost to him.
One of the values we cherish as Canadians is our right to privacy, particularly in our dealings with the state.
It is the value that breathes life into so many of our other rights and democratic freedoms, as well as our personal autonomy and an expectation of living our lives in peaceful anonymity.
But, like other things of great value, privacy is fragile. It can be shattered through carelessness and inadvertence. It can be overlooked, forgotten or sacrificed as government pursues its agenda, even with the best of intentions.
And it can fall victim to hackers, terrorists and other evil-doers.
All of us in the broader privacy community must remain vigilant, and work together to better safeguard the personal information and the privacy of Canadians.
- Date modified: