Creating a Body of Privacy Professionals
Remarks at the IAPP KnowledgeNet Tour
Ottawa, Ontario and Montreal, Quebec
March 26, 2009
Address by Chantal Bernier
Assistant Privacy Commissioner of Canada
(Check against delivery)
When we discuss the need for a body of competent privacy professionals in the private and public sectors, the most compelling argument is how much poorer our information-hungry world can be without them. The dangers of a lack of professionalism can best be seen in the growing number of data breaches around the globe in recent years.
Of the breaches reported to the federal Privacy Commissioner, banks accounted for over 40 per cent, followed by mortgage brokers, insurance and telecommunications companies and retailers. This is not very comforting for anyone concerned about the protection of their personal information.
In the early years of the federal Privacy Act, data breaches were very different from what they are today. The Privacy Commissioner’s 1986 annual report, for example, discussed an investigation into 340 completed census forms that had fallen off a truck in Winnipeg. Those familiar with today’s data breaches would breathe a sigh of relief if that were the scale of the loss they faced. And even when larger breaches did occur in the early days of privacy legislation, the technology to exploit the personal information was too unsophisticated to produce widespread damage.
We can no longer rely on inefficient technology to protect our privacy when breaches occur. Data breaches that once revealed information about hundreds have been supplanted by data breaches that reveal sensitive information about hundreds of thousands and, in some cases, millions. And sometimes no one finds out about the breach until the information is misused, sometimes on a massive scale. There are often no telltale documents fluttering down the street. Today, so many of the large data breaches occur by stealth.
We have learned, sometimes through painful lessons, of the forces that lead to data breaches. In some cases, those breaches are the product of disgruntled employees who know the damage they can inflict on companies that do not sufficiently protect the personal data they hold. Other times, the company or government agency may be the target of a malevolent hacker from outside. Still other times, data breaches may simply be incidental to the theft of computer hardware, or information may have been entrusted to a third party without adequate checks beforehand to ensure that appropriate means were in place to protect the information.
A failure to use appropriate technological privacy safeguards adds to the risk of data breaches. Many useful technologies exist – firewalls, encryption, audit trails among them – but they have to be used to be of benefit. On the other hand, we must not allow a belief in technology to lull us into believing that the human element is not important in the privacy equation. The overwhelming majority of data breaches that have been reported to the Office of the Privacy Commissioner in recent years – approaching 90 per cent – were caused by human error – sometimes as simple an error as faxing information to the wrong number, emailing it to the wrong email address or disposing of sensitive information in the trash.
This points to the risks of a lack of privacy professionalism, if I can call it that – the risks of allowing employees who are unschooled in the value of privacy to handle personal information. They simply haven’t had the opportunity to learn the importance of protecting personal information and the harms caused by its unintended release.
We know too that there can be a commercial advantage to collecting and retaining personal information. Collect as much as you can, some might argue, because you might find a use for that information at some point. That approach certainly doesn’t comply with the Personal Information Protection and Electronic Documents Act, but the temptation remains to collect all and sundry personal information, particularly when corporate management does not understand its responsibilities under privacy legislation. As a result, a greater body of personal information will be placed at risk by a data breach than if a company limited its collection of personal information to what was necessary, and regularly culled its information holdings of unneeded information.
That is why we need a body of privacy professionals in Canada – not just people who are interested in complying with privacy rules, but people who are interested in privacy as an essential value in a democratic society.
You might be surprised to hear that the call for a body of privacy professionals is not new. Twenty-five years ago, Canada’s Privacy Commissioner, the late John Grace, wrote that one way to judge the commitment of senior public service managers to the then-fledgling federal Privacy Act was the attention they gave to the position of privacy co-ordinator in government departments. John Grace was speaking almost two decades before PIPEDA came into force, so he did not focus his attention on the need for privacy professionals in the private sector. However, I am certain that if he were alive to speak today, he would be doing just that.
We need people who understand the value of privacy, the need to protect personal information, and the risks posed to that information by improper information handling practices. We need people in positions of responsibility who understand that privacy is not just about complying with rules.
That is why the Office of the Privacy Commissioner strongly supports efforts to professionalize those involved in handling personal information. The work of many organizations, including IAPP, is central to this. Training, continuing education, networking – all these activities are vital if we are to equip ourselves to achieve the delicate balance between safeguarding our privacy and allowing reasonable uses of our personal information by others.
Privacy professionals can work to persuade management that information is an asset to be protected, not merely an afterthought in a commercial or departmental transaction. They can help to bring a privacy ethos to the worlds of organizations and governments. They can press within their institutions for strategic management of information and policies on information retention, as well as the appropriate uses of technology.
Data breaches are only one force threatening privacy. Many others are at play, among them the unquenchable thirst of governments for information about us in this post-September 11 world, often in response to the siren song of greater security through greater surveillance, and the imperative in the private sector to use information for commercial advantage.
Amidst these risks to privacy, privacy professionals can be the linchpins to secure effective privacy practices. That is why the Office of the Privacy Commissioner is so delighted with the work you are doing. I wish you the best of luck with your efforts.