Promoting Transparency and Protecting Privacy: What Better Government and Public Trust Mean in a Digital Era
Address given to “Preparing for the Future of Data-Rich Environments in Canada” Conference organized by Canada Revenue Agency (CRA), Employment and Social Development Canada (ESDC) and Statistics Canada
December 5, 2016
Address by Patricia Kosseim
Senior General Counsel and Director-General, Legal Services, Policy, Research and Technology Analysis Branch
(Check against delivery)
Good morning, it’s a pleasure to be here today to talk about some of the privacy implications of conducting government activity in an increasingly data-rich environment, and more specifically, in a context that promotes: 1) Information-sharing across government departments; 2) use of social media tools; and 3) public release of government datasets in a world of ‘bigger’ and ‘bigger’ data.
Information Sharing Across Government Departments
In his most recent Annual Report to the Prime Minister, the Clerk of the Privy Council emphasizes how much service to Canadians has changed today, from where it was even two years ago: ‘Canadians expect more frequent and meaningful communication with government’ and they ‘expect us to work across departments and with other governments, to listen to them and to serve them better’.
Long before these government priorities were articulated, an early example of information-sharing across departments became known as the ‘Snowbirds case’. The case challenged the discretion of the Minister of National Revenue to share personal information collected from individuals via a traveller declaration card with the then Canada Employment Insurance Commission. These E-311 forms, containing the traveller’s name, date of birth, postal code, purpose of travel, and dates of departure from, and return to, Canada, were being shared with the Commission to identify employment insurance claimants who failed to report that they were outside Canada while receiving benefits, and to recover overpayments from them and/or impose penalties, where appropriate.
The decision of the Federal Court of Appeal, affirmed by the Supreme Court of Canada, was that the Minister’s enabling legislation afforded him with sufficiently broad discretion to authorize this information-sharing arrangement with the Commission and therefore fell within the exception of paragraph 8(2)(b) of the Privacy Act that permits disclosure without consent where authorized by law.
Since this example, dating back almost 17 years, the scope, scale and sophistication of information-sharing across government departments have ‘come a long way’. As examples:
- Canada’s Digital Interchange is a strategic initiative involving several federal departments, as well as all 13 provincial and territorial governments, to coordinate the sharing and verification of Canadians’ basic identity information in real time for the purpose of administering certain online services and benefits as seamlessly as possible. This ‘Tell Us Once’ approach would aim to improve Canadians’ experience and avoid them having to repeat the same basic identification information to umpteen different government departments at various levels each time a baby is born or a loved one dies, in order to be issued a certificate, or register for certain benefits, for example.
- Another example is the roll-out and expansion of Canada’s entry-exit initiatives to collect not only entry, but now exit information, of all outbound travellers from Canada. Beyond the simple bilateral arrangement we saw in the Snowbirds case between two government departments, this initiative contemplates information sharing at a much broader scale. CBSA would share exit information not only with the US government to strengthen the security of the Canada-US border, but also with multiple other federal departments for a broad range of purposes, such as: to monitor movement of high-risk travelers and fugitives, respond to amber alerts, prevent export of drugs and illicit goods, oversee compliance with visa conditions, residency requirements and immigration enforcement activities, administer duty and tax exemptions, and ensure the integrity of various social benefit programs.
A third and timely example of information-sharing at a whole new level is Bill C-51 which enacted the Security of Canada Information Sharing Act (SCISA). SCISA now allows any government department to disclose Canadians’ personal information, on request or at its own initiative, to one or several of seventeen (17) designated government departments if it considers it relevant to the recipient institution’s mandate in respect of activities that undermine the security of Canada. Relevance, if you notice, is a much lower threshold for information sharing than the ‘strict necessity’ test currently required under section 12 of the CSIS Act.
Our Commissioner and his provincial counterparts across the country had lots to say about this threshold and other issues in their submission to Public Safety’s Consultation on National Security. But for today’s purposes, suffice to point out just how unprecedented SCISA is when you consider that more than 250 government institutions and agencies can now share personal information with 17 named national-security-related departments, entailing (if my math is correct) more than 4,000 different sharing possibilities!
I think we all agree that information-sharing could be a good thing, if it helps keep Canadians safer, provides them with improved and more efficient services, helps streamline their communications with government, etc. If you asked them, Canadians might even support information-sharing for certain purposes, and under certain conditions. The operative words here being ‘purposes’ and ‘conditions’. The problem is however, that the ‘purposes’ are often lacking in transparency, and the ‘conditions’ may be lacking altogether.
This state of affairs is partly due to an absence of requirements to do otherwise. As you have heard our Office and many others say many times, our Federal Privacy Act (PA) has fallen woefully out of step with modern reality and is completely ill-equipped to allow governments to embrace technological innovations while also protecting Canadians’ privacy. The PA was adopted thirty-five years ago when government data were predominantly paper-based files, and when the scope, scale and sophistication of these kinds of digital information-sharing initiatives were never contemplated, let alone, even imagined.
The old siloed approach to physically organizing files and the sheer practical difficulty of sharing them used to be — believe it or not — an inherent form of privacy protection in itself. Today, government departments are being urged to break down these silos. As per the Clerk in his most recent Report to the PM: “It will be important never to return to a time where policy was developed in splendid isolation from the operations and services that implement it, or the people affected by it. Nor should policy be developed in silos and stovepipes. All of the important issues facing Canada are broad and multi-faceted.”
And yet, while silos come crashing down in the name of modernization, the pillars of privacy protection that once accompanied them are not being replaced by anything nearly as modern. This is not exactly fertile ground for enabling innovation, nor is it reassuring from a privacy perspective. It’s no wonder that a culture of non-sharing has set in among nervous and hesitant bureaucrats. Frankly, I too would be worried about sharing personal data in an antiquated legal environment that relies on vague concepts like ‘consistent use’, with no protective safety net to guard against potential misuse or accidental data breach — the kind that results in public backlash, with the unfortunate scapegoating that sometimes follows, significantly affecting citizen trust and setting progress back for years.
Our office has long advocated for strengthening privacy protections in the Privacy Act — not with a view to stopping information-sharing in a context of modernization and innovation. Rather, I would argue, with a view to enabling responsible sharing — where legally justifiable and socially acceptable to do so, and with appropriate risk mitigation strategies to effectively protect Canadians’ data. Two simple, yet powerful tools, could assist in that regard.
The use of privacy impact assessments (PIAs), in consultation with our office, is more than just a routine checklist exercise — it is one of the most effective risk-mitigation measures departments can adopt to enable responsible information-handling practices. PIAs require institutions to think about privacy protection in a more disciplined and systematic way. They are intended to carefully map out information flows; rationalize the need for collection of data; identify privacy risks involved with its use and potential disclosure; and develop strategies — physical, organizational and/or technological — as well as appropriate governance structures to mitigate those risks effectively. So essential are PIAs, we think, that we have recommended the PA be amended to make them mandatory, along with consultation with our Office. We have also long called for departmental ATIP offices to be adequately resourced and supported from ‘the top’ to conduct PIAs in a timely way, that is, before deployment of a new program or initiative or a major change thereto.
A sister requirement we believe should likewise be elevated to a legal requirement is the information-sharing agreement. As another proposed amendment to the PA, the Commissioner has called for ISAs to be developed in consultation with our Office — not for each individual instance of sharing — but as umbrella agreements to set out the terms and conditions of regular information-sharing. More specifically, we have recommended that information-sharing agreements be in writing and define the specific purpose for the sharing; set limits on secondary use and onward transfer; and build in the necessary safeguards, retention periods and accountability measures. We have also recommended our Office be notified of all new or amended agreements and be given explicit authority to review and comment. While we may not be able to provide detailed comments on all of them, we could — resources permitting — provide comments on those that pose the highest risks to privacy, just as we currently do with PIAs. And in the name of greater transparency, we have also recommended that the existence and nature of these ISAs (short of their actual content) be publicly disclosed.
Non-Traditional Information Sources
Government’s objective of being more nimble and responsive to the needs and expectations of Canadians is playing out in a data-rich context nurtured by individuals who are increasingly exposing their personal lives on social media, discussion forums, and online networks. Never before has it been so easy to data mine these “non-traditional” sources of information. While it may be tempting to cull data from these sites for recruitment, performance management, law enforcement or security related purposes — not to mention out of sheer curiosity — these are not lawless zones!
In fact, departments continue to be subject to the same limits respecting collection and use of personal information in the online world as in the “offline” one. While engaging in public tweets or posting messages on public-facing social media pages may sometimes modulate their reasonable expectation of privacy, individuals do not necessarily lose all privacy interests in public in both the physical and virtual sense — as the Supreme Court of Canada has recently reminded us, a point to which I will return in a minute.
In a rush to mine gold from these new sources of information, it is too easy to overlook your organizational obligations to collect only what is required for your program or activity, collect it directly from the individual about whom the data relates (whenever possible) and ensure the information collected and used is accurate, up-to-date and complete.
A relevant example of how easy it is to give into this temptation was described in our 2012-2013 Annual Report. In it we describe our investigation into a complaint launched by Cindy Blackstock, a prominent activist for the rights of First Nations children, who at the time was involved in a human rights lawsuit with the Federal Government. This case involved government officials from Aboriginal Affairs and Northern Development Canada (AANDC) and Justice Canada monitoring Ms. Blackstock’s personal Facebook page and compiling personal information about her, her friends’ list, her personal views, etc. that was not directly related to legitimate government business. We found in that case that “the public availability of personal information on the Internet” did not render this personal information about her ‘non-personal’ and therefore, PA restrictions on collection still applied.
More recently TBS has introduced a new employee security screening standard that includes “Open source inquiries”. This entails Internet-based searches for user-generated content in web-based communities, social networking sites, video-sharing sites, wikis and blogs of current employees and job applicants. The Professional Institute of the Public Service of Canada Union (PIPSC) is currently challenging the constitutionality of this and other parts of the new standard, as well as its compliance with the PA.
In another court application, by the Union of Canadian Correctional Officers, the Federal Court of Canada recently held that credit checks can be conducted under section 4 of the PA as being directly related to the purpose of verifying the reliability of prospective correctional officers, given their potential exposure to pressures from prison inmates and others on the outside, and that such verification is a reasonable search under section 8 of the Charter. However, we still await the Court’s decision in the PIPSC applications dealing with public servants more generally, and with respect to other parts of the standard, including open source inquiries.
Even trickier privacy issues arise when data is partly out there but not fully open, such that governments need to find little bits and pieces of additional, seemingly innocuous information about persons in order to ‘nudge’ it open. Here I am speaking of situations where governments knock on the doors of private sector actors, mostly ISPs, in order to seek access to subscriber information, IP addresses or other metadata, in order to be able to connect it with other information about online activity they do have.
In its seminal decision in R. v. Spencer, the Supreme Court of Canada held that the nature of informational privacy includes not only the right to confidentiality and control over one’s personal information, but also the right to anonymity, particularly important in the context of internet usage. Just because information may be posted online does not necessarily mean that individuals have ceded all privacy interest in it, including their interest in remaining anonymous. A reasonable expectation of privacy must be considered not only in respect of the small piece of the puzzle government is seeking access to, but also in connection with any other personal information that piece is capable of revealing about an individual.
In this case, police were trying to identify an individual using an IP address suspected of possessing child pornography and were seeking access to the subscriber information linked to that IP address. The Court held that the information being sought was more than simple white pages information about the name and address of an individual — it was more like a digital fingerprint tying the individual to their entire online activity. Therefore, in the absence of exigent circumstances or a reasonable law providing otherwise, police needed judicial authorization to get this information.
One of the issues raised in Public Safety’s Consultation Paper on National Security which I referred to earlier, is whether or not legal rules around accessing subscriber data or other forms of metadata should be relaxed in order to fight sophisticated forms of cybercrime, and whether a legal amendment might help police get easier access to this information through a more expedient administrative scheme with a lower evidentiary requirement. In his submission, the Privacy Commissioner, while acknowledging the need for more modernized law enforcement tools, has held steadfast to the principle that, absent compelling justification, the right to privacy must continue to be preserved through judicial authorization and not give way to pressures of convenience.
Open Data/Open Government
In his mandate letters of November 2015, which most of you can probably recite by heart, the Prime Minister instructed his Ministers to ‘accelerate and expand open data initiatives and make government data available digitally, so Canadians can easily access and use it.’ A major objective of the current government is to move towards an “open by default” model for government records to, among other things, facilitate access by taxpayers to whom governments are accountable, enable informed decision-making by an engaged citizenry in a healthy democracy, promote innovative solutions and economic development through release of digital data in re-useable format, reuse data and share the benefits of publicly-funded research to accelerate discovery, and alleviate stress on an over-burdened administrative system by proactively releasing data instead of responding to individual access to information requests.
There are indeed some extraordinary success stories of open data initiatives. The City of Edmonton for example has become a world leader with its open data portal providing public access to real-time maps on traffic disruptions and current road construction projects; daily bus schedules; tree species in various neighborhoods; properties for sale; and city park usage breakdowns. They also promote open analytics allowing citizens to explore schools in various municipalities on attributes such as average grades, school board and enrollment size. Dashboards measure the performance of city road maintenance workers and Edmonton police and simplified budget breakdowns help citizens ‘follow their money’.
As exciting as all this sounds however, there are privacy risks involved — perhaps not for trees, but certainly for the people involved. These risks are re-identification and profiling. Re-identification risk arises when piecing together bits of information that can either alone, or in combination with other bits, identify an individual. Profiling draws inferences about people based on personal characteristics, behaviour patterns, or other circumstantial data, with both positive and negative outcomes.
In an article entitled “Privacy and Open Government”, University of Ottawa Law Professor, Teresa Scassa warns that ‘the reidentification and profiling risks related to open government data are only likely to intensify as governments at all levels diversify and amplify the information they collect’. She then goes on to describe two controversial examples from south of the border of what can happen when seemingly arcane public registry data kept in the deep bowels of some government archive can come to life with wholly different significance when combined with modern geolocation interfaces and publicly disseminated on the Internet. The first involved the creation of online maps showing the exact name and location of registered gun owners (and by deduction, non-gun owners) in two New York counties. These maps were based on public gun registry data accessible through an access to information request, combined with a Google map application.
Another case involved an online interactive map marking the specific names and addresses of individuals deduced to be homophobic based on their election campaign contributions in California which are released as a matter of public record. This data was gathered not in the context of a general election, but a referendum on Proposition 8, a proposed amendment to the California constitution that would ban gay marriage.
Admittedly, these examples involve release of nominative data in a US context that tends to be much more open with public registries. In Canada, you might say, this could never happen since we are much more careful about ensuring we publicly release only anonymized data. Well, maybe yes, maybe no, despite the best of intentions.
Two cautionary tales of unintended re-identification from publicly released data thought to be anonymous illustrate my point.
The first is the experience of the US National Institutes of Health, which had begun publicly posting whole genome sequences from publicly funded research studies in order for others to use and benefit from — on the long-held presumption these had been effectively anonymized. Until, that is, Yaniv Erlich, a computer scientist from Columbia University who later became known as the ‘Genome Hacker’, demonstrated in an article published in Science in 2013 that you could actually re-identify target individuals by profiling short tandem repeats (or STRs) of the Y chromosome and querying recreational genealogy databases publicly available on the Internet that provide additional data such as surname, age and state. NIH immediately pulled the whole genome sequence data off its website.
And it is perhaps a good thing they did, when they did, because scientists today have found a way of combining whole genome sequencing technology with machine learning, and by looking for specific, minuscule parts of a person’s entire genome — without anything more — can now rebuild a composite sketch of a human face with remarkable accuracy. Imagine! A TED Talk by data scientist Riccardo Sabatini can show you how they do it.
More recently, the government of Australia, also a strong proponent of open data under its newly elected government, experienced its own version of a similar story. Vanessa Teague, from the Department of Computing and Information at Melbourne University, showed it was possible to decrypt service provider IDs from publicly released data of Australia’s Pharmaceutical and Medicare Benefits scheme. The Australian Information and Privacy Commissioner is now investigating the adequacy of the Department of Health’s process for de-identifying data, and the Attorney-General of Australia has recently introduced an amendment to its Privacy Act that would make it a criminal offence for anyone to re-identify individuals from anonymized government databases. The move is intended to promote the benefits of open government data while decreasing the risks to privacy.
Finally, you may be interested to know that the Canadian Internet Policy and Public Interest Clinic (CIPPIC), at University of Ottawa, recently completed a project funded by our Office, entitled ‘Open Data, Open Citizens’ which recommends a series of measures for mitigating privacy risks in both the pre-release and release stages of Open Data initiatives — measures somewhat less blunt than creating a criminal offence.
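The re-identification mechanism behind these cautionary tales (quasi-identifiers such as a genetic marker profile, age and state linked against public auxiliary data, as in the genealogy-database attack on the NIH release) and a simple pre-release check of the kind a data custodian can run before publishing, as an added example in Python. This is not code from the speech, from Erlich’s paper, from the Australian investigation or from the CIPPIC report. Every dataset below is constructed toy data, the Y-STR strings are placeholders rather than real marker values, and the k-anonymity threshold, the region grouping and the 10-year age bands are assumptions chosen for illustration.

```python
"""Linkage re-identification against a 'de-identified' release, plus a
pre-release k-anonymity check.  Added example: not code from the speech,
from Erlich et al. or from the CIPPIC report.  All data below is constructed
toy data; the Y-STR strings are placeholders, not real marker values."""
from collections import defaultdict
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed "anonymized" research release: names removed, but each record
# still carries a Y-chromosome STR profile, an exact age and a state.
RELEASED: List[Dict] = [
    {"rec": "R1", "ystr": "DYS19=14/DYS390=24", "age": 52, "state": "NY", "dx": "cardiomyopathy"},
    {"rec": "R2", "ystr": "DYS19=15/DYS390=22", "age": 37, "state": "CA", "dx": "control"},
    {"rec": "R3", "ystr": "DYS19=14/DYS390=24", "age": 52, "state": "TX", "dx": "control"},
    {"rec": "R4", "ystr": "DYS19=16/DYS390=23", "age": 58, "state": "NJ", "dx": "cardiomyopathy"},
    {"rec": "R5", "ystr": "DYS19=13/DYS390=25", "age": 34, "state": "WA", "dx": "control"},
    {"rec": "R6", "ystr": "DYS19=17/DYS390=21", "age": 55, "state": "FL", "dx": "control"},
]

# Constructed public genealogy database: surname <-> Y-STR profile, the
# auxiliary data that turns a haplotype into a surname.
GENEALOGY: List[Dict] = [
    {"surname": "Venter", "ystr": "DYS19=14/DYS390=24"},
    {"surname": "Okafor", "ystr": "DYS19=15/DYS390=22"},
]

# Constructed public directory (voter-roll style): name, surname, age, state.
DIRECTORY: List[Dict] = [
    {"name": "Alan Venter", "surname": "Venter", "age": 52, "state": "NY"},
    {"name": "Carl Venter", "surname": "Venter", "age": 52, "state": "TX"},
    {"name": "Bea Venter", "surname": "Venter", "age": 29, "state": "NY"},
    {"name": "Dan Okafor", "surname": "Okafor", "age": 37, "state": "CA"},
    {"name": "Ed Okafor", "surname": "Okafor", "age": 37, "state": "CA"},
]

# Assumed generalization hierarchy used by the pre-release step.
REGION = {"NY": "Northeast", "NJ": "Northeast", "CA": "West", "WA": "West",
          "TX": "South", "FL": "South"}


def link_record(rec: Dict, genealogy: Sequence[Dict], directory: Sequence[Dict]) -> Optional[str]:
    """Attacker step: haplotype -> candidate surnames -> directory rows that also
    match on age and state.  A name is returned only when exactly one person
    fits; zero or several candidates leaves the record ambiguous."""
    surnames = {g["surname"] for g in genealogy if g["ystr"] == rec["ystr"]}
    candidates = [p["name"] for p in directory
                  if p["surname"] in surnames and p["age"] == rec["age"] and p["state"] == rec["state"]]
    return candidates[0] if len(candidates) == 1 else None


def reidentify(released: Sequence[Dict], genealogy: Sequence[Dict], directory: Sequence[Dict]) -> Dict[str, str]:
    """Map record id -> real name for every record the linkage uniquely resolves."""
    hits: Dict[str, str] = {}
    for rec in released:
        name = link_record(rec, genealogy, directory)
        if name is not None:
            hits[rec["rec"]] = name
    return hits


def k_anonymity(records: Sequence[Dict], quasi_ids: Sequence[str]) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers
    (0 for an empty input).  k == 1 means at least one record is unique."""
    classes: Dict[Tuple, int] = defaultdict(int)
    for r in records:
        classes[tuple(r[q] for q in quasi_ids)] += 1
    return min(classes.values(), default=0)


def prepare_release(records: Sequence[Dict], k: int) -> List[Dict]:
    """Custodian step: drop the marker profile, generalize age to a 10-year band
    and state to a region, then suppress any class still smaller than k."""
    generalized = []
    for r in records:
        lo = (r["age"] // 10) * 10
        generalized.append({"rec": r["rec"], "age_band": f"{lo}-{lo + 9}",
                            "region": REGION[r["state"]], "dx": r["dx"]})
    counts: Dict[Tuple, int] = defaultdict(int)
    for g in generalized:
        counts[(g["age_band"], g["region"])] += 1
    return [g for g in generalized if counts[(g["age_band"], g["region"])] >= k]


if __name__ == "__main__":
    print("k on raw release:", k_anonymity(RELEASED, ("ystr", "age", "state")))  # 1
    print("re-identified:", reidentify(RELEASED, GENEALOGY, DIRECTORY))           # R1 and R3
    safe = prepare_release(RELEASED, k=2)
    print("k after generalization:", k_anonymity(safe, ("age_band", "region")))   # 2
```

Two points the toy run makes concrete. R2 survives the attack only because two Okafors of the same age live in the same state, which is luck, not a control; R1 and R3 are resolved outright even though the release contains no name. And the raw release has k = 1 on its quasi-identifiers, a number the custodian can compute before publication, whereas after the haplotype is dropped and age and state are coarsened every record shares its class with at least one other, so the same linkage can no longer single anyone out.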
With that, I’d like to conclude by saying that my purpose in speaking to you today, is not to spook you into not innovating for fear of unintended privacy risks. Rather, my message is to innovate smartly. These are indeed exciting times to be in public service in a context that encourages novel and modern approaches for conducting age-old government business. By anticipating potential privacy risks before they occur and taking necessary mitigating measures, we can prevent their occurrence and potential harm that can come from them.
Through smart and responsible innovation, in a manner that respects the boundaries Canadians place around their personal information and their sense of ‘self’, government will erect the solid pillars of public trust it needs to thrive and position Canada for an exciting future.
For if, as the Prime Minister instructed in his mandate letters, it is time for government to break down information silos, become more modern in its approach and set a higher bar for openness and transparency to earn the trust of the people it serves, then why in the world would we undermine that trust by throwing caution to the wind with their personal information at play? “Open by default” does not mean “Open to a fault”. “Data Rich” should not mean “Privacy Poor”.
Thank you for your attention.