[Recorded by Electronic Apparatus]
Thursday, November 28, 1996
[English]
The Chair: I'll call this meeting to order.
Mr. Reddick, I would like to underscore that we're looking to you for some very helpful guidance in the field of values measurements. We will be looking at three particular areas of human rights and the implications with privacy rights, particularly in the field of physical surveillance. That's like the new closed-circuit video cameras for surveillance or monitoring behaviour. Who should know this? How should they know it? What do we want to know? What should we be allowed to know? How do we use this stuff?
Here's the second area of our serious concerns. We're approaching this whole matter from a human rights perspective, not from an economic model perspective; although that of course plays a very important part in the decision-making.
The second aspect we would be looking at in the case studies we're going to be using will be the issue of these advanced identification cards. This invloves ID cards; personal information; biometric technology; fingerprinting; digitized photographs so they can locate you in a crowd, which is quite scary; smart cards and things of that nature.
How does the public feel about being so easily identified given the new technologies that are beyond snooping? There's the whole question of data-matching in that sense, which is a different sense from what is generally thought of as data-matching.
The third field in which we'd appreciate your sense of whether or not values can be measured and just how far is too far, is biological surveillance, which is the whole question of genetic testing and the implications for genetic technology.
I think you could help us really answer this issue: what is the awareness, experience and level of concern among members of the public with regard to a variety of situations dealing with personal information? I could give you a copy of this question if you would like.
The second thing is which personal information practices are considered by the public to be privacy-invasive, and which are nevertheless considered to be justified? We've had some indication that there is sort of a conflict with the comfort level. Some people feel there is a great justification for an invasion of privacy given the outcome. How do you measure the outcome value versus the inputs? What actions are currently being taken by Canadians to protect their interests in relation to the use of their personal information?
The next to last one is how aware are Canadians about available tools and existing efforts to protect their personal information? Do people really know that with the new high-tech technology they can really go beyond the brick walls and through the windows? Do they know they can be identified with a digitized picture and picked out in a crowd of thousands? This is pretty scary stuff, and I don't know whether we all know about it.
What are Canadians' policy preferences for managing the protection of personal information? What do people feel about the fact that the cards you fill in when you cross the border - say you had a holiday somewhere in the joyous warmth away from this cold-winter country - can be used to detect whether you've been fraudulently collecting unemployment insurance cheques? Where are the walls that should be the barriers to the sharing of information?
I think that pretty well explains the areas we'd like to look at. We're well aware of the fact that there are models in the OECD constitution and in the European communities that indicate and link, without any difficulty, human rights, and particularly privacy rights. Those are the fields.
Mr. Bernier, would you like to add anything perhaps? We're going to invite Mr. Reddick to speak.
[Translation]
Mr. Bernier (Mégantic - Compton - Stanstead): No, it's okay.
The Chairman: Is it okay?
[English]
Mr. Scott, would you like to add something?
Mr. Scott (Fredericton - York - Sunbury): No.
The Chair: Madam Augustine?
Ms Augustine (Etobicoke - Lakeshore): No.
The Chair: Mr. MacLellan?
Mr. MacLellan (Cape Breton - The Sydneys): No.
The Chair: That's basically what we'd like to hear from you. Is it possible for you, with the studies that Ekos has undertaken, to give us some sense of direction as whether we can do this or not?
Mr. Andrew Reddick (Director of Research, Public Interest Advocacy Centre): Yes. In the studies, we've covered off some of those ideas and questions. I'd have to sort of think about some of the questions you raised about the level of detail you may have looked at.
I think the best thing is for me to go away and come back on the 12th so as to address them in more detail. I'll talk to some of the researchers between now and then about which ones we're more comfortable with and which ones may be new territory, as it were.
For today, I was going to present you with sort of a general overview on some of these issues and some of the perspectives we've taken out of the surveys and research studies we've done on general attitudes and themes in the public. Then perhaps on December 12 I could speak more specifically to these questions and issues and the technologies.
The other option is for me to submit a copy, rather than speaking to it. If you want to photocopy it and submit it to the different members, that's the other option.
The Chair: Perhaps you might just give us an overview, if you don't mind. Then if you would submit it, it would be very helpful. We can table it and attach it to the minutes.
Mr. Reddick: Okay, this will be my overview for December 12 then.
First, I want to thank the committee for inviting me to speak here today. We're very pleased Minister Rock has announced that the government will be taking some sort of legislative action in the future. We're also very pleased this committee is researching and studying this issue.
Over the past 20 years, there has been an increasing call by those of us involved in privacy to make sure that some real social action is taken to deal with these very complex and important issues.
One of the reasons we think it's important to be here is that we believe the fundamental right of privacy has not been sufficiently respected or enforced in our socio-economic relations.
Over the past few years I've had the opportunity to work on two different national studies. One was ``Privacy Revealed'', which was in 1992. This was the first major public research on the issue. It sort of set a benchmark for understanding privacy and what Canadians thought about these issues. We did ``Surveying Boundaries'' last year. It was sort of a follow-up. It extended much of our understanding by looking at questions of justification and what people think about different types of activities.
I'm not going to speak in detail about these studies at this point, but I just want to raise a few general themes about Canadians' views on privacy. I think there are copies of both of these here.
As a complex issue, privacy, as you know, covers a range of different types of information and activities. Types of information could be financial buying habits, employment history, demographics, health and so on. Activities, as you mentioned already, could include surveillance, data exchanges, intrusions, records management and access to goods and services.
Our research has shown there continues to be a serious level of concern by Canadians about their privacy in the use and protection of their personal information. People consider privacy to be a right, but they also recognize that in order to fully participate in society as citizens or consumers, they must be prepared to allow others to access and use certain types of personal information.
There are a number of values, attitudes and expectations that go along with this. These are central to our understanding about what type of protection, safeguards or rules of the road should be inherent in any legislation.
Privacy perceptions by the public are based on an uneasy mix of values, interest, knowledge and experience. The acceptability of an information transaction is a product of such factors as the social or personal benefit of a transaction. For example, where there are clear social or personal benefits, individuals are much more likely to view the transaction as justified.
Consider the type of information involved. For example, people are less concerned about the use of general information, as opposed to personal, sensitive information, such as income or health.
There's the familiarity with the practice or organization involved. For example, previous experience in a type of transaction can ease concerns in the level of trust. In some organizations, it's higher than in others. For example, Canadians tend to be much more comfortable with their information if it's used by government or their doctor, rather than by business.
There's transparency, which is why the information is being collected, how it will be used and who is using it. These are also important questions in this matrix.
Probably the most important factor is informed consent. Canadians clearly demand - they have done this in both studies - that they have informed consent on the control of the collection - this is primary and secondary use - and storage of their information.
While these are all important, the two factors that stand out the most are consent control and rationale benefit. Activities that consistently raise concerns by the public have to do with the collection, exchange and use of their information when they have not given their informed consent. This could be surveillance, data-sharing or data-selling between companies or by government, data-matching and related activities.
When people engage in a transaction, the primary use of their data is transparent and central to the activity. For example, to get a loan or buy a product, one must give up certain information. The expectation is that this information will remain confidential and limited to this transaction.
The secondary, behind-the-scenes use of this information for other purposes without their consent is most troubling. The concern about this increases if it involves what is considered more personal types of information, such as health or financial information, or if it leads to some decision-making about the person. There also tends to be much less concern about activities that are considered nuisances, such as phone calls from pollsters or someone trying to sell something.
Interestingly, while such activities are not considered serious and while the use of a person's name and phone number, for example, are considered less serious than sensitive personal information, the means by which some organization got a person's name in the first place, such as through data-sharing or data-selling without permission, is much more offensive to the public.
For example, I received in the mail yesterday a little notice from The Bay. I buy only socks at The Bay, nothing else. It says ``Celebrate your birthday in December with peace of mind. You can now protect yourself and your family's future with $100,000 in term life insurance from Manufacturers Life.'' My bargain with The Bay is to buy socks, not get life insurance.
Now this may be of some benefit to some consumers, but it's nice to be able to give my consent ahead of time and know that my information about my socks is going to be traded to a life insurance company. It's those kinds of things that upset people.
The Chair: Do you know if there's anything on the card from The Bay saying that they would send you a bill that says they can trade that information?
Mr. Reddick: Not to my recollection. When I got my card, I signed some little form that somebody had on a clipboard in the store. I don't remember anything saying they were going to buy, sell or trade anything or that I was going to have all these wonderful goodies.
Now that's fine. If I knew that ahead of time, I'd say that maybe this was in my best interests, but I find this a little problematic without consent. With consent, that's fine.
At the same time, the rationale benefit of these activities can mediate people's views on these activities. For example, while data-sharing by government to prevent a crime is considered invasive, at the same time, it can be considered justified given the broader social benefit. The same can hold true for personal benefits such as health information.
I just want to step back and offer a more general view of the issue.
The tension in the debate over the notion of privacy in personal information is largely driven by the nature of our modern society in which property relations play a significant role. There is a view that those who hold and own the information can therefore do as they like with it.
Such information can be used as a resource in some other activity, such as marketing, or it may be a commodity itself. On the other hand, privacy in one's personal information is also a property right of the individual.
In fact it is more than this: it is also a human right. This view is much more in accordance with the values and expectations of the public and our notions of democracy. When I think of a human right as property, I'm using the historical, much broader sense of the notion of property than our contemporary - largely commodity - interpretation.
Consider the works of such writers as Thomas Hobbes or John Locke in the 17th century. Both saw human rights as property in a broad sense in terms of people's lives, liberties of their own person, capacities, rights, and means of living. In other words, this was the security of one's person, to be fully in control of themselves and their lives, and to live a full, free, and productive life.
When we share our personal information as part of being able to participate in society, we are not giving up that information on an exclusive basis, as the narrow concept of property would suggest.
The provision of personal information then is not seen as alienable whereby one's property rights are surrendered. Instead, those collecting the information are viewed as the custodians of the information. It's the property of others, of individuals, and it should be treated and respected as such accordingly. Canadians' rights over their information are not given up in a transaction. There clearly are expectations for the conditions of use, access, limits, and permissions.
So how do we rectify these differences? Obviously, some balance between these sets of rights needs to be established. At the moment, there is no balance. The human right, the individual right, is not being respected or protected.
By balance, I mean that some setting of limits must exist. These are the rules of the road, if you will, and this is clearly a role for government. While individuals, companies and others have claims on these rights of property, it is the government that creates or sets the terms of the rights and how they're played out in the course of everyday life.
Because privacy is a human right, it exists a priori to commercial property rights. As such, the default to preserve this right should be anonymity. A default of disclosure, which seems to be the case increasingly as we move into the information society, is not appropriate. Canadians should have the positive freedom of consent respected in the collection, storage, and use of their information.
Returning back to the studies, our research has shown that Canadians are very clear about what they want done about their privacy. We live in an increasingly complex society in which many activities operate behind the scenes and at levels not apparent to individuals. Canadians are not comfortable with the idea of relying on their own resources or the good faith or organizations or business to protect their privacy.
Across both studies, the majority of people see privacy as a priority role for the government. There is a need for government to manage the store, as it were. At the same time, people are not looking for a draconian approach to legislation. They recognize the need for flexibility and some responsibility by individuals and business.
People are pragmatic. In order to participate in society and have society operate in a way that good sense would dictate, there will be the collection of, access to, and use of their information; however, they want clearly defined rules of the road.
A voluntary approach or codes are not sufficient. People are looking for a government response that addresses their concerns of security, protection, and redress.
The next step for government ideally would be some general framework legislation that clearly affirms Canadians' basic rights and lays out the ground rules on consent control. This should be the first order of business.
The framework legislation, however, must be flexible enough in application such that it can accommodate the different needs and vagaries of the different sectors of society, federal and provincial jurisdictions, and the different types of privacy and information activities.
I'm going to leave it there.
The Chair: Do you have a copy of the OECD documents?
Mr. Reddick: Not with me, but I do.
The Chair: With the remarks you've just made, before you come back on the 12th, I wonder whether you would have the opportunity to look at the OECD material and perhaps the European Union outline so as to give us some idea of whether that meets with what you've just outlined in your overview for us.
Mr. Reddick: Okay. I'll leave that as my introduction for now. I don't know if you want to field any questions today or wait until December 12. We can circulate the document in the meantime.
I sort of rushed it a bit because of the time.
The Chair: I realize we put you under stress.
Mr. Reddick: That's okay.
The Chair: I appreciate your good grace in doing that service for us. We look forward to seeing you again on December 12.
Mr. Reddick: Okay.
The Chair: The committee members get copies of the blues, so they can catch up to where you were. So you can start again without starting from scratch.
You've been very helpful to us. Thank you for your good patience.
Mr. Reddick: Thank you.
The Chair: Thank you.
The meeting is adjourned.