Expanding privacy literacy – we all have a part to play
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at the PIPA Conference
October 13, 2011
Toronto, Ontario
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Introduction
Good morning. I am pleased to be with so many people who focus on the important subject of privacy in business.
In a moment I am going to speak with you about a concept which is likely to become increasingly important to you – the idea of privacy literacy.
Federal–provincial cooperation
But, first, I also want to say how delighted I am to once again join Elizabeth Denham and Frank Work, my privacy counterparts in British Columbia and Alberta. You could say that we three focus on the business of privacy, which includes privacy in business, of course.
Our respective offices have worked very closely together for some years in offering what we hope is consistent guidance to organizations about various privacy concerns and in conducting joint investigations, where appropriate, into complaints over the handling of personal information in the private sector.
For instance, the Alberta Commissioner and my Office both initiated investigations following a large–scale breach of the customer databases of U.S–headquartered retailer TJX which operates Winners and HomeSense stores in Canada. Our three offices have also issued guidance on the collection of information from driver’s licences in the retail sector, presenting photo ID and the use of street–level imaging technology. Quebec also participated in the latter guidelines.
The products of this productive collaboration includes an online self–assessment checklist that lets you evaluate your organization’s arrangements for securing personal information.
I believe these and other examples demonstrate that, when it comes to the protection of personal privacy, it can be very useful to deploy the expertise and resources of both the federal and provincial levels of government in a co–ordinated fashion. I commend Alberta and BC for the outstanding work that they’ve done on these initiatives.
The prominent political scientist Janice Gross Stein has given a more complex version of this approach the somewhat intimidating name of "networked federalism." I prefer to think of it as joining one another in the frontline trenches.
Frank Work Tribute
So let me take this opportunity to salute someone who has long been in those trenches, Frank Work who will shortly retire as Alberta’s Information and Privacy Commissioner.
Frank has been a tireless defender of privacy and access rights in Alberta. He is a man who shoots from the hip – you never have trouble understanding what Frank is thinking! I suppose that’s why I read in the Edmonton Journal that Frank has not been on the Government of Alberta’s Christmas card list for some time! Frank, you will always be on my list – I have long admired your commitment and your passion for both privacy and access.
Privacy Literacy
And now I’d like to turn to the subject of privacy literacy – a phrase that might be new to some here.
Literacy today encompasses a lot more than simply deciphering words on a page – or on a smart phone screen or tablet for that matter. Canada uses the definition of literacy from the Organization for Economic Co–operation and Development: "The ability to understand and employ printed information in daily activities at home, at work and in the community – to achieve one’s goals, and to develop one’s knowledge and potential." A leading advocacy group in Canada, ABC Life Literacy, adds that literacy means having the skills to "engage fully and confidently in life’s activities and opportunities."
And so, by extension, "privacy" literacy could mean having the skills to engage fully and confidently in the digital world, without compromising your own personal information or that of others. This implies that both individuals and organizations need to have a much better grasp of privacy obligations and their importance.
Why do I say this when there’s no denying that many Canadians already display sophisticated online skills? We spend an average of 43–and–a–half hours online every month – making us the biggest Internet users on the planet. We are also among the world’s most enthusiastic online social networkers. Roughly one in two Canadians is on Facebook.
More generally, four out of five Canadians over the age of 16 are now online. That number is probably also high for younger Canadians, but there are no reliable recent statistics.
However, in the United States, a qualitative study by the Joan Ganz Center in New York found that more than two–thirds of children with access to the Internet use it on any given weekday and, astonishingly, at the age of three, about one–quarter of children go online daily.
We’re also quick to embrace the latest developments in the digi–sphere. TD Canada Trust recently found that about one in five Canadians aged 18 to 34 are using banking aps from smart phones, largely because they’re most likely to have a smart phone.
Yet while Canadians may be early adopters of new technologies, I worry that we are not doing as well when it comes to privacy literacy in this brave new digital world.
OPC Poll
Canadians are undoubtedly concerned about the protection of their personal privacy.
In a survey of 2,000 Canadians aged 18 and older conducted for my Office earlier this year, four in 10 felt that computers and the Internet pose a risk to their privacy. That’s up from one–quarter in a similar survey just two years ago.
Six in 10 said their personal information enjoys weaker protection than it did a decade ago and they pointed particularly at business, with only one in seven (14 per cent) saying that businesses take seriously their obligations to protect privacy.
Despite such professed concern, many Canadians aren’t taking an active hand in the protection of their personal information:
Half the survey respondents said they rarely or never (25 per cent each) read the privacy policy on websites they visited.
Four out of five said they had never sought information about their privacy rights, such as contacting an organization, visiting a web site or reviewing a publication.
Only four in 10 people said they use password locks or adjust their settings to limit the sharing of personal information on their mobile devices.
Many people simply don’t know that they’re leaving a potentially troublesome trail of digital bread crumbs when they click their way through websites and from website to website. They don’t know those crumbs don’t disappear – that they are stored, analyzed and are accessible.
And there’s more. Other examples where individuals need to be privacy literate to engage confidently in the digital world include:
- understanding how to use privacy settings on social networking sites;
- realizing that personal information they place online may wind up being used in ways they never imagined, such as being fired from jobs or not even getting a job interview in the first place;
- respecting the rights of others, for example not posting photos of them without permission – especially embarrassing ones;
- securing home wireless networks, which might have avoided some of the fallout from the Google WiFi story;
- penetrating the very complex world of what happens behind your computer screen, such as online tracking by advertisers.
Public education efforts
On this last point, my Office is today launching a new fact sheet about behavioural advertising aimed at increasing individuals’ understanding of this practice. This joins other similar fact sheets for individuals published this year, such as ones on cloud computing and web tracking through cookies.
And there’s still more on the educational front.
Just last month, my Office unveiled a tool that helps teachers and community leaders talk with younger Canadians about taking advantage of the benefits of the online world, without running the risk of having privacy regrets later. The free online package, called Protecting Your Online Rep, includes a PowerPoint presentation with detailed speaking notes for each slide, along with class discussion topics.
In addition, just a few weeks ago we launched the fourth annual video contest for students aged 12 to 18 under the title My Privacy & Me. The students create one–to–two minute videoes on the privacy issues associated with social networking, mobile devices, online gaming or cyber–security. Previous contests produced some truly moving and effective public service announcements which you can check out at our special youth website youthprivacy.ca. At the same place, you can scan our youth privacy blog.
Also in the works is what’s now called a "graphic novel" on the theme of protecting personal information (you may know these as comic books!).
As well, my Office is exploring ways to help the privacy literacy of groups who are new to the online world, such as immigrants and seniors.
This sort of effort to cultivate privacy literacy among individuals is vital in an era when people freely post vast amounts of information about themselves and others – an activity largely outside the scope of PIPEDA.
Business privacy literacy
Equally important is boosting the privacy literacy within organizations.
Businesses need to ensure that their employees understand how personal information should be used and handled in the context of privacy values. And continued training is the best way to make people stop and think about the need to protect personal information.
Privacy training can save an organization a lot of grief. An employee who has spent some time thinking and learning about privacy is less likely to leave a laptop containing personal information on the front seat of a car. She’s also less likely to allow her curiosity to prompt her to pull medical records or tax records that she has no business seeing.
It’s not only data protection authorities who believe this.
Companies like General Electric and IBM are now routinely carrying out privacy impact assessments, according to a recent article in the Wall Street Journal. The assessements for IBM operations in 90 countries world wide are carried out by a team based in Canada.
Yet a recent poll conducted for my Office found that only 37 per cent of businesses provided privacy training for employees.
This is disturbing because, under PIPEDA, organizations are required to be accountable for their personal information handling practices – and this includes training, among many other things.
My Office is placing a greater emphasis on accountability requirements – and I think it’s fair to say the same could be said of our counterparts in BC and Alberta.
The three of us are currently collaborating on guidance about accountability, about what we will expect to see in the privacy management frameworks of organizations. We aim to release those joint guidelines early in 2012.
There’s still more on the way to help organizations improve privacy literacy.
Two of the fact sheets which I mentioned for individuals – on behavioural advertising and cloud computing – will also soon be issued in versions intended for business.
As well, we offer an online tool specifically targeted at small businesses, which generates five things: an information audit; consent provisions required specifically for the business; a security plan to protect personal information; a sample privacy brochure for customers; and a training needs assessment.
All that from just a 30–minute exercise!
I hope my remarks are convincing you that privacy literacy isn’t just some new fad phrase, but rather a valuable concept that you’ll want to see embedded in your homes, your children’s schools and your business organizations.
Now, in the few minutes remaining, I’d like to bring you up to date on several other important developments affecting privacy in business.
Breach Notification
Two weeks ago, Bill C–12 was given first reading in the House of Commons. This is essentially the "daughter of C–29" – the legislation updating PIPEDA, which died when Parliament was dissolved for the federal election.
The recommended amendments date back to the first mandated review of PIPEDA back in 2006–2007.
With C–12 now before Parliament and also the prospect of the second mandated review of PIPEDA starting within a few months, I will refrain at this point from offering detailed comments regarding the adequacy of PIPEDA’s framework.
However, I have numerous times in the past underscored the importance of mandatory breach reporting, something which already exists in a slightly different form in Alberta and which will be included under the C–12 amendments.
Anti–spam Legislation
Other important amendments to PIPEDA were already passed in Parliament last December, as part of legislation to curb the amount of deceptive electronic communications, or spam, circulating in Canada.
Under the new law, my Office has more discretion to refuse or discontinue complaint investigations. This will enable us to concentrate our investigative resources where they will have the most impact.
The new legislation also allows us to share information on spam and other privacy issues with our domestic and international counterparts. In these days of global data flows – meaning also digital data crumbs globally – this new power to collaborate with other enforcement authorities is essential.
The main thrust of the legislation, however, relates to electronic spam and the many scams that often come with it. My Office will share enforcement responsibilities under this new law with the CRTC and the Competition Bureau. We look forward to taking on our share of that effort.
Toronto Office
Last year’s opening of our Toronto office demonstrated our desire to reach out to stakeholders. By setting up shop in Canada’s business centre, we will forge more meaningful ties with regulated industries. Through outreach, consultation and guidance, we believe we can promote better privacy habits among Canadian enterprises. It is always better to encourage organizations to avoid problems in the first place, than ferret out and address wrongdoing after the fact.
We have established collaborative networks to support public education and outreach programs in the area. We also sponsored information sessions with businesses and privacy practioners in the GTA which covered systemic privacy issues and showcased tools and information products from my Office.
There is much more which I could mention – such as the handbook we produced aimed specifically at helping lawyers with privacy matters in their day–to–day operations – but I’d like to leave a bit of time to answer any questions you may have.
- Date modified: