Panel Presentation - "Privacy and Security" Fact Scenario & Discussion

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

The Canadian Information Processing Society (CIPS) Executive Forum

February 19, 1998
Ottawa, Ontario

Brian Foran
Director Issues Management & Assessment
(Check Against Delivery)


(NOTE: Panelists were asked to address their remarks to the scenario below in the form of a dialogue with the character of the scenario.)

SCENARIO:

George Castanza, is the owner and founder of a start-up health care company and clinic, to be known as Castanza Health Care Services, which will specialize in the detection and treatment of people at high risk for contracting various infectious diseases.

George has decided to enter the new millennium by utilizing the latest in information technology to run his business.

In addition to electronically collecting information obtained from patients, the company's information system will be used to automate all aspects of the business, including employee files, company health benefits and performance evaluations.

Since George's company deals with patients with infectious diseases, there is the possibility that it will have to report occurrences of some of the diseases contracted by its patients.

Every employee of Castanza Health Services will have e-mail and Internet access. George has also decided to create an Intranet in cooperation with similar companies around the world to share ideas and information with respect to heath care and offer the ability for these companies to purchase reference material and other items from each other.

George needs help in spotting the data and privacy issues in implementing his ideas.

Mr. Foran was asked to provide an overview of privacy as well as a general look at what governments in Canada are doing and relate this to what George needs to be aware of at an overall level.

Dear George,

Congratulations on nailing down all the pieces to launch your new company. Your business plan must have really impressed the bank for them to come up with that kind of money! And I hear you lured that systems whiz away from Megatech, the one you met at that last CIPS conference. I know how hard you've worked so far and all the ingredients for success seem to be there.

I also know you are going to receive all kinds of gratuitous advice, much of it worth what you paid for it. So you'll forgive me if I add mine because, despite the great ideas, capital and talented employees, there are minefields in your chosen business.

Pour yourself a cup of coffee and put your feet up for a few minutes and consider the bigger picture. It will be hard after hours, days and months of looking after the details. But your business is essentially peoples' information, the details of their lives. And since much of the information is medical, it is particularly sensitive.

In short, George, like it or not, you are now in the privacy business. And if you are not, you won't be in business long.

What I mean by privacy is not the locks and keys, the firewalls, encryption systems and audit trails, although all those are part of protecting your clients and employees personal information.

There is a common fallacy that privacy equates to security, and that it all comes down to the same thing, safeguarding the confidentiality of information. Some think, therefore, that we can deal with growing public concern about privacy in interactive electronic systems simply by promising confidentiality. If it ever was, it is no longer that easy.

Privacy, security and confidentiality are three separate and distinct issues and to address them, we have to recognise and understand their inherent distinctions.

What I mean by privacy is that fundamental value that we have so taken for granted that we don't even recognise it until it's gone. It is such a bedrock value in a democracy that we often fail to see it in action in things we take for granted, like being free from unreasonable search and seizure, the right to cast a secret ballot, the right to decide how we will live our lives. Privacy is the value at the heart of individual liberty.

And it is not just the right of one individual versus another's. Nor is it simply the right of the person against society. Privacy is one of those values that makes a humane democratic society possible. It is fundamental to how we treat one another, to how we respect one another's space, if you like.

In a narrower informational context, privacy concerns our right to control the flow of information about ourselves, the right to fair, reasonable and confidential information practices.

Confidentiality, on the other, hand, is a third-party obligation, the obligation of a custodian to protect the personal information with which it has been entrusted. A promise of confidentiality is, in essence, a fiduciary duty, a duty of care to maintain the secrecy of the information and not misuse or wrongfully disclose it. It is confidentiality that establishes a bond of trust between the individual and the custodian.

And, finally, security. Security is a process, it is the manner of assessing the threats and risks posed to information and taking the appropriate steps to protecting that information against unintended or unauthorised access, use, intrusion, or such other dangers as accidental loss or destruction.

We have so taken for granted our privacy in all its contexts that it was not until the technology pre-history of the 1970s that we woke up. It slowly dawned on policy makers that the implications of information technology on public administration were far greater than more and faster. At stake could be our control over how we live our lives. Putting our information in the hands of others risks giving them the power to influence our decisions.

In simpler times, our relationships were real, concrete and visible. We talked to municipal clerks, bank tellers, doctors and police face to face. The human interaction imposed some constraints born out of that societal sense of mutual respect. Now we are all just case files in a database. The systems deaden our innate sensitivity to the person, and their individual rights.

As the systems spread the data farther and faster, the risks increase exponentially. We are no longer dealing with gossip in a doctor's office or a rumour in the personnel office. We are facing leaks from e-mail, Intranets, data warehouses and Internet. Now we can blab to the world in a nanosecond.

And with a person's life at their fingertips, replete with all our weaknesses, wrong choices and bad judgements, bureaucracies may be tempted to want to influence our behaviour, and business to capitalise on it.

Governments, which, after all, control huge databases and have the unique power to pass laws, acknowledged the dangers and responded. European and North American governments passed laws to control how they collect use and disclose their citizens' personal information. Generally these laws also give the person the right to see the information and to correct errors and annotate disputed information.

Let me tell you how the Canadian federal government has attempted to deal with that issue. In 1983, Parliament enacted the Privacy Act, a somewhat misleading name. Privacy Commissioner Bruce Phillips once joked that it might be more accurate to call it "an act respecting the protection of personal information in the hands of Ottawa bureaucrats". It is essentially data protection legislation similar to most of those in effect in major Western nations.

At its heart, the federal Privacy Act is basically an information handler's code of ethics. It is designed to control the information collection by government to only what is necessary and relevant. It recognises the inherent right of ownership of the information by the people from whom it was taken. It requires government to collect data directly from those people and to tell them why the information is needed and how it will be used. It outlaws unrelated uses and disclosure of the data. It gives individuals the right to have access to information held about them by government. And finally, it puts in place an independent ombudsman (the Office of the Privacy Commissioner) to resolve problems and oversee compliance.

In short, the Act holds government accountable. No longer can government act as if it owns outright the personal information under its control. Broadly similar laws now govern many but not all provincial governments.

The European countries' laws are very similar. The important exception being that they also govern the private sector. Some of these laws could have implications for you, George, so bear with me.

We now face the European Union and its harmonisation of member states' national laws. Among these is what the Europeans call data protection laws, a much more accurate description. The differences have been hammered out and beginning in the Fall of 1998, the EU will be singing from the same privacy songbook. The private sector will be singing along.

Not so in North America, at least, not yet. In the U.S. and Canada, the federal laws apply only to government operations. So too do the provincial laws, with the sole exception of Quebec. This means that, for the moment George, your business is not covered.

However, Canadians are growing increasingly worried about that gap in the law. They are staggered when told that they have no recourse against a business that has sold their information, accidentally disclosed it or shared it with subsidiaries. Their concern is one factor in the federal government' proposals for a national privacy law to cover the private sector.

Industry Canada and Justice have issued a discussion paper on protecting personal information as part of their electronic commerce initiative. I recommend you get a copy and consider what is being proposed. The final product may not look quite like their model but it is clear that the public wants rules for the private sector and a system of holding users of personal data accountable. The announced target date for legislation is the mythical year 2000. In fact, it may happen sooner.

So sooner or later George you will be facing legal obligations. Now is the time to build the principles into your systems. Don't try to glue them on when you're required to; the cost and the aggravation will be substantial.

Another significant factor in developing a law and for you, George, if you have international ambitions, is that European Union law. Its implications for Canadian business are its obligation to protect Europeans' personal data. Canadian companies that want to process that data must meet an adequate standard of data protection, that is, adequate to the EU.

This is not simply a theoretical problem as Citibank found when it won the contract to administer the German railway's passenger card. The details are interesting enough for a separate speech. But in summary the case led the German Data Protector to block the transfer of the passenger records to the U.S. until he was satisfied that the information was secure. As part of the arrangement Citibank had to agree to on-site inspections by the German Data protector, all because the U.S. doesn't have adequate laws. And at this point, neither does Canada.

So get ahead of the curve, George, and do it right. Your obligations may be even greater because you're going to be gathering and using sensitive personal information, medical information, which can have substantial impact on the person's life. This information belongs to the patient, not you. The physical files and the computer systems are yours, of course. But the information you collect and use is yours in trust only, and you have a fiduciary responsibility to the patient for its use.

Eventually you may also find yourself as part of the government's proposed national health information system. This powerful system is being developed as part of a national health information infrastructure to provide linkages with medical practitioners, researchers and health providers of all kinds. Privacy protection will have to be a cornerstone of building such a network as well as recognizing the distinction between patient privacy and data security.

So, I hope this will help you get a bit ahead of the curve and I want to thank you for allowing me to speak with you today and for recognizing that the technical and privacy interests must merge together if you are going to be able to manage both the information and the information technologies successfully in your organization. I hope I can help you in dealing with your privacy responsibilities and I look forward to more discussion and dialogue.

Date modified: