Government Information Sharing and Improved Service Delivery: Embracing the Wind of Change without throwing Caution to the Wind
Remarks at the Government of Canada Data Leads Group
September 27, 2017
Address by Patricia Kosseim,
Senior General Counsel and Director-General, Legal Services, Policy, Research and Technology Analysis
(Check against delivery)
Good afternoon and thank you for the invitation to be here today. You have asked me to speak about the privacy renewal agenda in a context of increasing expectations to use data to deliver results and improve services to Canadians. That ‘context’ includes:
- Prime Minister’s focus on Results and Delivery
- Greater Accountability
- Push towards Innovation
- Open by Default
- An engaged citizenry
- Improved services to Canadians and Tell us Once approach
All of this takes not only more data, but also better use of data, sharing of data, open data, interactive data, and big data.
- It is worth noting at the outset, that privacy protection is not an anathema to access. Privacy is about protecting personal information, which includes being transparent about governments’ personal information management practices; it is also about providing access to one’s personal information. After all, we are the privacy commission, NOT the secrecy commission. We too really like data to the extent that it helps promote government accountability and transparency to the people that we serve. Examples:
- We have been calling for mandatory transparency reporting of government access requests, consistently through our Privacy Act reform recommendations, recommendations to Bill C-13 (on lawful access) at the time, and our submission to the Public Safety Green Paper on National Security.
- Results of phase 2 of our Review of information sharing under the Security of Canada Information Sharing Act (SCISA) – just published in our Annual Report last week - found significant procedural deficiencies in systems or processes for monitoring and recording information exchanged under that Act. Not all disclosures or receipts of information under SCISA were recorded as we believe they should have been and we called for improvements in that regard.
- This story is reminiscent of another review we conducted in 2014 of warrantless access requests of ISP subscriber data by the RCMP, where once again, we were not able to conduct a full review of the extent of the practice because of a sheer lack of records. To this day, we are still waiting for data to be publicly reported, and we describe our ongoing follow up efforts in our most recent Annual report as well.
So with that context, and my preliminary remarks, let me now outline four areas I’d like to discuss with you today, and their privacy implications:
- greater information-sharing across government departments;
- social media monitoring;
- open access to government datasets; and,
- direct interaction with Canadians.
1) Greater information-sharing across government departments
No more working in silos! This is a clear expectation of government, as per the Prime Minister’s mandate letters, the annual report of the Clerk of the Privy Council, and the explicit objectives of recent legislative and policy initiatives, like:
- Canada’s Digital Interchange involving several federal departments and all provincial and territorial governments, to coordinate the sharing and verification of Canadians’ basic identity information in real time for the purpose of administering certain online services and benefits as seamlessly as possible. This avoids Canadians having to repeat same basic identification information to umpteen different government departments at various levels each time a baby is born or a loved one dies, in order to be issued a certificate, or register for certain benefits, for example. (the “tell us once” approach)
- Another example is the roll-out and expansion of Canada’s entry-exit initiatives to collect not only entry, but now exit information, of all outbound travellers from Canada. CBSA could share exit information not only with the US government to strengthen the security of the Canada-US border, but also with multiple other federal departments for a broad range of purposes, such as: to monitor movement of high-risk travelers and fugitives, respond to amber alerts, prevent export of drugs and illicit goods, oversee compliance with visa conditions, residency requirements and immigration enforcement activities, administer duty and tax exemptions, and ensure the integrity of various social benefit programs etc. Bill C-21 that would allow this 3rd phase of entry-exit initiatives is currently making its way through the legislative process.
- A third example of information-sharing at a whole new level is SCISA which I mentioned earlier. SCISA allows any government department to disclose Canadians’ personal information, on request or at its own initiative, to one or several of seventeen (17) designated government departments if it considers it relevant to the recipient institution’s mandate in respect of activities that undermine the security of Canada. That’s more than 250 government institutions and agencies that can share personal information with 17 named national-security-related departments, which means (if my math is correct) more than 4,000 different sharing possibilities! SCISA amendments are currently being contemplated through Bill C-59.
I think we all agree that information-sharing could be a good thing, if it helps keep Canadians safer, provides them with improved and more efficient services, helps streamline their communications with government, etc. If you asked them, Canadians might even support information-sharing for certain purposes, and under certain conditions. The operative words here being ‘purposes’ and ‘conditions’. The problem is however, that the ‘purposes’ are often lacking in rigor and transparency, and the ‘conditions’ may be lacking altogether.
This is partly due to a woefully outdated statutory framework that fails to require otherwise. The Federal Privacy Act (PA) was adopted 35 years ago when government data were predominantly paper-based files, and when the scope, scale and sophistication of these kinds of digital information-sharing initiatives were never contemplated, let alone, even imagined.
The old silo’d approach to physically organizing files and the sheer practical difficulty of sharing them used to be – believe it or not – an inherent form of privacy protection in itself. Today, government departments are being urged to break down these silos and think and work horizontally within and across governments to tackle complex and multi-faceted policy challenges.
And yet, while silos come crashing down in the name of modernization, the pillars of privacy protection that once accompanied them are not being replaced by anything nearly as modern. This is not exactly fertile ground for enabling innovation nor is it reassuring from a privacy perspective. It’s no wonder that a culture of non-sharing has set in among nervous and hesitant bureaucrats.
Our Office has long advocated for strengthening privacy protections in the Privacy Act – not with a view to stopping information-sharing in a context of modernization and innovation. Rather, with a view to enabling responsible sharing – where legally justifiable and socially acceptable to do so.
Three simple, yet powerful changes we have long recommended be part of a privacy renewal agenda could assist in effectively protecting Canadians’ personal data. Elevating these to explicit legislative requirements, rather than just policies, would bring rigor among departments to take them much more seriously:
First, is clarifying the Privacy Act to reflect what government says is its intention behind section 4 and what it requires of departments as per TBS policy, and that is an explicit necessity threshold for collection of personal information.
Second, is the mandatory use of privacy impact assessments (PIAs) – not as a routine, check list exercise, but rather, an effective risk-mitigation measure that departments should adopt in a systematic way to anticipate and address potential issues before deployment of a new program or initiative.
Third, is our call for information sharing agreements – not for each individual instance of sharing – but as umbrella agreements to set out the terms and conditions of regular information-sharing. These should be in writing and define the specific purpose for the sharing; set limits on secondary use and onward transfer; build in the necessary safeguards, retention periods and accountability measures.
2) Social Media Monitoring
Governments are not the only ones sharing data. Individuals too are increasingly sharing their personal lives on social media, discussion forums, and online networks. Never before has it been so easy to data mine these “non-traditional” sources of information. While it may be tempting to cull data from these sites for recruitment, performance management, law enforcement or security related purposes – not to mention out of sheer curiosity – these are not lawless zones!
In fact, departments continue to be subject to the same limits respecting collection and use of personal information in the online world as in the “offline” one. While engaging in public tweets or posting messages on public-facing social media pages may sometimes modulate their reasonable expectation of privacy, individuals do not necessarily lose all privacy interests in public in both the physical and virtual sense – as the Supreme Court of Canada reminded us in R v. Spencer. Just because information may be posted online, does not necessarily mean that individuals have ceded all privacy interest in it, including their interest in remaining anonymous.
In a rush to mine gold from these new sources of information, it is too easy to overlook your organizational obligations to collect only what is necessary for your program or activity, collect it directly from the individual about whom the data relates (whenever possible) and ensure the information collected is accurate, up-to-date and complete. The public availability of personal information on the Internet does not render this information ‘non-personal’; PA restrictions on collection still apply.
An interesting example is TBS’ new employee security screening standard that includes “Open source inquiries”. This entails Internet-based searches for user-generated content in web-based communities, social networking sites, video-sharing sites, wikis and blogs of current employees and job applicants. The unions are currently challenging the constitutionality of this and other parts of the new standard, as well as its compliance with the PA. So the jury is still out on that one.
Another recent example of government’s sanctioned use of publicly available information is in Bill C-59. It is our understanding that the general prohibition against CSE directing its surveillance activities at Canadians would not prevent it from acquiring and using “publicly available information”, broadly defined as: information that has been published or broadcast for public consumption, is accessible to the public on global information infrastructure or is available to the public on request, by subscription or by purchase.
Considering the power of aggregation and the broad availability of data sold through data brokers, or available through credit reporting companies, and so on. The scope of this surveillance can be very broad indeed, and far surpasses what Canadians would intuitively think is publicly available – or at least intended as such. This will no doubt be the subject of some interesting debate as the Bill heads to Committee or Committees.
3) Open Data/Open Government
A major objective of the current government is to move towards an “open by default” model for government records. The recent introduction of Bill C-58, phase 1 of ATI reform, is intended to start moving in this direction by, among other things, proactively releasing data instead of responding to individual access to information requests and continuing to tax an already overburdened system.
As further evidence of government’s commitment to open data, Canada has recently agreed to take on the role of co-chair of the Open Government Partnership, the world's largest multilateral organization dedicated to open, transparent, and accountable government.
There are indeed some extraordinary success stories of open data initiatives. The City of Edmonton for example has become a world leader with its open data portal providing public access to real-time maps on traffic disruptions and current road construction projects; daily bus schedules; tree species in various neighborhoods; properties for sale; and city park usage breakdowns. They also promote open analytics allowing citizens to explore schools in various municipalities on attributes such as average grades, school board and enrollment size. Dashboards measure the performance of city road maintenance workers and Edmonton police and simplified budget breakdowns help citizens ‘follow their money’.
As exciting as all this sounds however, there are privacy risks involved – perhaps not for roads, buses or trees, but certainly for people! Despite the best government intentions, two cautionary tales of unintended re-identification from publicly released data believed to be anonymous illustrate my point.
The first is the experience of the US National Institutes of Health that had begun publicly posting whole genome sequences from publicly funded research studies in order for others to use and benefit from – on the long held presumption these had been effectively anonymized. Until, that is, Yaniv Erlich, a computer scientist from Columbia University, who later became known as the ‘Genome Hacker’, demonstrated in an article published in Science in 2013 that you could actually re-identify individuals by profiling parts of the Y chromosome and querying recreational geneaology databases publicly available on the Internet that provide additional data such as surname, age and state. NIH immediately pulled the whole genome sequence data off its website.
And it’s a good thing they did, when they did, because scientists today have found a way of combining whole genome sequencing technology with machine learning, and by looking for specific, miniscule parts of a person’s entire genome – without anything more – can now rebuild a composite sketch of a human face with remarkable accuracy.
The government of Australia, also a strong proponent of open data, experienced its own ‘oops’ story. Vanessa Teague, from Melbourne University, showed it was possible to decrypt service provider IDs from publicly released data of Australia’s Pharmaceutical and Medicare Benefits scheme. The Australian Information and Privacy Commissioner conducted an investigation into the matter, and the Attorney-General of Australia introduced an amendment to its Privacy Act that would make it a criminal offence for anyone to re-identify individuals from anonymized government databases, as a way of promoting the benefits of open government data while decreasing the risks to privacy.
You may be interested to know that the Canadian Internet Policy and Public Interest Clinic (CIPPIC), at University of Ottawa, completed a research project funded by our Office, entitled ‘Open Data, Open Citizens’ which recommends a series of measures for mitigating privacy risks in the pre-release and release stages of Open Data initiatives.
Also, you’ll be interested to know that our Office has recently announced, as part of our newly issued consent report that we intend to develop guidance on de-identification methods and risk mitigation strategies for publicly released datasets. We hope to work with Stats Can on this. Expertise in privacy enhancing technologies, re-identification risk and disclosure control will be in very high demand in the very near future.
4) Direct Interactions with Canadians
Another interesting direction being encouraged by government, is to interact directly with Canadians as part of promoting an engaged citizenry and healthy democracy – very laudable objectives and very innovative at that!
Two recent examples highlight, however, the importance of building in privacy protections from the outset particularly if you wish to engage Canadians online and keep them engaged in the long term.
First is My Democracy.ca website launched by the Privy Council Office (PCO) in early December 2016 as part of a national dialogue on electoral reform (for more info see our Annual Report). This was a prime example of government wanting to embrace innovation and use modern technologies as a way of increasing connectivity with Canadians and leveraging social media to engage their views and opinions.
On the promise of anonymity, Canadians were invited to participate in a survey and provide their opinions on a range of issues related to electoral reform. After completing the survey questions, participants received a voter profile or “Archetype” (Guardians, Challengers, Pragmatists, Cooperators or Innovators). The website encouraged participants to share their results with friends using social media.
Following receipt of a complaint, we conducted an investigation and found no evidence that PCO was using measures to identify individual participants in the survey or to track individual responses to the survey questions. However, we did find that the MyDemocracy website, by virtue of the way it was technically designed, was resulting in the disclosure of IP addresses and other web browsing information to third parties such as Facebook, as soon as the MyDemocracy home page was loaded—before a user specifically opted to share results on social media. In some cases, this information could be linked to specific individuals and thus could constitute a disclosure of their personal information without consent, thereby increasing the risk that users’ interaction with the website would not be truly anonymous.
Indeed an IP address can, in combination with other information, be used to build comprehensive profiles associated with an identifiable individual, and can be quite revealing about an individual’s Internet-based activities, as research indicates. As a matter of government policy, IP addresses are considered to be personal information.
Based on our technical analysis, a different design of the website could have avoided this premature disclosure of information by loading third party components only when a user actually opted to initiate a social sharing action, after having had the chance to learn about the website’s practices and make an informed choice about whether or not to engage.
We made several recommendations to PCO and were pleased with their response, including their commitment to undertake PIAs on the design and privacy implications of any such projects, going forward.
An example where PCO did do a PIA and submitted it to our office for comment, was in respect of the Appointment process for the PM’s Youth Council. (You could also read more on this in our Annual Report.)
The call for applications to be on the Prime Minister’s Youth Council, requested interested youth (aged 16-24) to provide biographic and contact information, education and work experience, and to describe, in a detailed fashion, their personal experiences which, according to the application, could include stories of immigration, mental or physical health conditions, addiction issues or interactions with the justice system.
In response to our recommendations, PCO:
- ceased using an open-text field for collecting potentially sensitive personal information in the first part of the application process.
- revised the privacy notice on its website to more clearly inform potential applicants of the privacy implications of having personal information stored on servers of private sector companies hired to manage the application process.
- revised the PIA to detail security measures and retention timelines to protect personal information collected during the application process;
- no longer asks for extensive personal information from backup candidates, unless they have been selected for further evaluation,
- clarified that application information held on private servers will be segregated and viewable only by required PCO staff, and
- updated agreements with private sector contractors to include written confirmation that personal information collected has been purged once no longer required for the purposes for which it was collected.
That’s a positive example of a win-win situation where PIAs in consultation with our office, can support innovative approaches, while also enhancing privacy protective measures as co-enablers of the government’s ultimate, long-term objectives.
And on that positive note, I’d like to conclude by saying that my main message is that privacy and transparency can co-exist. Privacy and innovation can co-exist.
These are exciting times to be in public service in a context that encourages more open, novel and modern approaches for conducting age-old government business. All we are saying is that privacy protective measures also need to be modernized!
By anticipating potential privacy risks before they occur and taking necessary mitigating measures, you can prevent – or certainly reduce – their occurrence and potential harm that can come from them.
Through smart and responsible innovation, in a manner that respects the boundaries Canadians place around their personal information and their sense of ‘private life’, government will build and sustain the public trust it needs to thrive and position Canada globally for an exciting future.
We are but temporary trustees charged with executing our respective mandates as best we can for the common good; but to truly do good, the public’s trust in us must endure long after we will have tried.
- Date modified: