Evidence of meeting #133 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Lara Ives  Executive Director, Policy, Research and Parliamentary Affairs Directorate, Office of the Privacy Commissioner of Canada

3:35 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

I just want to clarify the rules. Asking to adjourn debate, I don't believe it does. I would imagine that Peter would agree to defer it.

3:35 p.m.

Conservative

The Chair Conservative Bob Zimmer

We're going to vote.

3:35 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Assuming we're going to get back to the question....

3:35 p.m.

Conservative

The Chair Conservative Bob Zimmer

We're voting on adjourning the debate.

(Motion agreed to)

3:35 p.m.

Conservative

The Chair Conservative Bob Zimmer

I guess we'll get—

3:35 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

As long as we vote by the end of the meeting....

3:35 p.m.

Conservative

The Chair Conservative Bob Zimmer

Okay. Sure.

Mr. Therrien, go ahead.

3:35 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Thank you, Mr. Chair.

Members of the committee, thank you for inviting me to provide my views in the context of your study of the privacy implications and potential legal barriers relating to the implementation of digital government services in Canada.

A good starting point for this study, given that it defines the government's approach, is the government data strategy roadmap, published in November 2018, which was shared with us late last year.

In that document, the government indicates:

Data have the power to enable the government to make better decisions, design better programs and deliver more effective services. But, for this to occur, we need to refresh our approach.

Today, individual departments and agencies generate and hold a vast, diverse and ever-expanding array of data. These data are often collected in ways, based on informal principles and practices, that make it difficult to share with other departments or Canadians. Their use is inconsistent across the government and their value sub-optimized in the decision-making process and in day-to-day operations.

We of course support the use of technology to improve government decision-making and service-delivery but, as mentioned in your mandate, this must be done while protecting Canadians' privacy. In that regard, it is important to remember that privacy is a fundamental human right and that it is also a prior condition to the exercise of other fundamental rights, such as freedom, equality and democracy.

The government's roadmap underlines the difficulty of sharing data across departments and attributes this either to informal principles and practices or, in other circumstances, to legal barriers. I understand that there is in fact an exercise within government to identify these legal barriers with a view to potentially eliminating those found inconsistent with the new approach that the government feels is required to extract value from data.

I would say that what is a legal barrier to some may be seen as a privacy safeguard by others. The terminology that the government or other interveners use in this debate is not neutral. Many of the presumed barriers are found in sections 4 to 8 of the current Privacy Act. Should these rules be re-examined with an eye to improved government services in a digital age? Certainly. Should some of these rules be amended? Probably.

But, as you go about your study, I would ask you to remember that, while adjustments may be desirable, any new legislation designed to facilitate digital government services must respect privacy as a fundamental human right. I can elaborate on this point in the question period, if you wish. In other words, modalities may change but the foundation must be solid and must respect the rights to privacy. The foundation must be underpinned by a strengthened privacy law. As you know, we made recommendations to that effect in 2016. I would add a new recommendation here: that the public sector adopt the concept of protecting privacy from the design stage.

I reviewed with interest the testimony before you by officials from Estonia at the launch of your study. While the Estonian model is often discussed for its technological architecture, I was struck by the fact that officials emphasized the greater importance, in their view, of attitudinal factors, including the need to overcome silos in state administration leading to reuse of personal information for purposes other than those for which it was collected.

This could be seen as validation of the view that our Privacy Act needs to be re-examined and that—quote, unquote—“legal barriers” should be eliminated. I would note, however, that in Estonia the elimination of silos did not lead to a borderless, horizontal management of personal data across government. Rather, in the Estonian model, reuse, or what we would call sharing of information, appears to be based on legislation that sets conditions generally consistent with internationally recognized fair information practice principles and with the GDPR, although I would encourage you to follow up with Estonia as to what these legal conditions actually are.

As to the technological aspects of the Estonian model, our understanding is that there is an absence of a centralized database. Rather, access is granted through the ability to link individual servers through encrypted pathways with access or reuse permitted for specific lawful purposes. This purpose-specific access by government agencies likely reduces the risk of profiling.

We understand that further privacy and security safeguards are attained through encryption and the use of blockchain. This is in line with one of our recommendations for revisions of the Privacy Act in 2016, namely, to create a legal obligation for government institutions to safeguard personal information.

I note that the Estonian model is based in part on a strong role for their data protection authority, which includes an explicit proactive role as well as powers to issue binding orders, apply for commencement of criminal proceedings and impose fines where data is processed in an unlawful manner or for violations of the requirements for managing or securing data. Similarly, the OPC should have a strong oversight and proactive role in line with our Privacy Act reform recommendations.

I'd like to conclude with some questions for you to consider as you take a deeper dive into the Estonian model or discuss its applications in a Canadian context.

First, we've heard officials say that the success of the system is based on strong trust, which requires strong safeguards. But no system, as you know, is totally safe. What mitigation measures are in place in Estonia when, and not if, there is a breach?

Second, Canada's data strategy road map posits that one of the valued propositions of a model such as Estonia's is the intelligence to be gathered from data analytics, but it is unclear to us how, given the segregated set-up of the data sets and the legislative regime in which it operates, providing for specific reuse for specific purposes, this could be accomplished. You may wish to explore this issue further.

Finally, we would suggest that obtaining clarity from Estonian officials on the legal conditions for reuse of data would help, because that's an important safeguard to ensure there is no overall profiling and what I refer to as borderless, horizontal data sharing.

Thank you for your attention. I'll be glad to answer your questions.

3:40 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you again, Mr. Therrien.

First up for seven minutes, we have a combination of Nate and David to start.

Go ahead.

3:40 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

My first question is about the Estonian model and legal pathways.

When Michael Geist was before us, he said that technological measures put in place sound great, but we couldn't trust in those measures and we needed to revisit the Privacy Act. I take it you are of the same view.

Revisiting the Privacy Act and the clarity of pathways for sharing of information, I understand in Estonia, yes, they have a tell-us-once model, but you require specific statutory authorities for that reuse, so your point about our clarifying what the Estonian legislation says is important.

With respect to the Privacy Act, it's also your view, I suppose, that we should clarify the pathways of sharing information here in Canada as well.

3:40 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes. We have long-standing rules, of course, to govern the conditions under which data can be shared between departments. Those are essentially sections 4 to 8 of the current public sector Privacy Act.

Your mandate speaks to legal barriers. The federal government's data strategy road map talks about potential legal barriers. I assume that when the government refers to barriers, they are referring to revisiting or reviewing whether sections 4 to 8 are still fit for a purpose. I accept that, but I say at the same time that these are important rules, and although certain adjustments and modalities can be envisaged, let's not lose sight of the main principle, which is that privacy should be respected.

3:45 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Has the government come to you at all to discuss a digital ID project in any way?

3:45 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We had some discussions with government late last year about their data strategy road map, at a high level of generality, I would say. We were invited recently to offer views on strategies that individual departments are required or invited to adopt pursuant to the road map. That process has not started, but I welcome the invitation by government for us to give our advice.

3:45 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

With respect to digital ID specifically, I understood that maybe there were some conversations under way at the federal level to pursue a digital ID project in concert with provinces. Have you been consulted on this specifically?

3:45 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

This has been going on for a number of years. Perhaps Ms. Ives wants to add to this.

3:45 p.m.

Lara Ives Executive Director, Policy, Research and Parliamentary Affairs Directorate, Office of the Privacy Commissioner of Canada

Yes. I'll just add that there have been various iterations over the years. I think the most recent was in 2012. We reviewed privacy impact assessments for authentication rather than a digital ID: means to access online government services. One of them is issued by the Government of Canada and the other one utilizes banking credentials, but it's not exactly on point with the digital ID.

3:45 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I have a last question and then I'll turn it over to David.

Simply, are there examples of this government or previous governments implementing and moving off-line services online, providing greater digital services and doing it right by coming to you and saying, “Let's address privacy concerns”? Can we point to any Canadian example where there's been a service that's gotten it right? Take your time.

3:45 p.m.

Voices

Oh, oh!

3:45 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

In the spirit of being optimistic and positive, I would say that the Estonian model is interesting to look at from that perspective. It has many positive features. The devil is in the details, obviously, but it's not a bad place to start.

3:45 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

All right. Thanks very much.

David.

January 31st, 2019 / 3:45 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Thank you.

I think data is easier to share than time, but we'll do what we can.

I would like to understand how we can define the parameters for the permission that people give. On Tuesday, I used automatic vehicle licence plate readers as an example. When a car goes by, the reader records the plate number. That is being done by the government. We provide that data in a way that is not really voluntary, given that we have no other choice.

If departments or police services all over the country use that data without really having obtained people's permission to do so, how can we determine whether they have given their consent? Where do we draw the line?

3:45 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I will assume that your question is based on the principle that this is information in the public domain. Licence plates are public, in a sense, because the cars are travelling on public roads. People—the government, but companies too—rely on the public nature of that environment to collect data and then to use them in a way that does not see them as personal information. In that case, the rules on the use and disclosure of that information are more permissive.

3:45 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

At each stage of a trip, the plate number can be read, revealing who it belongs to, where they live, and their record. Even if the data is not collected every time, individuals can be followed from one end of the country to the other, and their travels known.

That is not what licence plates are for, but, if we say they are in the public domain, are we allowed to use the data in that way? The United States is already doing it.

3:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We have to be careful in calling this information public. As you have just said, it is still possible to identify the person associated with a car, their behaviour, and so on. So, even if the information is called public, we have to wonder whether the information is actually personal, and what authority a given department has to collect it. It varies from department to department. Even though the information is in the public domain, collecting it has to be linked to a mandate of the department in question. That is a very important condition in the current legislation. It could be made stronger, along the lines of some recommendations we made in connection with amending the Privacy Act.

In summary, we have to be careful with data in the public domain. We have to make sure that each department collecting and using the information actually has a mandate to do so.

3:50 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Thank you.

Do I have any time left?