A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century
Remarks at the 1st Annual Privacy and Information Security Congress 2010 organized by Reboot Communications
November 16, 2010
Assistant Privacy Commissioner of Canada
(Check against delivery)
Welcome back to a second day of discussions that I’m sure will prove to be just as scintillating and informative as yesterday.
Yesterday, as you may recall, Commissioner Stoddart kicked things off with an overview of the changing privacy landscape and the emerging challenges.
She then called on organizations in the public and private sectors to adopt a more proactive and systematic approach to privacy protection.
This morning I propose to describe what this means in one very important sphere – public safety and national security.
In that context, I am pleased to launch today the Office of the Privacy Commissioner of Canada’s reference guide to help policymakers and other practitioners integrate privacy into significant security initiatives.
The guide, which is available online and at our booth at this conference, is entitled “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century.”
As everyone in this room knows all too well, the public safety and national security landscape has changed dramatically in the past decade. The events of 9/11 did not so much create this new reality as they accelerated and amplified changes already unfolding across western societies.
Technological developments have also influenced the security domain. A new generation of mobile devices, remote sensors, high-resolution cameras and analytic software has revolutionized surveillance practices. Today, the collection, processing and sharing of data unfolds on a truly global scale.
No one is opposed to safer streets. But, at the same time, we have to acknowledge that law enforcement and security officials are entrusted with significant powers, many quite invasive, in order to keep the peace.
Engaging those powers can have serious consequences for individuals and society. For example, the unchecked accumulation of data about people’s movements, activities and communications will ultimately constrain their fundamental right to go about their business in anonymity and freedom from state monitoring.
Other important liberties are also at stake. Innocent people could be barred from travel on the basis of faulty information. They can be excluded from education, employment or other economic opportunities. Worse still, they can be imprisoned, stripped of their citizenship and even deported.
Why privacy matters
In that context, decision-makers, as well as citizens, need to understand why security and privacy are both essential in a free and cohesive society.
Social cohesion hinges on trust between citizens and their neighbours. It also presupposes a level of trust between citizens and the state.
Citizens, in fact, need to trust that the state will protect them – but not at the cost of other fundamental rights, including the right to privacy.
Privacy, in short, is more than a civil liberty or a legal entitlement. It is, in fact, a social good that is critical to Canada’s free, democratic tradition.
The goal must be to integrate these two equally valid rights.
Introduction to document
Toward this end, our Office took advice from experts in both privacy and security, drawn from academia and the legal community; civil society and community outreach; politics and intelligence; law enforcement and oversight.
With their input, we developed a reference document to help policymakers, practitioners and citizens think through the issues as they integrate privacy protections with new public safety and national security objectives.
The document comes at the challenge from both a theoretical and a practical direction.
It starts with an overview of the context I have just described to you. It then explores core legal concepts vital to any discussion of privacy and security.
For instance, what does “personal information” mean in the context of the myriad kinds of data that security organizations might collect on individuals today?
With reference to the views of Canadian courts, the document also explores what a “reasonable expectation of privacy” entails, when positioned against national security and public safety threats.
Building on those bedrock concepts, the reference paper then outlines the basic framework that an organization needs to think through to incorporate core privacy considerations into the conception, design, implementation and evaluation of a security program or policy.
I want to underline that this document is not simply prescriptive. In fact, our own Office draws on this four-stage analytical process when we evaluate a legislative proposal, audit a federal department, or investigate a government program.
The point is not to provide the right answers, which cannot be realistically predetermined. Rather, it is to raise the right questions, which must guide us all in protecting both safety and privacy.
We believe that this logical progression can aptly and usefully be applied by security agencies, policymakers or others in searching for that elusive equilibrium between public security and privacy rights.
Stage 1: Making the Case
Key to the effective integration of privacy into policymaking is to start early. As such, the first crucial step in privacy protection begins when a policy or program is first being conceived.
This stage, which we refer to as “Making the Case,” vets any proposed initiative against a “four-part test.”
The test is used by courts and legal experts to determine whether any law, program or exercise of power ought to be allowed to supersede or intrude on basic freedoms and rights such as privacy.
In this test, one would first consider whether a proposed initiative is truly necessary to achieve the stated purpose, understanding that the purpose must correspond to a pressing societal concern.
If it is, in fact, essential, then the next question is whether the program can be demonstrated as clearly effective in achieving the stated objective. This demonstration must be supported empirically, at the very least, in the cogency of its assumptions.
What I mean is that we cannot always know in advance whether a new measure will be effective, but our expectations in that regard must be robust, based on facts, not suppositions, and constantly rechecked.
The third question asks whether the intrusion on privacy can be viewed as proportionate to the purported security benefits. That means that authorities should not collect or use information beyond what is strictly relevant to support the security measure at hand.
And the final question is: Could there be other means to achieve the same ends, with less impact on privacy? We should always strive for the most minimal collection or use of information and, as a rule, avoid all privacy-invasive measures. Privacy should be invaded only under exceptional circumstances.
We acknowledge that privacy is quite moot in the absence of security.
We also recognize that secrecy and covert methods can be essential to protect public safety and national security. The contents of a threat and risk assessment are typically classified as well.
But while it may not be possible or advantageous to tell the world exactly how you carry out your analysis, the point of the exercise is to ensure it is carried out in as thorough and systematic a manner as possible.
Stage 2: Setting the Stage
Having established a rationale for the collection of personal information, the next step is about “Setting the Stage.” It’s about planning for the secure handling of collected data -- including how it is stored, used, linked and shared with others.
Fortunately, there’s no need to reinvent the wheel here. A set of internationally recognized standards already exists. Referred to as the Fair Information Principles, they guide commercial and government organizations in the development of initiatives where personal information is used. These ten principles, in fact, serve as the foundation for many countries’ data-protection laws, including our own private-sector Personal Information Protection and Electronic Documents Act.
I won’t speak to all of them now, but the principles deal with such important concepts as identifying the purposes for the collection of personal information, obtaining consent where appropriate, safeguarding the data, and limiting the collection, use, disclosure and retention of the data.
Stage 3: Running the Program
I know it sounds like a lot of planning when you’re anxious to get your initiative off the ground.
But, as they say in sewing and woodworking: “Measure twice, cut once.”
It is so much easier to spend the time at the front end – to take the necessary time to plot out the justification for your program, and to plan the architecture in a way that embeds all necessary safeguards. It also helps reduce risks to an organization’s operations, reputation, and public goodwill.
Stage three then elaborates on the internal policies and practices that are necessary to ensure that privacy will actually be respected, once the program is up and running.
Here again, no wheels require reinvention. Treasury Board Secretariat, for example, administers a comprehensive suite of policies, guidelines and best practices in this area, and our document provides references to all of them.
In brief, though, here are some examples of what we’re talking about:
- Designating a Chief Privacy Officer to ensure accountability and senior-level representation when matters related to personal information handling arise. For example, during the Olympics, we recommended that the Integrated Security Unit designate a Chief Privacy Officer and post his contact information on their website. They did this, thus offering a point of accountability for addressing privacy concerns.
- Making sure everybody’s roles and responsibilities for the handling of personal information are crystal clear, and that responsible personnel receive ongoing training in privacy issues. As we have seen in our recent investigations at the Department of Veterans Affairs, privacy must also be protected by a governance system that is designed to protect personal information.
- Documenting privacy policies and practices in plain language, and developing straightforward processes to handle errors or inaccuracies, public complaints, data breaches or other problems. An example of that safeguard is the Office of Reconsideration for the Specified Persons List, also known as the no-fly list.
- Detailing the sharing of personal information in proper agreements. An example of that is the restrictions around information sharing at the National DNA databank.
- Creating an audit mechanism to oversee such matters as data security and the transfer of information to others. For example, in relation to the Enhanced Drivers Licence, we obtained an assurance from the Canada Border Services Agency that the EDL database would remain in Canada.
- And, finally, some form of public access and reporting to bolster accountability.
On this last point, I often get a look of disbelief from security professionals. But, in fact, there are excellent precedents. For example:
- An online form on Transport Canada’s website lets people review their passenger travel information, even though this data feeds highly sensitive aviation security programs.
- And Public Safety Canada’s annual reports furnish detailed information on the use of electronic surveillance by federal officers – how many interceptions take place and for how many days, whether it was audio or video, and the number of arrests that resulted.
Stage 4: “Calibrating the System”
The fourth and final stage in the analysis we propose in this document relates to external review, oversight mechanisms, and redress. We refer to this stage as “Calibrating the System.”
Many inquiries and legislative reviews that have examined Canada’s national security regimes have zeroed in on the same problems, including poor information-handling practices, patchwork accountability mechanisms, and limited oversight.
Review mechanisms should include a systematic process for handling complaints and concerns from the public, as well as a method for appeal and redress when problems arise.
There could also be regular external oversight by Parliamentarians or other specially-mandated bodies. Our own Office ensures compliance through the investigation of complaints and by auditing federal institutions.
So why is all this important?
Because privacy is key to a free and democratic society.
Because personal information is sensitive, in that it can be used against us.
And yet, public security programs invariably collect and use a great deal of personal information, much of it highly sensitive.
These tend to be extraordinary powers – broad and discretionary. In a democratic society, invasive measures by the state must be held in check by effective oversight mechanisms – be those judicial controls on authorization or rigorous administrative checks and balances.
To be effective, oversight needs to be independent, properly resourced, and equipped with powers commensurate with those entrusted to the security program it is overseeing. The oversight mechanism must, moreover, serve as a credible avenue for redress, a place where citizens can turn if they feel their privacy rights have been violated.
So that is a quick overview of our new reference document aimed at helping policymakers and others find a viable equilibrium between the right to public security and the right to privacy.
We will apply this analytical framework in our review of Bill C-51 and C-52 on accessing telecommunications.
As Canada’s federal privacy regulator, we cannot police the police. Nor would we want to.
Yet people in the security and public safety field have told us over and over again that they’re looking for guidance. They know there are rules, and they want to know what those rules say, and how to apply them.
Essentially, our objective in issuing this reference document was to structure the debate in the reconciliation of privacy and safety concerns. It is an effort to ground the discussion in facts and in law, where fear and emotions too often dominate.
I welcome your feedback on this publication.
Thank you for your attention.