Responding to Canadians’ Privacy Concerns

Remarks at the Canadian Access and Privacy Association Conference 2015

November 30, 2015
Ottawa, Ontario

Address by Sue Lajoie
Director General, Privacy Act Investigations

(Check against delivery)


Introduction

It is a pleasure to be here and a very welcome opportunity to speak to the community and provide an update on the activities of the Office of the Privacy Commissioner—a sort of overview of what we have been up to since the Commissioner spoke here at this time last year, just a few months into his mandate.

I'm sure the Commissioner would agree that it's been both a busy and an interesting year.

Just to give you a taste of what we’ve been up to in the last year:

  • We completed well over 1,200 investigations of complaints under the Privacy Act alone last year.
  • We’ve been closely engaged in what has been a remarkably broad public debate over the privacy implications of a number of legislative initiatives, including Bill C-51, the Anti-Terrorism Act, 2015.
  • We’ve reviewed and provided comment on Privacy Impact Assessments prepared by departments—many of these related to public safety and security.
  • And, as we are now required, we’ve reviewed data breaches reported by federal institutions. At just over 250, they hit another record high last year.

Meanwhile, public opinion research and anecdotal evidence tell us that Canadians' concern for their privacy is also reaching new highs—the C-51 debate is just one example.

Certainly, we share Canadians' concern—and what we are doing to fully understand and ensure we can continue to respond effectively to their concerns will be the focus of my remarks today, including:

  • our strategic priorities;
  • how we are addressing specific trends that have emerged in terms of complaints and privacy breaches; and
  • what we are doing to better manage the growing yet still unpredictable number and type of complaints we are obliged to process. 

Priorities

As I am sure you are aware, processing complaints, like many other things we do at the OPC, is something we must do. Having said that, we do have some choice when it comes to some activities—which privacy audits we conduct; the subjects of our research activities; the compliance reviews we undertake; and the kinds of outreach we pursue.

In order to ensure the resources we invest in these kinds of activities are truly meaningful to Canadians, we initiated a major exercise last fall to determine the strategic priorities that will guide this work.

We consulted a wide range of stakeholders from the public and private sectors, academics, legal experts, consumer groups and others. We engaged Canadians directly through public opinion research and focus groups.

Based on what we heard from stakeholders and Canadians and additional research conducted by the Office, we decided on four priority areas that will be the focus of our discretionary activities over the next five years. 

I would like to start with the economics of personal information.

This is about more than typing in a credit card number to pay for a DVD on Amazon. We routinely surrender all kinds of personal information in order to access supposedly free online services. That information could be as simple as our location—which we may not even realize we have revealed—but can include anything from our age and how many kids we have to our annual income and yes, our taste in movies.

This information, as we know, has value. It can be part of assembling detailed profiles of us as individuals.

In our focus groups, we found that most participants understood this exchange was taking place—but made the transaction rather grudgingly. As one participant told us, "I'm okay with profit, but tell me what's happening with my information."

Some stakeholders noted that consumers and society do benefit from these transactions. At the same time, we did see general agreement on one point: in the context of big data, the Internet of Things, and the mobile environment, it is becoming more and more difficult for an individual to provide meaningful consent for the collection and use of their personal information, let alone understand or control how it is used.

Our second priority deals with the body as information.

In our focus groups, we found few participants had even considered the privacy hazards involved in something as apparently benign as digital fitness trackers. These devices are streaming massive amounts of intensely personal information into the cloud every day. Who has access to this information? What are they using it for? How is it being protected?

These are just some of the questions being posed.

We have already seen examples of insurance companies accessing the results of genetic tests and using those as a rationale for raising individuals' premiums. A number of focus group participants said they worried that this kind of information would be used for something other than strictly medical purposes.

We heard suggestions that the appropriate uses of such information should be set out in the law. We also heard that privacy must not stand in the way of innovation as the data being collected has such tremendous research potential.

The third priority is reputation and privacy.

It's no secret that checking a potential employee's online persona is a very common practice. In our public opinion survey in the fall of 2014, more than three-quarters of Internet users expressed some level of concern about the different ways the information available about them online might be used by organizations.

It's not just that something we posted when we were 16 may come back to bite us when we are looking for a job 20 years later. It's also about what others may publish online about us. What can we do about what others may post about us? What can we do as individuals to correct or delete information that is no longer accurate or never was accurate?

There is also the fact that virtually all of our online behaviour, from what we read to our search history can be tracked and used to categorize our interests—information that, without proper context, can lead to serious damage to one's reputation.

Some of those we consulted suggested the best response from the OPC is education—helping people understand the potential consequences of their online actions and letting them make their own choices. Others said that organizations bear some responsibility in helping individuals protect their reputations.

As a fourth priority, we will examine the question of government surveillance.

I've already mentioned the broad public debate—which continues—over legislative initiatives such as the Anti-Terrorism Act, 2015 and the Security of Canada Information Sharing Act that is part of that legislation.

In our focus groups, participants were generally fine with the idea of government surveillance for purposes of national security—but their level of comfort fell dramatically when it was suggested that this kind of surveillance could apply to them personally.

Among stakeholders, there was an overwhelming consensus that government surveillance should be a priority area for the OPC—and that the Office is in a unique position to hold the government accountable for respecting Canadians’ privacy.

We heard calls for greater transparency of government information sharing agreements in the context of national security activities, as well as of warrantless access to telecommunications data. We were asked to advocate for more effective oversight of government surveillance activities—and this is something the Commissioner has been doing with considerable vigour, and with good reason.

The Security of Canada Information Sharing Act, for example, enables any federal department or agency to share any information they have collected about Canadians with any or all of 17 federal departments and agencies with responsibilities related to national security. The only condition is that the department doing the sharing must consider the information relevant to national security.

Of the 17 agencies authorized to receive this information, only three are subject to any kind of dedicated independent review or oversight.

However—like all federal institutions, they are subject to the provisions of the Privacy Act. And we will use our review and investigative powers to examine the collection, use and sharing practices of departments and agencies involved in surveillance activities to ensure that they conform with the Act. We will report our findings to Parliamentarians and the public, and issue recommendations for potential improvements to policies or legislation, as needed.

Trends in compliance activities

Privacy Act

Along with these strategic priorities, our activities are guided by any trends we see emerging in the type of complaints we receive.

For federal institutions, the number of complaints regarding time limits, access and compliance with Sections 4 through 8 of the Privacy Act (that is, the sections dealing with the collection, use, disclosure and so on of personal information) is an ongoing concern.

Where time limits are concerned, if we look past the multiple complaints filed by a small number of individuals, the number of time limit complaints was down slightly last year, but several hundred is still far too many. For this reason, we have introduced new procedures for resolving time limit complaints. While the changes are not radical, any institution that cannot provide a commitment date to respond to a request for personal information within 60 days of receipt of our complaint notification will be asked to produce a work plan, essentially justifying the need for more time. If the work plan appears unreasonable or if an institution does not respond within the agreed commitment date, we will consider our options of pursuing the matter before the Courts.

Time is also a factor in what is the most common type of complaint we receive—individuals who feel their information is being withheld unjustly; what we call "access" complaints.

It takes time for the institution to respond to a request for access. If the response leads to a complaint, that is more time. There may also be a court case and appeals. In fact, an individual can wait years to get their hands on what is rightfully theirs: their own personal information.

We know there are challenges, but I am hoping we can find ways to work together to do better.

Understandably, Canadians are upset when they are denied access to their own information. You can imagine how they must feel when it's improperly disclosed to someone else.

We receive each year numerous complaints alleging that information collected for one purpose is being used for another without first obtaining an individual's consent.

We have instances of unauthorized access—what might be called "snooping" by employees who do not have a need to know and therefore, should not have access to the information.

In fact, complaints relating to the improper collection, use or disclosure of personal information are the fastest growing category of complaints we receive. And they are often the most difficult and complex to investigate.

Then there are the data breaches.

As of May 2014, reporting of data breaches in the federal government is no longer voluntary—all material data breaches must be reported to the OPC and to the Treasury Board Secretariat. This may be one reason the number of data breaches reported over the last fiscal year reached another record high.

In any case, and as in past years, we found that about three-quarters of these were the result of human error. And, an alarming number involved portable storage devices—USB memory sticks, portable hard drives and the like. Our website offers detailed guidance on proper use of these devices in order to reduce the risk of this type of breach. Simple things such as a password and encryption can go a long way.

Every data breach reported to the Office is subjected to a thorough review to determine what went wrong and why, and also whether appropriate measures were taken to mitigate the impact of the breach. That means, in most cases, immediate notification of the individuals affected for a start, along with advice and support in managing whatever risk may have been created by the breach—and, of course, advising them of their right to complain to the Office of the Privacy Commissioner.

I would like to take this opportunity to advise departments to double-check Treasury Board Secretariat’s guidance on what constitutes a "material breach." Many of the breaches reported over the past year do not fit that category, and thus were not subject to mandatory reporting. Conversely, several privacy-rich departments have reported nothing.

PIPEDA

Breaches are also a concern for the private sector. Bill S-4, the Digital Privacy Act, which received Royal Assent back in June, makes a number of important changes to PIPEDA, including a provision for mandatory reporting of data breaches. Mandatory breach reporting will come into force once Industry Canada develops and publishes regulations laying out the details.

Other changes included in Bill S-4 are already in effect—expanded language around consent is intended to clarify what constitutes meaningful consent, particularly when it comes to vulnerable individuals, such as children.

As for complaints under PIPEDA, they reached a record high of 402 last year—well above the average of 250 or so that has been the norm for the past number of years.

Happily, we are also seeing a trend toward faster resolution. The average treatment time for a PIPEDA complaint was 4.8 months last year—almost half what it was two years ago—so, we are seeing good results from our ongoing efforts to improve in this area.

Part of this is an emphasis on informal resolution when circumstances allow. Last year, we closed 180 complaints through the Early Resolution process, a third more than the year before.

The majority of private sector organizations we approach have been receptive to the early resolution process and show a real eagerness to resolve customers' privacy concerns as expeditiously as possible. It's a strong indication that more and more organizations are recognizing that taking their customers' privacy seriously is just good business.

Improving service delivery

Good business is also a priority for the Office of the Privacy Commissioner.

As you can tell from the numbers I've been throwing at you, the privacy business is booming, but our resources have not kept pace.

That is why we continue to work on reducing the time it takes to resolve complaints—emphasizing alternative forms of resolution, and seeking out and implementing efficiencies in our investigative processes.

Over the past year, we completed a Diagnostic Review of all our activities related to the Privacy Act, and are in the process of implementing an action plan based on the findings and recommendations.

A lot of the action plan deals with changes to the ways we do things internally, but it also includes a broader outreach to departments to support stronger compliance. Part of this will be working with departments to identify and address challenges that are leading to delays and incomplete responses to requests and breaches. Essentially, we are going to put a lot more focus on prevention—fewer complaints is better for us, better for departments and it is definitely better for Canadians.

With a new government in place—a government that has made it clear it intends to uphold Canadians' right to access the personal information held about them by government—we have some additional motivation to make real progress in this area. 

Conclusion

Taking all these things together—working to improve access under the Privacy Act, changes to PIPEDA, pursuing our strategic priorities and continuing to improve the efficiency of our operations—we should have enough to keep us busy in the year ahead.

Add in the fact that Canadians are clearly becoming more aware of both the risks to the privacy of their personal information and the remedies available to them, and I believe it is safe to say we can expect the coming year will be at least as busy as the year we've just come through.
