Three Decades of Protecting Privacy in Canada

Remarks at the 3rd Annual Access to Information, Privacy and Security Congress

October 5, 2012
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

My Office's most recent annual report on the Privacy Act was tabled in Parliament just yesterday. Our over-arching theme was Three Decades of Protecting Privacy in Canada.

As we describe in our report, the evolution of privacy over the 30 years that have followed the passage of the Privacy Act in Parliament has been remarkable.

This afternoon I would like to focus on public sector issues and reflect on those three decades of experience – the good, the bad … and perhaps even the ugly. I'll also offer a few observations about the road ahead as we begin a fourth decade of experience with the Privacy Act.

First, a quick scan of the major issues as the decades have unfolded…

First Decade

We begin in 1982 – a year that marked a great leap forward for privacy rights in Canada with Parliament enacting the Privacy Act.

The lack of wrinkles on some of the faces out there suggests a refresher on 1982 may be in order.

1982 … Think big hair; big shoulder pads and leg warmers.

1982 was the year that Madonna made her debut and that Dustin Hoffman starred in Tootsie.

It was the year of the Falklands war; and it was the year that Queen Elizabeth proclaimed Canada's repatriated Constitution during a ceremony with then Prime Minister Pierre Trudeau on Parliament Hill.

This was also a time when most federal public servants were still tapping away at electric typewriters.

In fact, the Commodore 64 – that Model T of personal computers – was just coming to market.

We were still a couple of years away from the introduction of mobile phones in Canada. (And there were no Blackberries buzzing on nights and weekends!)

Visionaries were talking about something called the Internet.

The big office time waster back then was … (no, not Facebook … Mark Zuckerberg wasn't even born yet!) … no, people were mesmerized by a colourful plastic contraption called the Rubik's Cube.

In many respects, the 1980s were also simpler times for privacy.

A prominent cause for complaints to the Office of the Privacy Commissioner in those days were requests for people to provide a Social Insurance Number. (It was common to carry your SIN card in your wallet in those days.)

When the personal information of about 16 million taxpayers was stolen from a National Revenue office in 1986, the details were recorded in miniature on thin plastic sheets called microfiche.

We called it “the Chernobyl of privacy disasters.”

We were just starting to see concerns about more complex privacy issues begin to emerge – data matching, cross-border information flows, smart cards and genetics.

Second Decade

The Privacy Act's second decade, from 1992 to 2002, saw increased risks to privacy stemming from a rapidly changing society – more powerful computing technology; greater software sophistication; and the transformation of personal information into a commodity.

Then Privacy Commissioner Bruce Phillips made an eloquent plea that resonates just as strongly today about the need to construct an ethical foundation for new cyber technologies.

“Otherwise,” he cautioned, “we are conducting a technical exercise in a moral vacuum; molding our lives to fit technology, not making technology fit our lives.”

The capacity of new technologies to collect, analyze and store personal information in ways that were unimaginable during the typewriter era – as well as the resulting risks for privacy – were put in sharp focus in the late 1990s.

The Privacy Commissioner's Office revealed to Canadians that the federal government had created a “Longitudinal Labour Force File.”

Behind that bureaucratic name lay a database of files on 33.7 million people – more people than the Canadian population of the day because records were never purged.

Those files were drawn from income tax returns, provincial and municipal welfare rolls, national employment services, child tax credits, the Social Insurance master file and elsewhere.

It was the 1990s version of big data.

Outraged Canadians dubbed it the “Big Brother database.”

Fortunately, the government quickly announced the database would be dismantled.

Third Decade

Two developments at the end of the second decade of our Office's history would have a dramatic impact on our third.

First, was the extension of our mandate with the passage of federal private-sector privacy legislation – the Personal Information Protection and Electronic Documents Act, or PIPEDA.

The importance of that legislation continues to grow as the Internet plays an increasingly central role in our daily lives.

The second history-altering moment for our Office was September 11th, 2001.

Western governments responded to the terrible events of that day with a vast array of national security initiatives – many of which have involved the collection, analysis and cross-matching of more and more personal information.

Our role has been to work to ensure that these new measures do not unduly erode privacy rights.

These have included, for example:

  • The Anti-terrorism Act, which set the tone for creating a broader net for surveillance of organizations and individuals, and has had a significant impact on informational privacy rights in Canada.
  • As well, we have addressed privacy concerns related to numerous air travel initiatives such as the Passenger Protect Program, or no-fly list, and full-body scanners.
  • And we have flagged concerns about a long series of proposals to create “lawful access” legislation in Canada.

Hope and Concern

In sum, the challenges for privacy have grown exponentially since the Privacy Actwas enacted – and the trend continues to accelerate.

How have Canadians fared in the face of these growing risks for their privacy rights?

And how successful has their federal government been in addressing privacy concerns?

My message in this year's annual report begins with that celebrated line from Dickens – “it was the best of times, it was the worst of times….”

I take heart from some positive developments.

First and foremost, I am reassured by the fact that privacy remains a treasured value for the majority of Canadians.

This is what I hear consistently during my travels – even when I meet with younger Canadians sometimes accused of taking the concept of sharing too far – and this perception is backed up by polling commissioned by my Office.

In terms of the government's role in protecting privacy, I believe that the federal bureaucracy has generally become more attuned to privacy concerns over the years.

Three Phases of Privacy and Public Policy

Over the years, we have seen three distinct phases of privacy and public policy – and the trends would suggest we are headed in the right direction.

For far too long – the first 20 years of experience with the Privacy Act – privacy was incorporated only after a government initiative had put into action.

The Longitudinal Labour Force File was one of the most high-profile examples of a failure to consider privacy at the front end of an initiative.

PIAs are geared at prevention of problems – permitting departments to avoid privacy repairs that can be costly, cumbersome and highly embarrassing.

The Government of Canada has become a world leader in requiring federal institutions to undertake PIAs.

My Office has been consulted by many international organizations and data protection offices about our process for reviewing PIAs.

Over the years, we've received close to 600 PIAs.

Recently, we have been pleased to see a third trend in policy integration begin to unfold.

More and more often, federal departments and agencies are contacting us to discuss initiatives even before preparing a PIA.

We believe these advance consultations are likely to result in significant public benefits.

It means that privacy interests can be taken into consideration at the very earliest stages of policy and program development.

Outstanding Challenges

Unfortunately, some challenges for privacy remain.

The fact that the Privacy Act – born in the days of typewriters – has been appallingly outdated for many, many years hardly bears mentioning to this audience.

That remains a huge challenge.

Our latest annual report tells the story of our work with Veterans Affairs Canada over the last couple of years.

You'll recall that in 2010, we released the results of an investigation of Veterans Affairs that brought to light some extremely serious systemic issues.

In that case, we found that a veteran's sensitive medical and personal information was shared – seemingly with no controls – among departmental officials who had no legitimate need to see it.

Personal information even made its way into ministerial briefing notes about the veteran's advocacy activities.

We were so troubled by what we found that we launched an audit.

The audit is now complete.

Although it has been a long road to arrive at this point, I am pleased to be in a position to report that our findings paint an encouraging picture of a department now working to ensure that its practices comply with the Privacy Act.The department has undertaken significant efforts to address a number of deficiencies.

For example, it reviewed employee access rights to its electronic repository of veterans' records.

It wound up removing access privileges for some 500 employees and reduced access levels for 95 percent of remaining positions.

We made several recommendations in our audit and Veterans Affairs says it will implement all of them.

Our annual report also flags our concerns about consistently high numbers of complaints against certain institutions.

One of those is the Correctional Service of Canada, which has long been in a league of its own in terms of complaints.Since opening our doors, we have investigated over 11,000 complaints against the agency.

Of course, there are some obvious drivers for the high numbers – Canada's federal penitentiaries house some 13,000 offenders and information is a valuable commodity in a prison environment.

That said, I have to question why we keep seeing complaints about issues that, frankly, just should not be happening.

Our latest annual report describes an investigation into an inmate's complaint about the public posting of lists providing details about inmates' medical appointments – including times, offender numbers and medical information.

How could anyone think that was a good idea?

Canada Revenue Agency Audit

Another institution that is the subject of consistently high numbers of complaints is the Canada Revenue Agency.

In recent years, we have been concerned about a number of privacy breaches involving Agency employees inappropriately accessing taxpayer information.

The stakes involved are high. The Canada Revenue Agency holds over 30 million taxpayer files which contain highly sensitive information – for example, financial, employment, family and health information.

As a result of our concerns about the potential risk to all of that information, we have launched an audit of the Canada Revenue Agency.

Preliminary work is already underway and we expect to be in a position to announce our findings in 2013.

Privacy Trends in the Public Sector

That's just one of the issues that will be high on our agenda in the coming months.

Another ongoing concern flagged in our annual report relates to time delays.

As you know, this is a long-standing issue – with some access request delays stretching into years.

However, in 2011-2012, we saw a jump in denial of access complaints that deepens our concern.

We believe that greater media attention to privacy issues has increased awareness of access rights – and prompted more Canadians to seek access to their personal information.

While some federal institutions have seen a rise in access requests, the resources to handle those requests have remained the same or have even decreased.

This is an issue we'll be keeping an eye on.

We will also continue to focus on national security and public safety issues.

Those include the many initiatives expected to flow from the Canada-U.S. Perimeter Security plan.

We'll be focused on a number of planned initiatives that carry privacy risks.

Conclusion

I'd like to thank you for your attention during this look back at the road that has led us to this point – and also at what lies ahead.

Earlier, I spoke about some of the factors that provide me with some comfort in my role as Privacy Commissioner.

High on that list are dedicated, thoughtful people like you working in the privacy field – be it in the public sector or the private sector.

Remember that what you do is important. It matters very much to the lives of Canadians.

Thank you.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: