Thank you, Mr. Chair.
Members of the committee, thank you for inviting me to provide my views in the context of your study of the privacy implications and potential legal barriers relating to the implementation of digital government services in Canada.
A good starting point for this study, given that it defines the government's approach, is the government data strategy roadmap, published in November 2018, which was shared with us late last year.
In that document, the government indicates:
Data have the power to enable the government to make better decisions, design better programs and deliver more effective services. But, for this to occur, we need to refresh our approach.
Today, individual departments and agencies generate and hold a vast, diverse and ever-expanding array of data. These data are often collected in ways, based on informal principles and practices, that make it difficult to share with other departments or Canadians. Their use is inconsistent across the government and their value sub-optimized in the decision-making process and in day-to-day operations.
We of course support the use of technology to improve government decision-making and service delivery but, as mentioned in your mandate, this must be done while protecting Canadians' privacy. In that regard, it is important to remember that privacy is a fundamental human right and that it is also a prior condition to the exercise of other fundamental rights, such as freedom, equality and democracy.
The government's roadmap underlines the difficulty of sharing data across departments and attributes this either to informal principles and practices or, in other circumstances, to legal barriers. I understand that there is in fact an exercise within government to identify these legal barriers with a view to potentially eliminating those found inconsistent with the new approach that the government feels is required to extract value from data.
I would say that what is a legal barrier to some may be seen as a privacy safeguard by others. The terminology that the government or other interveners use in this debate is not neutral. Many of the presumed barriers are found in sections 4 to 8 of the current Privacy Act. Should these rules be re-examined with an eye to improved government services in a digital age? Certainly. Should some of these rules be amended? Probably.
But, as you go about your study, I would ask you to remember that, while adjustments may be desirable, any new legislation designed to facilitate digital government services must respect privacy as a fundamental human right. I can elaborate on this point in the question period, if you wish. In other words, modalities may change but the foundation must be solid and must respect the rights to privacy. The foundation must be underpinned by a strengthened privacy law. As you know, we made recommendations to that effect in 2016. I would add a new recommendation here: that the public sector adopt the concept of protecting privacy from the design stage.
I reviewed with interest the testimony before you by officials from Estonia at the launch of your study. While the Estonian model is often discussed for its technological architecture, I was struck by the fact that officials emphasized the greater importance, in their view, of attitudinal factors, including the need to overcome silos in state administration leading to reuse of personal information for purposes other than those for which it was collected.
This could be seen as validation of the view that our Privacy Act needs to be re-examined and that—quote, unquote—“legal barriers” should be eliminated. I would note, however, that in Estonia the elimination of silos did not lead to a borderless, horizontal management of personal data across government. Rather, in the Estonian model, reuse, or what we would call sharing of information, appears to be based on legislation that sets conditions generally consistent with internationally recognized fair information practice principles and with the GDPR, although I would encourage you to follow up with Estonia as to what these legal conditions actually are.
As to the technological aspects of the Estonian model, our understanding is that there is an absence of a centralized database. Rather, access is granted through the ability to link individual servers through encrypted pathways with access or reuse permitted for specific lawful purposes. This purpose-specific access by government agencies likely reduces the risk of profiling.
We understand that further privacy and security safeguards are attained through encryption and the use of blockchain. This is in line with one of our recommendations for revisions of the Privacy Act in 2016, namely, to create a legal obligation for government institutions to safeguard personal information.
I note that the Estonian model is based in part on a strong role for their data protection authority, which includes an explicit proactive role as well as powers to issue binding orders, apply for commencement of criminal proceedings and impose fines where data is processed in an unlawful manner or for violations of the requirements for managing or securing data. Similarly, the OPC should have a strong oversight and proactive role in line with our Privacy Act reform recommendations.
I'd like to conclude with some questions for you to consider as you take a deeper dive into the Estonian model or discuss its applications in a Canadian context.
First, we've heard officials say that the success of the system is based on strong trust, which requires strong safeguards. But no system, as you know, is totally safe. What mitigation measures are in place in Estonia when, and not if, there is a breach?
Second, Canada's data strategy roadmap posits that one of the valued propositions of a model such as Estonia's is the intelligence to be gathered from data analytics, but it is unclear to us how, given the segregated set-up of the data sets and the legislative regime in which it operates, providing for specific reuse for specific purposes, this could be accomplished. You may wish to explore this issue further.
Finally, we would suggest that obtaining clarity from Estonian officials on the legal conditions for reuse of data would help, because that's an important safeguard to ensure there is no overall profiling and what I refer to as borderless, horizontal data sharing.
Thank you for your attention. I'll be glad to answer your questions.