Privacy, Security and Records Management in the Age of Government 2.0

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the Saskatchewan Access, Privacy, Security, Information and Records Management Forum

September 29, 2010
Regina, Saskatchewan

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

I understand your focus for this conference is on the access-to-information and privacy laws that apply to the public sector in Saskatchewan. At the federal level, the public sector falls under the jurisdiction of the Privacy Act, while the Personal Information Protection and Electronic Documents Act, or PIPEDA, applies to the private sector – including here in Saskatchewan and to federal works, businesses and undertakings.

Ideally, all these laws work together and complement each other, because, when it comes to the protection of personal information, we all share many of the same challenges –

– Challenges related to the sheer volume of electronic data, the potential for data breaches, and the pivotal role of good record-keeping in providing timely access to personal information.

Not to mention the tough decisions we all face on disclosure:

And so it stands to reason that we ought also to share our knowledge and experience, to discuss what works, and to learn from each other at a forum such as this.

Statutory context

Commissioner Dickson has called the privacy law in Saskatchewan an Edsel -- an 18-year-old clunker. I can sympathize, because if yours is an Edsel, ours, at least in the public sector, is a Model T, widely sold and good value at the time, but now largely obsolete.

The Privacy Act came into force 27 years ago, as the Challenger shuttle made its maiden flight, and it’s never been significantly updated since. Meantime, the pressures on privacy continue to grow with the rapid evolutions in technology, national security priorities, and other challenges.

At my office we areadopting some administrative measures that we hope will cover over some of the rust, even as we continue to hope that Parliament will modernize the law.

For now, the Privacy Act is the law we have at the federal level, and it directs institutions to apply all the fundamental principles of good data management that you yourselves are familiar with. . .

  • Collect only the personal information you need, try to collect it directly from the individual, and make sure it’s accurate.
  • Collect it only for an acceptable purpose – typically an operating program or activity of the government.
  • Use this personal information only for the purpose you collected it for, or one that is consistent with that original purpose.
  • Give the subject of the personal information access to it, but share it with others only under stringent conditions.
  • And, lastly, protect it while you have it, hold onto it only for as long as necessary, and dispose of it properly.

Further guidance

Over the years, fortunately Treasury Board policies and guidelines have fleshed out aspects of the law.

For instance, because the Act gives people a right of access to their personal information, Treasury Board developed a Directive on Recordkeeping that sets out rules on the retention and disposal of data.

There are also guidelines on notifying my Office in the event of a data breach.

And departments and agencies are required to prepare Privacy Impact Assessments when they are designing or significantly modifying a program or service.

Treasury Board is also working on rules for social networking by government employees, which can be a tricky minefield.

Age of Big Data

When it comes to protecting personal information, today’s biggest modern challenge is that there is just so much of it. We are deluged by electronic information. Some people are calling this the “Age of Big Data,” and throw around such unthinkably large units such as petabytes, exabytes and zettabytes.

A related challenge stems from today’s awesome computing power, which makes it possible to collect, sift, match, mine and store data in limitless ways. It is thought, for example, that Google processes about one petabyte of data every hour.

The processing of data creates more information, and more records – and the cycle continues.

The Government of Canada is the single biggest repository of personal information of Canadians and, for the most part, citizens don’t have much choice but to hand it over.

The data collected by governments at all levels tends, moreover, to be sensitive – often very sensitive. Think only of health files, prison records, tax information, refugee claims – as well as the state’s suspicions about an individual’s links to terrorism or other crimes.

The consequences of such information falling into the wrong hands can be grave.

We could be talking about cabinet confidences or national security secrets. There could be damage to an individual’s reputation or dignity. There can be economic costs. The abuse of personal data for criminal purposes can even threaten public safety.

Security threats

Wherever there is data, there is the potential for a security breach.

Last year, for instance, we reported on a breach of an Agriculture and Agri-food Canada computer that exposed 60,000 records of farm producers who had used a federal loan guarantee program.

And this was by no means a sophisticated attack. It appears to have been the work of a “script kiddie,” an amateur who uses off-the-shelf hacking software– usually just for kicks!

The loss or theft of data storage devices constitutes another risk.

Last June, for instance, an unencrypted computer memory stick was stolen from a health system employee’s purse, exposing the medical files of 763 surgical patients at three Toronto hospitals. This in spite of the fact that Ontario guidelines since 2007 call for the encryption of patient information carried on mobile devices.

I would, at this juncture, also applaud the Saskatchewan Information and Privacy Commissioner’s Office for their excellent online reference guide on the secure use of mobile devices. The publication offers a comprehensive overview of the issues, as well as solid best practices for safeguarding personal information carried about on mobile data storage devices.

Human risk

Too often, though, the risks to personal information are not technological at all, but of the basic human variety.

At this very moment, there’s a chance a government worker here or in Ottawa is sending a fax or an e-mail to the wrong destination…or stuffing the wrong document into an envelope…or leaving a briefcase full of papers on a bus.

All we can do is reissue reminders on the need for training to sensitize public servants about attentiveness in the handling of the personal information of Canadians.

But there’s another risk that Commissioner Dickson underscored in a powerful commentary in his latest annual report – the deliberate and unlawful accessing of personal information by public servants entrusted to hold it secure.

Here in Saskatchewan, there were cases in which health system workers looked up the medical records of other people. Some of these workers had been specifically trained in the health information protection law, and one was even responsible for training other staff in the use of patient information computer systems.

Worse, when they were fired, an arbitration panel excused the breaches on the grounds that the worker had been motivated more by curiosity than malice or financial gain.

As Gary Dickson pointed out, and I quote, “it is cold and empty comfort to the violated patient whose information has been collected, used or disclosed unlawfully to be advised that the perpetrator was not an identity thief.”

My own next annual report, due out next week,will describe a similar case involving tax records.

And last year we reported on a case in which personal information about a Canadian citizen held in a foreign jail was leaked to the press. Upon investigation, we discovered that more than 1,200 Department of Foreign Affairs employees had access to the database in question.  Disturbingly, there was no audit trail to reveal who accessed the records, and no mechanism to restrict access to particular files.

We recommended various changes to the management of records, which I understand the department has implemented.

Access to personal information

Protecting data from unauthorized access or disclosure is one compelling reason for good records management.

But there are others – like the capacity to retrieve them again, as required under privacy law.

My Office receives hundreds of complaints every year from people encountering difficulties and delays in gaining access to the personal information that the government holds on them. Often it’s a problem of poor recordkeeping.

Indeed, we have found situations of appalling disorder in government files, hopelessly frustrating efforts by individuals to gain access to their own personal data.

Good records hygiene also allows the government to verify the appropriate use and disclosure of personal information.

A few years back, for instance, an audit we conducted of Canada’s passport operations turned up deficiencies in storage and disposal of personal data required for passport applications. Again, as with the Foreign Affairs Department leak, there was no audit trail to record when, why and by whom records were accessed.

Identifying purposes

Proper recordkeeping is also about clarifying the reasons for collecting and using personal information -- an important bulwark against ‘function creep.’

By that I mean collecting information for a specific purpose, but eventually succumbing to the temptation to use it for other additional purposes.

Police, for instance, might use cameras to collect surveillance or licence plate data to address a specific issue, such as speeding or vehicle theft. But then they may want to hold onto it – just in case they find a use for it in future.

And those future uses may not always be about fighting crime.

In the United Kingdom, for example, powers originally provided under anti-terrorism laws were eventually used to investigate petty offences such as underage smoking, parking fines – even the failure to pick up after a dog.  

Limiting collection

The objective must be to limit the collection of personal information to what is necessary and effective to achieve the identified purpose. But it’s not always easy to draw the line.

The federal money laundering and terrorist financing law, for instance, requires some 300,000 organizations – financial institutions, real estate brokers, casinos and many others – to file reports containing sensitive personal information to the Financial Transactions and Reports Analysis Centre of Canada.

That agency – FINTRAC -- sifts through this data for evidence of wrongdoing.

In an audit last year, we observed instances in which reporting entities were turning over far too much information to FINTRAC. Many were no doubt motivated by a desire to do the right thing, but the law also contains heavy sanctions, including jail time, for a failure to report.

And so we called on FINTRAC to place more stringent curbs on the type of information it will accept from reporting entities.

Privacy Impact Assessments

When it comes to ensuring that personal information is collected only for valid and defensible purposes, an excellent mechanism is the Privacy Impact Assessment process.

I know you use this approach in Saskatchewan. While it is not a statutory obligation, organizations are quite properly encouraged to undergo these kinds of in-depth analyses of the privacy impacts of proposed initiatives.

At the federal level, Treasury Board policy obliges departments and agencies to submit Privacy Impact Assessments to my Office for review.

We, in turn, look for evidence that the institution is limiting its collection of personal information to what is necessary and proportionate for the identified purpose.

For example, we were troubled by a proposal from the Public Service Commission of Canada to monitor media outlets, personal websites and social networking sites for evidence of inappropriate political activity by federal government workers.

After we raised some red flags, the Commission promised to narrow the scope of the initiative and to submit a new Privacy Impact Assessment on the modified approach by the end of this year.

We still have some serious reservations about this approach to monitoring political impartiality, and we hope we can influence some positive change.

In the case of the new full-body airport scanners, we were able to persuade CATSA, the federal organization responsible for air travel security, to build in mechanisms to minimize the privacy intrusions of this technology.

Among other things, we extracted a commitment that the image would be transitory, and that no record of it would be kept.

Annual report and audits

More details on these and other initiatives will be available soon when my Office tables our annual report to Parliament next week on the Privacy Act. The report will also describe specific complaints and data breaches we have investigated, as well as measures we have taken to drive home the importance of good recordkeeping in the Government of Canada.

As well, the report will summarize our findings in a privacy audit that we are publishing at the same time – one that I think will be of particular interest to you.

It looked at federal government privacy policies and practices related to the disposal of paper documents and surplus computers.

A second audit that will be released at the same time looked at the use of wireless networks and handheld devices, such as BlackBerrys and smart phones, within selected federal institutions.

Conclusion

In sum, I think it is safe to say that, when it comes to the protection of personal information, the challenges are complex and plentiful, and growing more daunting all the time.

In the face of these challenges, there can be no single solution or approach.

However, our privacy laws at the federal and provincial levels are there to set the direction – to underscore the value of personal information, and to provide the framework for protecting it.

Then it is up to institutions to act in a way that respects both the letter and the spirit of the laws.

It is up to them to resist the impulse to gather more and more personal data, or to use, share or hold on to it beyond what the laws prescribe.

To resist the impulse today – and, more importantly, tomorrow.

Because technology will take us in only one direction: There will never be fewer records, less data. There will only be more.

So the need for safeguards and a healthy respect for personal information will become ever more pressing as time goes by.

Thank you for your attention and for inviting me here. I wish you the best, each and everyone, in your ongoing information rights work.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: