The Path to Proactive Privacy


Remarks at the 1st Annual Privacy and Information Security Congress 2010 organized by Reboot Communications Ltd.

November 15, 2010
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

It is my pleasure to be opening this inaugural Privacy and Information Security Congress here in Ottawa. And if Reboot Communications’ past 11 Annual Privacy and Security Conferences in Victoria are any guide, we can look forward to a jam-packed, engaging and thought-provoking program over the next two days.

Indeed, as I look over the agenda, I see everything from biometrics, cloud computing and child exploitation, to identity management, electronic health records and cyber warfare – a diverse range of issues and challenges, to be sure.

But what all these topics have in common is that they signal a dramatic shift in the landscape, even in just the past 10 years. And with this change have come equally dramatic new challenges to privacy and data security.

Challenges of such scope and magnitude that we are unlikely to solve them over the next two days … two years … or perhaps ever.

But, if nothing else, then I hope we will at least come away from this event with a better understanding of the issues and the roles that each of us must play in addressing them.

Changing privacy landscape

When I took over as Privacy Commissioner seven years ago, Facebook didn’t exist, Googling wasn’t a verb, and dates were sparked in bars, not online.

Parliament, for its part, was wrapping up debate on the Public Safety Act, part of a suite of responses to what was then a new and frightening post-9/11 environment.

Today, national security pressures, evolving social norms, and the rapid pace of change in information technologies remain three of the most compelling challenges characterizing the privacy landscape.

Consider, for example, how much people’s behaviours and expectations have changed. They’re posting, blogging, tweeting, Skyping, banking, shopping and gaming online. They’re e-filing their taxes, applying for government services online, and taking virtual tours of Paris. They have GPS tracking capabilities in their smart phones, their cars, and even their golf bags.

Canadians today expect the world to be at their fingertips – on their terms: Anytime, anywhere, on any sort of integrated, multi-functional device.

One result is an explosion of data that is easily shared, across town or around the world. Another result is that our movements and behaviours, in both the real and the virtual worlds, are more likely to be monitored and tracked.

Rewards and risks

For business, all this activity opens tantalizing opportunities.

Government, too, is embracing the digital revolution, within its workforce, in its relations with Canadians, and as a tool to maintain public safety. 

But the flip side to all these technological and societal developments is that they pose risks to privacy and personal information.

We worry about swindlers, identity thieves and other security threats, of course – how could we not?

But it’s more than that.

The staggering volume of personal information that is gathered about individuals, that is processed and shared, often without their knowledge, raises troubling questions about people’s capacity to control their own identities and to live freely and in anonymity.

Regulatory challenge

In the face of these challenges, what is the correct response for privacy regulators?

We can and will continue to use the tools at our disposal – tools such as complaints investigations and audits, and recourse, where we have it, to the courts to enforce compliance.

Those tools have usually proven very effective in carrying out our mandate, and I’ll remind you in a moment of a few recent successes.

But, going forward, it may be time to enlarge the tent.

To think of privacy as everybody’s responsibility, engaging public- and private-sector organizations right from the start.

And we must become more anticipatory and proactive, in order to maximize the impact of our compliance efforts.

Let me give you a few examples of how I see that evolution unfolding:

Facebook

One of our most significant achievements in recent years was to draw the words “social networking” and “privacy” into the same thought.

When we launched our investigation into Facebook’s policies and practices in 2008, skeptics wondered about the meaning of privacy in social networking. After all, wasn’t the very point of the exercise to “put it all out there”?

Nonetheless, we went ahead and did our investigation. We issued a report. We followed up with Facebook. We launched another investigation. More discussion.

And where are we today?

Facebook – in Canada and around the world – is now a platform where privacy has some meaning. There are privacy settings that are easier to understand. Users talk about privacy; in fact, they get thoroughly involved whenever the site proposes a change to the collection, use or disclosure of personal information.

Is everything perfect now? Probably not.

But what we can say is that we helped to reshape the conversation. We showed that privacy does matter, even online.

And that users are a key part of the equation. They don’t just want the power to safeguard their personal information, they demand it.

Google Wi-Fi

After that gratifying outcome of our investigative efforts, we made waves again just last month with the release of our preliminary investigative report on Google’s collection of Wi-Fi data by its Street View camera cars.

Our investigation determined that Google had vacuumed up data on perhaps thousands of Canadians. Much of it was highly sensitive: In just one sample, we found complete e-mails, usernames and passwords, and a list of people suffering from certain medical conditions, along with their telephone numbers and addresses. 

This was groundbreaking stuff, later prompting Google to retreat from its assertion that only fragmentary data had been collected.

Even though we traced the collection back to a careless error, we concluded that Google had violated provisions of PIPEDA, the Personal Information Protection and Electronic Documents Act.

We have directed the company to change certain internal policies and procedures, and to immediately destroy all payload data not required for litigation purposes. They have until February 1st to implement all of our recommendations.

Veterans Affairs

On the public-sector side, our investigations under the Privacy Act have also helped further the privacy rights of Canadians.

You may recall last month that we published our findings in an investigation into the Department of Veterans Affairs’ inappropriate disclosure of sensitive medical and other personal information belonging to a Gulf War veteran who was also an outspoken critic of the department.

Our investigation determined that the veteran’s sensitive medical and personal information was shared – apparently with no controls – among departmental officials with no legitimate need to see it.

The information then made its way into a ministerial briefing note about the man’s advocacy activities, something I deemed to be entirely inappropriate.

Audits

Indeed, so disturbing were the findings that we will launch a wider audit of departmental privacy policies and practices.

Last month, we also published our findings in two public-sector audits.

One turned up significant shortcomings in the way government institutions dispose of surplus computers, with many still containing sensitive data. We also discovered that documents are shredded by private contractors without the necessary degree of government oversight.

A second audit of the use of wireless networks and mobile devices of five federal departments and agencies uncovered numerous gaps in policies and practices that could put the personal information of Canadians at risk.

In June, we also published our findings in an audit on the private-sector side. It was triggered by a string of serious data breaches among Ontario mortgage brokers that compromised the personal information of thousands of Canadians.

Our audit raised concerns about data security, the haphazard storage of documents containing personal information, inadequate consent by clients, and a general lack of accountability for privacy issues.

Proactive privacy

In the past statutory reporting period for each of our two acts, we closed a total of 1,741 complaints cases and completed three full-scale audits.

But, as concepts of privacy evolve and new threats emerge, it is becoming increasingly plain that we cannot chase after every situation with a full-on investigation or audit.

Nor should the protection of privacy be left solely to the regulatory sphere. It shouldn’t just be about carrots, sticks and finger wagging.

Instead, it has to start with the organizations we regulate. We need organizations in the public and private sectors to be on board. To think about what they do, how they do it, and what they plan to do next. And how, more importantly, privacy fits into it all.

If that’s a more practical approach for us, it’s surely also of benefit to the organizations we regulate. And I can tell you that my Office is already well along this more inclusive, systematic and proactive path to privacy.

For instance, in a submission to the Government of Canada’s consultation on a Digital Economy Strategy for the country last July, we called for a holistic view that fosters a privacy culture in both business and government, from the design of an initiative through to its implementation.

And, at an international meeting of data protection authorities in Jerusalem a couple of weeks ago, I co-sponsored a resolution, put forward by my colleague from Ontario, Dr. Ann Cavoukian. It called on organizations to embed privacy considerations as the default into the design, operation and management of information technologies and systems.

Google Buzz

That privacy-protective measures must be the default was also a key message that I, along with nine fellow data-protection authorities from around the world, delivered to Google and other tech leaders in an open letter last April.

The specific point of the letter was to condemn what we saw as a cavalier attitude toward privacy in Google’s launch of its Buzz social networking site.

But the takeaway message was broader. It urged technology companies to think about privacy before launching a new product or service, rather than leaving it to the lawyers to mop up afterwards.

I want to underline that none of this should impede innovation.

On the contrary: The more people can trust a business to safeguard their personal information, the more successful the enterprise will be.

Four-part test

This front-end focus on privacy is vital in the public sector too, as more and more government information, services and activities move online.

That is why, particularly through our Privacy Impact Assessment process, we are honing a process by which new measures may be analyzed and justified while still in the gestational phase.

We ask institutions contemplating a new initiative involving the collection of personal information to explain – to us and to the public at large – why they think the initiative is necessary, and how it would be effective in achieving its promised ends.

We ask them, further, to demonstrate that any privacy intrusion is proportionate to the benefits to be derived, and that no less privacy-invasive alternatives exist.

Guidance documents

This four-part test is now a prominent feature of a set of guidance documents that my Office is preparing in our four policy priority areas – the first being in the national security field. The others will focus on genetic technologies, information technologies, and the protection of personal identity.

Again, the idea is to weave privacy considerations directly into the fabric of an initiative.

The documents will help decision-makers understand privacy as a fundamental right that must coexist with other rights and priorities. A standardized methodology then sets out the nuts and bolts of creating a privacy-sensitive initiative.

Assistant Commissioner Chantal Bernier will have much more to say about our inaugural document, and the process that led us there, when she speaks here tomorrow morning.

Future measures

As we look toward the future, my Office will continue to move in this proactive direction.

Just recently, for example, we published a draft document summarizing what we heard in our landmark consumer consultations on the impact of emerging technologies and business practices on privacy.

In Toronto, Montreal and Calgary earlier this year, we listened as a broad range of stakeholders and individuals explored such topics as cloud computing, children’s online privacy, and the online tracking, profiling and targeting of consumers by marketers and other businesses.

The point was to better understand the evolving privacy landscape, and to consider what organizations can do to incorporate privacy-protective measures into their activities.

Right now we’re looking for further feedback on our draft document. I encourage you to check it out on our website during the comment period, which wraps up on the 26th. More research, public outreach, guidance documents and continued work with stakeholders will follow down the road.

We also formally opened an office in Toronto last month, and I am encouraged by the enthusiastic response this decentralizing initiative has garnered in business, academic and legal circles.

With this new presence in the business heart of Canada, we are bolstering our interactions with regulated industries, to drive home the importance of privacy and the protection of personal information. 

Conclusion

To sum up, we are in a turbulent time, with extraordinary pressures on privacy. The challenges are big, they’re complex, and they’re always changing.

The consequences, moreover, are not always foreseeable.

And so we need to be sharp, to get ahead of the curve. Whether in government or the private sector, whether as consumers or as citizens, we need to ask ourselves the tough questions:

Why does this piece of personal information need to be collected? Who’s using it? Is it being shared, traded or sold? Who’s looking after it, and for how long?

We all need to ask these questions, and we all need to answer them.

Because, for all the turbulence, these are also galvanizing times of promise and opportunity.

And yet we can only reap the full benefits if we work together, as a society, to uphold people’s right to privacy.

With that, I wish you an informative and stimulating conference.

Thank you.
