Evidence of meeting #33 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

David Flaherty  Professor Emeritus, The University of Western Ontario, As an Individual

3:35 p.m.

The Chair Liberal Paul Szabo

Good afternoon, colleagues.

Our order of the day is to continue with the Privacy Act reform. Today we have as our witness David Flaherty, professor emeritus from the University of Western Ontario, my alma mater.

Professor Flaherty has provided us with some notes that have been circulated to you. I don't think he's going to read them to us, but he is going to highlight or bring some focus to a couple of these points and maybe have some commentary on other issues or matters to which we should give some consideration as we work through this process.

Welcome, Mr. Flaherty. I appreciate your taking the time to come to share your words of wisdom with us. The floor is yours, sir.

3:35 p.m.

Prof. David Flaherty Professor Emeritus, The University of Western Ontario, As an Individual

Thank you.

I am going to start in French, but I am going to change to English because for more complicated things like the protection of personal privacy, it is easier for me to speak in English.

I also have jet lag. That's an additional good reason.

I feel I am almost twice as old as the Privacy Act. I started working on privacy issues as a young student from Montreal studying at Columbia University in 1964. I lobbied for the Privacy Act in the 1970s in the House of Commons during the Trudeau years and in Joe Clark's government. I've worked with every Privacy Commissioner of Canada since Inger Hansen, who was the first “sort of” commissioner under part IV of the Canadian Human Rights Act. The only one I didn't really work for was the late lamented Monsieur Radwanski. I've known them all.

I've written academic books about the Privacy Act and its origins and its development and how to implement it and things like that. I wrote case studies of data protection and privacy protection in Europe--in Sweden and Denmark and lots of countries--so I have had some comparative insights.

In 1993, through absolute good fortune, I became the first Information and Privacy Commissioner for British Columbia, which was a new position then, and I had the good fortune to move to Victoria. I was on leave from Western for six years, which was attractive, because I had the independence of returning there if I wanted to, but I fell in love with British Columbia and I've worked there since 1999.

I'm primarily a privacy and freedom of information consultant. Most of my consulting work is in the health field; in this area there are some really serious privacy issues with electronic health records and all this stuff. I have national clients. I've worked a fair bit with the federal government. I could give you as an example of a federal department that's doing pretty well at managing privacy risk Health Canada, and I take some credit for that, because as a reward for something I did for the deputy minister around 2001 I was invited to do what I call a privacy review of privacy management at Health Canada. They set up a structure, a policy department of about 35 people who advise Health Canada on privacy issues.

It's fortuitous, at least for me, that last December.... I have been an advisor to the Privacy Commissioner of Canada, Jennifer Stoddart, since she was appointed three or four years ago. I've actually known her for almost twenty years because we're both historians of Canadian law, and I published her work that far back, in the early 1980s.

Anyway, she and her colleagues invited me to do--and I emphasize this--an independent essay on the need for Privacy Act reform. I've written a 45-page essay that she mentioned to you, and that's how I got to talk with you. The essay is pretty much finished. It's fairly academic; it's tough-talking, and I'll try to reflect some of that in what I have to say to you today, but in a way you've surpassed me because you're already into the nitty-gritty of how you can improve the Privacy Act with the little things you can do and the ten quick fixes that she gave you. Mine is a more high-level overview of why this should be done.

An analogy I would use with you for the Privacy Act, which was progressive in its time, is that if you bought a house 25 years ago and did no maintenance or decoration, you'd be living in something of a slum. The Privacy Act is a somewhat slummy piece of privacy legislation. I used the word somewhere that it's risible in terms of what we need.

It reads very well in French: the word “risible” sounds even better in French.

It's really a pathetic piece of legislation. I looked at it again online this morning. It was just hilarious. No wonder my federal clients aren't too bothered by the Privacy Act and its obligations: there ain't much there. There's not much meat in the sandwich. It doesn't meet the national privacy standard.

In 2000 Parliament voted PIPEDA through. I'm sure you're being driven crazy by all this alphabet soup of privacy legislation. That's the very fine piece of private sector law, the Personal Information Protection and Electronic Documents Act, which I helped lobby for in 1999-2000. It incorporates what we call the national privacy standard, which is built around ten principles.

For most of you, all you need to know is that there are ten privacy commandments, these ten privacy principles. There should be openness about what you do with personal information. There should be accountability; somebody should be in charge of the shop. You should state the purposes for which you're collecting personal information. You should limit the use, collection, and disclosure of personal information. You should get consent; I call that the adultery clause in the privacy standard, because it's the critical one. There's absolutely no consent requirement in the federal Privacy Act; it's disgraceful.

Some people say to me that the public service would never go for a consent standard. Well, why not? Why shouldn't they use either express consent, or implied consent, or notice to ask us for our personal information?

Then you're supposed to have reasonable security. There is absolutely no security requirement in the federal Privacy Act. Can you imagine that, in the years of identity theft and data breaches? That doesn't mean there's no security, but there's no standard of reasonable security against which the Privacy Commissioner can test what's actually done.

There is also the right to access your own personal information, to make privacy complaints, and so forth. That's done reasonably in the federal Privacy Act. That's about the only thing that's done well there.

I thought it was wonderful when it was enacted in 1979, 1980, 1981, and 1982. I helped push for it. But it no longer cuts the mustard, to put it quite simply. In particular, the Privacy Act doesn't begin to meet the kinds of privacy rights, constitutional rights to privacy, and statutory rights to privacy that we have under the Charter of Rights and Freedoms. It fundamentally fails to protect the privacy interests of Canadians in their relationship with the federal government.

I can tell you the story, if you wish, of the Ontario government changing the adoption law to allow individuals to have access to information about adoptees or those who were adopted, against the wishes of these individuals. Ann Cavoukian, the Ontario Information and Privacy Commissioner, fought this thing all through the legislature, etc., and she lost. But then a group of litigants led by Clayton Ruby as their lawyer went to the Supreme Court of Ontario. I was the privacy expert on a pro bono basis, and we overturned those parts of the statute, based on our articulation of privacy rights under the charter.

I would tell Canadians that over time they're going to bring constitutional challenges regarding the inadequacy of privacy protection and data protection at the federal level. And I would think that would be a good thing.

The work I did for the Privacy Commissioner's office is independent work. They're not telling me what to say. You'll be happy to know that almost everything the Privacy Commissioner of Canada and her associates have said to you makes perfect sense to me. A lot of the essay I've written seems to say “yes, sir, yes, sir, three bags full” regarding the need for educational power and various kinds of things in the ten quick fixes that Madame Stoddart has given to you. I'm completely onside with her and her colleagues. I assure you I'm very independent. There are some of them behind me, but I'm not Pinocchio, and they're not telling me what to say. They may take notes if I say something that doesn't meet the party line, but that's fine. I'm here to tell you what I think and what should be done.

The thing I'm promoting, which I think is regarded as somewhat radical but which I like very much, is the idea of giving order-making power, regulatory power to the Privacy Commissioner of Canada. I regret to tell you that it's much too easy to ignore the Privacy Commissioner of Canada. It's a talk-shop at one level. All she can do is tell you to do good or don't good, but you don't have to listen to her. I teased her yesterday. I called her a toothless tiger in some remarks I'd written. But I've changed that to a toothless watchdog, because I regard the Privacy Commissioner as the watchdog for our privacy interests, who articulates the privacy interests that are at stake in issue after issue and then helps the public bodies, helps the government institutions—and there are 250 of them subject to the Privacy Act—learn how to comply with these rules and regulations.

No doubt in the 1980s I agreed with John Grace and then with Bruce Phillips that the ombudsman role was satisfactory in just giving advice and so forth. She's not being listened to. The way you get listened to is to have the power to say “stop doing that”.

There was a case two years ago at the Ottawa Hospital where a poor unfortunate patient went in for open-heart surgery. When she got in there, she told them that her ex-husband and his new partner worked there. She and her ex-husband were involved in a custody dispute, and she wanted her information to be kept highly confidential. That couple, or at least the female part of it, started accessing her records right away. Eventually the ex-husband told his ex-wife that he had seen her records, knew that she was in for heart surgery, and all this stuff.

Ann Cavoukian, the Information and Privacy Commissioner of Ontario, has order-making power under both the Freedom of Information and Protection of Privacy Act in Ontario and the Personal Health Information Protection Act, PHIPA, which regulates all health information in the public and private sectors in Ontario. She issued an actual order--the situation was that bad--at the Ottawa Hospital: do this, do that, don't do something else. While this order-making power might not have to be used very often, it's a weapon or tool that can be used to bring the public service to the table to find pragmatic solutions to the issues taking place.

I will add, just while I'm thinking about it, that the public service, I regret to say, has not learned to live with the Privacy Commissioner of Canada. The last person they want to tell about their schemes and plans is the Privacy Commissioner. They wait until everything is almost finished and ready to go, a bill in Parliament for whatever it is that could be invasive of the privacy of Canadians, then they tell her about it--almost when it's too late, a fait accompli. There needs to be consultation up front with the Privacy Commissioner of Canada. There's a sorry track record of not doing that; they're not frightened of her.

I'm also arguing, in my presentation, for putting into the Privacy Act a framework for what we call “privacy risk management”. As I go from client to client on a daily and weekly basis, the way I get the attention of boards of directors, CEOs, senior executives, or in this case members of Parliament is to talk about privacy risk management. All of you know what risk management is all about, from your business backgrounds, your work in government, or whatever it is. This is privacy risk management.

We have developed some tools in the last 10 or 15 years that should be put into the Privacy Act so that every federal institution that's privacy-intensive--that is, that collects, uses, and discloses a lot of personal information--should have in place what we call “chief privacy officers”. The Bank of Montreal has a chief privacy officer, as does Aeroplan, Bell Canada, Intel, Microsoft, Oracle, Sun Microsystems, and Maximus Inc. All these companies have chief privacy officers. Why? They're a centre of privacy expertise. They're a focal point. If you put them high enough up, at the director level at least, then people will pay attention to them. They'll know to go to the privacy officer and their staff to get advice on this cross-cutting issue across the government.

The second thing they should be doing is privacy impact assessments. I helped invent, with some New Zealanders and fellow Canadians, the whole idea of privacy impact assessments. I do them regularly. They are very arcane, almost academic kinds of activities. I write them according to my own format. I'm going to send Nancy home with some background material--some of it she's seen before--on how I do these sorts of things.

The privacy impact assessments are terrific things to apply to a sensitive new database or sensitive application. They are being done under Treasury Board guidelines, but they're guidelines only. I would like to see a statutory requirement to do privacy impact assessments that are actually good ones, not lousy ones that skim over everything, and show them to and get them vetted by the Privacy Commissioner's Office, and then post them on the website so that you can actually see them. For a couple of the airline passenger information systems, I think there's a PIA on this website.

In terms of privacy training, there are more than 200,000 public servants, most of whom have not had privacy training in a long time. They don't understand the ten privacy principles and wouldn't know a privacy issue if it hit them in the head. Some do, of course, but that kind of knowledge is transitory. The name of the game today is a 20-minute quiz, 30-minute test, taken once a year, with certification to your HR record that you've actually had privacy training. As I said to you before, you'll recognize that one of the basic privacy principles is involved.

There's been a lot of talk in the last few days, after the Auditor General's report, about data-sharing agreements and the lack of data-sharing agreements with the provinces for public health surveillance. That's just ridiculous. Why are they not doing them? They're a pain in the ass: you have to negotiate with the provinces, the provinces want to put the rules into the documents, and then you have to follow the rules. And guess what? The privacy commissioners from the provinces and territories might come and audit what you're doing--which they damn well should be doing.

I forgot to mention earlier that my argument for order-making power is largely derived from the fact that in Quebec, Ontario, British Columbia, and Alberta, which have pretty decent pieces of privacy legislation, the commissioner had order-making power. I used to get the attention of the British Columbia government, the NDP government of Glen Clark and others, in the 1990s. You can imagine what fun it was to be a privacy commissioner then. Life was pretty good because of the privacy impact assessments and the fact that I could get their attention because I could order them to do something.

I also want to leave with you this idea: the Privacy Act and PIPEDA were the products of political leadership and leadership in the public service. It was Perrin Beatty who brought the first Privacy Act, in a private member's bill in 1980, before the House of Commons. Then Francis Fox, from another party, with the Trudeau government coming in, put through the Access to Information Act and the Privacy Act. That was political leadership. In the 1990s we needed to regulate the private sector, and it was Allan Rock, justice minister, and John Manley, industry minister, who stepped up to the plate and said yes, we should be doing this.

If there's anything you can do.... In my opinion, the heavy lifting here has to be done by the Department of Justice.

I forgot to tell you that twenty years ago they had this report--Open and Shut, for 1984 to 1987--on how lousy the Privacy Act was and how it needed to be improved. Guess who was the expert on privacy for three years? Me. What did we get out of it under the Mulroney government? Nothing. Nothing was done. Some policy changes were done.

All the recommendations we made twenty years ago are still relevant, but what has happened in between? The Internet, the World Wide Web, ubiquitous computing--imagine trying to use the old Privacy Act to control that kind of stuff.

The political leadership also came from people I call “policy entrepreneurs”. In the 1970s there were three or four senior public servants--Barry Strayer, now in the Federal Court; Gill Wallace, subsequently Deputy Attorney General of British Columbia; and I've forgotten the other names--who recognized that it was part of an international movement to have sound privacy management in the federal government. That then was replicated in Ontario and Quebec. Quebec was actually the first, even before the federal government, in 1981, as I recall. I gather you're having Paul-André Comeau, one of my former colleagues as Privacy Commissioner, to talk to you before too long. He knows the Quebec scene much better than I do.

I think you also as politicians--this is my final point, at least in this beginning presentation--have to ask why doesn't the federal government, why doesn't the bureaucracy, why don't deputy ministers want a stronger Privacy Act? It would be a pain in the ass. They'd have to do things much more carefully than they're doing them now. Their power would be constrained. They wouldn't be able to have kind of a free-for-all with the personal information of Canadians.

They have a lot on their plate, I will admit. There are a lot of other issues they have to deal with. But the Privacy Act, like the Access to Information Act, is cross-cutting. Everywhere in the federal government there's personal information collected, used, disclosed, retained for all kinds of purposes for very long periods of time in more and more massive databases and with more and more data-sharing across government institutions.

I have no objection to outsourcing. I'd be happy to discuss the outsourcing in B.C. with you. It's in my speaking notes. I have no objection to data-sharing with consent. If I want to file my tax return online, I'm doing it consensually. That's exactly the way it should be. All of our relationships with the federal government should be based, to the fullest extent possible, on consent.

In 1999-2000, when PIPEDA was going through, I was lobbying on behalf of Industry Canada as a paid consultant. The Canadian pharmacy association said that we were going to shut down pharmacies in this country if we put PIPEDA through. Why? Because every time someone came in with a prescription, the pharmacies would have to read people's privacy rights to them. We told them that was crazy; we'd be using implied consent.

When I take a prescription to my druggist and hand it to him, why do you think I'm handing it to him? Is it just so he can have a little read? No; it's to fill my prescription. So I'm giving implied consent, as you do, to use my personal information for the purpose of filling a prescription. But then if he starts calling me up and saying, “I see you have this little medical problem, and I have this hot new product I'm selling on the side”, I'd be quick to complain to the Privacy Commissioner. That's a completely unacceptable use of my personal information. It's not in the statement of purposes for which the personal information is collected.

I hope those introductory remarks, plus the 30 other points I've made in my written stuff, will whet your appetite. I'm a teacher by background, so I'd be particularly happy to help you understand some of this stuff. There's no particular reason, as lay persons, you should have gotten a university degree in Privacy 301.

Thank you.

3:50 p.m.

The Chair Liberal Paul Szabo

Thank you very much, Mr. Flaherty.

We're going to move quickly to questions.

Mr. Dhaliwal, please, seven minutes.

3:50 p.m.

Sukh Dhaliwal Liberal Newton—North Delta, BC

Thank you.

Thank you, Mr. Flaherty, for coming here. I also congratulate you for the lifelong work you have put into the privacy legislation. I'm certain we can benefit from your experience here.

You commented on the bureaucracy when you were talking about privacy legislation. Where is the challenge in improving Canadian privacy? Is it in improving the laws or the policies? Is it in the implementation of these policies? Or is it the bottleneck?

3:50 p.m.

Prof. David Flaherty Professor Emeritus, The University of Western Ontario, As an Individual

When you're doing the privacy risk management strategy, the first thing you have to have is a law.

When they first introduced the freedom of information law in Ontario, my comment to the media around 1983 or 1984 was that I thought any law was better than no law until I saw this law. It was pathetic, so it was never introduced. Ian Scott, as Attorney General, actually took the initiative and went into his own law office, when he became Attorney General, and drafted the bloody thing. It's the model we use now in Alberta and British Columbia. It just shows what leadership can do. So if you don't have a good law, you have a problem.

Schedule 1 to PIPEDA, which is the Canadian Standards Association model privacy code, is where you find the ten privacy commandments. They were a product of the public sector and the private sector in the mid-1990s. Smart characters like me said, “This is a wonderful code. Why don't we give it the force of law?” They give it the force of law in PIPEDA. It was like putting the ten commandments into law in one way or another.

If you don't have a good law, you have a problem, but then you need a privacy policy. Then you need chief privacy officers, a privacy team, meaningful confidentiality agreements, frequently asked questions on websites for the general public, and privacy impact assessments to make the system work.

I'm not sure I've totally answered you. I started a filibuster already, and it's only the first question.

3:50 p.m.

Sukh Dhaliwal Liberal Newton—North Delta, BC

You have done work in B.C., and you have praised the work that the Government of B.C., along with you, has done. Could you explain what the B.C. government has done to modernize its privacy laws?

3:50 p.m.

Prof. David Flaherty Professor Emeritus, The University of Western Ontario, As an Individual

If my successor, David Loukidelis, who appeared before you on PIPEDA last year, were here—and of course he told me what to say when I was here, so I have to remember all the things he told me to say, not particularly on this question—he would be talking about the need for the British Columbia government to appoint a chief privacy officer. I recently advised a major university in British Columbia to appoint a chief privacy officer. I'm working for two crown corporations there at the moment, and they need a chief privacy officer.

The B.C. law is from 1993. It's not too antiquated. It's not adequate for an electronic health record environment, and we still need more resourcing of privacy management by the B.C. government.

They have chief information officers. They should have chief privacy officers to go along with them, and then the two of them would work together, because you have to marry privacy and security. There are all kinds of resources in security, and too often there are not enough on the privacy side.

I wouldn't run around claiming that the B.C. government is doing A+ work on the privacy field. When these new laws are brought in, there's a honeymoon phase, like any other honeymoon, and then resourcing goes down; interest goes down; privacy training goes down; and people like new commissioners have to come in and give the whole system a kick-start, which is more or less, after a lengthy hiatus of 25 years, where you are with this crummy privacy act.

3:55 p.m.

Sukh Dhaliwal Liberal Newton—North Delta, BC

Your study, when we look at it, is also based on other countries like Germany, Sweden, France, and the United States. Could you discuss the privacy innovations in those countries compared to ours here?

3:55 p.m.

Prof. David Flaherty Professor Emeritus, The University of Western Ontario, As an Individual

You don't want to do anything in the way of European data protection. It's so complicated. It's so rule-bound. It's inspired by the European directive. It's very legalistic. It deals primarily with law rather than practice.

My interest is in policy. What happens in practice? In the privacy game, the motto is say what you do, as an organization, and then do what you say. Whether you're running an auto dealership, a drugstore, or Health Canada, say what you do with personal information, and then follow it up with compliance. I've written about these European countries. My knowledge is not as au courant as it was when I was writing books and when I published in 1989 my big book on the five countries. That's where I learned how to do it--by watching what they were doing.

I don't think there's much to be learned from the continental European countries. In my paper I talk a lot about the fact that the ultimate goal here is robust privacy protection and robust security so that we keep ourselves from living in surveillance societies. My book in 1989 was Protecting Privacy in Surveillance Societies. People thought I was writing about the Soviet Union, mainland China, or something like that. In fact, I was writing about Germany, France, Sweden, the United States, and Canada. Most of us believe that the United Kingdom, in particular, is the worst example in the English-speaking world of a surveillance society, where you're being watched all the time. Public health surveillance, cancer cohorts, and that kind of thing--those are examples of good surveillance. Then there's bad surveillance.

There was a lovely editorial yesterday in the National Post. It was called “A bad day for Big Brother”. Some student or researcher in the United Kingdom had stood up and said, you know, we have the most massive investment in surveillance cameras in the entire world. We're being watched all the time. Most of the time the cameras aren't working. They're no good in preventing crime. They're too grainy to actually see anything, and it bores the hell out of people to watch them. That's the kind of country I don't want to be in. I don't want to be watched all the time. I couldn't imagine why you'd have a surveillance camera on me. If you were videotaping, that would be fine, with my consent.

The ultimate goal is to keep from being watched all the time for bad things. If we're all suspected terrorists, I want to be watched until I'm blue in the face. If it's a law enforcement matter, we can balance the privacy rights of individuals and law enforcement and national security. I think the Privacy Commissioner knows a lot more about national security, in particular, than I do. It's not as if, you see, we privacy advocates want to trump law enforcement or dealing with child pornography or whatever the other evils of society are. We simply want to know in advance what the rules are going to be and how the personal information is going to be used.

I got along famously with the deputy chief of the Vancouver Police Department and with the Victoria police, as well. They had their job to do, and I watched what they were doing. When they had books of known prostitutes sitting around on open desks, I'd say, you know, do you really have to keep that where people can see it, or can you come to a slightly more sophisticated data gathering system? Any time anybody calls 911, how long are you going to keep that information?

Data retention and data destruction are good things. I have clients who have kept records for fifty years. They've never destroyed anything. Why?

3:55 p.m.

The Chair Liberal Paul Szabo

Okay.

We're going to move on to Madame Lavallée.

3:55 p.m.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

It is a shame to interrupt you while you are on such a roll, but I have questions for you too, Professor Flaherty.

First, I would like to thank you for your document; I read it carefully. I was astonished at some of your more, shall we say, unique passages. You said that the current act is almost useless and even risible in the 21st century.

4 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

4 p.m.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

I like words too, which is why I like to use them correctly. I do not think we can go that far. You wrote it more to grab our attention than because you believe it. After all, the present wording of the act protects some of our information. Anyway, I will not take up all my discussion time talking about your skills and your literary style.

I would like to go back to the commissioner's ten recommendations. You said that you are in close contact with her and that you are of like mind in some respects. You have studied the commissioner's ten recommendations. Are there any that you do not agree with?

4 p.m.

Prof. David Flaherty Professor Emeritus, The University of Western Ontario, As an Individual

No, but when I read them this morning, I marked recommendations 1 to 4 and 9, because I found them more substantial than recommendations 5 to 8.

4 p.m.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

I want to make sure that we have the same numbers. The tenth recommendation deals with cross-border information sharing. Are you saying that this recommendation is not one of your priorities?

4 p.m.

Prof. David Flaherty Professor Emeritus, The University of Western Ontario, As an Individual

I'm a little tired of transported data flows, because the Open and Shut report in 1987 recommended that we should really be studying transported data flows of personal information, and nothing much was done about it. They commissioned a study, which I didn't get to do. A bunch of scholars at UQAM, Université du Québec à Montréal, did it, and nothing happened legislatively.

I gave a talk about electronic health records in Vancouver on Tuesday afternoon. I was talking about the U.S.A. Patriot Act and what it costs the taxpayers of British Columbia to comply with the special laws that were brought in in British Columbia because of Patriot Act concerns. Contracts that had already existed were grandfathered.

The credit bureau of Equifax, the credit reporting company, to the best of my understanding is in Atlanta. My Visa card every month is processed in Atlanta, and the Privacy Commissioner said that was okay. We actually have massive flows of personal data that we've approved of, that we think make sense. Some of it's now going to India and is being outsourced and all this kind of stuff.

My point is that we have to know what these data flows are. I point out in my paper that I was an advisor to the commissioner on her audit of the Canada Border Services Agency and of the flow of information on us across the border to the Americans. I have a PhD in American history. I taught it for many years. I'm not vaguely anti-American, so that's not where I'm going with this, but we simply can't be handing over our personal information across the border to the Americans without data-sharing agreements about how it's going to be used and for what purposes.

We need a record of what's happening, and that doesn't exist at the moment. The commissioner said her power was limited by the border. The Canada Border Services Agency, if it's going to engage in data exchanges back and forth across the border, should know what they're doing.

Mr. Dhaliwal mentioned the United States. No country in the world has more privacy law than the United States, but nobody has a collection of more meaningless privacy laws than the United States. That's only a small exaggeration. There's no enforcement except in the courts. There's no privacy commissioner in almost any of the American states or federally. The Federal Trade Commission is doing some useful work in consumer rights.

The American model is highly decentralized, very court-driven, very expensive, very difficult to influence. Our data's going over there. We don't know what's happening with it, and nobody's minding the shop. I certainly don't think the director or the president or whatever he is called of Homeland Security is a good custodian of my personal information when he doesn't even think fingerprints are sensitive personal information.

4 p.m.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

I still do not understand. Are you in favour of recommendation 10?

4 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

4 p.m.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

You are in favour.

4 p.m.

Prof. David Flaherty Professor Emeritus, The University of Western Ontario, As an Individual

But it is not just a matter of saying yes, is it?

4 p.m.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

I could understand yes.

4 p.m.

Prof. David Flaherty Professor Emeritus, The University of Western Ontario, As an Individual

I agree with all ten recommendations.

4 p.m.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

But you do not think that there are enough of them.

4 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

4 p.m.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

You think that there should be more.