Building privacy into pension and benefits administration

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Ontario Regional Conference 2002 of the Canadian Pension and Benefits Institute

October 22, 2002
London, Ontario

Julien Delisle
Executive Director

(Check Against Delivery)

---

The world of privacy is intricate, the issue is complex. What I hope to achieve today is to define privacy for you, to explain why privacy is different from confidentiality and security, and to give you a brief overview of the new Personal Information and Electronic Documents Act, or PIPED Act, as we call it, and how it will affect the administration of pension and benefit plans.

Many of you will be familiar with the PIPED Act. Those of you who aren't will be soon enough. Within the next couple of years, either it or a substantially similar provincial law will apply to all commercial activities in Canada. While most of the organizations that you represent may not be directly covered, the organizations on whose behalf you process personal information are or will be. Their obligations to handle personal information in accordance with the Act are as important for you as they are for your clients.

In short, the protection of privacy is increasingly going to be a feature of the business landscape. A heightened awareness and understanding of privacy is going to be required of everyone in business.

So what is privacy?

It's not easily defined, though most people have a sense of what it means.

The best-known definition dates back over a century, to the American jurists Samuel Warren and Louis Brandeis. They defined privacy as "the right to be let alone." That definition is easily understood, but it doesn't quite capture the modern complexity of privacy and the threats to it.

Privacy is, of course, about being let alone: about being free from interference and surveillance.

But modern threats to privacy are subtle. Without interfering with our sense that we're being let alone, organizations can compile and manipulate personal information about us, and use that information for purposes we haven't consented to, or that we're not entirely aware of or don't understand.

That's why the Privacy Commissioner of Canada, George Radwanski, defines privacy as the right to control access to one's person and information about oneself. That definition, I think, is better suited to the challenges facing us in today's world.

Whatever they mean by it, people recognize that there is something fundamentally important about privacy. George Orwell's 1984 has become entrenched in popular culture and vocabulary because of its depiction of a world without privacy. People react viscerally to that: they sense that there can be no real freedom without privacy, that privacy is the right from which all freedoms flow-freedom of speech, freedom of conscience, freedom of association, freedom of choice.

Privacy is frequently entrenched in national constitutions as an inviolable right. It underlies the Canadian Charter of Rights and Freedoms' prohibition of unreasonable search and seizure. Interpreting that prohibition, Mr. Justice La Forest, former Chief Justice of Canada's Supreme Court, described privacy as "being at the heart of liberty in a modern state."

To say that privacy is a fundamental right, of course, does not mean that it is absolute. Privacy exists in a balance with other rights and obligations.

But I want to emphasize that it's not a question of balancing the privacy of the individual against the interests of society.

Privacy is not only an individual right; it's also a social, public good. Our society as a whole has a stake in its preservation. We cannot remain a free, open, and democratic society unless the right to privacy is respected.

In other words, the interests of society include the privacy of individuals. And when that is lost, society also loses.

Now let me clarify how privacy differs from security and confidentiality, because unfortunately the terms are often used inter-changeably. They are in fact three separate and distinct issues.

Privacy is our fundamental right to control the collection, use and disclosure of information about ourselves.

Confidentiality is the obligation of a custodian to protect personal information in its care, to maintain the secrecy of the information and not misuse or wrongfully disclose it.

Security is the process of assessing threats and risks to information, and taking steps to protect it.

So the distinctions are dramatic: privacy a fundamental right; confidentiality, an obligation to protect information; and, security, the process of protection.

It's privacy that drives the duty of confidentiality and the responsibility for security. Privacy has to be addressed before we can deal with confidentiality and security. And if privacy is not respected, ensuring confidentiality and security is not enough. If information about someone is collected, used, or disclosed without their knowledge or consent, their privacy has been violated. Ensuring the confidentiality and security of their information after the fact doesn't change that.

A good example to illustrate the differences between privacy, confidentiality and security is what was known as the HRDC long file case. Canada's largest ministry, the Department of Human Resources Development, or HRDC, developed a Longitudinal Labour Force File for research, evaluation, and analysis to support departmental programs. It contained records on over 30 million individuals drawn from widely separate internal and external files, such as welfare and income tax records. The profile on any given individual could contain as many as 2000 data elements.

This huge database was relatively invisible to the public. When its existence was made public, more than 70,000 Canadians demanded access to their personal information contained in it. As a result of the public outcry, the database was dismantled.

The security and confidentiality of this database were impeccable. HRDC had in place strict protocols for access to the database - access was strictly limited to only a very few public servants and researchers - and no information was ever improperly disclosed from the database.

But Canadians were still concerned that their privacy had been violated. They were concerned about the vast collection of personal information without a specific defined purpose. They were concerned that information had never been purged from the database. They were concerned that the state had unduly pried into their private lives, and that they had been kept in the dark about it.

Information technology has brought tremendous advantages to businesses, and through that, to all of us. At the same time, IT solutions, with their ease of handling masses of information, can pose tremendous privacy risks if privacy protection is not built into their design. Technology itself may be neutral. But, without rules of the road to govern the handling of personal information, it becomes anything but neutral.

Unregulated technology becomes a threat to privacy because it exponentially increases our capacity to collect, use and disclose quantities of personal information. It allows us to move it instantaneously across great distances. Technology has eliminated the protection of personal information that was inherent in manual filing systems. Individuals need additional protection for their privacy now that inefficient manual filing systems no longer serve as de facto gatekeepers of privacy.

The well-founded fear that technology would erode the fundamental right of privacy was one of the key forces behind the development of the Personal Information Protection and Electronic Documents Act, which began coming into force on January 1, 2001.

I would like to give you a brief overview of this legislation now.

The Act is intended to balance individual privacy rights with the needs of businesses to collect, use, and disclose personal information for reasonable and appropriate purposes.

At present, the Act applies to collection, use, or disclosure of personal information in the course of commercial activities by federal works, undertakings, and businesses. Those are primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies. The Act also applies to the personal information of employees in those organizations. That's an important point, obviously, for you here today, since many of you undoubtedly will have federal works, undertakings and businesses among your clients. The Act also applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across provincial or international boundaries.

Beginning in January 2004, the Act will apply right across the board-to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations, except in one special circumstance.

The special circumstance is this: In provinces that have passed privacy legislation that's "substantially similar" to the PIPED Act, the federal government can exempt all or part of the provincially-regulated private sector from the application of the Act, for commercial activities that take place within provincial boundaries. The Act will still apply to federal works, undertakings, and businesses in all provinces. And it will also still apply to personal information when it's collected, used, or disclosed across provincial or international boundaries.

The result will be that any commercial activity in Canada, after January 2004, will be subject to the PIPED Act or to a substantially similar provincial law.

The Act is based on what is known in the privacy business as a code of fair information principles. These fair information principles consist of rules to regulate the collection, use and disclosure of personal information, and to provide individuals with access to personal information held by others.

Personal information is any information about an identifiable individual. Organizations include associations, partnerships, persons and trade unions. Bricks-and-mortar and e-commerce businesses are both covered by the Act. The term commercial activity includes the selling, bartering or leasing of donor, membership or other fund-raising lists.

The Act does not cover all collections of personal information. For example, it does not include personal data gathered strictly for personal purposes (such as your personal greeting card list), or for journalistic, artistic or literary purposes, or for a non-commercial activity.

The heart of the law is the Canadian Standards Association's Model Code, which is embodied in the Schedule to the act. The code is a consensus developed by a partnership of business and government. It was designed to provide organizations with the personal information they need for legitimate purposes while protecting individuals' rights and interests. The code rests on 10 principles that normally define an organization's responsibilities.

These principles are:

Accountability

An organization is responsible for personal information under its control and shall designate individuals who are accountable for the organization's compliance with the following principles.

Identifying Purposes

The organization must identify the purposes for which it collects personal information at or before the time of collection.

Consent

The individual must know of and consent to the collection, use or disclosure of personal information, except where inappropriate.

Limiting Collection

The organization must limit its collection of personal information to that which is necessary for the identified purposes. And it must collect the information by fair and lawful means.

Limiting Use, Disclosure and Retention

Organizations must not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. And they must keep the personal information only as long as required to fulfil those purposes.

Accuracy

Personal information must be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

Safeguards

Organizations must protect personal information by security safeguards appropriate to the sensitivity of the information.

Openness

An organization must make readily available to individuals specific information about its policies and practices on managing personal information.

Individual Access

Upon request, an individual must be informed of the existence, uses and disclosures of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Challenging Compliance

An individual shall be able to challenge an organization's compliance with the principles to the individual designated accountable for the organization's compliance.

Of course, complying with these principles means an organization needs to do some homework. It must review and analyze how it conducts its business to determine:

What personal information it collects;

Why it is collected;

How it is collected;

What is done with it;

Where it is kept;

When it is used or disposed of, and

To whom it is given.

Many organizations may be surprised to learn that they really don't know what personal information they collect, how they use it, or what quality controls and security safeguards, if any, they have in place. One lesson learned in the early days of the federal Privacy Act was that some government organizations were collecting excessive amounts of personal information for no valid reason, and at unnecessary cost. Privacy laws aim to eliminate the practice of getting it all, getting it now, and thinking of a use for it later. That is what data profiles are made from and it is the opposite of good privacy practice.

In essence, the act requires organizations to establish an open and transparent relationship with their clients. That can only be good for business. Exceptions to that general rule should be limited and specific.

I know that a lot of you are interested in the implications of the Act for your dealings with your employees. To begin with, the Act only applies to employment in federal works, undertakings or businesses. The extension of the Act in 2004 to personal information practices in the provincially-regulated private sector will only apply to commercial activities, not to employment.

Having said that, I think every private sector organization should be as scrupulous about collection, use and disclosure of personal information of its employees as it is with clients and customers. If you're subject to provincial regulation, provincial privacy legislation will very likely apply to employment. Quebec's privacy legislation already does, and the draft Ontario legislation covers employment. I think it's very likely that other provinces will follow the same route.

Now, I've mentioned the obligations that the Act imposes on organizations. What happens when things go wrong, as they inevitably do?

Anyone who is unhappy about an organization's information handling practices, or is dissatisfied with the results of an access request, may complain to the organization's designated officer. This should be someone senior enough to have the organization's confidence and who also has sufficient clout to make changes when necessary.

This first step is an important part of the scheme because it puts the onus for dealing with dissatisfied clients where it should be - on the organization. Resolving these disputes is a great learning experience. It can require staff to think through procedures they never questioned, and frequently to change them when they don't meet the test.

The next step in our system, if the applicant is still not satisfied, is to complain to the Privacy Commissioner. The Commissioner must investigate any complaints. However, he can decide not to issue a formal report if he concludes that the complainant should first use other remedies or another law, or if the circumstances are simply too old to investigate, or the complaint is trivial, vexatious or made in bad faith. The Commissioner may also initiate his own complaint if the evidence warrants.

The Commissioner has broad powers to investigate, including summoning witnesses, compelling evidence and entering premises. In practice, he has never needed to be so heavy handed. The most critical aspect of the Commissioner's role is that he is an ombudsman. And like all ombudsmen, his focus is on ferreting out the facts and achieving resolution of the problem - reaching reasonable solutions by reasonable people. The office is non-confrontational and non-adversarial.

Once the Commissioner issues the formal report, the complainant has the right to seek a Federal Court review. The Commissioner cannot order organizations to comply with the law. He simply attempts mediation and conciliation.

If the court agrees, it conducts a de novo review, meaning that it examines the legality of the organization's actions, not the Commissioner's investigation. If the court concludes that an organization has breached the law, it can order the offender to change its practices and publish notices about the changes. The court can also award damages, including damages for humiliation.

In order for companies and organizations to be in compliance with the PIPED Act, they need to build privacy in at the outset of their business plan. One way to do that is by using a Privacy Impact Assessment. This allows for the examination of any system or initiative organizations are considering to develop with a view to forecasting its impacts on privacy, assessing its compliance with legislation and principles, and determining what's required to fix any problems there may be.

Privacy Impact Assessments allow organizations to forecast impacts of a proposal on privacy, assess its compliance with privacy legislation and principles, and determine what's required to overcome the negative impacts. It helps avoid the costs, adverse publicity, and loss of credibility and public confidence that could result from a proposal that hurts privacy.

Mr. Radwanski, our Privacy Commissioner, is a strong advocate of Privacy Impact Assessments (PIAs). Since he took office in September of 2000, he has encouraged the Government of Canada to implement a PIA policy. I am happy to report that the Honourable Lucienne Robillard, the President of our Treasury Board announced last April 24 that the Government of Canada was implementing a comprehensive PIA policy that will apply to all federal government departments and agencies. This, in fact, makes Canada a world leader with regard to PIAs.

To Conclude:

The PIPED Act does introduce a new way of doing business in Canada. However, this is not a radically new way of doing business compared with other Western countries. Far from it. The Act simply brings Canada up to speed with much of the rest of the Western world, which long ago recognized the importance of establishing fair information practices in both the public and private sectors.

There have been and will continue to be hiccups as organizations find their footing and learn to bring their practices into line with the PIPED Act. It is not the intention of the Office of the Privacy Commissioner of Canada to demand immediate and perfect compliance with the Act. The Act is a vehicle to encourage respect for a fundamental human right, not an instrument of oppression.

We want to ensure that organizations have access to personal information that they legitimately need to carry on their activities.

At the same time, surrendering one's privacy must not become the necessary price for living in a modern democratic society. Rules of fair information practices, and laws like the PIPED Act, are at their core about the respect we all have for and owe to each other.