Statistics Canada: Invasive data initiatives should be redesigned with privacy in mind
Complaint under the Privacy Act
December 9, 2019
Overview
In late fall 2018, our Office received more than a hundred complaints relating to Statistics Canada’s collection of personal information from a credit bureau and from financial institutions. The complaints followed on the heels of media reports that Statistics Canada had collected, or was proposing to collect, detailed credit and financial information about a large number of Canadians indirectly from private sector companies without individuals’ prior knowledge or consent as part of two projects: (i) the Credit Information Project; and (ii) the Financial Transactions Project (the “Projects”). Complainants raised concerns regarding (i) the legal authority to collect the information, (ii) transparency about the collections, and (iii) the handling of collected information including potential intentional or unintentional disclosures, and individuals’ right of access.
Statistics Canada maintained that it had the authority to collect personal information without consent for both projects under the Statistics Act and section 4 of the Privacy Act (the “Act”) and that the Projects were protective of privacy. It maintained that the personal information it gathered would be kept confidential and that it had appropriate safeguards to protect it.
After reviewing the available evidence, we conclude that Statistics Canada had the legal authority to collect the information at issue in the Credit Information Project. We thus find the matter not well founded.
With respect to the Financial Transactions Project, we have serious concerns that the Project, as originally designed, would have exceeded Statistics Canada’s legal authority to collect personal information had it gone ahead. As this Project was halted during our investigation, no personal information was collected, and so we decline to make a finding.
Notwithstanding these conclusions, our investigation identified significant privacy concerns with respect to the two Projects as originally designed, although these were not contraventions of the current Act. Specifically:
- While the public objectives we inferred for the two Projects could, if validated, reasonably meet the requirement for a pressing and substantial public goal, Statistics Canada did not demonstrate that all the personal information it sought to collect was necessary for its objectives and that, as designed, the Projects were proportionate to the invasion of privacy entailed and that less invasive alternatives were not reasonably available;
- Statistics Canada also failed to be adequately transparent with respect to the collection of personal information via the Projects; and
- While Statistics Canada has taken significant steps to isolate and minimize access to data and protect against external threat actors, it could improve its security safeguards to mitigate against internal threat vulnerabilities via monitoring for internal unauthorized access and use.
In light of our findings and observations, and Statistics Canada’s express commitment to address the privacy concerns of Canadians before proceeding further with these Projects, we recommended that Statistics Canada take the following measures:
Recommendation number 1: Statistics Canada not continue to proceed with the Credit Information Project as originally designed. We also strongly encourage Statistics Canada to dispose, in due course, of the personal information already collected that would not have been collected via the redesigned project.
Recommendation number 2: Statistics Canada not proceed with the Financial Transactions Project as originally designed.
Recommendation number 3: Statistics Canada work with the OPC to redesign the Credit Information Project so as to respect the principles of necessity and proportionality before proceeding further with the Project.
Recommendation number 4: Statistics Canada work with the OPC to complete the design of the Financial Transactions Project so as to respect its lawful authority and the principles of necessity and proportionality before implementing the Project.
Recommendation number 5: In order to maintain public trust, we recommend that Statistics Canada increase transparency regarding prospective collections of personal information from administrative sources.
Recommendation number 6: In light of the issue we found, we recommend that Statistics Canada implement measures to address risks posed by internal threat vulnerabilities.
We are pleased that Statistics Canada put both Projects on hold last fall and has agreed to implement our recommendations in full. As will be described throughout the report, Statistics Canada has already made improvements with regard to transparency and safeguards and has committed to redesigning both Projects with the principles of necessity and proportionality considered. Further, it has committed to work with our Office going forward on the Projects’ redesign.
In addition to these specific recommendations, we are also of the view that Parliament should consider legislative reform of the Statistics Act and the Privacy Act to ensure that the public interest in obtaining personal information from administrative data sources for statistical purposes does not unjustifiably infringe upon the privacy of individuals, including principles of necessity and proportionality.
Background
- Statistics Canada is Canada’s national statistical office. It has a broad mandate under the Statistics Act to collect, compile, analyse, abstract and publish statistical information in relation to the “commercial, industrial, financial, social, economic and general activities and conditions of the people.”Footnote 1 Statistics Canada collects information via two principal streams: (1) direct collection from survey respondents (e.g. individuals, businesses, organizations); and (2) use of administrative data collected by other organizations for their own purposes. The collection of information at issue falls into the second stream and is part of Statistics Canada’s Administrative Data Program (the “ADP”). Statistics Canada defines administrative data as:
Information that is collected by other government agencies and private sector companies for their own purposes, which is then used by Statistics Canada to efficiently accomplish its mandated objectives.Footnote 2
- According to Statistics Canada, it uses administrative data to complement survey data, or in lieu of surveys and to support statistical operations because it:
- improves data quality;
- reduces data collection costs;
- avoids data duplication;
- reduces the burden on respondents; and
- can help to gather information regarding populations who may be less likely to fill out a survey.Footnote 3
- According to Statistics Canada, it has been collecting administrative data since 1921 and approximately 40% of its statistical programs currently use administrative data. In the past, the most important administrative data sources containing personal information were public sector sources such as vital statistics and income tax records.Footnote 4 However, the Projects at issue in these complaints are part of a modernization initiative by Statistics Canada, which aims to use new public and private sources of administrative data and therefore raises new issues from a privacy perspective.Footnote 5
- Our Office, through our Government Advisory Directorate, had some preliminary consultations with Statistics Canada about the expansion of its administrative data program. At that time, the breadth and scope of the collection was not communicated to us. In response to the high-level information Statistics Canada provided to us in those initial discussions, we made some recommendations as outlined in our 2017-2018 Annual Report to Parliament. We recommended that Statistics Canada consider whether it could achieve the same objectives by collecting personal information that has been de-identified before it is disclosed to the agency. We also suggested it limit collection of administrative data to what is needed for the specified purposes, and that it evaluate the necessity and effectiveness of this work on an ongoing basis. Finally, we recommended that Statistics Canada be transparent with Canadians about its collection of data from administrative and other non-traditional sources.Footnote 6
- In October 2018, a news outlet reported that Statistics Canada had plans to collect the banking information of 500,000 households without their knowledge or consent.Footnote 7 It was later reported that Statistics Canada had already collected credit information from TransUnion of Canada Inc. (“TransUnion”).Footnote 8
- Our Office subsequently received 103 complaints from Canadians raising concerns about Statistics Canada’s authority to collect personal information from credit bureaus and/or financial institutionsFootnote 9 without consent. The complaints also raised concerns regarding a perceived lack of transparency, the safeguards Statistics Canada had in place, access to personal information and possible secondary purposes for which the information might be used and disclosed.
Methodology
- Following receipt of the complaints, we notified Statistics Canada of the investigation and requested representations in response to the allegations. In addition, we obtained evidence and information from multiple sources including:
- submissions from the Canadian Bankers Association (the “CBA”), financial institutions, and TransUnion;
- site visits to Statistics Canada’s headquarters and one of its Research Data Centres;
- interviews with staff from Statistics Canada and representatives from the CBA and its members; and
- a review of current literature related to the use of administrative data, including privately-held data, by other National Statistical Offices (“NSOs”) as well as interviews with privacy authorities and representatives of statistical offices in the United Kingdom and New Zealand.
- During our investigation, we engaged an expert in statistical sciences to assist us in analysing and evaluating the evidence collected including the information provided to us by Statistics Canada.
- Statistics Canada submitted timely responses to our requests for representations and provided access to its staff and facilities.
The Projects
The Credit Information Project
- According to Statistics Canada, the Credit Information Project aims to measure household debt on a periodic basis by collecting credit information of individuals directly from credit bureaus. Statistics Canada submitted that the information obtained from these bureaus will be used to compile “timely estimates” of household debt, according to household type and geographic location. The data would be used to analyze vulnerabilities in Canada relating to personal finances, interest rates and housing prices.
- In March 2018, Statistics Canada signed a formal agreement with TransUnion for the transfer of information as part of the Project. The data captured by the agreement includes historical data going back to 2002, as well as current data. The type of information to be provided under the agreement included approximately 600 elements of data containing personal information including name; age; date of birth; social insurance number; address; and credit information. Credit information included, but was not limited to, types of credit, and numbers and amounts related to each type: for example, number of mortgages, balance of mortgage amount, number of months since last mortgage activity, and available mortgage credit amount. Statistics Canada had initially sought access to 900 elements of personal information, but later agreed to limit the collection to 600 elements.
- Statistics Canada submitted that the Credit Information Project requires a “near census” of credit information and would eventually represent roughly 80% of the total population of Canada. TransUnion confirmed that, before the Project was put on hold, it had transferred to Statistics Canada information relating to approximately 44 million records, comprising information of approximately 24 million Canadians. Explaining the 24 million records figure, TransUnion submitted that individuals could be linked to multiple records. Records provided also included those linked to individuals who are deceased or have left the country.Footnote 10
- The data provided by TransUnion included direct identifiers as required by Statistics Canada. Upon receipt of the data, Statistics Canada performs microdata linkages,Footnote 11 which allows it to link the TransUnion data to other information related to individuals contained in its data holdings, such as household income and property information collected from other sources. Once these linkages are created, the direct identifiers are replaced with an artificial number that is maintained on a linkage key, separated from the data in order to create future linkages, and the direct identifier from the TransUnion raw data is deleted or destroyed. That said, the information remains identifiable through the linkage key, to which a small and limited number of Statistics Canada employees have access.
- TransUnion indicated that it was required under consumer reporting legislation to inform individuals of the disclosure to Statistics Canada, and that it did so by placing a “Non-credit Related Inquiry” on consumers’ files whose data had been disclosed. The notice was accompanied with a phone number that individuals could call to obtain further information from Statistics Canada about the project.
- Statistics Canada completed a short supplement to its generic privacy impact assessment (“PIA”) for the Credit Information Project in March 2018, which it shared with our Office. The supplemental PIA was also subsequently published on its website.
- In November 2018, following the public controversy surrounding the two Projects, TransUnion and Statistics Canada ceased the transfer of credit information under the Credit Information Project pending the outcome of our investigation.
The Financial Transactions Project
- The Financial Transactions Project aims to measure household expenditures by collecting detailed financial transaction information of individuals directly from financial institutions. Statistics Canada submitted that, initially, it was proposing to obtain the personal information for 500,000 households on a monthly basis. This information was to have included the value of all transactions recorded in personal accounts (e.g., payments, purchases, income); a description of each transaction and the date of its occurrence; the payee’s name and description in the case of payments, and account balances after each transaction. The collection of information would be repeated on a yearly basis for a differentiated set of 500,000 unique households.
- In addition, the Financial Transactions Project was to have collected personal information related to the account holders associated with these financial transactions. This was to have included information such as name, social insurance number, date of birth, most recent home phone number, and most recent home address. Statistics Canada submitted that this type of information was necessary in order to organize the information into types of households and to link it to other information.
- Statistics Canada first piloted the Financial Transactions Project using the information of a small sample of employees who had volunteered to participate. Statistics Canada submitted that the results of this pilot gave it reason to proceed with requesting information from financial institutions.
- In April 2018, Statistics Canada approached the CBA to initiate a discussion regarding the Financial Transactions Project. The discussions, which included presentations to the CBA and its members, continued for five months until late September 2018. In October 2018, Statistics Canada sent a letter specifically to nine financial institutions requesting financial transactions data (the “request letter”).
- We heard different perspectives regarding the request letter and the status of the Project. Statistics Canada characterized the letter as a “package” that outlined the legal authority under which personal information would be collected, and described the project as a “pilot” that was still in its design phase. According to Statistics Canada, it sent this “package” at the request of the CBA and submitted that it intended to work with the financial institutions regarding the details of collecting the information.
- However, in the request letter, Statistics Canada took a more definitive and directive tone:Footnote 12
We are writing to obtain access to the individual-level financial transactions data gathered by the [name of the financial institution]. This data will be used for statistical purposes only. Section 13 of the Statistics Act authorizes the Chief Statistician to compel the disclosure of, and obtain, any documents or records that are maintained in any department or in any municipal office, corporation, business or organization, from which information is sought in respect of the objects of the Statistics Act.
[…]Please find attached two draft schedules that specify the type of information required. We will contact your office next week to schedule a meeting or call to further discuss our requirements [emphasis added].
- The draft schedules attached to the request letter identified in detail the information that was required of the financial institutions.
- The financial institutions stated they were surprised by the request letter, which they perceived as compelling the production of personal information of their customers. In their view, Statistics Canada lacks the legal authority to compel them to provide the information since it would require them to create and produce documents or records that they do not currently maintain. They further submitted that financial transaction information is an attractive, high-value target for hackers, and that the creation and compilation of the information as requested by Statistics Canada would create a security threat in their sector.
- The financial institutions also submitted that Statistics Canada proposed to place the onus on the institutions themselves to inform their customers of the collection, which, in the view of the financial institutions, would, as a consequence, threaten the relationship of trust that financial institutions work to maintain with their customers. When we raised this issue with Statistics Canada, it submitted that options for informing affected individuals were being explored but no decision had been made.
- Statistics Canada completed a two-and-a-half-page supplement to its generic PIA for the Financial Transactions Project near the end of October 2018, but it had not been provided to our Office at the time the investigation was launched.
- According to Statistics Canada, the Financial Transactions Project was still being conceptualized when our investigation was launched. It submitted that it had intended to address any potential issues raised by the financial institutions in subsequent discussions. Notwithstanding its representations, we found that the project was quite advanced, conveyed in an authoritative form, and that the two draft schedules attached to the request letter specified in significant detail the information that Statistics Canada was to collect.
- In any case, Statistics Canada never collected any information related to this project and has since publicly pledged that it will not proceed until the privacy issues raised by Canadians and our Office are addressed.
International context
- As noted above, during the course of our investigation, we conducted a review of current literature related to the use of administrative data by other NSOs, including privately-held data, to assist with our understanding of the necessity and proportionality of the Projects.
- In general, we found that, similar to Statistics Canada (see paragraph 2 of this report), NSOs around the world have been experiencing decreasing survey response rates while being faced with increased costs and growing demands from governments at all levels for more timely and detailed statistical information about the population. In response, NSOs are increasingly using public administrative registers, which are adapted and processed to make the data suitable for statistical purposes, in combination with surveys in order to enhance the quality, scope, and cost-efficiency of statistical products.Footnote 13,Footnote 14
- We also observed greater calls for use of data from private sector companies for similar reasons. That said, it appears that projects relating to the use of personal information from the private sector by other NSOs have to date been largely tentative and experimental.Footnote 15 The conservative and careful approach is in part due to concerns with respect to privacy and complying with associated data-protection legislation, particularly when the data at issue consists of raw customer data in identifiable form that would be exported outside of the organization to an NSO.Footnote 16
- We also found in our review that consideration is being given by other NSOs to less privacy-invasive alternatives to accessing personal information in the hands of private sector companies in order to address privacy concerns. For instance, in Portugal, a study regarding the use of credit and debit card data noted that “[t]he key factor for success in accessing this data was the use of somewhat aggregated data. No individual information is received, but instead specific outputs defined based on the needs evaluated by Statistics Portugal. In the discussion between Statistics Portugal and the institution owner of this data, it was realised that accessing individual data could be a major issue.”Footnote 17
- Similarly, the results of research into the use of mobile phone data for statistical purposes in France noted that as “these raw data are very sensitive, it would be preferable for [NSOs] to get access to more aggregated data, less confidential.”Footnote 18 In the UK, studies using mobile phone data are moving forward in which “[o]nly aggregated and non-disclosive data will be sought.”Footnote 19
- Consideration is also being given to alternative methods of collection that serve to minimize the privacy concerns raised when accessing private sector data for statistical purposes, including:
- “civic data sharing” where individuals are encouraged to authorize public sector bodies to collect and use their personal information which was previously shared with a private sector company;Footnote 20
- “algorithm-to-the-data,” where an algorithm is installed within the IT environment of the private company and the analysis takes place there. Only anonymous results are transferred back to the public body such as an NSO;Footnote 21 and,
- “privacy-preserving computation,” which allows data analysis to be performed without disclosing the input data.Footnote 22
- In order to better situate the Projects in an international perspective, we also consulted with representatives of the Office of the Information Commissioner (“ICO”) and the Office for National Statistics in the United Kingdom (“ONS-UK”), along with the Office of the Privacy Commissioner of New Zealand (“OPC-NZ”) and Stats NZ.
- During these consultations, it was revealed that while the collection and use of administrative data from public sector sources by NSOs is widespread, the use of private sector data is much more limited. Furthermore, it is important to note that the information that is being provided from government departments and agencies – most commonly revenue and customs information – is generally in aggregate form and not personally identifiable.
- In terms of the use of credit and financial data, both the ONS-UK and Stats NZ advised that, at this point in time, they do not collect personal information from private sector entities – they are only provided with aggregate data upon request. Both offices also confirmed that they have not attempted to compel the production of personal information from private sector entities although their enabling legislation allows for information to be compelled. Rather, aggregate data is obtained through negotiation and agreement.
- Additionally, we heard that the collection of only aggregated and de-identified data at source does not necessarily impede an NSO’s ability to produce and publish meaningful and robust statistics.
- From a privacy perspective, we also heard concerns from our counterparts at the OPC-NZ that even the use of aggregate data may create significant risk to individual privacy rights in that its use is often “not fit for purpose,” meaning that in many cases, neither the necessity nor the effectiveness of the use of the data has been adequately established prior to collection because the specific objectives of the subsequent analyses remain undefined. Moreover, in such cases, the possibility that individuals included in the aggregate datasets could somehow be rendered identifiable would not have been sufficiently assessed.
- Overall, we were informed that while there is general statistical interest by NSOs internationally in gaining access to individual-level financial information, including credit and banking information, many barriers and countervailing considerations exist to collecting such information, including both legal barriers and concerns relating to privacy intrusion and safeguards.
- In Europe, Article 89 of the General Data Protection Regulation 2016/679 (“GDPR”) sets out the safeguards that controllers must implement in order to further process personal data for research or statistical purposes and specifies that organizations must put in place “technical and organizational measures” to ensure respect for the principle of data minimization.
- In general, the NSOs that we consulted have conveyed that they are cautiously exploring the collection of credit and financial information. They are doing so with active public engagement in order to better understand cultural values and attitudes regarding the collection and use of such sensitive personal information. They have also conveyed that their approach is being carried out with the view to ensuring and maintaining public confidence in their agencies’ collection processes, analytical methodologies, and statistical products.
Collection
- The complaints and the Projects raise the following issues with respect to collection:
- Does Statistics Canada have the legal authority to collect the personal information at issue in the Projects, as required by the Privacy Act?
- Has Statistics Canada established that the collection, use, disclosure and retention of personal information for the Projects are necessary and proportional to the intrusion of privacy that they entail?
Legal Authority
- Government institutions that collect personal information must do so in accordance with the Act, which defines personal information as information about an identifiable individual that is recorded in any form. The credit information that Statistics Canada has collected and the financial information it proposed to collect via the Projects includes information about identifiable individuals – such as first and last name, social insurance number, age, credit history (e.g., frequency of payments), amount and nature of outstanding debt obligations, detailed financial transactions (e.g., purchases, transfers), and account balances. All of this is personal information as defined by section 3 of the Act.
- Section 4 of the Act prohibits government institutions from collecting personal information unless the information sought “relates directly” to one of the organizations’ “operating programs or activities.” In order to comply with section 4 of the Act a government institution must have lawful authority for the operating program or activity in question and be authorized to collect the personal information it is seeking.Footnote 23
- In its agreement with TransUnion and the request letter to financial institutions, Statistics Canada identified section 13 of the Statistics Act as its lawful authority to collect personal information for the purposes of the Projects. Section 13 provides as follows:
Access to records
13. A person having the custody or charge of any documents or records that are maintained in any department or in any municipal office, corporation, business or organization, from which information sought in respect of the objects of this Act can be obtained or that would aid in the completion or correction of that information, shall grant access thereto for those purposes to a person authorized by the Chief Statistician to obtain that information or aid in the completion or correction of that information [emphasis added].
- Statistics Canada noted that pursuant to the Statistics Act it has the mandate to collect, compile, analyse, abstract and publish statistical information on the commercial, industrial, financial, social, economic and general activities and condition of the people of Canada.Footnote 24 As such, in its view, the Projects, to the extent they seek to measure matters such as household debt and spending patterns, fit within the types of statistics that Statistics Canada is mandated to produce and which it is authorized to collect under section 13.
- In its representations to our Office, TransUnion supported the view that section 13 permitted Statistics Canada to obtain the information it requested via the Credit Information Project. However, the CBA, in its representations, disputed that section 13 of the Statistics Act is sufficient legal authority for Statistics Canada to obtain the personal information it was proposing to collect via the Financial Transactions Project. It noted that section 13 is limited to allowing Statistics Canada to obtain “access” to “documents or records that are maintained.” It submitted that these words must be given some meaning and that as a result section 13 does not permit Statistics Canada to require a company to collect, collate and package data into new records. The CBA also noted that banks store the customer data requested in multiple disconnected databases, including for privacy and security reasons, and collating such a large volume of sensitive data as Statistics Canada had requested would create security risks and represent a considerable burden for the affected banks.
- As far as we are aware, there is no judicial authority interpreting the scope of section 13 of the Statistics Act. We are therefore left to consider the issue by reading the words of section 13 in context and harmoniously with the scheme and object of the Statistics Act.
- Beginning with the ordinary meaning of section 13, the authority granted by this provision is to “access” documents or records “that are maintained” by an organization and from which information relevant to Statistics Canada’s mandate “can be obtained”.Footnote 25 A plain reading of section 13 thus suggests that Statistics Canada may obtain access to pre-existing documents or records (“documents or records that are maintained”) rather than compel the creation of new ones.
- This plain reading is supported by other provisions in the Statistics Act that, in contrast, allow Statistics Canada to request “information” in certain circumstances and under certain conditions.Footnote 26 The fact that section 13 does not use this broader formulation suggests, at first blush, that Parliament intended Statistics Canada’s authority under section 13 to be more limited or at least of a different nature.
- Statistics Canada submitted that the focus must rather be on the word “information” in section 13, a term which appears in other provisions such as sections 3, 7 and 8 of the Statistics Act and which must be given a consistent meaning throughout. However, the specific authority granted by Parliament in section 13 is to access documents or records, not to require the production of information, as it is in other provisions in the Statistics Act. We accept that “information” should be given a consistent meaning, but in our view, this does not alter the plain meaning of section 13, which refers to access to documents or records that are maintained.
- The legislative history of section 13 also suggests that it was intended to be limited to access to existing documents or records. The current wording of this provision can be traced back to the 1918 version of Statistics Canada’s enabling legislation, which provided that persons designated by the Dominion Statistician could “access” “any records or documents of any corporation.”Footnote 27 When the Statistics Act was revised in 1971, this formulation was largely kept, but Parliament added the qualifier that the documents or records that Statistics Canada could access were those “that are maintained” by the department, office, corporation, business or organization.Footnote 28 Section 13 therefore appears to reflect a balance struck by Parliament between allowing Statistics Canada access to information stored in administrative records and limiting the burden on respondent organizations by not requiring them to compile and combine data into new documents or records.
- In its submissions, Statistics Canada maintained that section 13 must also be read in light of sections 7 and 8 of the Statistics Act, which authorize the Chief Statistician to prescribe, among other things, “requests for information” and to decide whether such requests are mandatory or voluntary.Footnote 29 In its view, section 13 is an “enforcement compulsion provision” that allows it to enforce requests for information made mandatory under section 8.
- We have carefully considered this submission, but we are of the view that it is not supported by the wording or structure of the Statistics Act or Statistics Canada’s own previous practices.
- First, the wording and context of sections 7 and 8, on the one hand, and section 13, on the other, suggest that they are standalone provisions and operate independently of each other. In contrast to sections 7 and 8, section 13 does not use the phrase “requests for information” and instead speaks of “access” to documents or records. As such, there is no indication in the Statistics Act that the Chief Statistician must first “prescribe” a request for information under section 7 and then determine that such a request is mandatory under section 8 before seeking access to records under section 13. The wording of section 13 suggests that it can be invoked independently of sections 7 and 8.
- We also note that the Statistics Act treats refusing to respond to a request for information as a separate offence from refusing to grant access to records.Footnote 30 This also suggests that they are separate authorities. Indeed, it is difficult to see why separate offences would be necessary if section 13 was merely an “enforcement provision” for sections 7 and 8.
- Second, reading sections 7 and 8 of the Statistics Act as broadening section 13 so as to permit Statistics Canada to request an organization to produce and compile data would appear to render the terms “access” to “documents or records that are maintained” in section 13 meaningless, contrary to accepted principles of statutory interpretation. Whether a document or record is “maintained” by an organization would be of no significance under this interpretation since Statistics Canada would simply be able to require that a new one be produced. In comparison, interpreting section 13 as a separate authority that is limited to existing documents or records gives meaning to the wording of the provision and is consistent with the statutory scheme.
- Third, Statistics Canada’s submission also appears inconsistent with its own previous interpretations and practices. In particular, the submissions and documentation we reviewed indicated that Statistics Canada has consistently viewed its authority under sections 7 and 8 as its authority to conduct surveys – in which respondents are asked to respond to questions and furnish information – and distinct from its authority to access administrative records under section 13. For instance, in its Directive on obtaining administrative data under the Statistics Act, Statistics Canada indicates that its legal authority to obtain administrative data is section 13 and does not refer to sections 7 or 8.
- The evidence also indicates that Statistics Canada was of the view that its authority for the specific Projects was exclusively section 13 of the Statistics Act. In the agreement with TransUnion, the request letters and the PIA for the Projects, the lawful authority identified by Statistics Canada was section 13 of the Statistics Act, not sections 7 or 8.
- Statistics Canada submitted that it was under no obligation to cite the specific provision that it was relying on. We respectfully disagree. Statistics Canada’s agreement with TransUnion and its request letter to financial institutions indicated that its requests were being made pursuant to paragraph 7(3)(c.1)(iii) of PIPEDA. That provision allows an organization to disclose personal information without the knowledge or consent of an individual if the government institution has “identified its lawful authority to obtain the information”. Statistics Canada was therefore required to properly identify its lawful authority. The evidence indicates that in the documents relating to the Projects, Statistics Canada did seek to identify its lawful authority and that it identified section 13, rather than sections 7 or 8, as its authority consistent with its previous practice.
- Finally, there is no evidence that Statistics Canada followed the important transparency requirements in section 8 that apply to mandatory requests for information when carrying out the Projects. In particular, section 8 requires advance publication of a mandatory request and notification to the Minister, neither of which was done for the Projects.Footnote 31 While not determinative, this is consistent with the view that Statistics Canada did not view sections 7 or 8 as the legal basis for the Projects.
- For these reasons, we are of the view that sections 7 and 8 of the Statistics Act do not assist in the circumstances or expand Statistics Canada’s authority under section 13.
- Statistics Canada and TransUnion also pointed to provisions in access to information legislation that require government institutions to produce a record from electronic databases in certain circumstances as supporting their interpretation. However, we note that these appear to act as deeming provisions.Footnote 32 Their presence suggests that without them there would be no requirement to produce a new record in response to an access request. The fact there is no equivalent deeming provision in the Statistics Act suggests that, to the contrary, section 13 does not require an organization to create a new record or document.
- Statistics Canada and TransUnion submitted that limiting Statistics Canada’s authority under section 13 to accessing existing records or documents would lead to absurd results and would frustrate the objects of the Statistics Act, particularly in light of the fact that organizations regularly store information in electronic databases. Statistics Canada suggested that such an interpretation would be the equivalent of saying that it cannot request that two documents be stapled together as this would involve the creation of a new record.
- In our view, the premise underlying these submissions is not correct: requesting access to a document stored electronically clearly does not entail the creation of a new document or record, nor would changing the format of an existing document such as stapling two pages together.
- Furthermore, we find it difficult to see how an interpretation that allows Statistics Canada to access all documents or records that are maintained by an organization containing information relevant to its mandate would frustrate its mandate or purposes. While this may place some limits on its authority, it is still an extremely broad power, which permits it to potentially access a wide range of documents or records. In contrast, reading section 13 as authorizing Statistics Canada to require an organization to collate and compile any data in its possession, regardless of how they are stored, potentially represents a much more vast and intrusive power. In the absence of an express indication that this is what Parliament intended, we are not inclined to read section 13 so broadly.
- While section 13 may need updating to reflect how information is stored by businesses and other organizations in today’s environment, an issue discussed below under legislative reform, this should not be grounds for reading out the words of the statute, which at present, appear to place limits on what Statistics Canada can legally require organizations to provide access to under section 13.
- In light of the above, our view is that the specific wording chosen by Parliament in section 13 is significant and limits Statistics Canada’s authority to seeking access to existing documents or records.
Application to the facts
- Applying the above analysis to the facts, we considered whether both Projects fell within the scope of Statistics Canada’s authority under section 13 of the Statistics Act.
- With respect to the Credit Information Project, TransUnion explained that it maintains a system that it uses to reply to requests for information as part of its business operations. It stated that it did not create a technical process to respond to Statistics Canada’s request and used the same system and processes to provide the information requested by Statistics Canada.Footnote 33 It maintained that responding to Statistics Canada’s request therefore did not involve the creation of a new document or record.
- We noted that TransUnion was expressly required pursuant to its agreement with Statistics Canada to “compile data” from several services in order to respond to the request. However, TransUnion represented that nevertheless, the data was in fact retrieved from a single consumer reporting database.
- Based on the evidence and submissions before us, it appears that TransUnion was not required to create new documents or records in order to respond to Statistics Canada’s request. Rather it was providing Statistics Canada with access to records and documents that it maintains electronically in a single database. We therefore conclude that the Credit Information Project fell within Statistics Canada’s lawful authority and was consistent with section 4 of the Privacy Act.
- We have serious concerns, however, with respect to the Financial Transactions Project. In particular, the evidence obtained from the CBA, in consultation with certain of the affected financial institutions, indicated that Statistics Canada’s request would likely have involved the creation of new records or documents. Specifically, institutions explained that although they may have some of the data that Statistics Canada is looking for, it is maintained in separate databases, which, for various reasons, including security, privacy and confidentiality,Footnote 34 are compartmentalized and disconnected. This means that producing the data would have required financial institutions to compile information from separate databases.
- According to the financial institutions, it would have also required significant resources to produce records that responded to Statistics Canada’s request. The financial institutions also raised issues related to regulatory barriers and data quality. They explained that, in some instances, they are subject to rules or regulations that prohibit data compilation. Furthermore, some compilations would not be practically feasible due to inconsistencies in the content of data records. Statistics Canada noted that it planned to organize certain documents sought from financial institutions in a manner whereby the latter information would be difficult to re-link by the institutions themselves – clearly implying the creation of new documents.
- All of this strongly suggests that the planned collection would have exceeded simply accessing documents or records that are maintained by financial institutions in order to obtain relevant information. Rather it appears as if it would have involved the compilation and production of a tailored data set respecting the financial institutions’ customers, a data set which financial institutions would not normally keep as part of their operations. We therefore have strong concerns that had the Financial Transactions Project proceeded as originally designed, it would have contravened section 13 of the Statistics Act.
- However, given that the Financial Transactions Project did not ultimately proceed and did not result in the collection of any personal information from financial institutions, we decline to make a finding on this aspect of the complaints. We therefore recommend that Statistics Canada address its lawful authority in any redesign of the Financial Transactions Project.
Necessity and proportionality
- In addition to the issue of legal authority, the Projects also raised broader issues regarding the privacy invasiveness of Statistics Canada’s activities.
- Although not a legal requirement based on the current law,Footnote 35 we note that as a matter of government policy, the TBS Directive on Privacy Practices requires that government institutions only collect personal information where it is “demonstrably necessary” for its operating programs or activities.Footnote 36
- Our Office has recommended for several years that the collection of personal information by federal institutions be governed by a necessity and proportionality standard. We also note that the principle of necessity is found in provincial and territorial legislation protecting personal information in the public sector, and is a commonly accepted standard to ensure that public bodies do not over-collect personal information.Footnote 37
- In its December 2016 report on modernizing the Privacy Act, the Standing Committee on Access to Information, Privacy and Ethics (ETHI) recommended that the Privacy Act be amended “to explicitly require compliance with the criteria of necessity and proportionality in the context of any collection of personal information, consistent with other privacy laws in effect in Canada and abroad.”Footnote 38
- Until such time as the Privacy Act is amended, our published guidance on PIAs calls on government institutions to assess both the necessity and proportionality of a particular activity that impacts individual privacy before carrying out the activity. Statistics Canada, among other institutions, has agreed to have its activities assessed under the necessity and proportionality standard when it submits PIAs for review by our Office. As noted in paragraphs 16 and 28 of this Report, Statistics Canada has undertaken not to proceed with its Projects until our investigation is completed and the privacy concerns of Canadians have been addressed. In our view, satisfying the standard of necessity and proportionality is a requirement to that end. For activities that are particularly privacy-invasive, our Office encourages government institutions to assess the following questions (known as the four-part test):Footnote 39
- Is the measure demonstrably necessary to meet a specific need?
  - Is it rationally connected to a public goal that is pressing and substantial?
  - Is there empirical evidence in support of the initiative?
- Is it likely to be effective in meeting that need?
  - Was it carefully designed to achieve the objective in question?
- Is the loss of privacy proportional to the need?
  - The more severe the impact on privacy, the more clear and important the goal should be.
- Is there a less privacy-invasive way of achieving the same end?
  - Is there empirical evidence that other means will not achieve the objective?
  - Have reasonable steps been taken to ensure that the minimum amount of personal information required to achieve the objective has been collected?
- With respect to necessity, government institutions are encouraged to explain, in detail, how their proposed privacy-intrusive initiatives are rationally connected to a pressing and substantial goal, and how the proposed collection or use of personal information will serve to meet these needs. This requires empirical evidence in support of the initiatives and should preclude the collection of personal information for “just in case” scenarios or the retention of information that might be useful for yet to be determined future purposes.
- In order to meet the first part of the test, institutions must define a pressing and substantial public objective. In its submissions, Statistics Canada described the public objectives of the Projects in general terms. Based on the information provided, we inferred the following broad objectives for the Projects:
- The objective of the Credit Information Project is to provide valid statistical information to support policies directed at addressing vulnerabilities in Canada relating to personal finances, especially household debt, interest rates and developments in the housing market; and,
- The objective of the Financial Transactions Project is to fill data gaps in order to produce valid statistical information across household groups and to support specific economic and social policies (such as anti-poverty policies targeted at vulnerable populations and policies to pre-emptively mitigate the effects of economic recessions).
- In our view, these inferred objectives, if validated by Statistics Canada, could reasonably meet the requirement for a pressing and substantial public goal. However, further consideration would need to be given as to whether all of the personal information the Projects seek to collect is demonstrably necessary to achieve these objectives.
- Statistics Canada was similarly able to explain, with respect to the second point of the four-part test, that the overall effectiveness of its historical methods is increasingly challenged by a range of factors including cost, declining survey response rates, and respondent burden. It contends that collection of administrative data through the two Projects is an effective alternative in light of these challenges.
- We acknowledge Statistics Canada’s authority and expertise in statistical methodology. Furthermore, we note that the Projects were reviewed by external methodology and statistics experts, as well as Statistics Canada’s Advisory Committee on Statistical Methods,Footnote 40 to validate their effectiveness.
- However, Statistics Canada has not yet explicitly provided a clear definition of the specific objectives of the Projects at a level of detail sufficient to fully assess their effectiveness. Without such a definition, it is impossible to determine whether the Projects were carefully designed to achieve the objectives.
- This is important in order to assess, among other elements, the level of accuracy and granularity required to effectively achieve the objectives. This is a fundamental question as the means or statistical methods chosen (for instance, the collection of line-by-line financial information) must be analyzed, under the four-part test, in relation to what level of precision is intended to be achieved. It is clear and accepted that valid and reliable statistics can be obtained without reaching 100% accuracy or confidence. Statistics Canada did not define the level of accuracy required at a granular level for the data to be collected through the Projects.
- With respect to the third and fourth parts of the four-part test, our analysis of the evidence gathered during the investigation led us to conclude that as originally designed, the two Projects did not meet these aspects. In particular, as originally designed, the Projects raised serious concerns as to whether the loss of privacy was proportional to the need. We are also of the view that less invasive alternatives are available that would achieve the same objectives.
- Proportionality is a principle that limits the collection of personal information to ensure that the expected benefits are balanced against privacy intrusiveness. Statistics Canada initially argued that because its purposes are limited to producing aggregate statistics and that it is required to keep personal information it collects confidential, the collections are “proportional”. We accept that these are important factors in the proportionality analysis, but they are not sufficient. Otherwise, there would be seemingly no limit to what personal information Statistics Canada could collect pursuant to its mandate. According to such logic, no matter the scale or sensitivity of the personal information Statistics Canada would propose to collect, this would be outweighed by the fact that the information would only be used for statistical purposes and would generally not be disclosed in identifiable form.
- Both Projects involve the collection of extremely detailed and sensitive information about individuals. Credit information relates to an individual’s current and historic debt levels and is sensitive in nature. For the Credit Information Project, Statistics Canada initially requested 900 elements of data from the credit bureau but then agreed to a collection of just over 600. While it espoused data minimization principles, Statistics Canada did not demonstrate that it considered whether each of the 600 elements, ultimately produced on 44,000,000 records, was required before they were collected.
- With respect to the nature and scope of the personal information at issue in the Financial Transactions Project, financial transaction information can paint an intrusively detailed portrait of an individual’s lifestyle, consumer choices and private interests, including lawful choices individuals would not want the government to know about. We consider a complete record of financial transactions to be extremely sensitive personal information. Indeed, this line-by-line collection of information relating to individuals’ banking activities by a government institution could be considered akin to total state surveillance. It is doubtful that any public objective can be so compelling (pressing and substantial) as to justify this level of intrusiveness.
- Determining proportionality of a collection requires that the privacy intrusiveness of a measure be weighed against not simply the existence of a demand by stakeholders for a particular type of statistics, but also an assessment of the importance of the specific public policy need behind the demand. In any case, Statistics Canada has not demonstrated here that this depth of surveillance is proportional to the objectives of the Financial Transactions Project.
- In addition to the sensitivity of the information collected, we also considered the extent to which the information would be kept by Statistics Canada in identifiable form and would be used for possible future linkages. Statistics Canada stated that the information it received via the Credit Information Project was “anonymized upon receipt.” However, Statistics Canada maintains the ability to re-identify the information and create links with other data sets linked to individuals. As such, the information is not truly anonymized in the hands of Statistics Canada. Linkages between credit information and financial transactions and information from other sources have the potential to further elevate the sensitivity of the information produced creating an extremely detailed and multi-dimensional profile of an individual. Statistics Canada submitted that it intended to link the credit information and financial transaction information with census information, and to other source(s) that have yet to be determined, for statistical purposes.
- We asked Statistics Canada how long the information required to identify an individual (linkage keys and/or direct identifiers) would be kept. It did not provide us with a specific retention period, but it submitted that it intended to retain the information for the purpose of making “future linkages”. For example, Statistics Canada explained that financial transaction information could be linked with census data in order to generate statistics regarding “expenditures and affordability of vulnerable subpopulations such as seniors, single parent families, immigrants and youth.”
- For both Projects, Statistics Canada submitted that the size of its sample was a mitigating factor that demonstrated that the privacy impact is proportional to the benefit. Specifically, it argued that the information it collected from TransUnion – 600 data elements from approximately 44,000,000 files – represents only “4% of the credit information data that resides within the Credit Bureau industry, limiting the information collected to only what is required to meet the policy need objectives.” With respect to the Financial Transactions Project, it argued that the collection of banking transaction information from 500,000 households was proportional because it represented “less than 3% of all households.”
- In our view, the sample sizes of the Projects do not sufficiently mitigate the intrusiveness of the collections. TransUnion is one of Canada’s two principal credit bureaus. As can be seen from the number of records involving individuals’ information that was provided to Statistics Canada by TransUnion, it holds information on a large section of the population. In fact, it is arguable whether “4% of all information that exists in the credit industry” – a figure which was undefined by Statistics Canada and is unclear – can even be considered or characterized as “limited” given the totality of sensitive information held by that industry for all credit related activities and services. Additionally, as noted above, the Credit Information Project involved a near census of the Canadian population, further raising questions on the “limited” nature of the collection.
- With respect to the Financial Transactions Project, while it notionally involved a smaller subset of the population by proportion, as originally designed it nevertheless would have implicated a large number of individuals and included information regarding their financial transactions at the highest level of comprehensiveness and granularity. In our view, the sample size would not have sufficiently mitigated the intrusiveness of this project, particularly given the scope and depth of the personal information that would have been collected, and that as the collection repeats, it would ultimately capture the information of virtually all Canadians.
- The last part of the four-part test asks organizations to consider whether there are less privacy-intrusive ways of achieving their specific objectives, including using less data (i.e. the principle of data minimization).
- With respect to the Credit Information Project, Statistics Canada submitted that it considered using a survey to gather the information it needs. It conducted a test to determine if a survey would be effective. Based on the testing, Statistics Canada determined that it would not receive the information it needs because survey respondents would either not have the information required or find the burden of gathering the information too great.
- With respect to the Financial Transactions Project, Statistics Canada submitted that it had considered two less privacy intrusive methods: (i) increasing the sample size of the Survey of Household Spending; and (ii) collecting anonymized information from the bank. According to Statistics Canada, neither method would be effective in filling the data gaps it identified.
- After reviewing Statistics Canada’s position, we were not satisfied that Statistics Canada had given sufficient consideration or weight to alternatives that are less intrusive from a privacy perspective but would still substantially assist in filling the data gaps Statistics Canada has identified. This view is reinforced by our international benchmarking exercise and the analysis of the statistical expert we consulted. As noted above, the international context surrounding access to personal information in the hands of private-sector sources by NSOs suggests that there are a number of innovative methods being discussed or trialled that Statistics Canada could have more fully considered. Available alternative methods include, but clearly are not limited to, the following:Footnote 41
- Obtaining aggregate or anonymized data from administrative sources;
- Hybrid methods, using benchmarks (Footnote 42) obtained from administrative databases, and supplementing information with surveys on topics not available from administrative databases;
- Panels of individuals compensated for their input. Commercial survey houses have established panels of hundreds of thousands of people willing to share information – including household income information;Footnote 43 and,
- Surveys with booster sampling for studying small groups.Footnote 44
- Statistics Canada stated that it took measures to consider less privacy intrusive means for both Projects. However, we are not satisfied that less intrusive alternatives do not exist, particularly given that other NSOs have adopted alternative methods for similar types of projects such as the use of aggregated information.
- For the reasons outlined above, Statistics Canada has not demonstrated that the collection already undertaken in the Credit Information Project, and the proposed collections in both Projects, as originally designed, were necessary and proportional.
- During our investigation, we presented to Statistics Canada the analysis above. After reviewing our analyses and with further discussions with our Office, Statistics Canada committed to explicitly incorporate necessity and proportionality into its approach by using “the four-point test […] on a foundational basis, in conjunction with statistical principles”. We are encouraged by this commitment.
- Statistics Canada’s commitment includes two components:
- The development of a framework for incorporating necessity and proportionality into its statistical methods; and,
- Applying this framework to the projects at issue.
- Concerning the development of a necessity and proportionality framework, Statistics Canada has proposed to develop tools, such as a sensitivity scale, that will help it to assess the sensitivity of the personal information it is collecting. Statistics Canada has also suggested that this sensitivity scale would be used to inform the sample size, scope, breadth, and depth of collections, along with other factors including the quality level required to serve the identified purposes. Statistics Canada explained that it also intends to consider alternative methods to minimize the privacy impact of personal information collected.
- Furthermore, Statistics Canada has proposed that it will include a stage in its project planning procedures that requires an assessment of the necessity and proportionality of the potential collection of personal information.
- Finally, Statistics Canada has proposed that it will establish a scientific review committee that will include privacy expertise to assess the necessity and proportionality of proposed projects.
- In our view, Statistics Canada’s proposed framework represents a positive change in direction that has the potential to address many of the privacy issues raised by this investigation. However, it is too early to assess the effectiveness of the approach.
- Statistics Canada has provided us with high-level descriptions of revised designs of the two Projects. We note many positive developments, including a commitment to significantly reduce the amount of information collected, including a reduction in sample sizes, number of variables, and number of personal identifiers. That said, we did not receive details regarding what specific information would no longer be collected, what would still be collected, and why the specific information, including individual level credit and financial information, in the updated Projects is required. Furthermore, given the sensitivity of the personal information potentially in question in both Projects, alternative measures considered need to go beyond selection of data elements to be collected and determining sample size. They should include a range of approaches (Footnote 45) to meaningfully limit the privacy impacts. We acknowledge that the incorporation of necessity and proportionality is new territory for statistical agencies, and therefore it is to be expected that a period of engagement will be required.
- Nevertheless, we note that since our investigation commenced, Statistics Canada has committed to working towards defining necessity and proportionality within the context of statistical science. In particular, it has demonstrated a willingness to work with our Office to redesign the projects to respect the principles of necessity and proportionality.
Transparency
- The complaints and the Projects raise the following issue with respect to transparency: does Statistics Canada have sufficient measures in place to ensure that individuals are aware that their personal information will be collected via the Projects?
- Apart from the requirement to publish an index of personal information banks,[Footnote 46] the Privacy Act does not impose specific transparency requirements with respect to the collections at issue in the complaints.[Footnote 47] Nevertheless, Statistics Canada has committed to being transparent with its collection of personal information. In its representation Statistics Canada generally stated that it “informs Canadians and data users of new initiatives through consultations, meetings and conferences […] during later testing and pilot phases, more detailed information on collection methods and privacy safeguards is shared with Canadians and stakeholders involved in the project.”
- That said, we did not find evidence that Statistics Canada adequately engaged the public or affected individuals about the Projects. We were unable to find any reference to the Credit Information Project, the Financial Transactions Project, or the ADP more generally as part of its public consultations.[Footnote 48]
- The absence of openness and transparency related to the Projects was evident from the content of the representative 103 complaints our Office received. It was apparent that the public was concerned, surprised, and unclear about what was being collected and for what purpose.
- With respect to the Credit Information Project, Statistics Canada published the supplemental PIA for the project on its website and indicated that “TransUnion informs Canadians each time it provides individual credit information to Statistics Canada by informing Canadians that a ‘Non-credit related inquiry’ of their account has been made.” Statistics Canada’s contact information is then provided.
- Statistics Canada further submitted that this was the same approach being taken for the Financial Transactions Project: “in August 2018 […] Statistics Canada advised that the financial institutions be transparent with their customers and proposed that [a notice] be placed on customer online banking statements.”
- We note that the notices placed by TransUnion would require that individuals first request access to their credit file in order to see the notice. Furthermore, the issuance of notices to customers by TransUnion and the proposed issuance for financial institutions is carried out “post-collection” of information, and as demonstrated by the complaints related to credit information, was widely perceived as a surprise and “too late.”
- Considering the scope and breadth of the collection of sensitive information in the Projects, it is equally surprising that Statistics Canada would see it as appropriate or effective from a transparency perspective, to rely on third parties to notify affected individuals. In our view, Statistics Canada needs to be more proactive in ensuring that individuals who are impacted by the Projects are informed in advance of the collections.
- In response to our concerns and recommendations, Statistics Canada has recognized that it could do more to be proactively transparent, and it has accepted our recommendation in full. During the course of our investigation, Statistics Canada added new content to its website and launched the “Trust Centre,” a new website where Canadians can access information about the Projects and the ADP. At the time of our review, the Trust Centre lacked detail, notably with regards to the two Projects, and its usability could be improved. Statistics Canada has acknowledged more needs to be done and it plans to continue the website’s development. We encourage Statistics Canada to continue making improvements to its website and to avail itself of additional communication streams to proactively inform Canadians when their data is collected and of the purposes for doing so.
Handling of Personal Information after Collection
- The complaints and the Projects raise the following issues with respect to handling of personal information after collection:
- Does Statistics Canada have appropriate safeguards in place to protect against unauthorized access, use or disclosure of personal information collected via the Projects?
- Does Statistics Canada have in place proper procedures to ensure that individuals may obtain access to their personal information?
- Is there a risk that personal information collected via the Projects will be disclosed for secondary purposes and/or in an inappropriate manner?
Safeguards
- Government institutions are required under the Privacy Act to ensure that personal information under their control is used or disclosed in accordance with the Act. In order to meet these obligations, government institutions must have adequate safeguards to protect against unauthorized use or disclosure.[Footnote 49]
- In certain of the complaints received, we heard concerns regarding the security of the personal information collected. The issue raised is that the vast amount and elements of information collected present a high value target to hackers and cybercriminals and therefore increase the risk of cyberattack. We observed this in other investigations (e.g., the World Anti-Doping Association breach investigation[Footnote 50]) where an organization and its databases may become a high value target for well-resourced and highly motivated actors, including of a state sponsored nature. Statistics Canada’s data holdings have few parallels in richness and depth. We therefore would expect its level of safeguards to be commensurate with its status as a high value target.
- In the course of the investigation, we reviewed the processes and systems related to the Credit Information Project to evaluate the de-identification, or Statistical Disclosure Control (SDC),[Footnote 51] practices and security safeguards used by Statistics Canada. As no information had been collected for the Financial Transactions Project, the specific details around the SDC and other safeguards related to the banking information had not been developed and/or finalized for our assessment.
- In addition to reviewing Statistics Canada's written submissions, we conducted two site visits: one to a Research Data Centre[Footnote 52] and one to Statistics Canada’s headquarters, both located in Ottawa, Ontario. The objective of these visits was to assess: (i) measures taken to protect the privacy of individuals when sharing or releasing data or statistics, and statistical disclosure controls on site; and (ii) safeguards as they relate to digital encryption, and logging and monitoring.
De-identification
- We examined Statistics Canada’s policies, processes and procedures, as well as the governance structure that it uses to reduce the possibility of the disclosure of personal information. Our assessment considered the context of the environment and the circumstances in which the data could be shared or released, along with an evaluation of the data itself.
- Following our review, we found that Statistics Canada has demonstrated that it has a number of organizational measures and appropriate controls combined with SDC methods that transform data.
- In all, Statistics Canada has reasonable processes and procedures to manage the opportunity for, and likelihood of, disclosure. It also uses data transformations to reduce disclosure risk before sharing data with outside parties. It should be noted that there is no such thing as zero risk when releasing data; however, our assessment confirmed that Statistics Canada’s SDC is both adequate and effective.
Encryption
- Our review confirmed that Statistics Canada encrypts the data at issue, and it has employed multi-level encryption, which goes beyond Communications Security Establishment (“CSE”) and TBS requirements.
Logging and Monitoring
- Our review confirmed that Statistics Canada uses logging and audit trails that capture and can explain internal access to the data at issue; however, these logs are reviewed upon request only, which does not meet the requirements included in the TBS Directive on Privacy Practices,[Footnote 53] specifically section 6.2.21, which states:
Adopting appropriate measures to ensure that access to, as well as use and disclosure of, personal information are monitored and documented in order to address the timely identification of inappropriate or unauthorized access to, or handling of, personal information.
- We also noted that Statistics Canada does not employ a centralized logging and monitoring solution. This means that in order to gain a comprehensive picture of user activity, in particular to detect unauthorized activity or intrusions, security/administrative personnel have to compare activity across multiple systems and logging solutions.
- We did note that Statistics Canada has robust access controls in place. While these controls could help to mitigate unauthorized access, Statistics Canada is not adequately monitoring unauthorized use. That said, Statistics Canada has indicated that it is seeking tools that would allow it to evaluate logs for anomalies, which, although a step in the right direction, is not likely to satisfy the TBS requirements on its own if it does not involve proactive monitoring of logs for unauthorized access.
- Previous investigations conducted by this Office have uncovered instances where employees (both private and public sector) inappropriately accessed, and in certain cases used, sensitive personal information. Therefore, monitoring is an essential component to address internal threat vulnerabilities, especially where personal information is of such breadth, sensitivity, richness and value, as clearly is the case in this instance.
- While existing encryption safeguards create significant obstacles for external threat actors, the deficiencies identified with respect to logging and monitoring mean there is an increased risk from internal unauthorized access.
- In light of the issue we found, we recommend that Statistics Canada implement measures to address risks posed by internal threat vulnerabilities. Specifically, Statistics Canada should implement a form of proactive monitoring in order to comply with the TBS Directive on Privacy Practices, and Policy on Privacy Protection.[Footnote 54] Section 3.1.3 of the policy explains that effective protection and management of personal information includes monitoring privacy risks involved in the collection, retention, use, disclosure and disposal of personal information.
- In response, Statistics Canada has accepted this recommendation and has taken steps to improve its internal threat monitoring. Although its plan as submitted lacks the detail that would allow for a full analysis, we note that it appears promising and encourage Statistics Canada to continue its development and to ensure it meets TBS standards.
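The gap described in this section (logs held in separate systems and reviewed only on request) can be illustrated with a short sketch. This is an added example, not part of the report and not a description of Statistics Canada's systems: the two log formats, the user names, the daily record limit and the working hours are all constructed assumptions. It merges two audit logs into one timeline and runs checks over every event, showing a user whose activity stays under the limit in each system but exceeds it once the logs are combined.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs from two hypothetical systems with different formats.
DB_AUDIT_LOG = """\
2019-03-04T10:02:11|asmith|SELECT|credit_file|rows=35
2019-03-04T10:40:52|bjones|SELECT|credit_file|rows=12
2019-03-04T23:15:07|asmith|SELECT|credit_file|rows=30
"""
FILE_SERVER_LOG = """\
ts=2019-03-04T11:20:00 user=asmith op=read path=/extracts/credit_q1.csv records=40
ts=2019-03-04T14:05:30 user=cwu op=read path=/extracts/credit_q1.csv records=8
"""

DAILY_RECORD_LIMIT = 100   # assumed per-user daily baseline, not a TBS value
WORK_HOURS = range(7, 19)  # assumed normal working hours, 07:00 to 18:59


def parse_db_audit(text):
    """Parse the pipe-delimited database audit format into common events."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, user, _action, resource, rows = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "system": "db", "resource": resource,
                       "records": int(rows.split("=", 1)[1])})
    return events


def parse_file_server(text):
    """Parse the key=value file-server format into the same event shape."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        f = dict(kv.split("=", 1) for kv in line.split())
        events.append({"ts": datetime.fromisoformat(f["ts"]), "user": f["user"],
                       "system": "file", "resource": f["path"],
                       "records": int(f["records"])})
    return events


def centralize(*sources):
    """Merge per-system events into one time-ordered view of user activity."""
    return sorted((e for src in sources for e in src), key=lambda e: e["ts"])


def review(events):
    """Proactive checks run over every event, not only when someone asks."""
    alerts = []
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date())] += e["records"]
        if e["ts"].hour not in WORK_HOURS:
            alerts.append(("off_hours", e["user"], e["ts"].isoformat(), e["system"]))
    for (user, day), total in totals.items():
        if total > DAILY_RECORD_LIMIT:
            alerts.append(("volume", user, str(day), total))
    return alerts


if __name__ == "__main__":
    db = parse_db_audit(DB_AUDIT_LOG)
    fs = parse_file_server(FILE_SERVER_LOG)
    print("db only:    ", review(db))
    print("file only:  ", review(fs))
    print("centralized:", review(centralize(db, fs)))
```

Reviewed separately, neither log produces a volume alert for `asmith`; only the merged view does, which is the comparison across systems that the report says personnel currently have to make by hand.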
Access
- The Act gives individuals the right of access to their personal information held by federal government institutions. Certain complainants expressed concerns regarding their right to access the personal information collected for the Projects.
- We confirmed that Statistics Canada has general procedures in place to ensure that individuals can access the personal information they are entitled to under the Act. We found no systemic issues with these procedures.
- We note that the information at issue in both Projects includes information about identifiable individuals including the linkage keys, which constitutes personal information as defined by the Act. Therefore, affected individuals would have a right of access to this information.
Use or Disclosure for Secondary Purposes
- Certain complainants expressed concerns that Statistics Canada would disclose the information to other institutions to be used for secondary purposes (such as for law enforcement).
- In general, section 17 of the Statistics Act prohibits Statistics Canada from disclosing information that could identify an individual. Section 18 of the Statistics Act also prohibits the use of identifying information collected by Statistics Canada as evidence in any proceedings and prohibits Statistics Canada employees from being compelled to testify or to produce identifying information.
- This said, we noted that paragraph 17(2)(a) of the Statistics Act permits the Chief Statistician to disclose, by order, identifying information it has obtained from organizations and which the organizations had collected for their own purposes, which would include information collected via the Projects and other administrative data programs. The information must be subject to “the same secrecy requirements to which it was subject when collected” and may only be disclosed in the manner and to the extent agreed to by the organization and the Chief Statistician.
- Statistics Canada represented that there have only been seven disclosures under paragraph 17(2)(a) involving personal information since 2010-11 and that these have represented disclosures to other provincial, territorial or federal departments for non-statistical purposes (for instance, to allow provinces to update their vital statistics registries). Statistics Canada stated that such disclosures are governed by its Directive on Discretionary Disclosures and that disclosures can be made where the public good is clearly evident and outweighs any privacy intrusion.
- Notwithstanding these representations, the requirement for Statistics Canada to weigh the public good against privacy intrusion is not stated in its Directive on Discretionary Disclosures. Rather the Directive indicates that Statistics Canada may disclose identifiable information where (i) the information is needed for statistical or analytical purposes, and (ii) the “information released does not disadvantage Statistics Canada’s respondents and does not harm the relationship between the Agency and its respondents or the reputation of the Agency” [emphasis added].
- However, the interests of a respondent organization may not be the same as those of an individual whose personal information would be disclosed by Statistics Canada. On its face, the Directive does not seem to expressly require Statistics Canada to weigh privacy interests of affected individuals when deciding whether to make a disclosure under paragraph 17(2)(a).
- While we did not uncover evidence that Statistics Canada was using its authority under paragraph 17(2)(a) inappropriately, we encourage Statistics Canada to update its written policies and procedures, including the Directive on Discretionary Disclosures to ensure that the privacy interests of individuals are taken into account when making disclosures under this provision.
Conclusion
- In light of the above, the complaints with respect to the Credit Information Project are not well founded. Based on the facts we gathered, the Project involved accessing documents or records maintained by TransUnion and fell within Statistics Canada’s authority in section 13 of the Statistics Act. The Project therefore involved the collection of personal information that related directly to an authorized program or activity of Statistics Canada within the meaning of section 4 of the Act.
- Given that no personal information was collected with respect to the Financial Transactions Project, we decline to make a finding, but note our concerns that the proposed design of the project would have exceeded Statistics Canada’s authority under section 13.
- Although we found no violation of the Act, we nevertheless had very significant concerns that both Projects did not respect the principles of necessity and proportionality and therefore did not adequately respect privacy. While the public objectives we inferred for the two Projects could, if validated, reasonably meet the requirement for a pressing and substantial public goal, Statistics Canada did not demonstrate that the collection of sensitive credit and financial information via the Projects was necessary or proportional in the circumstances.
- We also had concerns that Statistics Canada did not take sufficient steps to be transparent about the Projects and to ensure that affected individuals were notified prior to their personal information being collected.
- Lastly, we identified no issues with respect to the handling of personal information after collection, with the exception that it does not currently have sufficient measures in place to monitor internal access to the information at issue, which poses security risks.
Recommendations
- To mitigate the above concerns, we presented the following recommendations to Statistics Canada:
- Recommendation number 1: Statistics Canada not continue to proceed with the Credit Information Project as originally designed. We also strongly encourage Statistics Canada to dispose, in due course, of the personal information already collected that would not have been collected via the redesigned project.
- Recommendation number 2: Statistics Canada not proceed with the Financial Transactions Project as currently designed.
- Recommendation number 3: Statistics Canada work with the OPC to redesign the Credit Information Project so as to respect the principles of necessity and proportionality before proceeding further with the Project.
- Recommendation number 4: Statistics Canada work with the OPC to complete the design of the Financial Transactions Project so as to respect its lawful authority and the principles of necessity and proportionality before implementing the Project.
- Recommendation number 5: In order to maintain public trust, we recommend that Statistics Canada increase transparency regarding prospective collections of personal information from administrative sources.
- Recommendation number 6: In light of the issue we found, we recommend that Statistics Canada implement measures to address risks posed by internal threat vulnerabilities.
- In response to our findings, Statistics Canada agreed to implement all of the above recommendations. As has been described throughout the report, Statistics Canada has already made improvements with regard to transparency and information handling and has committed to redesigning both Projects in light of our recommendations. Further, it has committed to work with our Office going forward on the Projects’ redesign.
Post-script: A Call for Legislative Reform
- In our view, this investigation underscores the need for legislative reform to both the Statistics Act and the Privacy Act. The Projects that we reviewed are likely to be the first of many that Statistics Canada will seek to pursue under its modernization initiative and it seems likely that there will continue to be calls and pressure for access to the increasing amounts of personal information held by private sector entities for public interest purposes.
- Such reform must, in our view, carefully balance important interests. On the one hand, Statistics Canada and policy makers have a legitimate need to lawfully access data and to generate timely and up-to-date statistics to inform sound decision-making. On the other hand, individual Canadians are rightly concerned that there must be appropriate limits on the amount and type of personal information that Statistics Canada can access about them from banks, credit bureaus, telecommunications companies, social media companies, mobile app developers and a myriad of other private sector companies without their knowledge or consent.
- In our view, Statistics Canada’s current legislative framework, as it relates to its authority to collect personal information indirectly from private sector companies is outdated, allows for overly broad collection, and is unsuited for today’s world of big data analytics, where privacy concerns have taken on a new and ever-present dimension.
- The current wording of section 13 of the Statistics Act largely dates back to 1918 and predates an era where organizations collect and store large amounts of personal information electronically. While the Statistics Act was recently amended in 2017, these amendments do not appear to have contemplated the legal framework that should apply to novel “big data” administrative data programs that the Projects we examined in this investigation represent. In our view, if Statistics Canada is going to access personal information on a large scale from private sector companies, its lawful authority for doing so should be clear and grounded on a modern understanding of technology and its impact on privacy.
- Moreover, Parliament should consider what the appropriate limits on Statistics Canada’s authority should be when accessing, using and disclosing such information. As it stands, there is no express requirement in the Statistics Act for Statistics Canada to demonstrate the necessity and proportionality of an administrative data collection involving personal information. There are also no specific legal requirements in the context of administrative data programs regarding data minimization, transparency, retention or regulating when Statistics Canada can use the information to make linkages for other studies. In our view, the proposition that “because Statistics Canada is subject to confidentiality requirements, no further safeguards are required” does not adequately take into account the privacy interests at stake when Statistics Canada seeks to access vast quantities of personal information of Canadians without their consent and to potentially retain it indefinitely.
- The deficiencies in the Statistics Act would not be as troubling if the Privacy Act were not so out of date. However, as our Office and ETHI[Footnote 55] have noted on several occasions previously, the Privacy Act is also in need of reform. In particular, section 4 of the Privacy Act does not expressly refer to a necessity requirement for the collection of personal information and it has been interpreted by the Federal Court of Appeal as not containing one.[Footnote 56] Although we are encouraged that Statistics Canada has agreed to implement principles of necessity and proportionality into its administrative data programs, they are not, at present, legally required to.
- We therefore call on Parliament to examine this issue. Statistics Canada should have a clear legal framework for its administrative data programs, with appropriate safeguards, if it is to continue to seek access to sensitive personal information in the hands of private sector actors and to retain it for undefined future linkages. It is time to give serious thought to the legal framework governing Statistics Canada’s administrative data programs involving personal information so that the public benefits of big data can be realized while at the same time respecting Canadians’ right to privacy.