Privacy’s rising prominence

Remarks at the Canadian Access and Privacy Association (CAPA) Conference 2014

December 8, 2014
Ottawa, Ontario

Address by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Let me start by expressing my thanks to the Canadian Access and Privacy Association for the opportunity to be part of this conference. It is a pleasure to speak to people who are passionate about privacy.

As I am sure many of you are aware, I was appointed as Privacy Commissioner in June of this year.  My appointment has come at a time when privacy issues are front and centre within the media, before Parliament as well as the courts.  More and more, respect for privacy is a measure of organizational accountability and therefore citizen and consumer trust, and I look forward to discussing some of these key issues with you today. 

As this is my first speech to access and privacy practitioners, I’d like to start by talking a little bit about my background.  Most importantly, I have a passion for human rights and this has guided the direction of my career.

Indeed, human rights, was at the core of many of the issues I dealt with in my previous work in corrections, immigration and national security. And of course, it remains central to my work today as Privacy Commissioner.  As we all know, personal information is not simply data.  Rather, it is information that has an impact on people’s reputations and lives.

As a long-time public servant, I have lots of experience dealing with public sector issues—and I think this has served me well in commenting on legislation before Parliament this fall. I have less experience with the private sector but, of course, how that sector relates to consumers is equally important, and I intend to give these issues significant attention during my mandate.

Whether we’re talking about the private or public sector, this is an important time for privacy.

Taking advantage of the benefits of the information age while assuring the protection of our fundamental right to privacy is an ongoing challenge.

Privacy and national security

Perhaps nowhere is that challenge greater than in the realm of national security.

As the events of October 20 in Saint-Jean-sur-Richelieu and here in Ottawa on October 22 made clear, the threat to our security is very real. These events have shocked Canadians.

Canadians expect their governments to work to protect them from these kinds of threats, but they do not expect it to come at the expense of their right to privacy. Privacy is an enduring value.

This is in no way meant to minimize the importance of security. Security is essential to maintaining the democratic society we all enjoy.

At the same time, as the Information Commissioner of Canada and I, along with our provincial and territorial colleagues, stated in a joint declaration on October 28, the response to these events must be measured and proportionate, evidence-based and crafted so as to preserve our democratic values.

I would also want to ensure that any proposed changes take into account lessons already learned. 

Justice Major’s commission of inquiry into the Air India bombing, Justice O’Connor’s inquiry into the Maher Arar case, as well as Justice Iacobucci’s inquiry into the cases of three people removed from Canada and subjected to harsh treatment abroad—all of these emphasized the need to bolster information-sharing mechanisms with a healthy respect for privacy. Most certainly, there should be measures in place to ensure that the sharing of information does not result in the mistreatment or torture of individuals.

Further, any legislation that does establish additional powers for public safety, security and law enforcement agencies should include measures to provide effective oversight of the exercise of those additional powers.

Surveillance

When we look back to the events of October, we remain struck by the tragedy of these heartless attacks on innocent individuals, and shocked that our democratic institutions should be targeted.

These events were indeed tragic. Nevertheless, we live in a society governed by the rule of law.

Debates about policy choices and decisions taken by governments can be distilled in a forum governed by reason, to the ultimate benefit of our rights and freedoms. 

For example, let me turn to the discussion about lawful access to subscriber information held by telecom companies. This has gone on for decades, and been portrayed as a debate pitting security needs on one side and privacy rights on the other. And it is a debate that reached a significant milestone in a Supreme Court decision last June.

And indeed, R v. Spencer represents a significant step in protecting the right to privacy. The Court recognized that there is a reasonable expectation of privacy attached to information about telecom company subscribers—understanding that such information could be used to unlock sensitive details about an individual’s online activities.  While a phonebook can provide a name and address, the Court found that linking a name and address to an IP address is a very different thing and therefore worthy of constitutional protection. 

On a practical level this means that, absent exigent circumstances or a reasonable law, authorities need prior court authorization to obtain such information.

I am pleased to see that, since the decision, many organizations, including several telecommunication service providers, have followed up with actions to better respect privacy and increase transparency where the management of subscriber information is concerned. I would encourage others to follow suit.

RCMP review

Of course, the Spencer decision has important repercussions for the public sector as well.

In this regard, our recent review of the RCMP’s warrantless access requests to telecom companies was instructive.

The review sought to determine whether the RCMP had implemented appropriate controls to ensure its collection of subscriber data from telecom service providers without warrants was in compliance with sections 4 and 5 of the Privacy Act.

At the same time, we were hoping to provide additional transparency to the Canadian public by determining and reporting how often the RCMP was collecting subscriber data without a warrant and, when it did make this kind of request, whether it had appropriate justification under the Privacy Act to do so.

Unfortunately, the RCMP informed us that its case file management system was not designed for this type of monitoring and reporting.

Consequently, the only way to obtain the information would be to manually review every file in its primary record management system—a system that, in an average year, receives approximately two million new incident entries.

So, in the end, we weren’t able to shed light on the question we set out to answer, but our work did result in an important recommendation.

While this review focused on the RCMP, we will be asking other federal government organizations to follow our recommendation calling for proper record keeping around warrantless requests.

Certainly, Canadians understand that law enforcement and national security agencies have legitimate needs to collect personal information—but they expect these agencies to be accountable for the type of information that is collected, how it is collected, and how it is used and shared.

Without transparency, public trust in institutions declines and with it, their capacity to be effective.

Further, we expect that federal government departments and agencies will develop new processes to respond to the Spencer decision.  As I noted when I appeared before the Senate Standing Committee on Legal and Constitutional Affairs on Bill C-13 in November, several months after Spencer, Canadians are still in the dark about what may happen to their personal information. 

Trust and confidence

This lack of transparency and therefore, lack of knowledge and uncertainty, can only add to the concerns of Canadians about privacy, reflected by our public opinion research and rising complaint levels.

In 2013, our Office received 426 formal complaints under the Personal Information Protection and Electronic Documents Act. That was almost double the number of complaints received in the previous year.

Most of the increase in complaints related to one issue—Bell Canada's plan to ask its customers' to use their account information and network usage patterns to deliver advertising targeted to individual users. 

The number of complaints that idea generated reinforces the results of public opinion research we conducted a couple of years ago.

In that survey, more than 90 percent of respondents said they think Internet companies should have to ask their permission to track what they do online; close to 70 percent said they had chosen to not use a site or a service because they were uncomfortable with the terms of the privacy policy; and well over half said they had decided not to install, or to uninstall an app because of the amount of personal information they would have to provide.

We are now completing another survey of Canadians where we seek to explore further the connection between an organization’s respect for privacy and how it affects the choices made by individuals, and we look forward to sharing our findings in the coming months.

It will also be interesting to see what our next survey reveals about Canadians' confidence in the capacity of organizations to safeguard their personal data. There have been a number of high-profile data breaches in the private sector and we have also seen a steady increase in the number of incidents reported to our Office by federal departments and agencies.

The number of reports of privacy breaches from federal departments reached another record high this past fiscal year—although, as we have noted in the past, we can't say for sure whether the number of breaches is increasing, or if it's just that departments are becoming more conscientious about reporting them.

We expect to know more in the future, at least on the federal public sector front, thanks to the updates to the Directive on Privacy Practices issued by Treasury Board Secretariat in May of this year. The updated directive makes it clear that federal institutions are to report all material data breaches to our Office and to Treasury Board Secretariat. To add more certainty, we have worked closely with Treasury Board to develop guidance for departments on what constitutes a “material breach.”

While questions remain about the true impact and frequency of federal data breaches, the revised Directive will provide a greater level of detail, as well as increase accountability for agencies to report diligently, respond effectively, and, we hope, mitigate risks more strongly.

Privacy protection: a measure of organizations’ accountability

That is a key point, for privacy protection is an important measure of any organization's accountability—though I emphasize that our Office recognizes that perfection is difficult to attain. The risk environment is simply too complex and changing too quickly to reasonably expect data breaches to be eradicated entirely.

As you probably know, our Office had an incident of our own earlier this year when a hard drive went missing during our move to a new building. We have learned some valuable lessons from that.

Rather than judging organizations solely on the basis of incidents, we want to emphasize the importance of being responsive, and of identifying and mitigating risks to avoid incidents in the first place and, when incidents do occur, being prepared to responding diligently to minimize potential harm.

With regard to responsiveness, our Office needs access to timely information for investigations and for the resulting recommendations to be implemented effectively.

We also need a broader recognition that an essential part of mitigating risk is giving privacy more prominence at the beginning stages of any initiative using personal information. It is much easier and more effective to think about privacy from the start and build it into the design than it is to tack it on when everything else is done.

This is one of the most significant benefits of privacy impact assessments for federal government institutions and the Canadians they serve.  PIAs are an important tool and bring real value to departments because they help to identify privacy risks and develop strategies to mitigate those risks. As such, it is important that comprehensive and detailed PIAs be done, and that they be done at the right time.  In other words, they should help mitigate privacy risks from the conception of initiatives at an early stage rather than being a box to be checked to fulfill a process requirement.

Conclusion

In conclusion, let me talk a little about the importance of your role.

Many of you are access and privacy professionals and advocates, I am well aware that you are not simply purveyors of process.  You, in fact, can and should make an important strategic contribution to the course of your organizations.

In our increasingly information-based society and economy, privacy has never been so prominent.  As a result, privacy is becoming an increasingly important strategic consideration for organizations.

Whether it’s a business offering products and services, or departments and agencies proposing legislation or administrating programs and enforcement, demonstrating respect for privacy is increasingly fundamental to maintaining and building public trust and confidence.

And so, I encourage each of you to advise your management teams accordingly—to help foster a culture in which respect for privacy is regarded not as a burden, but a benefit to all.

Thank you. Merci.

Date modified: