CHAPTER 4: BUILDING UP PROTECTION: FROM BLUEPRINT TO BRICKS AND MORTAR


FRAMEWORK AND BEYOND

The technology is making it possible to introduce more and more forms of intrusive surveillance of people conducting their lives in ordinary ways. And unless we're prepared to see ourselves being looked at, spied upon, probed and tested, we had better get a grip on this.1
Bruce Phillips, Privacy Commissioner of Canada

In the previous chapter, we created a blueprint for the foundational principles upon which a sturdy privacy protection system could be built. Designing them from a human rights perspective, we developed a list of core principles that described basic rights and responsibilities. In this last chapter of our report, we will outline the Committee's proposal for the overarching framework that would incorporate and breathe life into these core principles - a charter of rights for privacy. Once we have roughed out this framework or charter, we will describe the mosaic of measures required to supplement it. At the same time, we will suggest allocations of responsibilities - who needs to do what to ensure the job gets done and gets done well.

As we map out our plan for providing full and fair protection for individuals' personal privacy, we will continue to approach our task from a human rights perspective. To draw on the analogy used by Ursula Franklin, our aim is to propose that the regulation of privacy be treated more like maintaining a garden than managing a production site. When she spoke last September about how people could live in a technological society, she painted a picture of stark contrasts between a world where justice and rights prevail, portrayed as a garden, and a world where technology rules, pictured as a production site. She concluded by suggesting a way to bridge these seemingly irreconcilable worlds: look for an "adequate" balance.2

Finding the right or adequate balance between individuals' privacy rights and all the other interests at play in an increasingly complex, high-tech world is a dynamic process that involves everyone. In terms of processes, it involves public debate, research, education, sensitization, legislation, regulation, codes of practice, privacy enhancing technologies, pilot projects, and more. In terms of players, it requires everyone to join the team: politicians at all levels of government, corporations, educators, the media, privacy commissioners, technology and systems designers, bureaucrats, rights advocates, individual members of the public, and so on. Thus, protecting everyone's privacy rights becomes everyone's responsibility.

But how do we prevent this dynamic and collaborative process from degenerating into chaos? To begin with, the Committee proposes that it be framed by a charter of privacy rights - overarching human rights legislation that would guide the development and implementation of the various measures devised to adequately protect this priceless right.

THE PRIVACY CHARTER

Everywhere the Committee travelled, participants in our townhall discussions asked that the government create a legal framework to establish ground rules for the protection of privacy. Usually, when people spoke of such legislation, they were in fact referring to a data protection framework. However, some, such as the Manager of Metro Toronto's Privacy Office, Rita Reynolds, summarizing one group's discussion, suggested a broader approach - a genuine privacy protection framework:

There was a concern very strongly expressed about the fact that existing privacy legislation - federally, provincially, municipally - has no teeth and that rather than trying to go back and build greater strength into these laws, what is needed is overarching umbrella legislation that would give very clear protections to individuals over the collection of genetic information, things like video monitoring, biometric technologies ... 3.

The Committee prefers this broader conceptualization of the overarching framework. We do not believe that Canadians want ground rules to protect only their informational privacy, leaving the rest of their privacy rights to languish in a lawless frontier. Consequently, the protective framework we are proposing here will capture the full breadth of privacy, like a wide angle lens taking in a panoramic view, as opposed to the data protection framework toward which the Industry and Justice Ministers are working that focuses, like a close-up lens, tightly on informational privacy rights.4

Furthermore, given our human rights perspective, we have chosen a human rights model as the prototype for our overarching privacy protection framework. We considered, but for practical reasons rejected, adopting a constitutional structure for our overarching framework, that is, the one offered by the Canadian Charter of Rights and Freedoms. Instead we elected to propose a quasi-constitutional framework, a bill of rights type of model.

The Canadian Charter of Rights and Freedoms did not suit our present purposes, for two reasons. First of all, constitutional amendments can be difficult to orchestrate and are unlikely to come about quickly. Considering the pressing need to develop suitable overarching legislation, the Charter of Rights did not present a realistic solution. Secondly, since the Charter applies only to government actions, even if a swift constitutional amendment to enshrine explicit privacy rights in it were possible, the effect would be to prevent only government policies, practices and legislation from unreasonably infringing on these rights. Policies and practices developed in the federally regulated private sector that adversely affect privacy rights would not have to comply with the Charter of Rights. Consequently, more than a Charter of Rights amendment would be required in any event.

We do not wish our proposal, which discards the constitutional option, to be interpreted as meaning that the Committee does not support entrenching an explicit right to privacy in the Canadian Charter of Rights and Freedoms. We wholeheartedly endorse the view expressed 10 years ago by Members then serving on the Standing Committee on Justice and Solicitor General: "When the time arrives to consider amendments to the Canadian Charter of Rights and Freedoms, the Committee believes that serious consideration should be given to creating a simple constitutional right to privacy."5 Indeed, we think such a right should be entrenched.

The advantage of the framework we are proposing, a charter of privacy rights based in ordinary legislation like a bill of rights, is that it would be created through the usual legislative process like any other Act of Parliament, and so could be enacted faster than constitutional amendments. Secondly, as a federal statute, it could be made to apply to the federally regulated private sector and, therefore, have a broader reach than the Canadian Charter of Rights and Freedoms. Last but not least, like the Canadian Bill of Rights and other human rights codes, this statute would have what is referred to by the courts as "quasi-constitutional status," meaning it would have primacy over ordinary laws.6

The purpose of this proposed charter of privacy rights, which we refer to as the Canadian Charter of Privacy Rights, would be similar to Australia's Privacy Charter: to provide a statement of general principles concerning privacy rights and responsibilities in Canada that would serve as a benchmark against which the policies and practices of businesses and the federal government, as well as the adequacy of federal legislation and regulations, could be assessed. Our hope would be that ultimately this Privacy Charter would be adopted, in one way or another, as a guidepost for use in the provinces and territories as well.

The Privacy Charter would not attempt to prescribe specific measures to protect the rights entrenched in it. It would, however, outline general requirements to ensure appropriate privacy protections are put in place through secondary instruments, whether they be other legislation, regulations, sectoral codes, guidelines, or any other regulatory mechanisms. In conclusion, the Committee believes an overarching legislative framework is needed to protect the full spectrum of privacy rights and the most appropriate model for this legislation would be a quasi-constitutional Act of Parliament.

A. The Elements of the Privacy Charter

The shape, size and contents of the Privacy Charter, ultimately, should be decided through public consultation and with the collaboration of a broad range of Canadians. The Committee does not believe such an important instrument should be cobbled together exclusively by bureaucrats and "stakeholders," working behind closed doors. Our intention, here, is to make recommendations about the basic contents of our proposed Privacy Charter, not to suggest the actual wording that should be employed.

1. The Core Privacy Principles

The first, key inclusion in the Charter would be the core privacy principles set out in the previous chapter of this report. These core principles should be subjected to public scrutiny and comment, revised and refined accordingly, and then be entrenched in the Charter of Privacy. The core principles could be preceded in the Charter by a preamble, declaring the importance of privacy as a human right and recognising the primacy of the Charter over ordinary legislation given its quasi-constitutional status.

2. Other Key Elements of the Privacy Charter

The core principles would obviously constitute the heart of the Privacy Charter. But, in our view, establishing at least five other elements of privacy protection in this Charter is also critical. In particular, it should include declarations (1) identifying the basic measures required to promote proper respect for privacy rights, (2) recognising that proper compliance and enforcement measures must be put in place, (3) recognising also that appropriate remedies to redress violations of privacy rights must be established, and (4) recognising that the Privacy Commissioner of Canada is the general overseer and protector of privacy rights in all areas within federal jurisdiction. Finally, the Privacy Charter would impose legislative review requirements on the Minister of Justice. We believe it is important to entrench these elements of privacy protection in the Charter because they signal the basic steps that must be taken to properly protect privacy rights and indicate that privacy protection is not simply the job of the federal government.

From the townhall discussions, the Committee was able to identify at least three steps to achieving proper respect for privacy values: research, public awareness and education, and public consultation. Research must take place on several fronts - for example, from sociological, economic, technological, and legal perspectives - and must be carried out by people in all fields: government, industry and academe. It must also be carried out using practical and innovative techniques, the Rimouski health card pilot project being one example of such an approach. Public awareness involves raising the consciousness of Canadians about their privacy rights, and education involves teaching everyone, from government employees to technology designers and users, how to promote and respect privacy. Education, like research, must take place on all fronts and involve as many people as possible. Finally, in terms of measures to promote privacy, public consultation is critical every step along the way, whether it's in developing legislation or policies, preparing a data matching proposal, developing a new product or rolling out a new service.

By discussing privacy issues with Canadians, the Committee was able to identify the measures which people considered to be fundamental to ensuring that their privacy rights would be properly protected: compliance, enforcement and remedial action. We believe compliance measures should include adopting suitable tools to ensure that policies, regulatory instruments, practices and technologies fall in line with basic privacy values. For example, privacy impact analyses should be introduced to the processes of developing legislation, as well as to the development of government and business policies and practices. Privacy audits should be carried out to determine whether existing policies and practices comply with privacy principles. To govern new practices which could potentially affect privacy, such as data matching or video surveillance, transparent processes must be put in place involving consultation with the public and weighing the evidence to see if the privacy-invading practice could be justified. And, in the case of technology, to ensure it complies with privacy values, again, privacy impact analyses should be carried out, preferably at the design stage of new technologies and systems to ensure that privacy issues are adequately addressed from the outset.

With respect to enforcement, the Committee concurs with the people who told us they wanted real incentives and disincentives put in place to reward those who protect privacy and punish those who do not. In particular, we agree sanctions should be introduced for serious violations of privacy rights that are commensurate with the gravity of the infringement. Also, we feel sufficient legal recourse and remedies must be provided through some kind of independent complaint-resolution mechanism, tribunal or civil action, to resolve situations where administrative or non-judicial solutions cannot be found. Last but not least, we think the time has come to declare in law what has been the de facto situation for years - that the Privacy Commissioner of Canada is responsible for the general oversight and protection of individuals' privacy rights within the federal realm. The proposed Privacy Charter seems to us to be the appropriate place to recognise this important function.

A final, critical feature of the Privacy Charter would be a provision for the review of legislation to ensure it conforms with the Charter. The Committee believes that, in addition to containing a general declaration that appropriate compliance mechanisms be put in place, the Privacy Charter should impose the specific statutory duty on the Minister of Justice to review existing and new legislative instruments for compliance with the Privacy Charter's principles.

The Department of Justice already reviews proposed legislation and new practices for consistency with sections 7 and 8 of the Canadian Charter of Rights and Freedoms. But, as we noted in Chapter 2, these sections address certain expectations of privacy but not necessarily the full spectrum of privacy rights. Indeed, the exact scope of privacy protection under the Charter of Rights is being determined daily, on a case-by-case basis, and Canadians do not yet know the full extent of its reach. The Committee believes that the proposed Privacy Charter could fill this void because it would identify the full range of Canadians' privacy rights and clarify the reciprocal obligations attaching to these rights. Consequently, it would provide an additional benchmark against which to assess federal legislation, legislative proposals and other legislative initiatives. The Privacy Charter should become integral to the Justice Department's legislative review process.

Furthermore, the Justice Minister should be required to notify the Privacy Commissioner of Canada of all new legislation and regulations having a potential impact on privacy rights. At any one time, a substantial amount of legislation and regulations is before Parliament which has the potential to affect Canadians' privacy rights. By way of example, during the current session of Parliament, more than 50 new laws and regulations with possible ramifications for privacy were before Parliament. The Privacy Commissioner is not systematically informed of each instrument with a potential privacy impact, in spite of past directives from Treasury Board and the Justice Department to federal government departments to provide such notification. The Privacy Commissioner's Office carries out the time-consuming and inefficient process of tracking all new federal legislation and regulations, in order to detect any matters which could affect Canadians' privacy. Given the Privacy Commissioner's important role as the privacy ombudsman for the federal sphere, it is imperative that his Office be officially brought into the legislative loop through a formal notification process. Ideally, the Privacy Commissioner should be consulted at the development stage of legislation; but, at a minimum, consultation must occur once legislation is tabled in Parliament.

To summarize, the overarching legislative framework which this Committee has proposed, the Privacy Charter, would outline everyone's fundamental privacy rights and obligations, and set out the ground rules to ensure that privacy rights are respected and that measures to protect these rights are complied with and enforced. It would also require that adequate remedies be put in place to enable people to pursue breaches of their privacy rights, would identify the Privacy Commissioner of Canada as the ombudsman for Canadians' privacy rights, and would make the Minister of Justice responsible for reviewing legislative instruments for privacy implications.

B. Leading by Example

One of the most important functions that the federal government could perform, to safeguard Canadians' privacy rights, would be to become a strong advocate of this Charter and encourage the provinces and territories to develop and adopt a similar framework for privacy protection in their respective jurisdictions. Clearly, a huge disparity exists across the country among federal, provincial and territorial privacy laws. Quebec's laws are the most advanced, providing extensive privacy protection to people in Quebec. On the other hand, certain Atlantic provinces provide such poor protection to their citizens that they were singled out for criticism:

I would like to point out to some of your members from Atlantic Canada, by the way - and I happen to be a fifth generation New Brunswicker - that I am very concerned as a Canadian with the existence of data havens in the Atlantic provinces. None of them has even the beginnings, except perhaps Nova Scotia, of adequate privacy protection, never mind the private sector, but also in the public sector. I'm particularly disappointed with the Province of New Brunswick, if I may be so bold as to say so, as an academic. That province has been promoting the information highway, but has been doing nothing for privacy protection in either the public or private sectors.7

The unevenness in privacy laws across our country means that only in one province, Quebec, do Canadians have first-class privacy protection. In other jurisdictions, they have either second-class or no privacy rights. The Committee finds this situation appalling. Antidiscrimination laws in this country were harmonized over 20 years ago to ensure that Canadians would be accorded equal dignity and human rights no matter where they live or work in Canada.8 Canada does not have "havens" or "lawless frontiers" where Canadians can be subjected to racism, sexism or other discrimination without adequate legal protections. Privacy is a human right as well. Canadians should not have different degrees of protection for this right, depending on where in Canada they have the good fortune to live and work. The Committee calls on the federal government to take a leadership role by promoting a uniform approach to privacy protection across all jurisdictions. We note that the starting point or the framework for the harmonization of privacy protections could be the Privacy Charter, which could serve as a guidepost and benchmark across the country.

The federal government is a very large employer and handles massive amounts of Canadians' personal information. Also, it has jurisdiction over industries, such as banking, telecommunications, and transportation, which are pillars of our economy. It is the opinion of this Committee that it is critical that the federal government, in its various capacities - as employer, provider of public programs and services, and industry regulator - set an example for other sectors and employers by becoming a model user of the Privacy Charter. With respect to applying the proposed Privacy Charter to its handling of personal information, the next section of this chapter will suggest a new data protection regime that accords with the proposed Charter's values. However, we are concerned that stronger federal data protection legislation may not address all the privacy issues arising in the federal government's workplaces. As a result, we are calling on the federal government to set a proper example by taking steps to apply the principles of the Charter in this field as well.

SECOND GENERATION PRIVACY PROTECTION

Having developed our proposal for a legislative framework to protect privacy, the Privacy Charter, we will focus in the remainder of this chapter on the second generation of privacy protections: the specific privacy laws, regulations, sectoral codes, privacy enhancing technologies, research, education, public awareness programs and other protective measures that must be instituted to adequately safeguard privacy.

A. Data Protection: A New Regime

An urgent need for broad data protection legislation in this country is clearly illustrated throughout this report. We heard calls across the country for a comprehensive and uniform set of rules to safeguard our informational privacy. While data protection legislation already exists in the form of the current Privacy Act, as noted in Chapter 2 of the report, it is limited both in terms of its application and enforcement. The Committee believes that these limitations must be eliminated through the enactment by Parliament of a new piece of specific legislation, known as the Data Protection Act. This Act would reinforce the principles set out in our proposed Charter of Privacy Rights by guaranteeing the right of informational self-determination - the right to control and thereby determine the uses of one's own personal information.

In order to ensure that the security of personal information is taken seriously in the federal domain, the provisions of the Data Protection Act must have as wide an application as possible. The Committee therefore believes that it must extend to Parliament, all federal government departments, agencies, Crown corporations, boards, commissions and other institutions.

Any legislative action in relation to data protection must also extend to the federally-regulated private sector. We heard time and again from participants in our townhall discussions that voluntary compliance with privacy codes of practice does not work. As one participant pointed out, "the profit motive is very strong. Companies in the private sector are not going to act to protect citizens' privacy unless they're absolutely forced to."9 Moreover, as noted earlier in the report, there is an urgent need for data protection legislation that extends to the private sector in order to meet the requirements of the European Union's Directive.10

In determining the best legislative model to adopt in the case of data protection, we are mindful of the Canadian Standards Association's Model Code for the Protection of Personal Information (referred to in Chapter 2). We like the fact that the fair information principles contained in this Code have been negotiated openly by industry, consumer representatives and government with the result being a national consensus on the standards of data protection.11 While we have some concerns about simply legislating these standards into some kind of regulatory regime for the reasons we set out in Chapter 2,12 we still think that this Model Code is a good starting point in the development of a Data Protection Act.

Due consideration must also be given to the data protection approaches taken in other jurisdictions. We are aware, for example, of the Netherlands and the New Zealand approaches, which are quite unique, particularly with respect to how they treat sectoral codes. For example, the New Zealand Privacy Act 1993[13] applies universal information privacy principles to both the public and private sectors, has strong enforcement provisions, pays special attention to the issue of data matching[14], and even deals in an interesting way with codes of practice. The New Zealand legislation requires all public and private sector agencies to designate individuals as privacy officers so as to encourage compliance with the principles set out in the Act, and to co-operate with the Commissioner's requests and investigations.

The New Zealand Privacy Act grants strong enforcement powers to a Privacy Commissioner who is mandated to receive complaints, carry out investigations and mediate/conciliate disputes. Complaints may be made to the Commissioner by anyone alleging what is, or appears to be, an invasion of personal privacy. Broad investigative powers are granted to the Commissioner and, where a matter cannot be resolved through the dispute resolution process, appeal may be had to a complaints review tribunal which can grant enforceable remedies and award damages. Interestingly enough, the Commissioner may at any time ask for a declaratory judgement from the courts regardless of whether the matter in question is within the Commissioner's statutory mandate. The Commissioner also has the power to issue codes of practice that modify any of the legislated privacy principles as long as certain requirements are met. These codes become regulations which are enforceable as such under the legislation.

It is evident that we are well into an age where the marketing of personal information has reached new heights. As Privacy Commissioner Bruce Phillips told us:

We are in fact buying and selling large elements of our human personae. The traffic in human information now is immense. There is almost nothing the commercial and governmental world is not anxious to find out about us as individuals.15

As we travel along the information highway, most of our everyday activities leave an electronic trail that can be stored in numerous databases. Businesses have been only too quick to realise the value of these information holdings and their potential to be tapped into, manipulated and sold without the individual's knowledge or consent. At the same time, governments are seeking leaner, more efficient and cost-effective administrations. As a consequence, we see more and more comparisons and integration of what were once discrete databases. This so-called "data matching" and "data warehousing" is now occurring both within and between governments.

At the federal level, we were astonished to learn that not only are government departments comparing personal information with one another ("data matching"), but that they are even cross-referencing this kind of information between programs within a single department. In terms of intradepartmental information sharing, we are aware that the Department of Human Resources Development Canada has implemented a data matching program with Revenue Canada that uses customs records to catch employment insurance "cheaters" who leave the country while still collecting benefits. Interestingly, when the Department consulted with the Office of the Privacy Commissioner, it received advice not to proceed with the proposed matching program. It was not so much that the Privacy Commissioner did not approve of the data matching per se; it was that persons who gave personal information to Revenue Canada at border crossings were not aware at the time this information was collected that it would be used in the future for purposes other than those for which it was originally presented. It was the violation of this fundamental privacy principle - the right to informed consent to secondary uses of personal information - that concerned the Privacy Commissioner.

Despite the advice of the Privacy Commissioner, the Department went ahead and implemented the matching program. It chose to rely instead on the advice of the Department of Justice that its program was in compliance both with the Privacy Act and with Treasury Board policies and guidelines on data matching.

While we accept that lessening the burden of employment insurance (EI) fraud on the public purse is in the interests of Canadians, we are concerned that people be fully informed in advance, not after the fact, of the uses to which their personal information might be put by government officials. Moreover, we are generally concerned about the negative presumptions that all too often can be drawn from these sorts of matches. As Privacy Commissioner Bruce Phillips once stated:

Computer matching turns the traditional presumption of innocence into a presumption of guilt: in matching, even when there is no indication of wrong-doing, individuals are subject to high technology search and seizure. Once the principle of matching is accepted, a social force of unyielding and pervasive magnitude is put in place.16

Clearly, the current Privacy Act contains little in the way of express controls on data matching. Indeed, if one examines sections 7 and 8 of the legislation, it is not difficult to see how departments, such as Human Resources Development Canada, can find legal support for their data matching activities.

The Department of Human Resources Development has also of late been chastised for its "laissez-faire" attitude about handling sensitive personal information and other security measures at its employment offices.17 We cannot help but wonder how safe is the wealth of personal information (e.g. Income Security Program information, Canada Pension Plan information, Employment Program information, student loan information) contained within this single government institution. Certainly, cross-matching is occurring amongst these departmental programs.18

Where are the "firewalls" and the protective barriers against unnecessary intradepartmental and interdepartmental data matching? Where are the standards for acceptable data matching practices? The holes in the federal Privacy Act appear big enough to drive a truck through, and little more than bureaucratic assurances and goodwill seem to stand between databases residing within a single institution. To use Simon Davies'19 analogy, the lack of effective safeguards here is equivalent to the imposition of a general warrant on all personal information in the hands of the federal government. This practice must be stopped. Data matching in the federal public sector must be justified, and in those cases where it can be justified, there must be strict adherence to the principles of fair information practices that we want to see in a Charter of Privacy.

While there is a blurring of national and international borders in this informational age, the lines between the public and the private sectors are also becoming increasingly fuzzy. Governments are not only looking at ways to share service delivery with other levels of government, but are also looking to the private sector as well. This is all being done with very little consideration being given to privacy protection. In a shared governmental service delivery system, under which government's privacy protection laws would personal information records fall? What happens to the security currently provided by the Privacy Act when personal information is transferred or contracted out to the private sector? Until such time as data protection laws are uniformly extended to the private sector, compliance with the proposed Data Protection Act must be a condition of any privatisation agreement, as is often the case with Official Languages Act guarantees. Moreover, all federal government contracts for services should be required to comply with the provisions of the proposed Data Protection Act.

Needless to say, a carefully crafted piece of data protection legislation is strengthened by effective implementation mechanisms. As we will elaborate below, we do not see any point in re-inventing the wheel in this regard. As spelled out in the proposed Privacy Charter, the Privacy Commissioner of Canada should exercise general oversight and protection of privacy rights within all areas of federal jurisdiction. This does not mean, however, that responsibility for implementation of the proposed Data Protection Act should rest solely with the Privacy Commissioner. There are other players here that must take an active part in ensuring that data protection is not just pious hope - it must also be a reality.

To this end, we believe that under the proposed Data Protection Act, the Treasury Board Secretariat, as a central agency of government, should take responsibility for working with, and monitoring the compliance of, all federal government institutions. In the same vein, we believe that Industry Canada should work with, and monitor the compliance of, all Crown corporations and the federally-regulated private sector under the proposed legislation. The Privacy Commissioner would then be responsible under the proposed Act for working with and monitoring the compliance of Parliament, all federal agencies, boards, commissions and other government institutions. The Commissioner would also be ultimately responsible for ensuring the enforcement of the proposed Data Protection Act across the federal spectrum.

B. New Technologies and Other Specific Measures

When the Committee undertook this study, we focused on the threat to privacy posed by three new technologies: genetic testing, smart cards and video surveillance. Our meetings, both the roundtables and the townhalls, revealed to us that these three technologies raise critically important and complex issues. Our consultations also convinced us that each of these three technologies needs to be addressed immediately but perhaps treated differently.

We recognise that the federal government does not have complete jurisdiction over the regulation of these technologies. That does not, in our view, excuse the Government of Canada from exercising leadership and foresight in finding appropriate ways to protect the fundamental right of privacy as Canadian governments and the private sector grapple with ways to deal with physical monitoring, biological surveillance and personal identification practices.

It is also important to point out here that we believe that technologies can, in fact, be a force for social good. This is not just a matter of using existing genetic, video and biometric technologies in an appropriate way. It is also a matter of proactively promoting the development of technologies that can empower individuals and protect their privacy.

1. Biometrics

The issue of appropriate personal identification systems has bedeviled business and governments for decades. When the federal government introduced the social insurance number (SIN), issues about its possible abuse were raised but the government felt quite confident that those fears were not well founded. Although in the recent past, the federal government has greatly restricted its own requests for the SIN number, the government's expectations proved to be quite wrong. By then, however, the cat was out of the bag, because the business community and other levels of government already were using the social insurance number of individuals for purposes that its originators had not intended.20 There still is no prohibition against people, businesses, or non-federal institutions or governments demanding an individual's SIN number, although a person can refuse if he, or she, wants to - or is allowed to.

Traditional biometric technologies such as digitized handprints that allow access to databases raise serious privacy problems because of the link between the individual and a unique number that is unquestionably that particular person. These are more definitive and indisputable links than even a social insurance number can provide. The dangers of biometric technologies arise with the temptation that they present for data matching, especially in the provision of government services.

The Committee believes that the introduction of biometric identification systems to provide access to various services raises enormous questions of privacy and human identity that need to be addressed now. For example, these technologies should be carefully regulated. Such systems should be introduced only for specific purposes and other uses should be strictly prohibited.

We were pleased to have had the opportunity to speak with the Privacy Commissioner of Quebec, Paul-André Comeau, about an experiment with microcircuit, or smart, cards in the Rimouski area that were used to store different types of health information: administrative, emergency, vaccination history, medical records and medical information.21 His cautionary words convinced us of the value of pilot experiments before any large-scale introduction of similar cards within the area of federal jurisdiction.

Our decision-makers do have choices. For example, smart cards do not have to store data but can simply store the key that allows an individual - and no-one else - to gain access to data banks elsewhere. Should there be over-rides that permit others' access in certain restricted circumstances?

2. Genetic Testing

The implications of genetic testing touch the issue of discrimination, and basic justice. The very first concern must be to address the issue of what actions are ethical and which are unethical. Genetic testing issues are unique among all the questions related to new technologies that we considered. The personal characteristics that are revealed through DNA testing set it apart in nature and in importance from biometric identification and video surveillance. What distinguishes it is not just the potential for predicting the onset of disease for the individual but its intrusive nature. Any genetic test of an individual provides similar information about his or her children, siblings and parents. The ownership issue is critical and each individual should retain ownership and control of his or her own genetic information.

This Committee shares the strong consensus which emerged from our consultations that an overarching human rights framework must guide all decisions regarding the human genome. We also believe that Canada needs very separate and special protections to regulate the collection, use and ownership of genetic information because of its very private, personal nature and its potential intrusiveness. Privacy legislation is essential but not necessarily sufficient because of the power that genetic information can provide to the holder of the information and the unequal power relationship between the individual and commercial interests, like insurance companies, who may be requiring genetic tests. This Committee believes that insurance companies need to establish a balance between the information that is truly essential for insurance underwriting and the basic equity in society where people are not discriminated against on the basis of susceptibility.22 Human rights legislation is also necessary to protect individuals against adverse discrimination on the grounds of their genetic inheritance. What is required is a comprehensive approach that involves privacy, human rights and also specific prohibitions against genetic testing except under particular, and well understood circumstances. This Committee tends to share Margaret Sommerville's view that the basic premise should be that there is a basic presumption against genetic testing unless it can be justified under very specific conditions and circumstances.23

Other countries are grappling with the same problem. The member countries of UNESCO will be considering a draft declaration on the human genome. We know that the United States Congress and many American state legislatures are discussing genetic privacy and other protective bills. People with genetic disorders are also protected under the Americans with Disabilities Act. In addition, there are model acts proposed in the United States that, for example, hold companies that carry out genetic testing and their staff liable unless they are assured that a genetic test has been carried out voluntarily. Several European countries have legislation that prohibits the use of genetic information for insurance purposes.

In the United Kingdom an advisory committee on genetic testing has been established. This approach, embodied in a federal/provincial/territorial committee, could look into the issue of quality control and the reasonableness of particular genetic tests in the areas of insurance and employment. The structure of human rights commissions might be an appropriate model. There is an important distinction, however, because human rights commissions work reactively and any body with authority to deal with genetic testing must be proactive and have the power to prohibit any particular test.

The very fundamental question that needs to be addressed is the requirement for different treatment than other health information. This issue must be dealt with in the near future because it will become increasingly difficult to distinguish health data from genetic data. Genetic information cannot be dealt with like health information because it is both qualitatively and quantitatively different.

3. Video Surveillance

This Committee has come to the conclusion that the Government of Canada should move quickly to introduce legislation to protect Canadians from unwarranted, surreptitious video surveillance. Representatives of the private security industry told us that the industry has failed in terms of applying moral, ethical and other standards to itself. The industry is motivated by profits. Obviously, a licensing system to purchase equipment would not be appropriate given that any member of the public can purchase surveillance technology from catalogues.24 In addition, there are no standards and guides on the storage and use of, and access to, videotapes. Video surveillance is one area where a strong consensus about the need for legislative action emerged from our consultations.

Technological developments in the video field permit ever more intrusions into personal privacy. For example, computerized facial recognition, which is in its infancy, permits video images to be scanned into a computer and whenever the same face is seen by a video camera, it will track the appearances of an individual in a series of locations.

We know that most video surveillance takes place on private property and therefore does not fall within the purview of federal legislation. At the same time, it has gone beyond the purview of dealing with national security interests and law enforcement agencies. Because it is cheap and easy to install, it is being used by employers, commercial interests and service providers. Nonetheless, we believe that it is important that the Government move quickly to amend the Criminal Code to provide an enforcement mechanism and penalties to deter abuse wherever possible. The justification for warrants under the Criminal Code might be narrowed so that intrusive surveillance by the police can be authorized only where there is a serious national security issue or imminent peril to life and limb. On the other hand, the offence provisions of the Code regarding the interception of private communications must be broadened to cover surreptitious video monitoring.

4. Privacy Enhancing Technologies

The Committee believes firmly that technology should adapt to privacy rights and not the other way around. We also know the futility of pretending that our society can stem the pace of technological change - but we can make technologies work for us. One method of ensuring this is the encouragement of privacy enhancing technologies. Like legislation, these take as their starting point the problem of the collection and use of personal data. In order to protect privacy, these technologies must limit or eliminate the collection of personal information and still ensure that personal information can flow without the risk of unauthorized use or interception.

These technologies can, for example, provide an individual with a means of controlling the information that is collected by the use of encryption that can protect information in sensitive databases. Regarding biometric identification systems, for example, finger patterns are unique but retaining an actual copy or fingerprint is not necessary to develop the access code. Encryption technology allows the conversion of finger patterns to an algorithmic code with no connection with the finger pattern whatsoever. It disguises the number so that it is unreadable without the finger pattern and the fingerprint itself is not stored anywhere in the process. Privacy enhancing technologies can permit personal data to be rendered anonymous. They can, therefore, enhance an individual's privacy without limiting access to information.25 Technology can also encrypt the data on a smart card so that a finger pattern becomes the key to the information on the card.

The system can protect the privacy of the individuals and at the same time reduce fraud.26 The problem is to ensure that private enterprise uses privacy enhancing technologies and this might best be achieved in legislation. Abuses of stored personal information can be better dealt with. For example, tracing systems can provide a better way of tracking who has been accessing the information. But Canada has only a limited opportunity to influence the development of privacy enhancing technologies because much of the technology is foreign-made and imported to Canada from many different countries.

There is a huge task of education ahead with regard to privacy enhancing technologies. Not only does the public need to know what they are and how they can help preserve individual privacy, but also businesses and technology developers and promoters need to understand the potential - social as well as economic - of these developments. Both sides can benefit and privacy enhancing technologies can meet the needs of all three parties.

5. Public Awareness, Consultation and Education

A consistent theme of this report from its introduction to its conclusion has been the critical need for public awareness and education with regard to privacy rights and democracy in general, and the implications of new technologies and their impact on human rights and privacy, in particular. During our initial roundtables we heard that the level of knowledge was so low that in itself, it has become a threat to privacy rights. How can we understand our world, if we do not understand the implications of technological development? In reality, this Committee needed no convincing. But it was gratifying to see that our consultation process itself became an educational tool and we believe that the process we undertook needs to continue. Governments at all levels have a role in this; the media have a part to play; the private sector must be involved; privacy commissions need the capacity for outreach; educational institutions have an obligation to teach ethical behaviour to their students.

Education is the only way that individuals can be empowered to make choices. People need to know that they do not have to provide their social insurance number under many circumstances. They are under no obligation to provide personal information on warranty cards. They can refuse to allow businesses to share information about them by filling in an opt-out box. In many ways, education is the major way to restrict the dissemination of personal information and to prevent secondary uses - a major concern raised during our consultations. Businesses need to know that it is to their advantage to respect the wishes of their customers with regard to personal education. There is an opportunity for a competitive edge.27

The education function is perhaps one of the most neglected elements related to privacy. The resources of the federal and provincial privacy commissions are very scanty. The Privacy Commissioner of Canada has no budget for this purpose. This Committee has come to the conclusion that obligations to perform this task must be more formalised.

C. Enhanced Role of the Federal Privacy Commissioner

As noted in Chapter 2 of the report, the title of the current Privacy Act is a misnomer. In setting out the minimum standards for the collection, use, disclosure and disposal by federal government institutions of clients' and employees' personal information, the law deals only with data protection. Broader privacy issues, such as genetic testing, electronic surveillance in the workplace and biometric identification are not covered. Any ongoing work on the privacy implications of these new technologies is due to the commitment and, to a large extent, initiative, of the previous and current Privacy Commissioners, and their staff, and not to any suitable legislative mandate.

The Privacy Act is not only limited in scope, but also in its application and enforcement provisions. Despite recommendations made in March 1987 by the House of Commons Standing Committee on Justice and Solicitor General in its report Open and Shut28 and undertakings made by the federal government of the day in its response, The Steps Ahead, in October 1987, the limitations remain.

In Open and Shut, the Standing Committee recommended, among other things, that the Privacy Act be amended to include a mandate for public education; that the Act be extended to all government institutions, Crown corporations and their wholly-owned subsidiaries, and the federally-regulated private sector; that the Privacy Commissioner have the power to issue binding orders and that civil remedies and criminal penalties be awarded for breaches of the legislation; that the Act be amended to explicitly deal with electronic surveillance, drug tests and polygraphs and that the Privacy Commissioner monitor developments in these areas. In response to these recommendations, the federal government of the day undertook only to give the Privacy Commissioner a public education mandate and extend the Act to Crown corporations.29 Neither of these undertakings was implemented.

With respect to the other recommendations, the government of the day felt that there was no justification for additional sanctions in the Privacy Act as ample administrative remedies already existed within the legislation. As well, the government felt that it would be inappropriate to amend the Act to deal with topics such as drug testing, electronic surveillance and polygraphs since these issues extended beyond data protection. The then government stated that it would monitor developments in this area.

Finally, a key recommendation, to extend the reach of the Privacy Act to the federally-regulated private sector, was not accepted. Since 1987, however, international and commercial pressures, such as the European Union's Directive, have interceded and the current federal Minister of Justice, Allan Rock, has announced that the government aims to have effective, enforceable privacy protection federal legislation in place by the year 2000 and that it will extend to the private sector.30

Clearly, privacy in its broadest sense is a widely-accepted fundamental value in this country that is worthy of proper legislative protection. The principles set out in our proposed Privacy Charter must not only be reflected in all federal legislation pertaining to issues of privacy, but also require that a strong, independent mechanism be put in place to oversee and ensure the full implementation of these laws. While this mechanism already exists to some extent in the form of the federal Office of the Privacy Commissioner, we do not feel that it is being utilised to its maximum potential. The mandate of this office must be both broadened and significantly strengthened - to this end we propose that new legislation, to be known as An Act Respecting the Office of the Privacy Commissioner of Canada, replace the current Privacy Act.

The Office of the Privacy Commissioner must have the power to deal with all privacy issues within the federal public and private sectors, and it must have adequate enforcement mechanisms at its disposal to carry out this oversight role. We propose that consideration be given to granting the Commissioner powers to enable him or her to react to perceived privacy invasions by means of a complaint investigation and resolution process that would include review mechanisms in the form of an administrative tribunal and the provision for judicial review.

Privacy invasions cannot, however, always be addressed in isolation, on a case-by-case basis. Sometimes a broader, more proactive approach must be adopted. To this end, we believe that the Privacy Commissioner should play a role in assessing the privacy implications of new technologies. This would have the benefit of identifying risks before systems develop, with obvious cost savings. As well, we believe that the Privacy Commissioner should be able to initiate his or her own privacy investigations through the use of privacy audits.

While it may be necessary in some cases to ensure compliance by means of complaint resolution and coercive measures, these mechanisms are rarely effective in the resolution of human rights issues. Persuasion and education are still the best methods of achieving our privacy objective and this has clearly been the tack taken by Privacy Commissioner Bruce Phillips. We do not wish to diminish these privacy enhancing tools. They are still a vital part of the process. As was recommended in Open and Shut,31 a public education mandate must therefore be accorded to the Privacy Commissioner and this mandate must be spelled out in the new legislation.

In order for the Privacy Commissioner to adequately carry out his or her new duties and responsibilities under the proposed Office of the Privacy Commissioner Act, sufficient resources must be made available. Failure to fund and staff an office that is already stretched to the limit in terms of meeting its current mandate, would only render the proposed powers and responsibilities of the Office of the Privacy Commissioner meaningless.

Finally, the introduction of a new Privacy Act cannot be undertaken without an open and broad public consultation process. The message that we heard loud and clear across this country was that the speed with which we need comprehensive privacy protection legislation should not be used as a reason to run roughshod over the need for public input and collaboration. Moreover, it is vital that this public consultation or dialogue continue after the enactment of new privacy legislation. We therefore believe that a mechanism for regular public review should be contained in the proposed Act.

CONCLUDING REMARKS

The Members of this Committee have come to understand that privacy rights in Canada are in danger. The threat is not from a mighty, untameable monster called "technology" but from us, if we blindly join behind the steady march of technological "progress." In Bruce Phillips' words, the potential harm is: "the tyranny of ignorance, of unthinking acceptance of technology without regard to the consequences."32

We believe the time has come for governments to exercise greater vigilance to ensure "technology" and "progress" are not contradictory notions - that technological progress and social values develop synchronistically. Technology and its impact on privacy rights provide a prime example of a field where this work, this readjustment, must take place immediately.

David Flaherty once wrote: "Privacy is like freedom; we do not realize its importance until it is taken away."33 The more our privacy erodes, the more high-tech surveillance permeates every facet of our daily lives, the more we come to prize our right to privacy and to understand that, indeed, it is a fundamental human right. Unfortunately, the more privacy we give up, the more we also come to realize the truth in Bruce Phillips' admonition that privacy is not a renewable resource, once lost it cannot be recaptured.

We hope that this report will convey a strong sense of both the urgency and importance of developing suitable means to protect privacy rights in Canada. It offers a useful strategy and realistic ground rules to pull privacy rights out of their downward spiral.

Ultimately, this report is about taking privacy seriously as a human right. To do that, we must invoke recent history and remind ourselves why the right to privacy was entrenched in the Universal Declaration of Human Rights and subsequent human rights instruments. Otherwise, we may be seduced into believing that privacy is simply a consumer rights issue that can be fixed by a few codes of conduct and some new, privacy enhancing technology.

The stakes are very high. If we lose sight of the rights-connection, and if we do not use a rights-based approach to safeguard our privacy, we will embark down a slippery slope that diminishes other fundamental rights, such as the freedoms of association and expression. For, as German law professor Spiros Simitis pointed out to American law students over 10 years ago: "(C)onsiderations of privacy protection involve more than any one particular right: they determine the choice between a democratic and an authoritarian society."34

If we let technology, convenience and efficiency dictate the limits of privacy rights in Canada, we will have a very orderly country. But, in the process, we will lose something fundamental to democracy - individual autonomy and dignity - and "Big Brother" will have triumphed.


1
Toronto Star, 10 May 1996.

2
Ursula Franklin, Stormy Weather.

3
Evidence, 36:16

4
Government of Canada, Building the Information Society: Moving Canada Into the 21st Century, Supply and Services Canada, Ottawa, 1996, p. 25: "As a means of encouraging business and consumer confidence in the Information Highway, the ministers of Industry and Justice, after consultation with the provinces and other stakeholders, will bring forward proposals for a legislative framework governing the protection of personal data in the private sector." (This undertaking is part of the federal government's response to the Information Highway Advisory Council's Final Report, Connection, Community, Content - The Challenge of the Information Highway, released September 1995.)

5
House of Commons, Standing Committee on Justice and the Solicitor General, First Report, Open and Shut: Enhancing the Right to Know and the Right to Privacy, 2nd Session, 33rd Parliament, March 1987, p. 91.

6
Hogan v. The Queen, [1975] 2 S.C.R. 574 at 579, Laskin, J. stated, "The Canadian Bill of Rights is a halfway house between a purely common law regime and a constitutional one; it may aptly be described as a quasi-constitutional instrument."

7
Evidence, 21:14-15

8
W. S. Tarnopolsky, "Discrimination and the Law in Canada," UNB Law Journal / Revue de droit de l'UNB, Vol. 41, 1992, p. 215 at 228: "By 1975, every province in Canada had established a Human Rights Commission to administer antidiscrimination legislation and, in 1977, the Canadian Human Rights Act established a federal commission. With minor variations, all the legislation is similar except that Saskatchewan and Quebec have additional protections."

9
Evidence, 34:24-25

10
The European Union Directive on Data Protection requires all member countries to adopt or adapt national data protection laws to comply with its provisions. Specifically, Article 25 prohibits member countries (and businesses within those countries) from transferring personal information to non-member countries, such as Canada, that do not adequately guarantee protection of that information.

11
Colin Bennett, "Rules of the road and level playing-fields: the politics of data protection in Canada's private sector," International Review of Administrative Sciences, Vol. 62 (December 1996), p. 486.

12
See p. 30 of the text.

13
The following information on the New Zealand legislation is taken from Ian Lawson's, Privacy and the Information Highway: Regulatory Options for Canada, A Study Prepared for Industry Canada, 1995, p. 21-22.

14
The New Zealand Commissioner's approval is required for any data matching operations other than some pre-approved government programs. The complaints review tribunal under the legislation can hear appeals where the Commissioner has refused to approve a data matching operation.

15
Evidence, 15:12-13

16
Privacy Commissioner of Canada, Annual Report, 1985-86.

17
Globe and Mail article, April 14, 1997.

18
Privacy Commissioner, Annual Report, 1995-1996.

19
Evidence, 22:21

20
Evidence, 24:23

21
Evidence 21:11. The smart card experiment in Quebec was launched by the Regie de l'assurance-maladie du Quebec with the collaboration of researchers from Laval University and medical practitioners. It covered approximately 7,500 people, the majority over 60 years of age, pregnant women and babies under 18 months.

22
Evidence, 28:32

23
28:17

24
Evidence, 27:23-27

25
Evidence, 29:5

26
29:17-26

27
Evidence, 21:16-18

28
Section 75 of the Privacy Act required that the administration of the Act be reviewed on a permanent basis by a Committee of Parliament and that this review be undertaken within three years of proclamation of the Act and be completed within a year of that date. The Standing Committee on Justice and Solicitor General was the parliamentary committee that carried out this review in 1986 and 1987.

29
The Steps Ahead, 1987, p. 15 and 55.

30
Address by the Honourable Allan Rock, Minister of Justice and Attorney General of Canada to the Eighteenth International Conference on Privacy and Data Protection, Ottawa, September 18, 1996.

31
The Committee on Justice and Solicitor General proposed in recommendation 2.1 of Open and Shut that for the purposes of clarification, the Privacy Act must mandate the Treasury Board and the Privacy Commissioner to foster public understanding of the Act and of the general principles contained therein. It also recommended that education must be directed towards both the general public and the personnel of government institutions and it is in the latter area that the Treasury Board would play a key role.

32
Privacy Commissioner of Canada, Annual Report 1995-96, Office of the Privacy Commissioner, Ottawa, 1996, p. 1.

33
David Flaherty, Entrenching A Constitutional Right to Privacy for Canadians: A Background Paper (part of the Privacy Commissioner of Canada's submission to the Special Joint Committee on a Renewed Canada, 1991), p. 2.

34
Spiros Simitis, "Reviewing Privacy in an Information Society," University of Pennsylvania Law Review, No. 135, March 1987, p. 707 at 734.

