You Might be Interested In

The Privacy Act, the federal privacy law requiring federal government bodies to respect individual privacy rights, hasn’t been substantially updated since 1982 – the same year the Commodore 64 was released and we stopped calling July 1 Dominion Day. What’s interesting about these changes is they could be implemented immediately and relatively easily – and the benefit to Canadians would be a privacy law that is modern, responsive and efficient.

As readers of this blog will know we are quite fond of the Top Ten list. So today, we present you with our list of the Top Ten fixes for the Privacy Act:

10. Parliament could create a legislative requirement for government departments to show the need for collecting personal information.

9. The role of the Federal Court could be broadened to review all grounds under the Privacy Act, not just denial of access.

8. Parliament could enshrine into law the obligation of Deputy Heads to carry out Privacy Impact Assessments prior to implementing new programs and policies.

7. The Act could be amended to provide the Privacy Commissioner with a clear public education mandate. PIPEDA contains such a mandate for private sector privacy matters. Why shouldn’t the Privacy Act for public sector matters?

6. The Act could provide the Privacy Commissioner with greater flexibility to report publicly on the government’s privacy management practices. As it now stands, we are limited to reporting by way of annual and special reports only.

5. The Act could grant the Commissioner greater discretion at the front-end to refuse complaints or discontinue complaints if the investigation would serve no useful purpose or is not in the public interest. This would allow the OPC to focus our investigative resources on those privacy issues that are of broader systemic interest.

4. Parliament could amend the Act and align it with PIPEDA by eliminating the restriction that the Privacy Act applies to recorded information only. At the moment, personal information contained in DNA and other biological samples is not explicitly covered. (But fingerprints are, in case you thought otherwise.)

3. Parliamentarians could strengthen the annual reporting requirements of government departments and agencies under section 72 of the Act, by requiring these institutions to report to Parliament on a broader spectrum of privacy-related activities.

2. The Act could be amended to provide for regular five-year reviews of the legislation, as is the case with PIPEDA.

1. Finally, the Act currently does not impose a duty on Canadian government institutions to identify the precise use for which personal information is being disclosed abroad. An amendment to the Act could require the Canadian government to not only identify the precise use for the transfer of personal information to foreign states, but ensure that adequate measures are taken to maintain the confidentiality of shared information.

Read this for more information.

Last Saturday, the French newspaper La Presse published an article about the Nexus program. The article, written by Jean-Philippe Brunet from Ogilvy Renault, highlights the advantages of the program; in particular, its capacity to save travelers some time.

Nexus

The program is an agreement between Canada and the United States to share voluntarily given personal information to produce an identity card that makes the process of crossing the border less of a hassle.

To participate, you simply have to fill out a form that asks for all your addresses, your employment history from the last 5 years, $50 in administration fees and copies of your passport, your driver’s licence (front and back), and your birth certificate. Once the form is filled and signed, it is then evaluated by both countries that decide if you make it to the next (heavy duty) step – an interview where you will be fingerprinted and have your iris scanned. Pass this test and you’ll receive your Nexus Card that will enable you to “go home earlier and spend time with your family or catch up on your sleep”.

The Issue

In Canada, your personal information is yours and the government has to ask you permission to share that information with a third party. Not so in the U.S. In fact, the minute you sign that form, you are authorizing the U.S. government, under section 215 of the PATRIOT Act, to obtain any document or personal information under terrorist claims without your consent or knowledge and to share that information with whomever they chose. (The Information and Privacy Commissioner for British Columbia has published a report on Privacy and the PATRIOT Act as well.)

It’s for you to decide: catch up on your sleep, or have peace of mind knowing your personal information is safe and not shared with anybody.

Two weeks ago, the provincial government of British Columbia announced that it would be making enhanced driver’s licences (EDLs) available to eligible B.C. residents. These licences – a first in Canada – would be recognized as an alternative to a passport at the Canada-U.S. border.

What makes them “enhanced”? The B.C. version of the EDL will feature a Canadian flag, a special code used by border authorities, and most importantly, a radio frequency identification (RFID) chip. These chips contain unique identifier numbers which can be read by RFID scanners at U.S. border entry points.

While the RFID chips in B.C.’s EDLs will only contain unique identifier numbers, it is possible to store other types of personal information on these chips. The technology also makes it possible to track the movements of individuals carrying driver’s licences enhanced with RFID chips.

The potential for misuse of personal information or a breach of security exists, and as other provinces consider whether they want to implement their own EDLs, there’s a need for a public discussion about those risks.

Today, Canada’s information and privacy commissioners kick-started that discussion by issuing a joint resolution outlining the steps that will need to be taken to ensure that the privacy and security of our personal information are respected if and when EDL programs are implemented. (You can also read the news release here.)

“We have a saying in this business: ‘Privacy and security are a zero-sum game.’”

This quote is attributed to Ed Giorgio, a former chief code breaker at the National Security Agency and current security consultant who is working on a plan proposed by the American government to closely monitor all Internet traffic in order to protect their information architecture from attack.

It’s not an uncommon belief among security experts that privacy and security are at opposite ends of a spectrum – in order to have one, you have to give up the other.

The problem with this perspective, though, is that it ignores the complementary nature of the two. As security guru Bruce Schneier responds, “Privacy is part of our security against government abuse.”

Worse, perpetuating this myth forces people to take one side over the other. If you want to protect your country from a crippling attack on its information architecture, you shouldn’t mind having your Google searches and personal emails scanned – or so the logic goes. The flip side of this logic implicates privacy advocates and defenders of civil liberty as ambivalent to national security concerns, or worse, traitors to their country.

It seems the better approach is to recognize that privacy and security can happily co-exist and that governments can develop policies that respect and protect the privacy of its citizens while ensuring national security against the threat of attack.