Office of the Privacy Commissioner Compliance Monitoring of Statistics Canada’s Financial Transactions Project and Credit Agency Data Project: Final Report

May 3, 2021


Complaint under the Privacy Act (the “Act”)

Description

Our Office investigated complaints relating to Statistics Canada’s collection of detailed credit and financial information as part of the Credit Information Project and the Financial Transactions Project in 2018-19. While our Office concluded that there were no contraventions of the Privacy Act, we also identified significant privacy concerns. Statistics Canada committed to work with our Office going forward on the Projects’ redesign and this follow-up report assesses whether the redesigned projects meet our recommendations regarding necessity and proportionality.

Takeaways

  • When considering privacy-sensitive initiatives, government institutions should consider whether the collection and use of personal information is necessary to achieve a pressing and substantial public goal and whether the impact on privacy is proportionate to the importance of the public goal.
  • Government institutions should describe the public goal with a level of specificity and precision that will allow it to be meaningfully assessed against the privacy impacts of an initiative.
  • Statistics Canada has made efforts to incorporate the principles of necessity and proportionality into its work, including the redesign of the projects we investigated. However, after assessing the proposal for the redesigned projects, we believe that more work needs to be done.

Compliance Monitoring Report

Purpose

  1. The purpose of this report is to provide Statistics Canada (“StatCan”) with our assessment of the Financial Transactions Project and the Credit Agency Data Project (the “projects”) as per the Terms of Reference (the “TOR”) for the Office of the Privacy Commissioner (the “OPC”) and Statistics Canada Compliance Monitoring of Administrative Data Collections.

Summary

  1. StatCan has made progress toward incorporating the principles of necessity and proportionality into the redesign of the projects. In particular, it now proposes to advance the projects in three iterative phases; the first will test for feasibility (the “feasibility phase”), which, as advised by StatCan, will inform and further shape the final projects. Furthermore, StatCan chose to limit collection through the reduction of personal information that is to be gathered in the respective feasibility phases of the projects. For example:
    • For the Financial Transactions Project;
      • The number of affected households has been reduced from 500,000 to 5,000 [Footnote 1];
      • The number of variables has been limited to 16 [Footnote 2], cut in half from 32;
    • For the Credit Agency Data Project;
      • The number of variables has been reduced from 600 to 46.
  2. The progress made by StatCan extends beyond the redesign of the projects. During our engagement we observed the implementation of a number of privacy-enhancing measures including:
    • The establishment of a data ethics secretariat mandated to conduct ethical reviews and raise awareness of data ethics within the organization;
    • The creation of an external ethics body – the Advisory Council on Ethics and Modernization of Microdata Access (the “Council”) – whose mandate includes making recommendations in the areas of data privacy, data security and data ethics; [Footnote 3]
    • The initiation of research into the assessment of data sensitivity and the development of a sensitivity scale with a view to guide program managers to take sensitivity into account in their efforts to gather data for statistical programs;
    • The creation of an online “Trust Centre” on StatCan’s website designed to inform Canadians about privacy, necessity and proportionality, data collected by surveys and administrative data, and modernization projects.
  3. Despite this progress, we found that the project plans and subsequent explanations left the criteria [Footnote 4] we established for assessing the projects unfulfilled in a number of areas such as: [Footnote 5]
    • The public goals are not described with a level of specificity and precision that is commensurate with the privacy impacts;
    • The effectiveness of the projects has not been demonstrated;
    • Privacy impacts have not been given sufficient consideration.
  4. We observed that some of the missing elements appear to be related to the iterative approach taken. For example, as StatCan explained, the initial phase of each project is designed to test for feasibility. Consequently, we are unable to assess whether privacy matters will be effectively addressed in the final iterations of the projects. Although we do not take issue with the adoption of an iterative approach, it entails that answers to some of our questions will only come in later phases.
  5. In other instances, we believe that some missing elements can be addressed by aligning the project plans more closely with the assessment criteria we provided. For example, in our assessment criteria we provide guidance for describing public goals in the context of assessing necessity and proportionality. Specifically, we distinguish between the ends being pursued (the public goal) and the means chosen to pursue these ends. We found that StatCan focussed on its chosen means (direct collection from financial institutions and credit bureaus) without describing the ends with sufficient precision.
  6. In order to assess whether the privacy impacts that flow from the projects are necessary to achieve pressing and substantial public goals, the goals must be adequately described and it must be demonstrated that the means chosen are likely to be effective in achieving these goals. Furthermore, in order to assess whether the privacy impacts are proportional to the goals being pursued, the privacy impacts must be considered in context, taking into account the totality of the circumstances. [Footnote 6] In light of this and the elements missing from the project plans, we recommend that before proceeding with the respective final phase of implementation for each project, StatCan do the following:
    • Recommendation 1: Describe the public goals with a level of specificity and precision that will allow them to be meaningfully assessed against the privacy impacts.
    • Recommendation 2: Revisit the question of effectiveness once the projects have proceeded to a point where effectiveness can be demonstrated.
    • Recommendation 3: Analyze privacy in context and consider both the risk of harm to individuals and broad-based harms.
    • Recommendation 4: When recommendations 1-3 have been completed resubmit the plans for the OPC’s review.

Background

  1. In the Fall of 2018, the OPC launched an investigation into allegations that StatCan was contravening the Privacy Act by collecting personal information for two administrative data projects:
    • the Credit Agency Data Project;
    • the Financial Transactions Project.
    This investigation was launched following a public outcry of concerns over the projects for their privacy intrusiveness, and a high number of complaints received by our Office.
  2. We found that StatCan had the legal authority to collect the information at issue in the Credit Agency Data Project. With respect to the Financial Transactions Project, we raised serious concerns that the project, as originally designed, would have exceeded StatCan’s legal authority to collect personal information had it gone ahead. As this Project was halted during our investigation, no personal information was collected. Consequently, we did not issue a finding.
  3. Notwithstanding these conclusions, our investigation identified significant privacy concerns with respect to the two Projects as originally designed. Specifically we found that:
    • While the public objectives we inferred for the two Projects could, if validated, reasonably meet the requirement for a pressing and substantial public goal, StatCan did not demonstrate that all the personal information it sought to collect was necessary for its objectives and that, as designed, the Projects were proportionate to the invasion of privacy entailed and that less invasive alternatives were not reasonably available;
    • StatCan also failed to be adequately transparent with respect to the collection of personal information via the Projects; and
    • While StatCan had taken significant steps to isolate and minimize access to data and protect against external threat actors, it could improve its security safeguards to mitigate against internal threat vulnerabilities via monitoring for internal unauthorized access and use.
  4. In response, StatCan agreed to implement the recommendations [Footnote 7] outlined in our Fall 2019 investigation report of findings and to work with our Office to ensure that the Projects were revised to respect the principles of necessity and proportionality. This agreement was formalized in Terms of Reference (“TOR”) signed by both the OPC and StatCan in Spring of 2020.
  5. In June of 2020, the OPC provided StatCan with criteria to be used for the assessment of its redesigned projects. [Footnote 8]
  6. This final report fulfills the OPC’s obligation to provide a report assessing the projects, as outlined in the TOR.
  7. The documents reviewed in preparation of this report are listed in Appendix B.

Mandate and Scope of the Report

  1. The purpose of this report is to provide our assessment of whether StatCan has demonstrated that the Projects, as presented, meet the principles of necessity and proportionality. It does not, however, examine in specific detail StatCan’s actions on our recommendations with respect to safeguards or transparency. That said, the report includes references to updates provided by StatCan as they provide context to the project plans.
  2. In our investigation report, we explained our position that had StatCan proceeded with the financial transaction plan it would have exceeded its legislative authority to collect the personal information at issue. However, we did not have sufficient information to make a determination on this issue. At this stage of the Financial Transactions project, we still do not have sufficient information to assess whether the revised Financial Transactions project falls within StatCan’s lawful authority. StatCan will need to assess this issue in collaboration with financial sector institutions to ensure that it has the legal authority to collect the personal information at issue.
  3. As an agent of Parliament tasked with investigating complaints from individuals, the OPC is not in a position to approve or endorse programs and activities of organizations over which the Office has jurisdiction to investigate. However, we do have a mandate to advise organizations on privacy-related issues to promote compliance with the law and help ensure organizations implement projects and initiatives in a privacy-respectful manner.

What are necessity and proportionality and why do they matter to privacy?

  1. Privacy is a fundamental human right that encompasses the freedom to live and develop free from surveillance. It is also a precondition for exercising other human rights, such as equality rights in an age when machines and algorithms make decisions about us, and democratic rights when technologies can thwart democratic processes. Privacy protection is not just a set of technical rules and regulations, but rather represents a continuing imperative to preserve fundamental human rights and democratic values.
  2. The collection of personal information for the pursuit of important and legitimate public goals can impact the right to privacy. In such instances, we advise organizations to consider whether the proposed measures are necessary, likely to be effective, minimally intrusive and proportional to the public goal.
  3. What is “necessary” depends on context, including the institution’s mandate and objectives. In this regard, we do not interpret necessity as “absolute necessity” (i.e., that no other conceivable means are available, regardless of costs). Among other things, this would be inconsistent with the case law, interpreting minimal impairment as requiring that a measure infringe a right no more than is “reasonably” necessary. [Footnote 9] This said, the concept of necessity requires thought be given to what personal information is required to achieve a legitimate, sufficiently important and specific public goal. Limiting collection to “need to have” (necessary) instead of “nice to have” (potentially useful) is an important and a nationally and internationally recognized privacy-risk mitigation measure, especially in the current data-rich environment.
  4. As to proportionality, the OPC has long held this to be an essential element of privacy protection. We understand proportionality to mean that the more severe the impact on privacy the more important a public goal should be. Furthermore, the measure should be carefully tailored in a way that is rationally connected to the specific purpose to be achieved. We apply a proportionality test when assessing Privacy Impact Assessments (“PIAs”) submitted by government institutions for new or modified programs or activities, especially for particularly intrusive or privacy-invasive initiatives or technologies. During the course of our investigation, we applied this test to the programs at issue to support our findings.
  5. With respect to what necessity and proportionality are assessed against, there may not be a great difference in practice between focusing on a program, activity or service versus a “purpose”. In either case, there will be a public objective being pursued by a government institution against which the necessity and proportionality of the collection will need to be assessed. What matters more, in our view, is that the public objective of the program, activity, service, etc. in question must be defined with sufficient precision so that a necessity and proportionality assessment can take place. As the Supreme Court has noted, if the objective is defined too broadly, it risks inflating the importance of the objective and compromising the analysis. [Footnote 10]
  6. The assessment criteria we provided to StatCan in June of 2020 were developed with the abovementioned principles in mind, and designed to guide StatCan through its own assessment of necessity and proportionality of its redesigned projects.

StatCan’s Necessity and Proportionality Framework

  1. We heard from StatCan that the projects were redesigned according to its Necessity and Proportionality Framework (the “StatCan framework” or the “framework”).
  2. In fall of 2020, we reviewed the framework and found that it did not align with our assessment criteria. Specifically, we identified three general areas where we believe the framework can be further refined:

    Concepts
    • We found that some of the concepts used by StatCan did not reflect the definitions we set out in our assessment criteria, which are based on domestic and international law and widely accepted privacy norms. We recommended that StatCan align the concepts in its Framework to those set out in our criteria.
    Sequencing
    • Although the Framework contains some steps and considerations that are common to our interpretation of necessity and proportionality, we recommended that StatCan refine their sequencing to ensure that the right questions are asked at the right time.
    • In our assessment criteria, we proposed a sequence to the assessment of necessity and proportionality. The sequence reflects Canadian case law, our Office’s approach to the application of this case law, and internationally recognized data protection norms. Specifically, we recommended the following sequence:
      • Define the public goal or objective with sufficient precision.
      • Describe proposed measure/project and the collection of personal information in detail.
      • Assess necessity in context.
      • Assess proportionality in context.
    Context
    • We noted that StatCan’s framework fell short in its consideration of context and recommended that StatCan use our assessment criteria to incorporate the concept of context into its assessment of privacy impacts.
  3. In addition, StatCan explained that it is currently conducting research on how to assess the sensitivity of data and is developing a data sensitivity scale with a view to guiding program managers to take sensitivity into account in their efforts to gather data for statistical programs.
  4. In an effort to increase transparency, StatCan created a Trust Centre on its web site. The aim of the centre is to inform Canadians about the importance of privacy, necessity and proportionality, data collected by surveys and administrative data, accountability, and modernization projects.

Assessment of Projects

  1. In general, the projects appear to be substantially similar to those we investigated. For the Financial Transactions Project, StatCan still intends to collect line-by-line transaction data for a period of one year and link it with other information it holds about individuals in other databases (e.g. demographic, socio-economic). For the Credit Agency Data Project, StatCan still intends to collect credit files from a credit agency for all individuals in Canada with such files and link it with information it holds about the individuals in other databases. In these important respects, the projects remain unchanged.
  2. We highlight two notable differences between the presentation of the original projects and the updated plans. Firstly, StatCan is now proposing to proceed according to an iterative approach, with the first phases devoted to feasibility to assess the effectiveness of the projects from the perspective of outcomes. In our view, this is consistent with prudent step-by-step database development, whereby new learning and inevitable surprises at each step can be folded into the design of the next step.
  3. Secondly, StatCan has reduced the data it collects. For example, for the Financial Transactions Project StatCan will start with a much more modest sample size than it had originally envisioned: 5,000 households which will increase to 130,000 households for the final phase (as opposed to 500,000). StatCan has also reduced the number of variables it intends to collect (16 as opposed to 32).
  4. This said, the project plans do not meet the criteria we provided. For example:
    • The descriptions of the public goals lack specificity and precision;
      • The level of specificity and precision should permit the privacy impacts to be meaningfully weighed against the public goals;
    • The effectiveness of the projects was not demonstrated;
      • This is understandable given the iterative process begins with a feasibility phase that would, presumably, provide answers to questions related to effectiveness;
      • Since effectiveness was not demonstrated, the assessments of less privacy intrusive alternatives lacked a fair comparison – at this stage we do not know if the proposed projects are more effective than alternatives and if so, by how much, nor could privacy considerations be assessed;
    • Privacy impacts were not given sufficient analysis.
      • For example, potential harms flowing from the proposed projects were not addressed.
Public Goals should be defined with more specificity and precision
  1. In our assessment criteria, we asked StatCan to provide a clear and detailed description of the public goal (the ends) to be achieved or furthered by the projects (the means). We explained that the public goal underlying a potentially privacy infringing measure must be evidence-based and defined with specificity and precision. It cannot simply be a description of the means chosen to achieve the objective or a reiteration of the institutional mandate. We found that in both project plans, StatCan focused on the merits of the means it would use but did not describe the public goals (ends) with enough precision or specificity.
  2. For example, with respect to the public goal of the financial transactions project, StatCan submitted that Canadian families, business owners, and policy makers have to make decisions about how best to manage their finances in areas such as education, employment, purchases, and investments. It explained that the financial project would support these decisions by filling existing public source data gaps and providing timely and quality data related to inflation measures, including the Consumer Price Index (the “CPI”). A further illustration can be found in the Financial Transactions Report, where the general claim is made that “understanding household spending makes decision making easier for Canadian businesses” (page 2).
  3. The public goal must be important enough to justify the privacy impact of the means. In the case of the Financial Transactions Project, the means include the collection of line-by-line financial transactions and account balance information of a household for the period of one year and linking this data with other data sets - this entails privacy intrusions that are extremely high in terms of scope and scale. [Footnote 11] Consequently, the goal must be stated in a manner that will allow for a meaningful balancing. We found that for both projects, the goals presented were too vague to balance against privacy impacts.
Effectiveness has not been demonstrated
  1. In our assessment criteria, we asked StatCan to demonstrate that the means it is proposing (the projects) are likely to be effective in meeting the need presented by the public goal. In comparison with the descriptions of the public goals, the descriptions of the proposed means contain more detail. The general message that we heard from StatCan is that its current survey methods present challenges to the ongoing provision of reliable and timely data.
  2. For example, in the Financial Transactions Report, StatCan explains that survey response rates are declining, and certain information is not even reliably collectible through surveys. For certain programs, like the Canada Child Benefit (the “CCB”) and Employment Insurance (“EI”), StatCan has measured their benefits through data from tax records; however, according to StatCan, tax records are updated too infrequently to be fully valuable, particularly for self-employed Canadians working in the gig economy, or for measuring the effects of emergency income programs like the Canada Emergency Response Benefit (the “CERB”). [Footnote 12]
  3. We heard from StatCan that replacing survey data with administrative data addresses the following issues:
    • Data subjects are relieved of the burden of participating in a survey;
    • The issue of decreasing response rates is addressed since a response from the data subject is not required;
    • The data will be more up to date because it can be collected more frequently;
    • The data will be more accurate because it does not rely on the ability of the data subject to recall or track expenditures.
  4. As stated above, StatCan intends to proceed with an iterative approach, whereby the first phase of each project will test for feasibility, i.e., effectiveness. Although we do not take issue with this approach, the result is that we do not yet have the available information needed to assess effectiveness as much remains to be determined.
  5. For example, the Financial Transactions report states that it will collect 16 data fields: 3 personal identifiers (name, address, and age) and 13 financial transaction data fields. This is presented as a reduction from the 32 fields proposed in the original project, however, there is no mention of what the financial transaction data fields contain. It is conceivable that the nature of the “reduced fields” is such that it increases the privacy impact.
  6. A related issue is the benefit of the use of administrative data in comparison to survey data. For these specific projects, will administrative data produce better data, and if so, how does this impact the public goals? Will the collection of administrative data raise unforeseen methodological issues that impact the effectiveness of its use? We understand that the feasibility phase is designed to answer such questions. The point is that such answers, which are required to assess necessity and proportionality, are not available at this stage of the process.
Privacy Impacts not given sufficient analysis
  1. In our criteria, we asked StatCan to assess whether the impact on privacy for each project is proportional to the importance of the public goals identified. We explained that proportionality means that the more severe the impact on privacy, the more important the public goal should be. We found that both reports lack sufficient analysis of privacy impacts.
  2. For example, the section of the Financial Transactions Report devoted to the analysis of proportionality does not attempt to compare the importance of a public goal against privacy impacts. Rather, it highlights that the number of variables being collected have been reduced and makes the claim that the overall collection has a “smaller degree of sensitivity” when compared to the original design. These claims are presented without sufficient detail or support, and raise the question as to how sensitivity was assessed and what are the variables at issue? Although reducing the amount of data collected can reduce the privacy impact, the report does not contain enough detail or analysis to make this determination.
  3. In our investigation of the original projects, we expressed serious concerns about the privacy impact of collecting line-by-line financial transactions for the period of one year. The level of detail provided by such a collection is concerning and can paint an intrusively detailed portrait of an individual’s lifestyle, consumer choices and private interests, including lawful choices individuals would not want the government to know about. The Financial Transactions Report does not acknowledge this level of intrusiveness or the impact it has on the privacy rights of those affected. This is a significant shortcoming.
Context
  1. Although security safeguards are essential to mitigate privacy impacts, they are not sufficient. In order to assess proportionality an organization must analyze the privacy impacts in context. In our assessment of StatCan’s framework we noted a lack of contextual analysis of privacy impacts and recommended that StatCan consider the following factors when assessing the privacy impact of a measure or initiative:
    • The kind of personal information (sensitivity)
    • The breadth and depth of personal information – how much can the information tell us about an individual?
    • The number of individuals whose information will be collected (sample size)
    • The reasonable expectations of individuals – would individuals reasonably expect that this information would be collected, used and disclosed in the manner proposed?
    • Purpose limitations (i.e. limits on uses)
      • Who will have access to the information?
      • How will the information be used?
      • How long will the information be retained?
      • Linkages – will the information be linked with other data sets? If so, which ones, for what purpose, and what would that reveal about an individual?
    • The extent to which the information will be de-identified or aggregated
    • The extent to which freedoms, including the freedom to live independent from surveillance and to participate in modern society, are impacted
    • Public perception and views regarding the privacy impact of the proposed measure
    • What measures will be put in place to mitigate the privacy impact?
  2. Furthermore, in our review of the framework we explained that with respect to sensitivity, there is no “bright line” separation of what is, and is not, sensitive information. Certain categories of information (such as health or financial) will generally be considered sensitive, but even non-sensitive information can become sensitive depending on the circumstances. For example, an individual piece of information considered non-sensitive on its own, could become sensitive depending on what it is capable of revealing when combined with other personal information about the individual. Conversely, in certain circumstances, personal information generally considered sensitive may become less so where other related information is already in the public domain, depending on the purpose for which such information is being made public and the nature of the relationship between the parties involved.
  3. We recognize that StatCan is currently in the process of developing a “sensitivity scale” to assess the level of sensitivity of the personal information it collects in order to assess the privacy impact of its collection and use. However, the project plans do not include a contextual analysis of the sensitivity of the information at issue – rather, they merely acknowledge that the information is sensitive. Furthermore, in addition to sensitivity and sample size, other factors, such as the reasonable expectations of individuals must also be taken into consideration – neither plan considers the reasonable expectations of affected individuals.
  4. In our review of StatCan’s framework, we explained that underlying the contextual analysis of both sensitivity and reasonable expectations is the risk of harm to the individual. The project plans do not include a contextual analysis of privacy impacts in general, let alone harm to the individual. In fact, the word “harm” does not appear in either report.

Safeguards

  1. Compliance with our recommendation regarding safeguards [Footnote 13] fell outside the scope of the TOR. However, safeguards are relevant to our assessment of the projects insofar as both plans rely on security safeguards to mitigate the respective impacts on privacy. In our investigation report, we noted that while StatCan had taken significant steps to isolate and minimize access to data and protect against external threat actors, more is required to address internal threat vulnerabilities via monitoring for internal unauthorized access and use.
  2. In this context, we asked StatCan for an update on its progress in addressing internal threat vulnerabilities. StatCan submitted that it:

    … has implemented measures to address risks posed by internal threat vulnerabilities, in particular risks leading to breaches of sensitive information. As the underlying infrastructure and technologies evolve, such as the Government of Canada’s cloud-first strategy, Statistics Canada will continue to analyze and to seek continuous improvement to address risk posed by internal threat vulnerabilities including emerging technologies to audit, log, and monitor the detection of anomalous behaviors and to support remediation through automated means.

  3. Through our experience investigating breaches of highly sensitive and valuable personal information, we have observed instances where insider threats led to the successful exfiltration of personal information. For example, our recent investigation of Desjardins revealed that the exfiltration of financial information was the result of actions taken by an employee. Internal threat attacks can be more difficult to detect and prevent than attacks caused by external threats, in particular because they can be the work of technically competent employees who know the company’s systems and security weaknesses, where information is located, and how to circumvent the security processes in place. In the case of Desjardins, attention had been directed at external threats but internal threats were not given sufficient consideration.
  4. Insofar as StatCan is relying on its safeguards to mitigate the privacy risks entailed by the projects, and in light of the level of detail that the data at issue can reveal about an individual, we welcome StatCan’s efforts to modernize its approach to monitoring internal threats.

Recommendations and Concluding Remarks

  1. This report fulfills our obligation to provide a report assessing the projects as set out in the TOR. We appreciate StatCan’s demonstrated commitment to incorporating necessity and proportionality as a means to enhance privacy and hope that our engagement has been of utility and assistance to StatCan as it continues to incorporate privacy into its statistical methods.
  2. We understand that both projects raise complex privacy issues. Furthermore, we recognize that many of StatCan’s stakeholders are asking for more timely and granular data to support a wide range of important decisions. However, given our current data-rich environment, and the kind of harms that can result from a failure to attend to privacy impacts, it is essential that fundamental privacy principles, such as those we set out in our assessment criteria, are incorporated at this stage to provide a safe and effective path forward. To this end, we recommend the following:
    • Recommendation 1: Describe the public goals with a level of specificity and precision that will allow them to be meaningfully assessed against the privacy impacts.
    • Recommendation 2: Revisit the question of effectiveness once the projects have proceeded to a point where it can be demonstrated.
    • Recommendation 3: Analyze privacy in context and consider both the risk of harm to individuals and broad-based harms.
    • Recommendation 4: Resubmit the plans for our review before the final implementation of the projects.

Appendix A – Criteria for assessment

Office of the Privacy Commissioner and Statistics Canada

Compliance Monitoring of Administrative Data Collections

The following table sets out the criteria the OPC used to assess the necessity and proportionality of the projects. The criteria have been organized according to the main stages of the assessment process. Guidance for carrying out each stage is provided in the “Description” column.

It should be noted that the assessment of necessity and proportionality presupposes that personal information is involved in a project. [Footnote 14]

Item/Stage Description
1. Public Goal (the ends)

Provide a clear and detailed description of the public goal (the ends) to be achieved or furthered by the project (the means) - that is, the insights produced by the project and for what purposes those insights will be used.

The public goal must be demonstrably pressing and substantial.

A pressing and substantial public goal has been defined as something that is "of sufficient importance to warrant overriding a constitutionally protected right or freedom". [Footnote 15] While this definition was developed by the Supreme Court of Canada in the context of Charter rights, it stands that it must not be “trivial or discordant with the principles integral to a free and democratic society”. [Footnote 16]

The public goal underlying a potentially privacy infringing measure must be evidence-based and defined with some specificity. It is important to define the public goal carefully and with precision. It cannot simply be a description of the means chosen to achieve the objective or a reiteration of the institutional mandate.

Note: In general, cost and/or administrative convenience alone are not enough to qualify a public goal as pressing and substantial.

2. Describe proposed measure/Project (the means)

Describe the proposed project, i.e., the means used to achieve the ends described in stage 1 of the assessment process. Indicate whether it will involve personal information (PI) as defined by the Privacy Act. (If the project does not involve PI then, from a privacy perspective, there is no need to assess necessity and proportionality.)

The project should be described with enough precision, specificity, detail, and clarity, so as to demonstrate the means will achieve the ends described in stage 1.

The description of the project should include scientific evidence to support the method and use of PI for the stated purpose. However, the description should be written in plain language such that a non-specialist can understand, in concrete terms, what means will be used to achieve the specific ends defined in stage 1.

If the project is not adequately described, it will not be possible to assess whether it is necessary to achieve a pressing and substantial public goal or whether it is proportional.

3. Impact on Privacy

Describe how and to what extent the project will impact the right to privacy.

Although privacy is a broad concept, the Supreme Court of Canada (SCC) describes three broad privacy interests – territorial, personal, and informational – that are helpful when assessing the privacy impact of a proposed measure. [Footnote 17]

With respect to informational privacy, the SCC identifies three distinct although overlapping concepts:

  • Privacy as secrecy;
    • The expectation that information will be kept confidential;
    • For example, a patient has a reasonable expectation that their information will be kept in confidence by an attending medical professional;
  • Privacy as control;
    • Information about a person is, in a fundamental way, their own and therefore they ought to have some measure of control over it;
  • Privacy as anonymity;
    • Freedom from identification and surveillance.

Determining whether a person can reasonably expect privacy in a particular situation requires a contextual assessment that takes into account the totality of the circumstances. [Footnote 18]

The Privacy Commissioner defines the right to privacy in the following way:

“Privacy is nothing less than a prerequisite for freedom: the freedom to live and develop independently as a person, away from the watchful eye of a surveillance state or commercial enterprises, while still participating voluntarily and actively in the regular (and increasingly digital) day-to-day activities of a modern society such as socializing, getting informed or simply buying goods.”

Further considerations for assessing privacy impact include:

  • The kind of personal information (sensitivity).
  • The breadth and depth of personal information – how much can the information tell us about an individual?
  • The number of individuals whose information will be collected (sample size).
  • The reasonable expectations of individuals - would individuals reasonably expect that this information would be used in the manner proposed?
  • The extent to which the information will be de-identified or aggregated.
  • The extent to which freedoms, including the freedom to live independent from surveillance and to participate in modern society, are impacted.
  • Limitations on the use of the information.
  • Are there specific laws or regulations that allow you to use the information in this way?
  • Public perception and views regarding privacy impact of the proposed measure.
  • What measures will be put in place to mitigate the privacy impact?
4. Necessity

Provide a detailed explanation of how the project (the means) is rationally connected to a pressing and substantial public goal (the ends), and how the proposed collection or use of personal information will serve to meet these needs.

This requires empirical evidence in support of the initiatives and should preclude the collection of personal information for “just in case” scenarios or the retention of information that might be useful for yet to be determined future purposes.

Consider the need for each element of personal information being collected. Is each piece or category of personal information necessary to achieve the public goal? How would the effectiveness of the project be impacted if less information were to be collected? Only collect personal information if it is directly relevant to your initiative and needed to meet its objectives. Be as specific and detailed as possible here.

To guide the assessment of necessity, consider the following:

  • Is the measure demonstrably necessary to meet a specific need?
    • Is it rationally connected to a public goal that is pressing and substantial?
    • Is there empirical evidence in support of the initiative?
  • Is it likely to be effective in meeting that need?
  • Was it carefully designed to achieve the objective in question?
  • Is there a less privacy-invasive way of achieving the same end?
    • Is there empirical evidence that less privacy-intrusive means will not achieve the objective?
    • Have reasonable and demonstrable steps been taken to ensure that the minimum amount of personal information required to achieve the objective has been collected?
      • This could include the use of aggregate data, direct collection (e.g. surveys), and other methods that mitigate the privacy impacts identified above.
5. Proportionality

Assess whether the impact on privacy is proportional to the importance of the public goal identified.

Proportionality means that the more severe the impact on privacy, the more important the public goal should be.

Appendix B – Documents reviewed in Preparation of this Report

Office of the Privacy Commissioner and Statistics Canada

Compliance Monitoring of Administrative Data Collections

  • One of two MAIN DOCUMENTS: Statistics Canada, Oct. 20, 2020, “Privacy impacts related to Statistics Canada’s pilot project on the acquisition of financial transactions information.” (14 pp); hereafter the “Financial Transactions Report” or the “October 20 Report”;
  • Second of two MAIN DOCUMENTS: Statistics Canada, Director – Macroeconomic Accounts/Investment, Science and Technology Division, October 22, 2020, “Privacy Impacts Related to Statistics Canada’s pilot project on the Acquisition of Credit Agency Data” (17 pp); hereafter the “Credit Agency Data Report” or the “October 22 Report”;
  • April 1, 2020, “Terms of Reference, Office of the Privacy Commissioner and Statistics Canada, Compliance Monitoring of Administrative Data Collections” (3 pp);
  • OPC Initial Response to Statistics Canada’s May 20, 2020 “An Introduction to Statistics Canada’s Necessity and Proportionality Framework” (8 pp);
  • Office of the Privacy Commissioner of Canada, November 2020, “Report on Statistics Canada’s Necessity and Proportionality Framework” (8 pp);
  • Statistics Canada Statistical Programs, undated, “Generic Privacy Impact Assessment” (130 pp);
  • Statistics Canada Statistical Programs, May 16, 2018, “Amendment – Section 3 and Appendix A” (8 pp);
  • Statistics Canada, received January 8, 2021, “Response to Financial Transaction Project Questions, January 2021 (final)”;
  • Statistics Canada, Director - Macroeconomic Accounts/Investment, Science and Technology Division, October 22, 2020, Appendix A to main report, entitled “Outputs from Statistics Canada using TransUnion Credit Data.”;
  • Vanessa Livernois and Adam Mulligan, May 15, 2020, Appendix B to October 22 report, entitled “Potential Sampling Strategies of the TU file.”;
  • Cilanne Boulet et al, undated, Appendix C to October 22 report, entitled “Findings of the Working Group on the Use of Data on Consumer Debts in Social Statistics Programs.”;
  • Data SPIA – Statistics Canada – PIA-988-J;
  • Data Ethics Committee, September 30 2020, “Record of Decisions”;
  • Data Ethics Committee, September 23, 2020, “Collection of Comments for DEC Discussion”.