Protecting Privacy in the Digital Age

Remarks at a Meeting of the Canadian Club of the Yamaska Valley

September 12, 2011
West Brome, Quebec

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Thank you for that kind introduction and also for inviting me to be here to speak with you about the growing importance of privacy and personal information protection.

Whether you run a small, home-based business, surf and shop online or keep in touch with out-of-town friends and family on social networks, privacy protection is important.

This afternoon I would like to focus on how we can all contribute to this important goal.

Provide brief overview of OPC

I thought it might be helpful to begin by explaining what my Office does.

Our mandate is to oversee compliance with two laws governing the collection, use, and disclosure of personal information in Canada.

The Privacy Act covers federal organizations.

The Personal Information Protection and Electronic Documents Act – better known as PIPEDA – covers the private sector.

As Privacy Commissioner, I can investigate complaints, conduct audits, pursue court action and publicly report on organizations’ privacy practices.

In addition, my Office supports research examining – and promotes public awareness of – important privacy issues, including:

  • the implementation of new national security measures;
  • the increasing use of genetic information;
  • the rising risk of identity theft; and,
  • the growing use of information technology and the Internet, which will serve as my primary focus today.

Why privacy matters more and more in the digital age

The Internet is no longer a tool we use, but a public space where we shop, stay connected with friends and family, make new friends and even look for love.

This has led to an explosion of new services and businesses – be they home-based eBay auctioneers, or new corporate giants like Google and Facebook.

It’s developments like this which prompted former European Commissioner for Consumer Protection, Meglena Kuneva, to observe that:

"Personal data is the new oil of the Internet and the new currency of the digital world."

In short, personal information is in great demand and very valuable.

It means businesses want to exploit it.

It means fraudsters are enticed to steal it.

And it means all of us – business owners, public policy officials and citizens – need to take steps to ensure that personal information is protected and privacy rights are respected.

Individuals – measures to take

First, let me start with the individual.

In the complicated, technical online world, it’s not fair to say that protecting privacy is all on your shoulders, but it definitely starts with you taking some relatively simple measures.

For example, you should equip your computer with antivirus software and ensure that it – along with your operating system and all other applications on your computer – is kept up to date.

Everyone should also make the effort to establish strong passwords that aren’t obvious and which contain letters and numbers.

This may be obvious to many of you, but research we conducted and reported on last month found only four in 10 Canadians said they were password-protecting their mobile devices.

A further way to protect your privacy is to avoid opening spam.

You should never open an attachment from a stranger or from an email that comes from a friend, but seems out of place.

Doing so can infect your computer with spyware which a fraudster could use to seek out sensitive information in your files, leading to identity theft.

New anti-spam legislation

Some of you may have heard that the federal government has passed a new anti-spam law.

Once in force, companies will need to have or gain consent in order to lawfully send you electronic messages – be they emails or text messages – for commercial purposes.

While this law will be helpful, empowering the CRTC to impose heavy fines against violators, when it comes to spam, there’s no magic bullet solution.

Much of the spam sent today comes from underground – and sometimes offshore – operators. They have no interest in complying and will be very hard to track down.

All told, the new law is positive for privacy protection, but won’t realistically mark the end of spam and we’ll all have to continue being very careful in checking our messages before we open them to protect ourselves.

Privacy needs to be up front

Unquestionably, spamming is an online activity that shows complete disregard for privacy.

And there are examples of other common activities, which fall into a grey area.

For example, when we’re online, cookie files are downloaded onto our computers to track our web travel, helping online marketers determine our interests, and what ads to target us with.

Some email service providers even scan our messages for keywords to do the same.

Some of you may see that as a fair trade-off for browsing websites or having email access at no financial cost.

Others may find it disturbing.

Websites may collect certain personal information with the informed consent of users, and they should explain their activities and how you can opt-out in their privacy policy.

Frequently, privacy policies are written in less than plain language. In fact some can be extremely lengthy and legalistic, deterring people from reading them.

It’s the position of my Office that privacy policies should be made understandable for the average reader.

After all, people need to be told, clearly and up front, what they’re trading in for a so-called “free” service.

The same goes for privacy settings on social network sites.

Some of you may have heard about our Office’s work a few years ago concerning Facebook.

Our investigation dealt with many issues, including the unreasonable difficulty users faced in finding – and understanding – the site’s privacy settings.

In the years following our investigation, Facebook has made many changes to make their privacy settings more user-friendly.

For instance, in changes announced in August, they’ve changed the term “everyone” to “public,” a clear description of exactly who you are sharing your information with.

In addition, from now on, when someone tags you in a photo, you have to provide permission before your name will be connected to it on the site.

Previously, you would have to remove the tag after the site notified your friends – and maybe others – that the photo was online.

This change is especially positive in light of Facebook’s new facial recognition feature.

Although it’s yet to be unrolled in Canada, friends in the US, for example, will still receive suggestions from Facebook to tag you in past photos.

But thanks to the recent changes, you will have to provide permission.

While measures like this provide more control up front, you would still be wise to review your account privacy settings to find out what you may be sharing with whom.

On that note, I have a handout here which will walk you through the steps you need to take.

Privacy and your home-based business

Moving on now, I know that quite a few of you here today run home-based businesses.

And I want you to know that privacy protection isn’t just a concern or obligation for the Mark Zuckerbergs of the world.

Rather, it’s vital for any business to establish and follow a solid privacy policy.

It’s not just a legal requirement. It truly is good business.

Let me explain what a good privacy policy for a home-based business should contain and strive to achieve.

First, it should be written in plain language so it’s easy for clients to understand how you will collect, use and disclose their personal information.

Next, make sure that you’re only collecting information that’s necessary for you to conduct your business.

For example, in order to bill someone, you need to keep their address on file, but you don’t need their Social Insurance Number.

In addition, don’t file accounts by phone numbers as it weakens the confidentiality of your records.

It’s also essential to gain a client’s consent upfront if you’re going to be sharing their information with a third party, and if you will be storing any of their information outside of Canada.

A few years ago, this wouldn’t have been such a prime consideration for a home-based business.

But it matters more so today, with the increased use of external document management services such as Microsoft and Google’s cloud services.

When personal information is transferred to a third party, you are responsible for ensuring, through contractual or other means, a level of protection comparable to that which you must maintain under Canadian law.

Next, if you’re dealing with sensitive information, consider developing a protocol for sharing it by phone.

In other words, establish a way to verify your clients’ identities, through, for example, security questions to which only they would know the answer.

On top of this, you need to allow customers to see what information you have about them on file and let them make changes if it’s inaccurate or incomplete.

If you happen to have employees, make sure they are trained on, understand and actually follow your privacy policies.

And perhaps most importantly, ensure you take appropriate steps to secure the information you store.

This means keeping files under lock and key and, of course, ensuring your home computer or network is protected.

And on this point, I’m pleased to say that I have a handout which provides some guidance, which will be helpful whether you have wireless Internet at home for business or personal use.

Advancing privacy protection

I certainly hope that I’ve provided you with some helpful information.

But before I finish, I’d like to let you know how you might help me, too.

In my remarks, I’ve demonstrated the importance of privacy protection and how, in our increasingly information-based economy and society, it’s never been more threatened.

As Privacy Commissioner, part of my job is to advise the Government on changes needed to better meet this challenge.

And in order to better fulfill my role, it’s become clear that there are some important changes that need to take place.

For one, as I noted earlier, more and more personal data is flowing online and the threat of hacking is growing.

As it stands, when serious data breaches occur, some companies voluntarily report them to my office. Instead, this needs to be made mandatory in law. This in turn would encourage companies to inform their customers of such incidents faster.

I am deeply troubled by the large number of major data breaches we are seeing.

Too many companies are collecting more personal information than they are able to effectively protect.

As a result, I have concluded that the only way to get some corporations to pay adequate attention to their privacy obligations is by introducing the potential for large fines that would serve as an incentive for compliance.

In order to make these changes, the Government needs to amend PIPEDA, which is scheduled for review this year – and if you want to see stronger privacy protection, I encourage you to voice your opinion.

I urge you to do the same for another important issue, as well.

Right now, it’s widely expected that the Government will bring forward so-called “lawful access” legislation early in the coming Parliamentary session.

Previous versions of this legislation have sought to force telecom companies to install intercept capabilities to keep and store communications data such as emails and to comply with law enforcement agencies when they seek subscriber data without judicial authorization.

In short, such a law will make it easier for law enforcement agencies to essentially snoop on the public.

And while I understand the need for authorities to keep pace with the use of new technologies, the kind of powers being sought needs to come with appropriate oversight measures to prevent abuse and protect privacy.

Certainly, previous versions of the legislation didn’t account for this.

If this concerns you, I invite you to express your views to the Government.

Finally, the Privacy Act seriously needs to be modernized.

On one hand, the government argues that lawful access legislation is needed to move law enforcement tools into the 21st Century.

On the other, the Act which governs how federal institutions handle and protect personal information hasn’t been touched since 1983.

Since then, we have seen a massive increase in personal information on Canadians being shared across borders.

While the current Act says agreements should be reached to limit that sharing for its intended purpose, there’s nothing stipulating they even need to be in writing.

And that means we really have no ability to verify they were met or even their terms.

On top of that, Canadians don’t have a right to ensure their information on file can be corrected.

These reasons are merely a few among many that the Government should make Privacy Act reform a priority.


In closing, please accept my thanks for the opportunity to speak here today.

If you’re interested in learning more about the work of my Office, please visit

And now, I look forward to answering your questions.
