For Your Eyes Only: Personal Information and Government Institutions
Remarks at the Financial Management Institute’s Public Sector Management Workshop
June 13, 2011
Edmonton, Alberta
Address by Chantal Bernier
Assistant Privacy Commissioner of Canada
(Check against delivery)
Introduction
Thank you for inviting me to this conference. It is a most welcome opportunity to chat with financial professionals from the public sector, considering both the sensitivity of the information you manage and the vulnerability of the new platforms that hold the information.
Privacy is something we’re all concerned about in our personal lives. As public servants, we should be just as concerned about it in our professional lives. The government holds the greatest amount and the most sensitive information about all of its citizens. It is our duty to protect this information and how well we do it is a matter of public trust.
The duty for government, and in particular, for financial officers, to protect personal information is not new. And yet, it seems to have taken a completely new dimension. Why?
Because data breaches have unprecedented consequences—not only for those who see their data exposed, but also for the organizations that were entrusted with protecting that data.
A 2010 study by the Ponemon Institute on the cost of data breaches found that the average cost of a single breach for a US company was $7.2 million, an average of $214 per compromised record. In relation to the seemingly endless series of attacks against Sony, the loss is estimated at over $170 million. And this is without mentioning the loss in public trust, which is the currency of public institutions.
As financial officers, you understand the magnitude of these numbers, and what it could mean for your organizations.
So to address this topic today,
- First, I will say a few words about privacy legislation and the role of the Office of the Privacy Commissioner of Canada.
- Then, I will give you some practical examples of the privacy risks we have observed through our work in the public sector.
- I will end by offering suggestions on how government institutions can better protect personal information, and tie these recommendations to the theme of this workshop: integrity, innovation, and intelligence.
The OPC and privacy legislation in Canada
I will begin now by giving you an overview of the legislation in place to protect privacy in Canada, and of the role of the OPC in this context.
There are two federal acts overseeing personal information in Canada: one aimed at the private sector and the other, at the public sector.
The Personal Information Protection and Electronic Documents Act, or PIPEDA, regulates the collection, use and disclosure of personal information by federal works, undertakings and businesses, and by private-sector organizations in provinces that do not have their own provincial legislation over the private sector.
At the present time, that means all provinces and territories except Quebec, Alberta and B.C., who have their own private-sector privacy laws.
The other piece of legislation is the Privacy Act, which protects the personal information held by 250 departments and agencies of the Government of Canada.
The mandate of the OPC is to oversee compliance with these two acts. We exercise our mandate through six well-defined functions:
- We respond to information requests — over 11,000 a year;
- We receive and investigate complaints — over 200 a year against the private sector and over 600 against the public sector;
- We review privacy impact assessments (or PIAs) submitted to us by federal organizations about their programs or activities which may entail the collection of personal information;
- We audit the personal information management practices of organizations subjected to either act;
- We perform and support research and public education activities; and
- We support Parliament by commenting on bills and amendments that touch on privacy issues.
Risks
As public servants, you are aware of the volume and sensitivity of personal information held by the government. Whether applying for a passport, collecting pension benefits or filing income tax returns, individuals are generally not in a position to object to the collection and use of their personal information by the government.
The data is often highly sensitive and its unauthorized disclosure could have severe consequences: people’s privacy, the integrity of their identity, their economic circumstances and even their personal safety are on the line.
A survey of our work over the past few years paints a vivid picture of the risks involved in managing personal information in the public sector.
Week after week, through breach notifications and complaints, we see the pitfalls of holding sensitive personal information: technological glitches, mishandling of records, or even malice. Let me give you a few examples.
Weak infrastructure – Agriculture Canada suffers attack from a hacker
The first and most obvious risk to government data is weak security. The Government of Canada is the single biggest repository of personal information of Canadians and, for the most part, citizens don’t have much choice but to hand it over. And as I was saying a minute ago, the data collected by governments at all levels tends to be sensitive—often very sensitive.
The consequences of such information falling into the wrong hands can be grave.
Wherever there is data, there is the potential for a security breach. The breach uncovered in January that affected the Treasury Board, Finance and Defence R&D was quite spectacular. But the truth is we investigate a number of incidents every year.
For example, in September 2008, an Agriculture and Agri-Food Canada system administrator discovered that an external party had hacked into two Linux servers and installed modified e-mailing software. The evidence trail pointed to a “script kiddie”—an amateur who uses easily available software to attack computer systems and networks, usually for sport.
Though quite simple from a technical standpoint, the breach nevertheless threatened approximately 60,000 personal data records of farmers who were recipients of a federal loan guarantee program. As financial officers, you understand the impact of the breach.
In their enthusiasm to adopt new devices and technologies that enhance productivity, organizations sometimes forget to take a step back and ensure these powerful new technologies won’t leave the door open for massive security glitches.
John Pironti of ITArchitecs said recently that when it comes to network security, throwing more money and more technology at a problem is rather pointless if you’re not using the technology you already have efficiently. This is often the most important lesson that comes out of the breaches we are notified of, our audits and investigations: most of the security gaps we find could be fixed by simply using the existing technology a little bit smarter.
For example, in our audit of the use of wireless devices in the federal government, issued last fall, we found that most of the federal agencies we examined did not ensure their staff had strong passwords, had not done a thorough threat and risk assessment of the technology, and had made a patchy use of encryption.
Human error – Mailing, faxing, filing and other pitfalls
And speaking of being a little smarter, some of the risks we have witnessed are the result of human errors committed without the assistance of technology.
Here are some examples of incidents that came to our attention during 2009-2010:
- In one incident, as a result of a filing error, Canada Post inadvertently released 36 pages of medical information of a retired employee in response to an access to information request. The information had been held by a disability management provider and was released to another Canada Post employee by the same name.
- In another case, a technician overseeing a mass mailing at the Quebec processing centre of Human Resources and Skills Development Canada noticed at the outset that some forms were being folded and inserted in duplicate into envelopes. He recalibrated some equipment settings and allowed the job to continue. He did not make use of mechanisms to detect duplicate documents, and did not notify management. As a result, at least 44 people received forms destined for other people in addition to their own. The forms contained the names of applicants for the supplement (and the name of their spouse, where applicable), their addresses and Social Insurance Numbers.
- And there are errors whose consequences are compounded by technology: in a recent incident, the competency evaluation of one senior public servant was mistakenly e-mailed to 375 co-workers from the same Department.
Going back to John Pironti’s point: the solution here is not technological or financial; just make sure staff are properly trained to use the current technology.
Ethics – Snooping at CRA
Year after year, we are troubled by the fact that general mishandling of personal information remains an important risk factor. We are also troubled by the fact that every year, we uncover examples of flat-out wrongdoing.
For instance, we launched an investigation a few years ago in the wake of allegations that personal tax information of several high-profile sports figures was being posted to an Internet chat group by a Canada Revenue Agency employee.
We found that a former employee had posted personal information of this nature to the chat group, information which he appears to have collected over his years with the agency. We further confirmed that other CRA employees in various tax centres, likely motivated by curiosity, also inappropriately accessed the tax information of these athletes.
Accessing people’s personal tax information without authorization and for purposes unrelated to the employee’s duties constitutes a breach of the Privacy Act. Even if the information is never communicated to a third party, even if the information is about a celebrity or someone you know personally, even if you technically have access rights to the database—accessing people’s personal information without a legitimate reason to do so is no way to spend your downtime.
But I’m sure no one here has ever been tempted to do so.
How government institutions should protect personal information
So how can government institutions alleviate these risks and ensure the personal information under their care is well protected? As it happens, it’s a matter of integrity, innovation and intelligence—the very theme of this conference.
Integrity – Personal and institutional
I spoke earlier of the ethical lapses of some government employees. Personal integrity is something that we all have to take very seriously as public servants. It is clear to us that practical measures to ensure individual integrity, such as regular training and maintaining an audit trail, are critical components of sound personal data management.
Institutional integrity is also critical in protecting the information entrusted to the government by its citizens. At the federal level, departments are required to perform privacy impact assessments, or PIAs.
As I mentioned earlier, a PIA is a process that helps determine whether initiatives involving the use of personal information raise privacy risks; it then measures, describes and quantifies these risks, and proposes solutions to eliminate or mitigate privacy risks to an acceptable level.
PIAs are then submitted to our Office for analysis. We base our analysis on the respect of privacy as a human right protected by the Canadian Charter of Rights and Freedoms. We review PIAs on the basis of a four-part test inspired by a human rights case heard by the Supreme Court in 1986.
This test measures the reasonableness of a potential intrusion into the privacy of Canadians according to these four questions:
- Is the proposed measure demonstrably necessary to meet a specific need?
- Is the measure likely to be effective in meeting that need?
- Is the loss of privacy proportional to the need?
- Is there a less privacy-invasive way of achieving the same end?
Our objective is to ensure integrity in the respect of privacy as a value that defines our society while allowing for the valid policy objectives of a government program or activity.
Intelligence – Fair information principles and good governance
Intelligence refers to both having information and understanding how to use it.
In the field of privacy, the collection and use of information is summarized in 10 fair information principles, which you can find as a schedule to the federal legislation governing the private sector and which we use in our review of privacy impact assessments, once the government has justified, under the four-part test, the collection of information.
Just as your generally accepted accounting principles guide you in preparing financial statements, the fair information principles guide organizations in ensuring they treat personal information according to fundamental standards.
These 10 principles ensure the general objectives of accountability, transparency, limiting collection to what is strictly necessary, and providing remedies for lack of compliance.
Of course, principles aren’t worth much if they aren’t properly applied. That’s where good governance comes in. Public institutions must integrate these principles in the decision-making process, take steps to integrate them at every level in the organization, and ensure ongoing compliance through a formal process.
Innovation – Established privacy principles in a new context
Let me move on to innovation.
Few fields are challenged by innovation as much as the protection of the right to privacy. Information technology introducing an electronic infrastructure to hold what used to be held under lock and key, social media to share what we used to share around a coffee table, smartphones that tell the world where we are, all change the landscape of privacy.
But the right to privacy does not change, and our attachment to it does not change—not for youth, not for the middle-aged women who constitute Facebook’s largest growing market, not for all the travellers who resign themselves to opening their bags at security every time they catch a flight.
The challenge is to innovate so that we continue to protect the right to privacy in a new context.
First, we must ensure that technological risks are addressed through technological innovation. I heard a story recently about a call centre that was flooded with complaints because an online form was missing its “submit” button.
Apparently, there was no “submit” button: the organization had decided that the best way to keep its online forms secure was to have people fill them out on screen, print them off, and mail them in. That’s not innovation.
Innovation means that we seize the opportunity to improve our service to Canadians while protecting their fundamental right to privacy. It means the protection of privacy itself must be innovative. Let me give you a few examples from public institutions:
- The e-passport—technologically innovative, it contains a chip that reproduces the information written on the passport; Passport Canada ensured that privacy is protected by equally innovative technology that ensures the chip cannot be read from a distance, or by any reader other than the government reader.
- The anti-spam legislation: it addresses a new phenomenon—identity fraud, online fraud, unwanted e-mails. Industry Canada developed legislation that was just adopted in the last Parliament that innovates in establishing new rules, penalties and oversight against spam.
The first example shows technological innovation to protect privacy, the second shows normative innovation to protect privacy. In both cases, the protection of privacy was preserved through innovation to respond to a new context of risk to privacy.
And just as we have to innovate on the technological side, we also have to innovate in our service delivery in general, to ensure we can keep offering Canadians the highest level of service while protecting their fundamental right to privacy.
Closing
I hope to have given you a sense of the importance of protecting citizens’ personal information in your role as public servants.
What I hope to have illustrated today is how our duty, as public servants, to protect the personal information of Canadians is both immutable in principle and yet necessarily transformed in its application.
As modalities of public service change, we need to develop new modalities for protecting the personal information that citizens entrust to us. The theme of your conference strikes every challenge in this regard:
- Maintaining the integrity of our values, of the guiding principles that define public service, to ensure their integration in a new context, means keeping our eye on these fundamental values; it means upholding them in the face of new challenges so they remain intact. Privacy is one of these defining values.
- Intelligence is the quality that will allow us to translate these well-established principles to unprecedented challenges.
- And innovation is the action that will materialize this translation into new public service programs and activities that remain respectful of privacy.
I wish you luck in relation to this challenge and I assure you of our full support.