Privacy Protection in the Public Sector
Challenges and OPC responses

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at CAPAPA Conferences

May 5, 2010
Toronto, Ontario
Vancouver, B.C.

Address by Chantal Bernier
Assistant Privacy Commissioner of Canada

(Check against delivery)


Good morning and thank you for inviting me to join you today.

We know that CAPAPA plays a cornerstone role in Canada's access and privacy landscape, and is dedicated to the professional development of privacy and access professionals in both private and public sectors.  So I'm very happy to be here with you today"

I was asked to provide you an update on privacy protection with respect to organizations subject to the Privacy Act  including issues, decisions and new developments.

So here is how I intend to go about it:

  • First, for the sake of discussion, I thought we could just remind ourselves what are the characteristics of privacy protection in the public sector – what is at stake?
  • Second, what are the risks?
  • And thirdly, how is the OPC addressing these risks – describing both our work strategies and our substantive decisions.

I. Characteristics of Privacy Protection in the Public Sector

So what characterizes privacy issues in the public sector?

  1. Firstly, democracy and freedoms are at stake. We’re not just talking about fairness, we’re not just talking about individual rights, we are talking about the relationship between State and citizens, about democratic values.  Concretely, that means every issue has ramifications beyond an individual case or a specific policy.

    For example, when the Canada Revenue Agency envisages implementing a web crawler to collect information from the Internet on various businesses and do bulk markers against CRA databases to develop risk profiles for fraud and non-filers, an undeniably valid purpose, it is redefining the rights of the State to exercise surveillance on individuals.
  2. Secondly, and it follows from that first point, precisely because of the deep implications of public policy on privacy, it affects long-term social change.

    For example, how soon do you think we will be able to take a flight without being treated like a suspected terrorist?  My guess is, long after the threat will have abated. Because we will have grown to socially accept the restrictions on our privacy.
  3. Thirdly, the public sector collects the most sensitive type of personal information.

    Sure, a private company may get nosy: a store will ask you your phone number to inform you of their promotions, a bank will justifiably want your credit history before it gives you a loan.

    But the government holds information no one else can even pretend to have: your SIN, your exact level and source of income and, in relation to law enforcement authorities, your whereabouts, your encounters with the law etc…
  4. Finally, the government has a lot of power to use that information: particularly in relation to national security and law enforcement, what the government knows about you can land you in a lot of trouble, fairly or unfairly, as we have seen, most extremely, in the case of Maher Arar.

Bottom line: privacy protection in the public sector is a potent issue and therefore requires the highest level of vigilance.  Why do I mention it?  Because it is easy to be complacent in the face of a well-run democratic government as we have in Canada.  And yet the risks are there.

II. Privacy protection risks in the public sector

Let me move then, specifically, to what the risks are.

In our last Annual Report we boiled them down to two main ones:

  1. The policy pressures coming from a changing public safety and national security context.
  2. The power and vulnerability of the now all pervasive information technology.

Let me expand on each, as each has defined the scope of our work in the last few years.

1. Policy pressures from public safety and national security policies.

We need to acknowledge that the context of public safety and national security has changed.

To use the words of Justice Beverley McLachlin, while terrorism in not new, the modalities of terrorism have changed.  The same can be said for crime.  And the way these modalities have changed, completely changes the privacy landscape:

  1. In relation to national security, the threat has gone from States to individuals: we are no longer watching the Soviet block, we are watching a diffuse network of individuals.  The impact that is relevant to us is that government surveillance is now more focussed on individuals and that has increased the collection of personal information, thus raising privacy implications.
  2. In relation to crime, the key development that is relevant to us is that crime has moved to the Internet, either as a convenient, anonymous instrument for criminal activity, or as a target, through cyber-attacks.

    This impacts on privacy in two ways: firstly it calls for law enforcement to act on the Internet, therefore to penetrate a territory that is widely considered personal; it means Internet surveillance

    Secondly, it puts personal information at risk through cyber attacks.  You will see in our last Annual Report, reference to a hacker breaking into Agriculture and Agrifood Canada computer system and exposing credit information of 60,000 agricultural producers.

This leads to the second main risk in public sector privacy protection:

You are all confronted, every day, to the potential and the perils of a connected world: emails transmit almost instantly information that used to take days to reach its destination…and they can go to the wrong person, just as fast.

Emails have replaced long talks and therefore transform these long talks into volumes of written information.

Emails are casual, typed from various devices, various locations, and spread information widely and…wildly.

Adding to this phenomenon, is the increased reliance of government on the Internet. The benefits of on-line government as a democratic tool and a service tool are undeniable. 

However, transparency takes a different meaning when it means rendering personal information accessible worldwide, without restriction.

I am referring specifically to decisions of administrative tribunals, an issue we have raised in our 2007-2008 Annual Report. We have developed guidelines with our provincial and territorial counterparts on this to properly balance transparency of the adjudicative process and privacy.

This increase in volume of written records and decrease in quality of records is problematic in itself because of the pressures they put on information management but all the more so in light of the security issues information technology brings.

The loss of one unencrypted laptop or USB key is enough to expose 80, 000 citizens. Cyber-attacks are difficult to counter, with hackers always a step ahead of security measures.

The Spring Report of the Auditor General, issued last April, raises concerns about the aging information technology infrastructure of the federal government – again this puts the private information it holds, at risk.

These two main pressures translate into two mains challenges for the public sector.  They were clearly brought home to us when, through the Public Policy Forum, we held roundtables of senior public servants on the current challenges regarding privacy protection in the public sector.  This is what we heard:

  • Public servants need guidance to reconcile privacy with other policy goals in this new context of threat, and
  • Information technology is developing faster than our policies to manage it.

In light of these fast evolving challenges, the OPC has implemented new strategies and new approaches.

III. OPC Strategies and Decisions

Let me start first with our administrative strategies, before I move to our substantive approaches and decisions.

1. OPC Strategies

I will summarize our strategies in five categories.

  1. First, we have chosen to identify the main threats to privacy at this time, and focus our efforts on those.

    We have identified 4 policy priorities, namely areas where we feel privacy protection is most at risk:
    • National security, because of the growing reliance of the government on personal information to ensure security;
    • Genetics,  in view of the technological developments that bring genetic information into play for a variety of purposes, whether it is the DNA databank to assist in criminal investigations, assisted reproductive technology which gathers genetic information or, in the private sector, direct consumer testing or testing for insurance or employment purposes;
    • Information technology, for the reasons I have mentioned before – we felt we needed to scope out exactly what the technological potential is for both the vulnerability of the personal information as well as for its protection;
    • Finally, identity management, as we see a proliferation of misuse of personal information through online dealings or the use of social networks.

    Having identified these 4 priorities means that we have aligned our efforts and resources to address them, whether in relation to research, public education. auditing or policy analysis.

  2. Our second strategy is to adopt administrative measures in lieu of the legislative reforms we had asked.

You may know that the Commissioner has put before Parliament a series of 12 Quick fixes to bring the Privacy Act to modern times.  While Parliament has recommended legislative reforms to the Privacy Act, the Government has chosen not to pursue them.

So we are moving forward with administrative measures that seek to modernize implementation of the Privacy Act . For example, while the Privacy Act has not been amended to reflect modern methods of collection of personal information to include electronics, we are assuming jurisdiction on the basis of the letter of section 3 of the Act which refers to information that is “recorded in any form”.    

  1. Our third strategy is to strengthen our compliance tools, namely
    • Increase the number of audits
    • Develop a three-year risk-based audit plan
    • Reframe Privacy Impact Assessment Reviews to ground them in human rights law  - what I mean is that we require federal institutions to address first, in relation to all their policies or programs that may have an impact on privacy, the four part test from the Supreme Court of Canada in the case of R. v. Oakes:
      • Why is the collection, use or disclosure of information necessary?
      •  How is it proportionate to that necessity?
      •  How is it effective in relation to that objective?
      • Are there not less privacy invasive alternatives?
    • We have started training of public servants on this new approach and we are developing an expectations document for public servants to address our concerns in the development of their privacy impact assessments.
  2. A fourth strategy, is streamlining our investigations process.

In this strategy, we seek both greater efficiency and greater impact.

For greater efficiency,

  • we have put in place a case management system that allows us to track complaints and monitor process as well as analyze trends;
  • we have increased substantive guidance from the Assistant  Commissioners to investigators as the investigation progresses;  
  • we have issued a policy to determine criteria to determine whether to pursue court action or not in the case of denial of access;
  • we have shortened response delays for departments to come back to us with representations, as the case may be; and
  • we have increased our interaction with departments, particularly those holding most personal information and being subject to most risk.

For greater impact, we have adopted a more systemic approach:

  • we negotiate with complainants the possibility of withdrawing their complaint where there are many and we feel one Commissioner initiated complaint would better address the systemic issue at hand – for example, in the case of the EKOS survey of the Gun Registry;
  • having brought both Inquiries and Investigations and Audit and Review under my responsibility, we have brought together the compliance arm of the OPC; this will allow us to identify follow ups and audits on the basis of complaints as well as allow us to address complaints in the systemic issues they raise.
  1. Finally, we are significantly increasing our education activities

In this regard, we have significantly increased our speaking engagements as well as publications.  Just last year, we have delivered 159 speeches, and we have implemented 40 public education initiatives, ranging from publications, guidelines or a video contest on privacy in high schools.

In conclusion, this is what you can expect from the OPC at least in the in the near future:

  • Increased guidance for Parliament, policy-makers as well as for Canadians on how to reconcile privacy protection with other public policy goals,
  • A more assertive approach based on human rights law on privacy rather that a purely technical concern with data protection, and
  • A stepped up compliance function with more audits, deeper PIA reviews and more Commissioner initiated complaints on systemic issues.

I look forward to discussing these with you and answering your questions.

Date modified: