Mapping a course for greater protection: Determining and operationalizing the OPC’s strategic privacy priorities
Remarks at a Heads of Federal Agencies luncheon
October 15, 2015
Address by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
During time today, I will focus on our Office’s exercise to establish and implement our strategic privacy priorities, which will help to guide our work over the next five years.
I want to share with you :
- the process we used for determining these priorities, which included engaging stakeholders and the public;
- what we heard;
- the priorities we selected;
- the activities we are undertaking as a result; and
- the strategies we will employ to achieve our goals.
I will also touch on the measures we are taking under the priorities and what we are doing to ensure that we have our resources aligned to support them.
Thus, I hope this discussion will offer some insight on our Office’s proactive work in the years ahead and that it will also give you a sense of the public’s concerns about privacy.
Our exercise began with a central and guiding objective: To increase the control Canadians have over their personal information. In fact, this was the vision I defined at the very beginning of my mandate in June of 2014.
Consequently, I felt one of my first tasks should be to consult Canadians, to identify their most pressing privacy concerns and where they felt they needed to regain some measure of control.
It goes without saying that technology has advanced profoundly within the last decade, and privacy protection efforts need to keep pace.
Consider for a moment this fact alone: In 2007, Apple’s iPhone was born. By 2015, more than 1.4 million apps had been developed for the device.Footnote 1
During the same time, the number of mobile subscribers increased from just more than 19 million to nearly 29 million in Canada.Footnote 2
Another fact: 90 percent of the data in the world today has been created in the last two years.Footnote 3
What we heard
For our priorities exercise, we reached out to individuals across the country by conducting focus groups.
We also held round table discussions in five cities across Canada, speaking to 155 stakeholders from the public and private sectors, academia, civil society organizations, and consumer groups.
On this note, let me thank some of the institutions here today— namely, the Competition Bureau, CRTC, FINTRAC and the Financial Consumer Agency of Canada—for taking part.
We wanted to know which privacy issues were the most important to participants and why, and what specific actions could be taken to achieve maximum impact and by whom—be they individuals, organizations, regulators or legislators.
The exercise broadened our understanding of concerns and provided us with a better sense of where we should focus our efforts to make the best use of our resources.
Let me now share some of the key themes that emerged from these discussions.
Canada’s privacy laws are rooted in the ability of individuals having control over their personal information—and this ability hinges on the quality of consent.
During our exercise, many expressed concerns about consent. Many saw company’s privacy policies—those which you read while clicking “I accept”—as long, legalistic and incomprehensible. Obviously, these people want to be better informed about how their information will be used and by whom.
Sometimes policies are effectively unclear because they are crafted with the intention of protecting organizations rather than informing individuals. But this is not the only factor at play.
Sometimes, the information provided to individuals is insufficient because the organizations collecting the personal information do not know, at the point of collection, all the ways the data may be used tomorrow.
This is especially relevant given the rise of Big Data. In fact, in an age where analytics and algorithms identify new possible uses for data not yet even conceived or imagined, many participants – especially those in the private sector - questioned whether it was realistic to seek one-time consent in exchange for personal information.
Another prominent concern emerging from discussions with individuals and stakeholders was government surveillance.
Individuals generally accepted some government surveillance for protecting national security and preventing crime.
But, when asked about surveillance being applied to their personal communication, many said they were preoccupied about being profiled without their knowledge and were concerned about how surveillance might infringe on rights and freedoms.
Many called for more transparency on the part of authorities to provide reassurance and build public trust.
Participants also encouraged us to take a strong leadership role on these issues and in particular on Bill C-51, which has now become law.
Participants also shared various concerns about the borderless nature of today’s digital economy.
Individuals expressed discomfort with their personal information leaving Canada, perceiving laws elsewhere as less protective.
Organizations meanwhile shared their concerns about the lack of harmonized privacy legislation internationally – and the burden they face from being regulated by several agencies across the world.
Many experts raised serious concerns about privacy risks tied to new technologies, such as medical and wearable devices meant to monitor our physical activity.
They stressed that, thanks to emerging, powerful analytics, this most personal data could be harnessed for numerous secondary purposes, including insurance, and several others yet to be imagined.
Right to be Forgotten
Participants also highlighted the challenges and consequences of having a digital past.
Several stakeholders called on us to delve more deeply into questions surrounding the Right to be Forgotten.
We also heard from both stakeholders and during our focus groups that some groups of people are at particular risk from privacy threats.
- young people face enhanced reputational risks as a result of the nature and vastness of the personal information they share online; and
- seniors, who are quite often newcomers to using digital technologies.
What we decided
After analyzing and considering what we heard, we decided on four strategic privacy priorities:
- the economics of personal information;
- government surveillance;
- reputation and privacy; and
- the body as information.
The first is the economics of personal information, which refers to the commoditization of personal information and the new business models being developed around the use of Big Data, the Internet of things and mobile technologies. Our goal here is enhancing privacy protection and trust, so individuals may confidently participate in an innovative digital economy.
- In the short term – that is next spring – we will produce a discussion paper outlining the various challenges associated with the current consent model.
- We will explore potential solutions, such as industry codes and other forms of self-regulation; greater accountability, which some suggest would place responsibility more on those who are able to assess risk; and enhanced regulation, including the definition of no-go zones where personal information should always be protected.
- In the medium term, we will identify what improvements could be made to enhance the current model, we will apply the solutions that are within our jurisdiction and, where appropriate, we will recommend legislative changes.
Under government surveillance, we will direct significant resources towards compliance activities to ensure that information sharing made possible under new laws duly respects the Privacy Act. We will report our findings to parliamentarians and the public, and if we find there are problems or short comings, we will issue recommendations for potential improvements to policies or legislation.
- Our ultimate goal here will be contributing to the adoption and implementation of laws and other measures that demonstrably protect both national security and privacy.
Under reputation and privacy, we will work to enhance digital literacy among vulnerable populations. We will also examine the Right to be Forgotten and other recourse mechanisms. All told, our goal will be creating an environment where people can use the Internet to explore their interests without fear of their digital trace leading to unfair treatment.
Under the body as information, our goal will be promoting respect for the privacy and integrity of the human body as the vessel of our most intimate personal information.
- A key task in the short term is to conduct an environmental scan of current and emerging health applications and digital health technologies, such as fitness apps and heart rate monitors.
- We plan to test some of these new products in our own technology lab to better understand their privacy implications.
- This initiative will support our medium term objective of developing guidelines for Canadian digital health technology companies, app developers and others on how to build privacy protections into new products and services while avoiding certain “no-go” zones.
How we are proceeding
In order to make progress on these priorities, we will focus our activities around five cross-cutting strategies:
- Exploring innovative and technological ways to protect privacy;
- Enhancing accountability and promoting good privacy governance;
- Taking into consideration the fact that privacy knows no borders;
- Enhancing our public education role; and
- Paying special attention to vulnerable groups.
These new priorities and strategies will concretely define the course our organization is charting to reach the overarching goal I set out earlier: to increase the control Canadians have over their personal information.
The various branches of our Office are working on specific projects under each priority with short, medium and longer term objectives for which senior management will be accountable. We intend to achieve concrete results for Canadians.
To ensure that support for this work is sustainable, we are reviewing branch budgetary allocations; ensuring that activities supporting the new priorities are adequately funded. This will mean realignment as required.
Operationally, the priorities will guide decisions we make about the proactive work we undertake.
This means they will influence what Commissioner-initiated investigations we take on, the public education and research activities we conduct, and the audits we launch.
In closing, I wanted to tell you about our priority setting exercise today to give you a sense of our strategic directions and key operational actions for the next five years.
For anyone interested in finding out more about the exercise and what we learned, I invite you to visit our website, where we posted a report in June of this year.
I also wanted to emphasize that our direction is being guided by the concerns not just of our Office but a wide range of public and private sector stakeholders, civil society, along with individual Canadians.
Having made an effort to find out what people think about privacy, I can tell you that Canadians are clearly very concerned about—and value—their privacy.
In our information-based society and economy, privacy issues and concerns have never been so prominent.
Whether it’s a tech start-up developing a new mobile app, or a federal agency devising a new program, demonstrating respect for privacy is increasingly fundamental to maintaining and building public trust and confidence.
A major data breach or misuse could hurt any organization. But remember that Canadians provide their personal information to federal institutions out of necessity rather than choice.
Consequently, the government’s duty of care is seen by many as higher, and so the risks of reputational damage brought on by such incidents are often elevated for federal institutions.
As a result, privacy is an increasingly important strategic consideration for organizations like yours. Respecting it is becoming more and more fundamental to building and maintaining public trust and confidence.
Report a problem or mistake on this page
- Date modified: