The Principles of Data Protection – A Quiet Revolution
Seminar of the Association francophone des autorités de protection des données personnelles
September 19, 2011
Address by Chantal Bernier
Assistant Privacy Commissioner of Canada
(Check against delivery)
This afternoon I would like to talk about the application of the principles of data protection in both the public and private sectors, but I will deal with each one separately.
In Canada, unlike in European countries, for example, we have two separate pieces of legislation; one is applicable to public institutions and the other is applicable to commercial enterprises. An examination of how the two acts came to be reveals the political choices that led to this duality. One can summarize the factors at play as follows:
- Our act applicable to the public sector was passed in 1983 at the same time as our access to information act, so that the two separate but complementary pieces of legislation would provide for a fair balance between access to information held by the government and protection of personal information held by the government;
- The act applicable to the private sector was passed almost 20 years later in response to the government’s concern about the increasing vulnerability of personal data held by the private sector in electronic form.
There is another difference between the Canadian approach and that of several other countries: whereas several national laws apply only to the collection of data, be it on paper or in digital format, in Canada our mandate is larger in scope and includes both physical and informational privacy.
This difference came to mind in a conversation with Mr. Lo last year at our seminar in Paris, when he explained that the Senegalese Commission did not exert its authority over the body scanners since there was no collection of personal data.
This position is perfectly logical, but it does not correspond to our Commission’s mandate to protect “privacy,” including one's physical or informational privacy, and not just personal information. This difference in the scope of our mandates affects the way the principles at play are applied.
These principles apply to both private enterprise and public institutions in that they represent what is immutable:
- the right to privacy as an essential factor in personal integrity;
- its importance for democracy; and
- the protection of the collection, use, disclosure and retention of personal information is based on the principles set out by Mr. Lo, namely legitimacy, purpose, accuracy, transparency, confidentiality and security.
- In Canada we would add the principles of responsibility, consent, access and recourse.
I will look more closely at these main principles and then examine the drivers of change that are forcing us to adapt the means of protecting personal information so as to preserve the basic principles.
Today, personal data protection must absolutely take into account the new reality. The digital age is shifting data from the opacity of paper to the transparency of the Internet. At the same time, it is transforming the way the principles of privacy protection are upheld.
These principles are timeless and transcend the public and private sectors.
First of all, at a time when digital giants are saying one after another that privacy no longer exists, it is important to remind ourselves that the right to privacy is a fundamental right, on which depend freedom and, consequently, democracy.
Respect for personal privacy, integrity and dignity is the basis of trust between the citizen and the state, between an enterprise and its client. The right to live in peace and anonymity, away from the prying eyes of the state or one's fellow citizens is one of the pillars of the social contract in any society.
With that in mind, I would like to look more specifically at the principles that govern privacy in Canada.
The principle of legitimacy or necessity
The state needs personal information to govern, to provide its citizens with the services and the protection they rightly expect. Enterprises also need personal information about their clients to serve them and maintain the business relationship.
The balance between our right to control what the state or an enterprise knows about us and what they need to know to serve us lies, Mr. Lo has said, in a series of well-established principles.
Our Office noted some shortcomings in the private and public sectors in this regard. For example, we conducted an investigation last year following a complaint by an employee of Canada Post. The employee complained that when he asked for leave to look after an ailing relative—leave that was provided for in his contract of employment—Canada’s postal service required him to provide an excessive amount of personal information about himself, as well as very specific medical information about members of his family.
Canada Post demanded to know (i) his relationship with the ailing relative, (ii) the person’s illness, (iii) why someone else could not look after the sick person—in short, a series of personal and even sensitive information about a third party with which Canada Post had no relationship. Canada Post’s rationale for collecting the information was that it needed it to curb abuse of this sort of leave. We concluded that even if the objective was legitimate, the data collection was excessive.
A second case—one of the most significant that we dealt with in the past year—concerned the use of personal information by Veterans Affairs Canada, the department responsible for the care and reintegration into civilian life of persons who have served in the Canadian Forces.
We received a complaint from a veteran alleging that his personal information had been widely distributed within the department with no apparent control.
Our investigation revealed that very sensitive information, including information about the complainant’s health and financial situation, had been included in briefing notes to the Minister. The notes had been prepared because the complainant, a former member of the Canadian Forces who is now a veterans’ advocate, was going to appear at a press conference to discuss veterans’ issues. In addition to information on the complainant’s advocacy activities, the briefing note contained diagnoses, symptoms and prognoses, frequency of appointments, recommended treatment plans, the chronology of his interactions with the department as a client, and the amounts of financial benefits he had received.
This highly confidential information, which should have been used only to provide services to the former member of the Canadian Forces, was circulated within the public organization: it went from the policy unit to communications and media relations and finally to the minister’s political staff—people who had no need whatsoever to be apprised of the information to do their work.
The minister responded immediately to our concerns by putting into place an action plan to correct the shortcomings we had revealed. For our part, in light of what we discovered during our investigation, we have decided to conduct an audit of the department’s management practices in the winter of 2012 to confirm that proper policies and procedures have indeed been put into place.
The principle of accuracy
Inevitably, the state and now, as a result of Internet transactions, private enterprise collect an enormous amount of personal information. For example, in carrying out their duties, police officers collect information about people, their activities, associations and movements. This is necessary to maintain law and order. Online search engines store search files to make subsequent searches easier for the user. But the need to retain this information must be demonstrated, and even if there is such a need, the length of time the information is kept must also be justified by necessity. In addition, the information must be accurate.
In 2008, we did an audit of the exempt banks of the Royal Canadian Mounted Police (RCMP). In principle, exempt banks exist to prevent public access to the most sensitive information affecting national security and criminal investigations.
The departments and agencies that control such data banks will refuse to confirm or deny that they have such information if an access request is made—which is perfectly legitimate and necessary. People whose names are in the RCMP’s exempt banks could suffer serious harm: they may have trouble getting the security clearance needed for a job, or getting across the border. In our 2008 audit, we found that this large data bank contained tens of thousands of files that should not have been there. For example, we found a seven-year-old file on a man whom a resident of a rooming house had reported to the police, because he suspected the man was involved in a drug deal. The man was standing in the street smoking a cigarette.
A police investigation revealed that the man in question was simply finishing a cigarette before getting into his car, after he had dropped his daughter off at a nearby school. In short, there was no reason whatsoever that his file should be in a secret data bank.
We conducted a follow-up audit this year to make sure that the RCMP had indeed fulfilled its commitment to re-examine the relevance of keeping certain files in the exempt banks.
We were very happy to note the remarkable results: the number of files in the national security bank dropped from 5,288 in March 2008 to 190 in March 2011, while the criminal information bank had been purged of nearly 60,000 files.
The principle of accountability
A more recent investigation in the private sector involving Google illustrates the principle of accountability. We discovered that when implementing its Street View program, Google had captured and stored personal information that was being exchanged over Wi-Fi networks.
An engineer from Google had developed code that enabled them to locate Wi-Fi networks. The risk was that the content of Wi-Fi communications could be intercepted, but no one checked. There is no procedure or governance structure that systematically controls the repercussions of Google’s innovations on privacy. We gave Google one year to strengthen its governance structure in order to bolster its accountability and avoid such errors.
The principle of consent
An unusual investigation in the private sector recently illustrated the principles of security and consent.
We received a complaint against the use of video surveillance in a daycare centre. For a monthly fee, parents had access to a video feed to their own computer to see what their children were doing during the day.
This certainly raises new dilemmas about children’s privacy, but we have to limit ourselves to the provisions of the existing legislation.
With respect to consent, we noted that all the parents and the daycare employees had given their informed consent to the video surveillance.
As for the principle of security, we did a rigorous technological test of the electronic equipment. We made many recommendations to ensure the security of the personal data, that is, the video surveillance images recorded. For example, the images are not retained, the system is secure, and the parents agree not to distribute any image or they will lose their right to the use of the daycare service.
The principle of transparency
The last principle I would like to illustrate using our recent investigations is the principle of transparency. In this case, I am referring to the Facebook investigation.
In fact, the allegations could be made against most social media: their privacy settings and application are complex, difficult to use and difficult to understand.
Since the essence of privacy is the individual’s ability to control their personal information, the principle of transparency is crucial to maintaining the right to privacy: an enterprise or public institution cannot collect, store or use personal information without ensuring that its objectives, personal information management and security measures are transparent.
We are nevertheless continuing our dialogue with Facebook and other social media to make sure that the transparency of their policies and settings is in keeping with the technological complexity of the digital age.
As for the principles of access and recourse, I will simply say that they protect a person’s right to access their personal information and provide recourse if their privacy rights are infringed.
Having described the immutable principles, I would now like to examine some of the challenges ahead. I’ll call it a sea change.
The sea change
Any discussion of the right to privacy has to take into account the digital revolution, which has fundamentally altered the way humans interact.
New communication technologies, digitization and information networking have had an effect on humanity comparable to that of the printing press. It is a full-scale revolution. In the title of my talk, I call it a quiet revolution, first because the term describes a pivotal moment in Quebec history, and second because it seems to me to aptly describe the almost insidious shifts the digital age has brought.
In the 1960s, we in Quebec threw off the yoke of the strict rules that were dominating us and became a more enlightened society. In a mere two or three years, a social sea change occurred—without upheaval or a clear break—which relegated to the past a series of traditions that prevented us from moving forward. As during that historical moment in Quebec, the advent of information technologies has quietly upset our social contract, our ways of doing business and governing and our approach to privacy.
The revolution has sent shock waves throughout the whole of civilization and has had a profound effect on the collection, use and communication of personal information.
The new information technologies have a special impact on the principles of security and confidentiality. The technology for managing personal information is powerful, but it is also vulnerable: it can be used to protect information or to make it more accessible and revealing. The information holder, therefore, whether it be a commercial enterprise or a public institution, has an obligation to manage personal information differently.
From the opacity of paper to the transparency of the Internet
The first example of the need to adapt the management of personal information to the digital age is the shift from the opacity of paper to the transparency of the Internet. I would like to illustrate this through the issue of reconciling the principles of the transparency of the administration of justice with the protection of privacy.
The fair and transparent administration of justice is a central principle of democracy. Until recently, such transparency was assured by making public the decisions of the courts and tribunals.
The Internet has changed that. The natural balance between the principle of a public hearing and the right to privacy—which was based on the “practical obscurity” of paper—has now been lost.
Before the Internet, anyone who wanted to consult a file had to go in person to the court registry, identify themselves and ask to see the specific file.
Now it is open season for personal information on the Internet—and the decisions of administrative tribunals can become a breeding ground for all sorts of abuse.
The online court records system in British Columbia, a Canadian province, is a good example. The online system makes it possible to consult information on any civil or criminal proceedings. When the new system was launched in the spring of 2009, there was so much traffic to the site that a virtual line-up formed. A privacy advocate pointed out that she had never seen a line-up at the court registry to consult the same files.
The increasingly voracious appetite among members of the public for personal information about others hides, at best, an unhealthy curiosity, and, at worst, criminal intent.
We have received many complaints about administrative and quasi-judicial tribunals from people who were frustrated to find out that information about them—information they thought was confidential—was posted on the Internet for all to see, including their neighbours, friends and colleagues.
Pension applications and workplace grievances, for example, popped up when their name was entered into a search engine. This went far beyond what was justifiable by the public interest.
We responded by issuing guidelines for tribunals within our jurisdiction and by urging all tribunals in the country to make the decisions posted on the Internet anonymous.
Another driver of change is Internet surveillance.
From human surveillance to electronic surveillance
Behaviour changes online. People feel obliged to join all sorts of virtual networks based on supposed friendships, because they are afraid of being left out, ostracized. Social life now depends on the use of technology—a technology whose architecture is often public by default.
Some of our daily activities that were once anonymous—reading the paper, talking to friends, window shopping—now leave a trace.
What’s more, following others online and keeping a digital record of their comings and goings, far from being socially unacceptable, has become a social activity in itself. There is a growing wealth of information about us, and it is becoming increasingly easy to find it. Business has found a whole new potential for advertising and sales.
Another illustration of the blurring between public and private life is what happened following the Vancouver riots this spring.
After their hockey team lost the Stanley Cup final, some Vancouverites took to the streets to create havoc. Others rushed to capture their every move on iPhones and Blackberries and to post the images on the Internet.
More recently, in Great Britain, we saw how the police obtained access to social media and mobile telephone networks to find rioters and bring them before the courts.
We have almost no more secrets from our fellow citizens—and even fewer from the enterprises with which we do business.
Our Internet and cell phone service providers can know absolutely everything about us.
In conclusion, I would like to leave you with the words of the Prince of Salina from Giuseppe Tomasi di Lampedusa’s The Leopard. The aristocrat, who was both hesitant about the unification of Italy and conscious of the invincibility of the movement and what he had to do to maintain his status in the new political landscape, said, “If we want things to stay as they are, things will have to change.”
Such is the case with privacy in the face of the quiet revolution of the digital age: we must change how personal information is protected, if we want the basic, immutable principles to stay the same.