Incorporating privacy into statistical methods – necessity and proportionality
Remarks at the United Nations Statistical Commission Side Event
March 3, 2020
New York, NY
Address by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Thank you for that introduction and thank you to Mr. Arora for organizing this event.
It’s a privilege to be here today to participate in a discussion of the role of privacy in informing and possibly shaping the critical work carried out by Statistical Agencies.
Privacy rights, when respected, engender trust, and your work cannot be successful without the trust and social license of your citizens.
Statistics and Privacy
In a time when misinformation is widely disseminated, the work of Statistical Agencies has never been more relevant.
At the same time, I hear that Statistical Agencies are being pushed to find new ways to make use of the massive volume of data produced by the digital economy - drivers like declining survey response rates and rising costs only amplify this push.
These are challenging times on the privacy front as well.
For both good and bad, data-driven technologies are a disruptive force.
They open the door for innovation, economic growth and better government services, but they have also been demonstrated to be harmful to rights, including privacy and democracy.
Everywhere, there is evidence of eroding trust in public and private institutions in terms of privacy.
Clearly, privacy is important to the work of Statistical Agencies.
To paraphrase Canada’s Chief Statistician, “without trust, statisticians are unable to do their job”.
However, it is not always clear how to incorporate privacy into statistical methods and practices – in part, I am told, because statisticians always want to get their hands on more data, and because privacy can be viewed as an abstract concept.
So it may not be clear on what principled basis privacy should work to limit Statistical Agencies’ tendency to collect as much data as possible, which they equate with better statistical products.
A good starting point is to define privacy broadly:
Privacy is nothing less than a prerequisite for freedom: the freedom to live and develop independently as a person, away from the watchful eye of a surveillance state or commercial enterprises, while still participating voluntarily and actively in the regular (and increasingly digital) day-to-day activities of a modern society such as socializing, getting informed or simply buying goods.
This does not mean governments are not entitled to collect and analyse the personal information of individuals, including for statistical purposes, but they should do it in accordance with privacy principles, including necessity and proportionality.
Working in accordance with necessity and proportionality means organizations should only pursue privacy-invasive activities and programs where it is demonstrated that they are necessary to achieve a pressing and substantial purpose and where the intrusion is proportional to the benefits to be gained.
To help guide organizations in this task we ask them to frame their analysis with the following 4-part test:
- Is the measure demonstrably necessary to meet a specific need? Is it rationally connected to a public goal that is pressing and substantial? Is there empirical evidence in support of the initiative?
- Is it likely to be effective in meeting that need? Was it carefully designed to achieve the objective in question?
- Is the loss of privacy proportional to the need? The more severe the impact on privacy, the more clear and important the goal should be.
- Is there a less privacy-intrusive way of achieving the same end? Have reasonable steps been taken to ensure that the minimum amount of personal information is collected?
To illustrate what this means in practice I will walk you through our recent investigation of Statistics Canada and two of its Administrative Data collection projects.
In 2018 media reports revealed that Statistics Canada had collected detailed credit information, and was proposing to collect detailed financial information, about millions of Canadians from private sector companies.
These projects were part of a modernization initiative aimed at using new public and private sources of administrative data.
We launched our investigation of these projects in response to complaints we received – over 100 in total, which is a large volume for a given issue, and was indicative of a high level of expressed public concern.
The Credit Information Project collected credit data, going back as far as 2002, associated with 24 million individuals, approximately 2/3 of Canada’s population.
The Financial Transactions Project aimed to measure household expenditures but did not reach the implementation stage.
It was to involve the collection of financial transaction and account balance information of 500,000 individuals per year directly from financial institutions.
The project proposed to collect the date, value and descriptions of all transactions for each individual in their personal accounts.
Clearly, both projects were privacy-invasive.
The personal information at issue had the potential to paint an incredibly detailed portrait of an individual’s lifestyle, consumer choices and private interests, including lawful choices individuals would not want the government to know about.
Although there was some provision for notice to affected individuals, neither Project involved obtaining the consent of individuals.
Due to the old age and inadequacy of Canada’s laws to deal with 21st century privacy issues, our investigation did not find legal violations.
However, we found that the two Projects as originally designed did not meet the principle of necessity and proportionality, which is not part of Canada’s federal law currently but is adopted as government policy and, of course, is a legal principle in many jurisdictions across the world.
In our view, all parts of the four-part test were not satisfied, but in particular:
- Statistics Canada described the objectives of the two projects in terms that were too general to satisfy the first part of the test. For instance, they referred to their legal mandate and the drivers behind the need to adopt new means of data collection, as opposed to demonstrating a specific and pressing public policy purpose.
- Because the objectives were not defined with sufficient specificity, we were unable to determine that all of the personal information Statistics Canada sought to collect (including the intrusive line by line financial transaction information requested) was necessary.
Given the lack of specificity with respect to the objectives and the intrusive nature of the information to be collected, it was also not possible to conclude that the Projects were proportional (the third part of the test).
We also assessed whether less privacy-intrusive approaches had been given sufficient consideration.
To help us understand these issues, we considered how other Statistical Agencies around the world are approaching the benefit/risk calculus for administrative data sources.
Our international benchmarking revealed other potential approaches to accessing administrative data sources in a privacy protective manner.
These included using aggregated data, bringing the algorithm to the data, and civic data sharing models.
In Europe, Article 89 of the General Data Protection Regulation 2016/679 (“GDPR”) sets out the safeguards that controllers must implement in order to further process personal data for research or statistical purposes and specifies that organizations must put in place “technical and organizational measures” to ensure respect for the principle of data minimization.
In general, the NSOs that we consulted have conveyed that they are cautiously exploring the collection of credit and financial information.
They are doing so with active public engagement in order to better understand cultural values and attitudes regarding the collection and use of such sensitive personal information.
They have also conveyed that their approach is being carried out with the view to ensuring and maintaining public confidence in their agencies’ collection processes, analytical methodologies, and statistical products.
To address the issues identified by our investigation we made a number of recommendations.
With respect to necessity and proportionality, we asked Statistics Canada to work with our Office to redesign the projects.
Not only did they agree but we are now working together to develop and implement policies and procedures aimed at incorporating necessity and proportionality more broadly into the Agency’s statistical methods.
We are in the preliminary stages of this endeavor and we anticipate challenges along the way for issues that are complex and novel in the statistical realm.
But we also look forward to the innovative solutions that will emerge, demonstrating how privacy can strengthen statistical products that support evidence-based programs and policies for the benefit of citizens.
Why this Matters
Now while our investigation was about Statistics Canada, we are speaking today because of its potential relevance for every Statistical agency around the world that shares these data challenges and opportunities, as well as responsibilities to respect citizens’ privacy rights.
Although contextual factors like legal requirements, public opinion, stakeholder interests, technological considerations, and political will may vary across jurisdictions, I suggest that all Statistical Agencies share the contemporary obligation to incorporate privacy into their program design.
Failure to do so not only presents a risk to privacy but can also erode the public trust that Statistical Agencies require to do their work.
So, as you consider using the vast data available in today’s data-driven world, I invite you to direct careful thought toward the need for the collection and whether its impacts are in proportion to its purported benefits.