Information Sharing Across Departmental Boundaries
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Response of the Privacy Commissioner of Canada to IPAC Roundtable
March 1, 1999
Privacy Commissioner of Canada
(Check against delivery)
"The integration of information systems and data bases allows government to function more efficiently and effectively, for example, in policy development or program evaluation. On the one hand, it raises many questions: Who should have access to this information? How readily should it be shared between government departments and agencies? Is information technology a driver for greater 'horizontal' integration of government?"
I thought I would open with a quote. Not exactly a groundbreaking introduction I'll admit. This one is not poetry; it does not sing. But it does finger the crux of the issue we are discussing here today.
In a 1971 U.S. Supreme Court decision, the Court talked about the mandate of the American Bill of Rights to, and I quote, "protect the fragile values of a vulnerable citizenry from the overbearing concern for efficiency that may characterize praiseworthy government officials no less, and perhaps more, than mediocre ones," unquote.
(Stanley v Illinois, US Supreme Court, 1971)
This seems an effective reminder of the role efficiency should play in government, and of the role of law in protecting the individual against its too enthusiastic pursuit. We can all applaud efficient administration. We would all like effective government for our tax dollars. But we have to remember where on the column of figures to draw the line across the page. Above that line is sound administration. Below it lies excessive collection, client profiling, data surveillance... and at the bottom of the page... social engineering or just plain manipulation.
It's a very short trip, a very slippery slope, from building an effective social safety net, preventing fraud and promoting population health, to the all-seeing, all-knowing Nanny State. That prospect is every bit as offensive, and arguably even more so, when it purports to be for our own good.
What would once have been possible only with the most extensive, pervasive (and one would argue, intolerable) network of police, government investigators and informers, information technology now hands us on magnetic tape. And because it can be done, we seem unable to ask ourselves "Yes, but should it be done?"
The handout for this rountable asks whether information technology is the "driver for greater... integration of government"? My question is should information technology "drive" anything? Who's in charge here, the designers and operators as proxy for citizens? Or do we just climb aboard, hang on for the ride, and damn the consequences?
Put in those bald terms we all know that's an abdication of our responsibilities as public servants, as legislators and as human beings. It's a bit like saying my car can do 200 kilometers an hour so give those horses their heads.
No. The advent of the internal combustion engine led to traffic laws, drivers' licences, turn signals, seatbelts, parking metres, and demerit points. All of these are society's answer to benefiting from the undeniable convenience and freedom of the family sedan, while trying to contain the havoc it could wreak.
It didn't take the Pentium III chip for policy makers, legislators and the public to understand one downside of the technology. That debate began more than 30 years ago, naturally enough in the United States. But it spread rapidly around nations advanced enough and wealthy enough to own and control new computer systems.
The debate focussed on two levels. The more prosaic was a framework for ensuring accuracy, security and individual access to the information, and on controlling disclosures.
The second level of the debate looked at those less tangible but even more vital matters of privacy and political power. Many acknowledged the power of these systems to essentially undo what democracies had struggled for for so long, that is, maintaining the autonomy of the individual, and constraining the power of the state.
A consensus grew, and from it was born the data protection statutes that now guide virtually all Western nations (and Japan and Hong Kong as well).
The principles are simple but unequivocal. I will read you just two from the federal Privacy Act which are essential to the sharing debate.
"No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution." (emphasis added) Section 4
"Personal information under the control a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except
(a) for the purpose for which it was obtained or compiled...or for a use consistent with that purpose; or
(b) when it may be disclosed under section 8(2)."
That's it. It's very simple. Does the information relate directly to a departmental program? Is the proposed use consistent with the original purpose? If not, you're out.
This is not a case of the principles needing updating to keep up with the new technology. No. These are the principles designed for this very technology. The policymakers and legislators foresaw the dangers and the temptations and set out to add the brakes and seatbelts. The principles are the imposition of human and social values on the machines we have made.
Of, course every rule has its exception. One of these in the Privacy Act allows federal agencies to enter agreements to disclose personal information to other governments for administering and enforcing laws. This exception (8(2)(f)) is used for such exchanges as HRDC's with provincial welfare agencies and workers compensation boards, Revenue Canada's with provincial tax departments, and Correctional Services with provincial law enforcement agencies.
Another exception allows disclosures if an act of Parliament permits. So certain information from bankruptcy records is public, as is holders of radio licences. But these are among the limited and specific exceptions to the general rules. Collect it for a specific purpose. And use it only for that, or a "consistent" purpose.
While we are at it, I would urge us all to call this particular spade a shovel. Rather than that warm, fuzzy euphemism sharing (what reasonable person could object) let's remember what we are discussing here is disclosing personal information on one hand, and collecting it on the other.
Whether the federal government actually becomes more horizontally integrated at the physical level, there is no doubt that proposals for powerful data warehouses threaten to make a virtual government monolith. A data warehouse creates a web of computers and computer systems. Users can travel along the electronic skeins to find the data they need. A little from there, and a little more from there... and soon you have a whole lot here.
Do you have a right to all those details? Your information search was invisible to the person concerned. You probably didn't ask permission to search. Now perhaps you will make an administrative decision about that person based on what the computer said. Or perhaps you will predict his behaviour or eliminate him from an opportunity based on his profile. Now you are exerting control. Now the person is losing his autonomy.
Remember, we are the owners of our personal information. We entrust it to government agencies for limited and specific purposes. We do not hand over the decisions over our lives to those who think themselves capable of making better ones. Autonomy means the right to be wrong too.
This debate reminds me of Thoreau's observation that inventions are but an improved means to an unimproved end. I'd like to see us focus on improving the end. Then we can discuss an improved means to getting there.
- Date modified: