What is privacy?

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

8^th Annual Strategic Information Management Program (SIMP)

October 3, 2002
Ottawa, Ontario

Julien Delisle
Executive Director

(Check Against Delivery)

---

The world of privacy is intricate, the issue is complex, so what I hope to achieve today is to define privacy for you, to explain why privacy is different from confidentiality and security, and to give you a brief overview of the new Personal Information and Electronic Documents Act and a brief summary of the Privacy Act.

So what is privacy?

Privacy is not easily defined, though most people have a sense of what it means.

The best-known definition dates back over a century, to the American jurists Samuel Warren and Louis Brandeis. They defined privacy as "the right to be let alone", a definition that, if nothing else, is easily understood, but is inadequate to deal with the modern complexity of privacy and the threats to it.

Privacy is, of course, about being let alone: about being free from interference and surveillance.

But modern threats to privacy are more subtle. They are about compiling and manipulating personal information about us, and using that information for purposes we haven't consented to, or that we're not entirely aware of or don't understand.

The Privacy Commissioner of Canada, George Radwanski, defines privacy as the right to control access to one's person and information about oneself. That definition, I think, is better suited to the challenges facing us in today's world.

Whatever they mean by it, people recognize that there is something fundamentally important about privacy. George Orwell's 1984 has become a cultural beacon because of its depiction of a world without privacy. People react viscerally to that: they sense that there can be no real freedom without privacy, that privacy is the right from which all freedoms flow --freedom of speech, freedom of conscience, freedom of association, freedom of choice.

Privacy is frequently cited in national constitutions as an inviolable right. It underlies the Canadian Charter of Rights and Freedoms' prohibition of unreasonable search and seizure. Interpreting that prohibition, Mr. Justice La Forest, a former Justice of Canada's Supreme Court defined privacy as "being at the heart of liberty in a modern state".

To say that it is fundamental, of course, does not mean that it is absolute. Privacy exists in a balance with other rights and obligations.

But I want to emphasize that it's not a question of balancing the privacy of the individual against the interests of society.

Privacy is not only an individual right; it's also a social, public good. Our society as a whole has a stake in its preservation. We cannot remain a free, open, and democratic society unless the right to privacy is respected.

In other words, the interests of society include the privacy of individuals. And when that is lost, society also loses.

Now let me clarify how privacy differs from security and confidentiality because unfortunately the terms are often used inter-changeably. They are in fact three separate and distinct issues.

Privacy is our fundamental right to control the collection, use and disclosure of information about ourselves.

Confidentiality is the obligation of a custodian to protect personal information in its care, to maintain the secrecy of the information and not misuse or wrongfully disclose it.

Security is the process of assessing threats and risks to information, and taking steps to protect it.

So the distinctions are dramatic: privacy a fundamental right; confidentiality, an obligation to protect information; and, security, the process of protection.

But it's privacy that drives the duty of confidentiality and the responsibility for security. It is privacy that has to be addressed before we can deal with the ensuing notions of confidentiality and security. And if it is not respected, ensuring confidentiality and security is not enough. If information about someone is collected, used, or disclosed without their knowledge or consent, ensuring the confidentiality and security of their information doesn't mean that their privacy has been respected.

A good example to illustrate the differences among privacy, confidentiality and security is a recent Canadian example known as the HRDC long file case. Our department of Human Resources Development, Canada's largest ministry, or HRDC, operates a Strategic Policy Branch. This Branch had developed a Longitudinal Labour Force File for research evaluation, policy and program analysis to support departmental programs. It contained records on 33.7 million individuals drawn from widely separate internal and external files, such as welfare and income tax records. Each citizen profile could contain as many as 2000 data elements. The LLFF was relatively invisible to the public and there were important gaps in the legal framework to protect the information.

When the existence of the database was made public, more than 70,000 Canadians demanded to obtain access to their personal information contained in the database. As a result of the public outcry, the database was dismantled.

While HRDC had in place strict protocols for access to the database - access was strictly limited to only very few public servants and researchers - and while security was not an issue - no information was ever improperly disclosed from the database; Canadians were, nonetheless, concerned that their privacy had been violated. They were concerned about the vast collection of personal information without a specific defined purpose. They were concerned that information had never been purged from the database. They were concerned that the state had unduly pried into their private lives.

Much is said these days about the strategic issues surrounding the advances in information technology and what it means for businesses. At the same time, IT solutions, with their ease of handling masses of information, can import tremendous privacy risks if they do not build privacy protection into their design. Technology itself may be neutral. But, without rules of the road to govern the handling of personal information, it becomes anything but neutral.

Unregulated technology becomes a threat to privacy because it exponentially increases our capacity to collect, use and disclose quantities of personal information. It allows us to move it instantaneously across great distances. Technology has eliminated the protection of personal information that was the inherent byproduct of inefficient manual filing systems. Individuals need additional protection for their privacy now that manual filing systems no longer serve as de facto gatekeepers of privacy.

The well-founded fear that technology would be used to suppress this fundamental right of privacy was one of the key forces behind the development of the Personal Information Protection and Electronic Documents Act. The main privacy provisions of the Act came into force on January 1, 2001.

I would like to give you a brief overview of this legislation: the timeframe for implementation, details on compliance and the complaint process.

The implementation schedule is as follows:

As of January 1, 2001 the law applies to federal works, undertakings or businesses, such as banks, telecommunications companies, airlines, railways and interprovincial trucking companies and to the employee records in those organizations. It also applies to personal information disclosed across borders for consideration.

As of this past January 1, the law also applies to personal health information collected, used or disclosed by organizations described under phase one of the law.

On January 1, 2004 the law will apply to the collection, use and disclosure of personal information by any organization in the course of commercial activity within a province and all personal information in all interprovincial and international transactions by all organizations subject to the Act in the course of commercial activities.

The Personal Information Protection and Electronic Documents Act enacts what is known in the privacy business as a code of fair information principles. These fair information principles consist of rules to regulate the collection, use and disclosure of personal information, and to provide individuals with access to personal information held by others.

Personal information is any information about an identifiable individual. Organizations include associations, partnerships, persons and trade unions. Bricks-and-mortar and e-commerce businesses are both covered by the Act. The term commercial activity includes the selling, bartering or leasing of donor, membership or other fund-raising lists.

The act does not cover all collections of personal information. For example, it does not include personal data gathered strictly for personal purposes (such as your personal greeting card list), or for journalistic, artistic or literary purposes, or for a non-commercial activity.

The heart of the law is the Canadian Standards Association's Model Code, which is embodied in the Schedule to the act. The code is a consensus developed by a partnership of business and government. It was designed to provide organizations with the personal information they need for legitimate purposes while protecting individuals' rights and interests. The code rests on 10 principles that normally define an organization's responsibilities.

These principles are:

1. Accountability

   An organization is responsible for personal information under its control and shall designate individuals who are accountable for the organization's compliance with the following principles.

2. Identifying Purposes

   The organization must identify the purposes for which it collects personal information at or before the time of collection.

3. Consent

   The individual must know of and consent to the collection, use or disclosure of personal information, except where inappropriate.

4. Limiting Collection

   The organization must limit its collection of personal information to that which is necessary for the identified purposes. And it must collect the information by fair and lawful means.

5. Limiting Use, Disclosure and Retention

   Organizations must not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. And they must keep the personal information only as long as required to fulfil those purposes.

6. Accuracy

   Personal information must be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

7. Safeguards

   Organizations must protect personal information by security safeguards appropriate to the sensitivity of the information.

8. Openness

   An organization must make readily available to individuals specific information about its policies and practices on managing personal information.

9. Individual Access

   Upon request, an individual must be informed of the existence, uses and disclosures of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance

    An individual shall be able to challenge an organization's compliance with the principles to the individual designated accountable for the organization's compliance.

Of course, complying with these principles means an organization needs to do some homework. It must review and analyze how it conducts its business to determine:

• What personal information it collects;
• Why it is collected;
• How it is collected;
• What is done with it;
• Where it is kept;
• When it is used or disposed of, and
• To whom it is given.

Many organizations may be surprised to learn that they really don't know what personal information they collect, how they use it, or what quality controls and security safeguards, if any, they have in place. One lesson learned in the early days of the federal Privacy Act was that some government organizations were collecting excessive amounts of personal information for no valid reason, and at unnecessary cost. Laws like this aim to eliminate the practice of getting it all, getting it now, and thinking of a use for it later. That is what data profiles are made from and it is the opposite of good privacy practice.

In essence, the act requires organizations to establish an open and transparent relationship with their clients. That can only be good for business. Exceptions to that general rule should be limited and specific.

Now what happens when things go wrong, as they inevitably will? Anyone who is unhappy about an organization's information handling practices, or is dissatisfied with the results of an access request, may complain to the organization's designated officer. This should be someone senior enough to have the organization's confidence and who also has sufficient clout to make changes when necessary.

This first step is an important part of the scheme because it puts the onus for dealing with dissatisfied clients where it should be - on the organization. Resolving these disputes is a great learning experience. It can require staff to think through procedures they never questioned, and frequently to change them when they don't meet the test.

The next step in our system, if the applicant is still not satisfied, is to complain to the Privacy Commissioner. The Commissioner must investigate any complaints. However, he can decide not to issue a formal report if he concludes that the complainant should first use other remedies or another law, or if the circumstances are simply too old to investigate, or the complaint is trivial, vexatious or made in bad faith. The Commissioner may also initiate his own complaint if the evidence warrants.

The Commissioner has broad powers to investigate, including summoning witnesses, compelling evidence and entering premises. In practice, he has seldom needed to be so heavy handed. The most critical aspect of the Commissioner's role is that he is an ombudsman. And like all ombudsmen, his focus is on ferreting out the facts and achieving resolution of the problem - reaching reasonable solutions by reasonable people. The office is non-confrontational and non-adversarial.

Once the Commissioner issues the formal report, the complainant has the right to seek a Federal Court review. The Commissioner cannot order organizations to comply with the law. He simply attempts mediation and conciliation.

If the court agrees, it conducts a de novo review, meaning that it examines the legality of the organization's actions, not the Commissioner's investigation. If the court concludes that an organization has breached the law, it can order the offender to change its practices and publish notices about the changes. The court can also award damages, including damages for humiliation.

The Privacy Commissioner's authority is actually derived from his appointment as Commissioner under the Privacy Act. That Act was proclaimed in 1983. As a result, the Office of the Privacy Commissioner was created.

The Privacy Commissioner is appointed by the Governor-in-Council (the Cabinet of Ministers) after his appointment has been approved by a vote in both houses of Parliament - the Commons and the Senate.

The Privacy Act was enacted as part of Canada's commitment to support the OECD's guidelines regarding data protection.

The fundamental principles of the Privacy Act are the same as those I've already described for the PIPED Act - informed consent, purpose specificity, access and correction rights, among others.

The principal differences between the Acts are that the Privacy Act does not rely on the CSA Code. The Privacy Act does not allow for public education and research.

The exemptions to the right of access are different to allow for such matters as law enforcement, national security and cabinet confidences.

The Commissioner's authority under the Privacy Act, while the same with regard to his investigative powers, differs with regard to his ability to audit. Under section 37 of the Privacy Act the Commissioner has free reign to conduct his inquiries. Under section 18 of the PIPED Act, the Commissioner can only conduct an audit if he has reasonable grounds for believing an organization is contravening a provision of the Act.

With regard to references to the Federal Court the Privacy Act allows the Commissioner only to proceed if there has been a denial of access to information.

In order for government, companies and organizations to be in compliance with both the Privacy Act and the PIPED Act, they need to build privacy in at the outset of their business plan. One way to do that is by using a Privacy Impact Assessment. This allows for the examination of any system or initiative organizations are considering to develop with a view to forecasting its impacts on privacy, assessing its compliance with legislation and principles, and determining what's required to fix any problems there may be.

Privacy Impact Assessments allow organizations to forecast impacts of a proposal on privacy, assess its compliance with privacy legislation and principles, and determine what's required to overcome the negative impacts. It helps avoid the costs, adverse publicity, and loss of credibility and public confidence that could result from a proposal that hurts privacy.

Mr. Radwanski, our Privacy Commissioner, is a strong advocate of Privacy Impact Assessments (PIAs). Since he took office in September of 2000, he has encouraged the Government of Canada to implement a PIA policy. I am happy to report that the Honourable Lucienne Robillard, the President of our Treasury Board announced last April 24 that the Government of Canada was implementing a comprehensive PIA policy that will apply to all federal government departments and agencies. This, in fact, makes Canada a world leader with regard to PIAs.

To Conclude:

The PIPED Act does introduce a new way of doing business in Canada. However, this is not a radically new way of doing business compared with other Western countries. Far from it. The Act simply brings Canada up to speed with much of the rest of the Western world, which long ago recognized the importance of establishing fair information practices in both the public and private sectors.

There will be hiccups in the early stages of applying the PIPED Act. It is not the intention of the Office of the Privacy Commissioner of Canada to barge in and demand immediate and perfect compliance with the Act. That would present an impossible demand on the private sector and it would color the Act as an instrument of oppression, rather than a vehicle to encourage respect for a fundamental human right.

As long as we have the technology, we will face the temptation to intrude. But is that what we really want to stand as one of the defining characteristics of our society, a society where the fundamental human right of privacy is at the mercy of overly-inquisitive minds and intrusive technologies such as video surveillance? I hope that you agree that this is not what we want. We want instead to ensure that organizations have access to personal information that they legitimately need to carry on their activities. At the same time, surrendering one's privacy must not become the necessary price for living in a modern democratic society. Rules of fair information practices, are, at their core, about respect for each other.