Protecting Privacy in Changing Times

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the Canada Post Privacy Awareness Day

October 21, 2011
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

I am pleased to be here today to speak about privacy, a topic that is clearly near and dear to my heart. I am particularly delighted to see so many staff and managers of Canada Post taking the time to listen to what I have to say.

For, indeed, privacy is a matter of vital importance to all Canadians, and never more so than now. Privacy is under siege today as never before. Some of the challenges are apparent and in your face; others more subtle, perhaps even invisible.

But what we do know is that personal information has become a red-hot commodity. Everybody wants it – governments, marketers and identity thieves, to name just a few.

Many people will part with it – either willingly, by posting their personal details online…

…. or inadvertently, through technologies such as surveillance cameras, GPS location devices, browser tracking cookies and so forth.

But what I suggest to you is this:

Even in this era of digital sharing, privacy remains a cherished Canadian value.

Even in the face of staggering technological encroachments, personal information is worth protecting.

And you, as employees of Canada Post, have a pivotal role in protecting it.

Context

It used to be that the post office moved only letters and parcels. And you certainly still do that, to the tune of 11 billion or so pieces every year.

In this electronic age, however, you do so much more – indeed, you’re effectively in the data-moving business.

Consider your many new online products and services, such as Comparison Shopper, CentrSource and myBackCheck. Far from a stodgy government institution, Canada Post has evolved into an entrepreneurial purveyor of information.

From a business perspective, it makes tremendous sense to branch out, and you are to be applauded for responding with such agility to changing times and consumer appetites.

But, from a privacy perspective, it is imperative that you never lose sight of your responsibility to safeguard the personal information that passes through your organization.

And the blunt truth is – the more you collect, the greater the risk.

The risk is of a privacy breach, a breach that can be damaging to your customers, and catastrophic for an organization founded on the trust of Canadians.

It is in that context that I welcome the opportunity to speak with you today.

Canada Post and privacy

First some background: Canada Post has been subject to the Privacy Act since the law came into force in 1983. Data privacy is certainly important to your organization --- the fact that you organized this event is a testament to that.

You also offer online tools, such as the Smart Data Cleaner, that are all about minimizing the risk of personal information getting into the wrong hands.

But it’s bigger than that: Five years ago, Canada Post created a “Privacy Leader” role, charged with developing an overarching privacy management framework to govern your organization’s collection and use of personal information.

Indeed, privacy and the protection of personal information are priorities for your general manager, Amanda Maltby. She has been a vocal and longstanding champion of privacy laws, and I hope that my comments today will help reinforce her leadership in this area.

So, how has that concern for privacy influenced the day-to-day operations of Canada Post?

I can tell you that, in a typical year, we receive a couple of dozen privacy complaints about your organization, which represents about two to four percent of all the complaints we receive.

Many of these complaints are lodged by employees, but some relate to other matters.

We’ve heard, for example, about letters that arrive opened. We’ve been asked why you request Social Insurance Numbers or other personal information for specific online services, such as mail holding and forwarding, and address changes.

And sometimes, as with last July’s misadventure involving the Cancer Care Ontario reports, your organization finds itself in a very discomfiting media spotlight.

As a result of that incident, Ontario’s Information and Privacy Commissioner recently ordered Cancer Cancer Care Ontario to discontinue its practice of transferring screening reports containing personal health information to physicians in paper format.

Risks and challenges

By its very nature, the business of Canada Post involves risk. That is inevitable, given the sheer volume of personal information you handle, much of it sensitive.

And, for most part, people have no choice but to furnish it—personal data is the currency that buys the services they need.

To add to the complexity, the personal information you handle flows through a highly decentralized network of more than 6,500 postal locations across the country. Nearly half of those are independently owned franchises, operating under contract in drug stores, card shops or other retail outlets--where people who are not Canada Post employees often handle the mail and collect personal information for Canada Post services.

And that’s not counting mailboxes on every other street corner. The privacy and security challenges are self-evident.

In fact, one of the more common issues that my Office encounters with respect to Canada Post is decidedly low-tech: People’s passport applications go missing in the mail.

And those are just the old-fashioned paper problems. Online, the products and services you offer to consumers, advertisers, businesses and other clients are becoming ever more numerous and sophisticated. Many vacuum up significant amounts of personal information, some of it highly sensitive.

In addition to basic name and address data, Canada Post routinely collects and stores financial data, unique identifiers of various sorts, photographs, signatures and passport information.

Indeed, with new services like myBackCheck, you’re verifying people’s identities for criminal record checks.

Proactive privacy

So, what do I mean by proactive privacy?

Whenever an organization considers an activity that involves the collection, use or disclosure of personal information, it should think of privacy as the default position.

Privacy must be built into the very design of a program, product or service.

But that’s not all; privacy considerations have to pervade the entire life cycle of the initiative--its implementation, ongoing operation, evaluation and even its eventual conclusion and dismantling.

Building privacy into an initiative means many things.

It means attention to IT and physical security.

It means making privacy the responsibility of everyone in the organization, from the Chief Privacy Officer on down to the counter clerk who accepts a letter or a parcel.

This requires training, and the training has to be ongoing. That’s all the more vital for an organization as vast and decentralized as yours, where so many people, all across the country, handle personal information as part of their routine duties.

And finally there are the governance and operational safeguards that need to be taken into account. I’m referring here to a range of accountability mechanisms specific to your enterprise, such as protocols for the collection and use of data, and detailed agreements for the sharing of information.

Strategic value of PIAs

From my perspective as Privacy Commissioner, one of the most valuable tools to support such a proactive approach is the Privacy Impact Assessment process.

Treasury Board directs federal departments and agencies to submit Privacy Impact Assessments to our Office for review. The idea is to document the potential impact on privacy of a new or substantially modified program or service, along with measures that would mitigate privacy risks. These Privacy Impact Assessments are required before an initiative is implemented.

To be candid, this is an area for improvement for Canada Post.

But I can assure you that the assessment process can be a very valuable exercise. It’s a way to highlight gaps in standard operating procedures, as well as training opportunities for employees.

And we’re there to help. We can provide expertise on privacy, on risk, and on mitigating measures. We even have an in-house IT unit that can review technical aspects and security features.

But, in the end, it’s your project. It’s your chance to think strategically.

To explain—to yourselves and all Canadians—why it’s essential that you collect their personal information, and how you’re going to minimize risks to their privacy.

Four-part test

Over the years, my Office has accumulated a lot of experience on what makes a good Privacy Impact Assessment. Earlier this year we brought it all together in a new guide, available on our website and in bound hard copy, that sets out our expectations.

A well thought-out Privacy Impact Assessment should, for example, begin with a rigorous four-part analysis to justify any potential intrusion on privacy.

An organization starts by demonstrating that the specific collection, use and disclosure of personal information is really necessary for the particular initiative it is proposing. If an initiative requires personal information in order to operate, we want to see that it fulfills a compelling public need or goal.

We also ask for a specific explanation of how the proposed collection or use of personal information will meet the purported need. It’s not enough to collect or hold on to data “just in case” some future use might present itself.

Third, we expect any privacy intrusion to be proportional to the benefit to be derived from the proposed measure.

And finally, we ask entities to consider using other, more privacy-friendly methods or sources of information to meet their goals.

Fair information principles

Once the proposed collection and use of personal information is justified, we then look for evidence of the proper stewardship of that personal information.

Useful for this exercise are the 10 universal privacy and fair information principles for the protection of personal information. These principles, referred to as the “Model Code,” trace their origin to a 1980 OECD agreement on the protection of privacy.

The principles require an organization to designate a person to be accountable for the personal information under its control.

The institution is also obliged to identify and document the purpose for which personal information is being collected, and to limit the collection to what is necessary for the identified purpose. Another principle calls for limits to the use, disclosure and retention of personal information.

The principles also address matters of informed consent, transparency, ensuring that any collected data is accurate, and giving people access to their personal information.

And they call for security safeguards and mechanisms to enable public complaints and redress.

Beyond these fair information principles, we expect institutions to come up with an action plan to make sure nothing falls between the cracks. The action plan becomes a component of the organization’s overall Privacy Management Framework.

One last point about Privacy Impact Assessments: They are meant to be evergreen. They should be revisited and updated regularly as the initiative progresses, evolves or winds down.

Conclusion

To sum up, Canada Post is all about public confidence. People entrust you with their letters and gifts, their passports and paycheques, their online shopping intentions and their criminal background checks.

You have unparalleled access to people’s personal information, but they trust you with it because they have faith that you will deliver their goods in a secure and reliable way, whether through the mail system or through cyberspace.

But that faith hinges on things going right. It hinges on the identification and management of risk, along with airtight safeguards for personal information.

Getting it right isn’t easy, but it is imperative.

Why?

Because these are the standards that Canadians have chosen for themselves.

And because it’s the cornerstone of public trust in Canada Post.

Thank you.

Date modified: