Privacy and Technology
This page has been archived on the Web
Notes for an Address to Federal/Provincial/Territorial Social Services Information Technology Managers
April 24, 1997
Director, Issues Management and Assessment
(Check Against Delivery)
Before I deal with the issue of privacy, an issue which has emerged as one of the hot buttons in the debate over the electronic highway, I thought I'd give you first a glimpse of what our current law says about privacy, what consumers are telling us about their concerns over new technologies and individual privacy, and finally how my office is approaching the notion of privacy in an electronic world.
But in order to talk about privacy, we must first attempt to define it. I say "attempt" because the issue of privacy is far more complex and touches our lives in far more ways than you might imagine. Most people don't really think much about their privacy until they lose it. And once lost, it is gone forever; you can't get it back.
Perhaps the classic formulation of privacy, "the right to be let alone", is at the essence of what Canadians seek to preserve, what might be called the core content of privacy. But in 1997, such a phrase can only emphasize how quaint that expectation is in a society where information and communications technologies have changed the very context of our lives and have the power to strip us of any sense of personal privacy.
So perhaps a more useful definition (from American Professor of Law, Alan Westin) is that privacy is the "claim of individuals to determine for themselves, when, how and to what extent information about themselves is communicated to others". This claim of informational privacy assumes that all information about an individual is fundamentally his or her property to communicate or withhold as desired. It is based on the democratic notion of self-determination or autonomy which, in the case of information, dictates that no one should have more control over your information than you.
But the more that can be known about a person, the less that person's autonomy. And these days, in an information society, our individual autonomy and our sense of control are on the line. That is the heart of the privacy problem and that is why privacy is such an emotionally-charged issue.
I should also point out here that there is a common fallacy that "privacy" equates to "security", and that it all comes down to the same thing, safeguarding the "confidentiality" of information. Some think, therefore, that we can deal with growing public concern about privacy in interactive electronic systems simply by promising confidentiality. If it ever was, it is no longer that easy.
Privacy, security and confidentiality are three separate and distinct issues and to address them, we have to recognize and understand their inherent distinctions.
As mentioned, privacy, in an informational context, concerns an individual right. It is simply our right as individuals to control the flow of information about ourselves, the right to fair, reasonable and confidential information practices.
Confidentiality, on the other hand, is a third-party obligation, the obligation of a custodian to protect the personal information with which it has been entrusted. A promise of confidentiality is, in essence, a fiduciary duty, a duty of care to maintain the secrecy of the information and not misuse or wrongfully disclose it. It is confidentiality that establishes a bond of trust between the individual and the custodian.
And, finally, security. Security is a process; it is the manner of assessing the threats and risks posed to information and taking the appropriate steps to protect that information against unintended or unauthorized access, use, intrusion, or such other dangers as accidental loss or destruction.
So, the distinctions are dramatic: privacy concerns an individual right; confidentiality, an obligation of an organization; and, security, the process of protection. The three are inextricably interlinked, but it is the right of "privacy" that drives the consequent duty for confidentiality and the attendant responsibility for security. It is "privacy" that has to be respected and addressed as the issue, before we deal with the ensuing notions of confidentiality and security.
Let me tell you how the federal government has attempted to deal with that issue. In 1983, the federal government enacted the Privacy Act, a somewhat misleading name. Privacy Commissioner Bruce Phillips once joked that it might be more accurate to call it "an act respecting the protection of personal information in the hands of Ottawa bureaucrats". It is essentially data protection legislation similar to most of those in effect in major Western nations.
At its heart, the federal Privacy Act is basically an "information handler's code of ethics". It is designed to control the information collection by government to only what is necessary and relevant. It recognizes the inherent right of ownership of the information by the people from whom it was taken. It requires government to collect data directly from those people and to tell them why the information is needed and how it will be used. It outlaws unrelated uses and disclosure of the data. It gives individuals the right to have access to information held about them by government. And finally, it puts in place an independent ombudsman (the Office of the Privacy Commissioner) to resolve problems and oversee compliance.
In short, the Act holds government accountable. No longer can government act as if it owns outright the personal information under its control.
Under the Act, the Privacy Commissioner is an independent Officer of Parliament, which is to say that he reports to no minister or department, but directly to the Speakers of the House and the Senate. This is to certify his independence both from the government as well as from the bureaucracy.
This past year, our office conducted over 2000 investigations of complaints against government and handled more than 10,000 inquiries from citizens wanting to know more about their privacy rights. We also attempted to monitor federal legislation and new information technology to foresee where the next privacy threats would emerge. So we're a busy place.
And what we've noted is that dramatic advances in telecommunications and information technology change the relationship between individuals and government. New technologies are able to deal with personal information faster; new electronic highways will deliver that personal information more extensively and more cheaply than ever before.
And what has happened is that the vulnerability of the information and the consequent loss of privacy have been seen by some as the inevitable trade-offs against this greater speed, efficiency, and cost-effectiveness. Privacy is often at the top of the list of rights to be traded off for other perceived benefits, usually because it's not recognized as an issue until it's lost. But, as mentioned, once lost, there is no remedy; you can't get it back, it's gone.
So while we are tempted with technology's benefits, we often overlook its vulnerabilities.
In these circumstances, the Privacy Commissioner sees as one of his most pressing duties to do what he can to inform Parliament and the public about the impact of these technologies on personal privacy, and to make suggestions about the defences that are needed if we are to enjoy the undoubted benefits of all these marvellous new inventions without casting away values and rights built up over centuries of human experience - frequently at great cost - and which are fundamental to our concept of a decent social contract.
This is not a duty imposed formally by the Privacy Act. Many of the issues that technology poses were only dimly perceived - if perceived at all - at the time the Privacy Act was written.
And what of that social contract? How does, for example, the Canadian public view the notion of privacy? As some of you know, a comprehensive 1993 Canadian survey of public attitudes towards privacy revealed a "pervasive sense that personal privacy is under siege": 52 per cent were "extremely concerned", and about 90 per cent were at least moderately concerned over their personal privacy. In other words, as a contemporary issue, it is right up there with such issues as unemployment and the environment, and actually ahead of national unity.
But what the survey revealed most dramatically was the existence in the public of a deep sense of unease: an awareness that advanced technologies are impinging on their lives in ways they don't yet understand; and a desire to know more and to have much more control and personal involvement in the decision-making process.
Even more on point is a recent Gallup survey conducted for Andersen Consulting, entitled "What Canadians think about the Information Highway". To quote from the survey:
"Notwithstanding the strong interest in the Information Highway, Canadians have a high level of concern as to how it may affect their privacy. ... 83.7 per cent described themselves as very concerned or somewhat concerned".
There is also a developing consensus amongst various consumer groups examining the highway. Among the issues they have identified as priorities are: privacy, integrated legislation or national standards, and public education.
What seems to be clear is that the major problems that will arise will not be related to the technology itself but with how well we are able to consider the implications of the technology on those human values such as privacy. It will also determine whether the public will be willing participants, or will mount the barricades.
Let me illustrate what can happen to the introduction of new technologies when the appropriate human consideration, strategic planning, and public consultation do not take place, by giving you the example of the debate some years ago over smart cards as part of the US health care reform plan.
A smart card is basically a credit-card sized device containing one or more integrated circuit chips which perform the functions of a microprocessor. It is, in other words, a credit-card sized computer, capable of storing, retrieving and processing information stored on the chip.
And here's what happened in the States. During his campaign, then-Governor Clinton, in response to critics who said that job growth while he was in office had been mostly low-tech, cited the fact that AT&T manufactured smart cards in Arkansas. And one of his campaign platforms was the commitment to "provide everyone with smart cards coded with personal medical information". His proposal was that people would be assigned a smart card at birth which could then be used throughout their lives for storage of medical information and claims processing, a sort of "cradle to grave smart card".
This was the first that many Americans had ever heard about a smart card and the response from the American Civil Liberties Union and others was swift and negative. They cited concerns that Americans' privacy would be diminished, that private health information would be read by everyone and that the cards raised the spectre of a national ID card. They implored the administration to drop the idea. Once the story hit the front pages, that concern became a genie that would not go back into its bottle. The idea was withdrawn.
So what happened here? First, you have to be struck by the evidence, if more was needed, that the expectation of privacy is expanding and that technologies or initiatives which are perceived to undermine it are in for heavy weather.
Second, it is apparent from the controversy that most people, including the critics, do not understand the new technologies. It's particularly ironic in this case because smart cards, when properly used, are potentially one of the most powerful tools to enhance individual control over personal information.
But what is most apparent is that the Clinton administration had to drop the technology from its agenda because it had underestimated the public's concern. It failed to put all the issues before the public for discussion, failed to get input from all the affected parties and failed to explain the technology or to extol its privacy pluses. It proved an expensive lesson and one we must learn from.
This need for public information and understanding, and public support, has grown enormously. Recent political events in this country have spelled out clearly that Canadians will no longer simply accept what's fed them. That need to know and understand will grow so long as technology continues its mind-bending onward rush.
And finally, this example also illustrates the privacy issues that arise as we revamp our systems for delivery in the new electronic world. This audience does not have to be told that electronic delivery represents a qualitative change in the environment of government information practices. The walls are coming down. Linking existing networks into a vast, fully connected and interoperable system will inevitably join in one system the information holdings of the public and private sectors. But what will these changes mean for privacy and why should we be concerned?
We now know that the changes will be accompanied by three main features:
The administration of government programs will be consolidated not only across departments but also across jurisdictions. It is not cost-effective for one department to proceed to develop electronic delivery mechanisms by itself. Therefore, because of economies of scale and scope, electronic systems may lead to the walls coming down between government agencies and programs not only within a government but also between levels of government. This leads to the possibility that government will become a single entity rather than a constitution of separate components, thus raising anew, in some people's minds, the spectre of Big Brother, the all-knowing government, the surveillance society.
Such a situation would require major changes in laws and mandates and approaches, and would certainly have a profound impact on the privacy of an individual's information and relationship with government.
Delivering services or benefits electronically will depend on private sector involvement. In other words, as a citizen, receiving government services will not simply involve the electronic interchange of your information between you and the government, but between you, the government and the private sector. Private sector providers, as components of the government delivery systems, could become repositories of vast databases on Canadians, a situation some view with alarm, and rightly so, because privacy protection, except for Quebec, exists only in the public sector.
A third inevitable feature of any single interactive government system is some sort of access and identification device. And that device is almost inevitably an identity card, a prospect that is worrisome for many.
Frankly, there is nothing ominous in replacing a piece of paper with a piece of plastic which carries the same information and serves the same purpose. What is of concern is the prospect, proposed by some, that we be forced to carry a single, national identification card, documenting our lives, which petty bureaucrats and police can demand at will.
This is marvellously efficient, undeniably accurate, but the ultimate tool of state control. The notion that we should be required to prove that we are who we say we are is anathema to North Americans. This is surely what some of us here and many of our parents and grandparents came here to escape.
The introduction of a plastic identity card raises privacy concerns. Historically, we are opposed to the government initiating any such card, as witness the continuing controversy over the Social Insurance Number (SIN).
I am not here to argue that any of these scenarios is wrong. I am simply pointing out that whatever the scenario, the major problems that will arise will be in direct relation to how well we are able to explicitly consider their implications in relation to the protection of human values such as privacy. And what are some of those implications?
First of all, the introduction of any new technology or device transforms the relationship between citizen and state; with ID cards, for example, this is so in the sense that there is an expansion in the sphere of bureaucratic powers. In a process that privacy advocates call function creep, ID cards originally designed for a single use expand to multiple uses. The introduction of any such system leads to increased demands for its use to link multiple databases. We then see the call for a single multi-purpose application card for all government services and functions. Any system of universal ID, once established, is the slippery slope; it is a short step to then requiring people to have and carry ID cards.
People react against this for a variety of reasons. Developers of new systems and technologies must recognize that, for many people, privacy, anonymity, solitude and the right to be left alone, are values that they hold dear and that they will not accept encroachments upon. Proposals for a national identification card provoke a genuine apprehension in people. The prospect of being reduced to a number and the threat of being a non-person without an identity card may evoke fears and emotional memories of the recent past. Initiatives of this type may spark intense reactions and resistance from many.
Many privacy advocates also see risks in a system which requires an increasing level of compliance in all aspects of one's life. Simon Davies of Privacy International, for example, suggests that the introduction of universal ID cards could invite the following:
- a reaction not to accept or to willingly choose to be denied a range of services
- errors or failure in one part of the system leading to a domino effect involving suspension of benefits or entitlements in other areas
- the autonomy or freedom of individuals being compromised because of the scale and nature of information collection.
Without care, he says, the card becomes an icon - its use is enforced through mindless regulation or policy, disregarding other means of identification, and in the process causing significant problems for those without the card - the card becomes more important than the individual. Loss of cards can result in loss of identity.
Now, there is much benefit in the accurate identification of individuals for the proper reasons, at the proper times, for the appropriate purposes. In fact, the need for accuracy is one of the principles recognized in all codes of fair information practices around the world. The dilemma with ID cards occurs by virtue of their potential for unrestricted and un-regulated use in multi-applications and multi-linkages with disparate databases. This possibility threatens any vestige of personal control over one's own information, and threatens to put unlimited powers of social control in the hands of the bureaucracy. This is a prospect that invites us all to give thoughtful reflection on such proposals - simply because we can do something does not mean that we should do it.
Let me end by posing for discussion some of the considerations we will need to address before even proposing any form of national identification program.
First, there must be sound, justifiable and proven reasons for pursuing a national identification system. To date, there has been a noticeable lack of empirical evidence supporting the need for identity cards. There is no lack of desire to find a quick fix to social and economic problems through technological solutions, but the hope for such novel solutions and the efficacy of those solutions are two different things. In this regard, ID cards may well be a technology in search of an application. Before we travel down this road, there must be a demonstrated need for such a system.
Second, if it is possible to demonstrate that there is such a need, the legislative process must precede the implementation process of any national identification system. As Alberta Privacy Commissioner Robert Clark once remarked, we cannot have the "technocrats stepping on the democrats". There must be recognized legislated uses of the number/card, protective mechanisms and practices to protect privacy, and penalties in place for the misuse and abuse of any identification system. The adoption of an identification system outside the legislative process would have adverse consequences with regard to privacy and would be more detrimental than beneficial.
Finally, the impact of the introduction of such an identification system must be fully explored and understood before implementing its use in a national system. In other words, not only must a privacy impact assessment be conducted to determine the implications for privacy of the introduction of such a system, a broader societal impact assessment should be completed as well. I view the introduction of an identification system as being even more complex in its implications than in its applications. And these must be examined and assessed to help us understand the consequences that may result, and to help us make the right choices.
My view, in the end, is that human values must play a key role in any technological change involving personal information. We must acknowledge that privacy is a human right and that a reasonable expectation of informational privacy is fundamental to the provision, use and regulation of any new information systems or identification proposals.
Our challenge is to integrate computer technology and human values in such a way that the technology advances and protects those values rather than doing damage to them. I have always maintained that technology is not necessarily incompatible with the preservation of our values and freedoms. It is fairly clear that all infrastructures could have been designed differently if the first design priority had been human, not technological development.
So I want to thank you for allowing me to speak with you today and for recognizing the need for the technical and privacy communities to work together on these issues. We cannot afford to isolate ourselves in our separate disciplines, we must move towards the notion of a convergence of disciplines not only between ourselves but also among those many specializations that are needed to manage information and information technologies cooperatively in our organizations. We should see ourselves as a community of information professionals sharing a common vision of our responsibilities to the public we serve and to the information we safeguard. Thank you very much.