The Use of Administrative Data for Census Purposes

Remarks at the Meeting of the National Statistics Council

November 7, 2013
Ottawa, Ontario

Address by Steven Morgan
Director General, Audit and Review

(Check against delivery)

---

Introduction

Thank you for the opportunity to speak to the National Statistics Council about privacy considerations associated with the use of administrative data for statistical purposes - in particular, for the national census.

The Privacy Commissioner of Canada, Jennifer Stoddart, extends her regrets that she can’t be here this evening. The Commissioner has always made time for meetings with important groups such as this Council. She is currently attending an event to honour her ten years as Canada’s Privacy Commissioner, as her mandate is coming to a close.

Internationally, our country ranks highly in so many regards due in large part to the development of sound public policy. And this sound policy requires good data. We take for granted that—the locations of our schools, funding for our social and medical programs, needs of the various communities in which we live—all depend on some form of information gathering and statistical analysis. As well, having spent more than a decade in audit, I recognize that one cannot manage what is not being measured.

Our organizations have interacted well in the past including our Office’s review of the 2016 census options.

We both have an important role in serving the public interest:

• Statistics Canada provides the expertise and resources to collect, analyse and manage the data necessary for effective public policies and programs;
• The OPC is seen as Canada’s privacy guardian.

We look forward to the keeping the lines of communication between our organizations open, so that Statistics Canada can demonstrate how it has taken privacy considerations into account in the design of complex processes.

Let me begin with a short description of what our Office does and how we do it, and then I will address the question of the use of administrative data.

The Role of the Office of the Commissioner of Privacy

Our mandate is to oversee Canada’s privacy laws that apply to the public and private sectors. Our mission quite simply is to protect and promote the privacy rights of individuals. We investigate complaints, pursue legal action before Federal Courts where matters remain unresolved, conduct audits, provide advice to business and government departments, and raise awareness of privacy matters.

The Commissioner is an Agent of Parliament, and she reports on these activities in annual or special reports to Parliament.

Increased Public Awareness of Government and other Personal Information (Big Data)

Events in the media – including the recent Snowden revelations –have contributed to an increased level of public awareness and concern about the personal information collected by government.

In addition, the advent and enormity of “big data” - which are largely undefined, unstructured collections of information generated from Internet searches, sensors, scanners, machine logs, mobile devices, GPS signals, etc. - presents a whole new set of opportunities as well as risks, including privacy risks, for organizations that use them.

As Commissioner Stoddart said at the 2012 Summit of the International Association of Business Communicators:

“Canadians place a high value on their personal information and don’t want it broadcast, bartered and bandied about without their knowledge and consent.”

So as the volume of information increases, the value Canadians place on their privacy also increases.

The Use of Administrative Data for Census Purposes

We recognize that Statistics Canada continues to face resource pressures. As well, with the demise of the detailed long form census, it has a need to find new ways to generate reliable information, efficiently and economically.

With so many sources of data being generated and readily available, it is not surprising that Statistics Canada would look to them to supplement or complement its census efforts.

In his 2011 report, Don Royce recommended that the government look at using other administrative data to help verify census data and keep the quality of the census high.

Most Canadians are probably unfamiliar with the fact that Statistics Canada has been using administrative data for statistical purposes since the inception of the Dominion Bureau of Statistics in 1918.

In 2012-13 alone, over 500 administrative files were used by Statistics Canada for a wide range of statistical purposes.

While we  understand that Statistics Canada has been careful to try to ensure that these initiatives do not compromise individual privacy, current public sensitivities about the collection and use of personal data warrant enhanced consideration of the use of administrative data, especially when “big data” could be added to the mix.

The public is becoming increasingly aware that as a result of the sheer volume of data generated, the sophistication of new data analytics processes, and the potential for the “mosaic effect”, their preferences and actions could be tracked for various purposes, and their personal privacy somehow compromised.

The Need for a Transparent Framework and Predictable Process

The main counter for these assumptions and fears is a transparent and predictable process that balances the importance of information collection and management with a citizen’s right to privacy.

At the federal level, there is a suite of Treasury Board policies and guidance dealing with Privacy Protection, Privacy Practices, Preparing Information Sharing Agreements Involving Personal Information, etc, and Statistics Canada has its own internal guidance such as the Directive on Record Linkage.

For our Office, an important analytical tool is the Privacy Impact Assessment (PIA). Simply put, the PIA is tool that enables an organization to assess the privacy risks associated with initiatives that involve the use of personal information.

The PIA process identifies, describes, and quantifies risks to personal information and proposes solutions to eliminate or mitigate these risks to an acceptable level. Our Office’s role with respect to PIAs is to observe and recommend, not to approve or enforce. The PIAs are conducted by the originating institution.

When reviewing PIAs, we look at whether the institution has answered the following four questions:

1. Is the measure demonstrably necessary to meet a specific need?
2. Is it likely to be effective in meeting that need?
3. Is the loss of privacy proportional to the need? and
4. Is there a less privacy-invasive way of achieving the same end?

We also look at the safeguards and controls in place, as well as how an institution can ensure accuracy.

The Privacy Challenges of Administrative Data versus Survey Data

Having set out the essence of the Privacy Impact Assessment process, let me now turn to the privacy challenges inherent in the use of administrative data as opposed to survey data for census purposes.

The most obvious difference is that survey data is transparent and personal - I know what information I am giving out and what it will be used for.

Administrative data is not transparent, not personal - it is already one or even more steps removed from the initial transaction from where the data was initially collected. In order to make greater use of administrative data, would it rely on consent as it did in 2006 to access income tax data, would it require some form of legislative amendment or would it require new regulations?

Whether it is immigrant landing data, health data, education data, employment data - individuals would have to be advised of the potential additional or new use of their personal information.

This would require a high level of communication, public education, and transparency that may not exist at present.

Another challenge is accuracy – ensuring that a John Smith in Mississauga is not the John Smith in Nepean or Moncton - there would be a need for some type of personal identifier.

Provisions would have to be made to anonymize the identifier to prevent abuses from data linking or data matching. 

Most of you, I am sure, are familiar with the ongoing debate in Canada over the use of a universal personal identifier.

Our Office and other privacy commissioners have long been opposed to using the Social Insurance Number (SIN) or similar identifiers for broader purposes.

In 2003, Interim Privacy Commissioner Robert Marleau appeared before Parliament and presented an extensive report on the reasons why Canada should resist adopting a national ID card.

We were pleased to note that the Statistics Canada 2016 Final Report on Census Options takes into account privacy concerns regarding the use of a personal identifier.

Marleau recognized that in the post 9/11 era, proponents of an identity card cited its potential to “combat terrorism, curb identity theft, and facilitate travel to the United States”.

One of the options presented by Mr. Marleau to facilitate travel to the U.S. was to use the existing Canadian passport - not necessary in 2003 for travel to the U.S.

And, in fact, this is what eventually happened because it was deemed to be a “less privacy-invasive way of achieving the same end” – Question four of our four part test.

I raise this example simply to show that it is not our Office’s intention to obstruct, but rather to encourage government institutions to be flexible and creative in developing alternate program solutions where necessary to protect privacy. And this flexibility was recognized in the 2016 report where Statistics Canada is examining the voluntary collection of survey data where there are major indications of burden and privacy intrusiveness.

* * *

The recent creation of the BC Services Card - which some see as a prototype for a Canadian ID card - has identified many security, privacy, and civil liberty issues.

In fact, existing legislation and regulations were seen as “inhibitors” to the proposed new card.

The B.C. government had to amend the provincial Privacy Act to allow for the “digitization, aggregation, collation, and exchange of personal information” across formerly discrete government databases.

Opportunities for fraud, internal security breaches - physical, technical, and human - and “function creep” are just some of the other concerns associated with a personal identifier.

And yet some type of personal identifier would be required to enter and validate administrative data.

Another possibility examined in the Royce Report was the creation of central population registers (CPRs) that would contain massive amounts of information on every Canadian without their knowledge or consent. There would also be a number of privacy concerns that would include how this registry could be used.

Current OPC Policy Positions

To reiterate the position of the Office of the Privacy Commissioner of Canada - and virtually all other provincial commissioners – we do not support a universal and mandatory personal identifier.

We would expect any use of administrative data for national census purposes to go through a rigorous Privacy Impact Assessment.

We do not support the creation of central population registers without an assessment of privacy impacts.

For any use of administrative records, we would expect to see early and ongoing notifications to citizens on how their information would be used.

Any data linking or data matching and other practices and possibilities associated with the use of administrative data subject to the provisions in the Statistics Act would have to be reconciled against the requirements of the Privacy Act.

The Challenge to Statistics Canada

As I said earlier, our Office can only observe and recommend.

Statistics Canada already has authority under Section 13 of the Statistics Act to obtain information from governments and businesses.

With the current mood of Canadians towards the collection and use of personal information by governments, it might be beneficial to better explain the reasons for data collection, the real benefits to Canadians, and some idea of how the information will be used and by whom. While conducting research for this speech, I was surprised by the extent of administrative data already used by Statistics Canada.

I think Canadians would benefit from knowing more about the use of administrative data including the implications and the benefits.

A challenge will be to find an acceptable alternative to a personal identifier that paints an accurate and representative picture of Canada.

Increased public dialogue would not only serve to inform the public, but would also help to begin determining what is acceptable to the public from a legal, regulatory, and operational standpoint.

I can’t emphasize enough how important the Privacy Impact Assessment process will be for identifying and mitigating risks at the front-end, as well as providing guidance for both the management and communications of any new initiatives.

But privacy should not be seen as an obstacle in itself - rather just one more public interest consideration that must be taken into account in program design. And when privacy considerations are addressed, what we observe tends to be more public support for a particular initiative, because trust has been maintained.

Conclusion

Information is a critical factor of production in today’s world.

Our challenge is to find ways to convert information - whether administrative data or “big data” - into a public asset without compromising private rights and values.

As I said, there is a need to be creative and flexible in developing new methodologies.

Statistics Canada and our Office have worked together in the past - for example on the issue of the release of historical records - and we should continue that supportive relationship.

But, our clients – the Canadian public – need to be informed as well.

An open and transparent process will greatly enhance public trust in meeting the challenges you face going forward.