The Privacy Commissioner of Canada has tabled her annual report on the Privacy Act in parliament today. The Commissioner notes that the Privacy Act became law when the Commodore 64 was new on the shelves and is getting long in the tooth.

Canadians continue to think personal information not well protected: Tabling of Privacy Commissioner of Canada’s Annual Report on the Privacy Act

October 17, 2007

Canadians continue to think personal information not well protected: Tabling of Privacy Commissioner of Canada’s Annual Report on the Privacy Act

Ottawa, October 17, 2007 — Canadians overwhelmingly feel their personal information is less well protected than it was a decade ago, and they are right to be worried, says the Privacy Commissioner of Canada, Jennifer Stoddart.

Commissioner Stoddart’s 2006-2007 Annual Report on the Privacy Act was tabled today in Parliament. At the same time, the Privacy Commissioner’s Office released new research confirming that Canadians are unsure of how their personal information is protected, and by whom.

Increasingly, Canadians’ personal information is being exchanged with law enforcement and security agencies in other countries. The government has claimed that this transborder flow of information will improve transportation safety and enhance our national security. “We are particularly concerned about the number of travel-related security programs that have been put in place,” says Commissioner Stoddart. “Parliament may not be sufficiently informed about how these programs work and their individual and collective impact on the privacy rights of Canadians.”

The increased collection of personal information under these programs increases the risk that Canadians will be the victims of inappropriate data matching, intrusive data mining, or the unintended consequences of the disclosure of personal information. This increases the risk of surveillance, rendition and unwarranted attention from law and security enforcement both at home and abroad.

These concerns could be addressed, in part, by a review and modernization of the Privacy Act. As the Annual Report notes, “Parliament passed Canada’s public sector privacy law back in 1982 – the same year the Commodore 64 computer hit the market. At the time, both were considered pioneering.”

The Privacy Act, unfortunately, is not equipped to deal with the pressures imposed by tremendous technological change. In fact, Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act, provides more protection for Canadians.

As the results of an audit of the government’s Privacy Impact Assessment (PIA) Policy confirm, government departments are not doing enough to protect Canadians’ personal information as they plan new programs or redesign existing programs.

“While we did not identify cases of pervasive non-compliance, many institutions are not fully meeting their commitments under the policy and, by extension, the intent or spirit of the Privacy Act,” says Commissioner Stoddart.

Under the PIA policy, federal institutions are required to assess the potential privacy risks of programs before they are implemented. These institutions must also identify the measures in place to protect personal information as it is collected, stored, used, disclosed and ultimately destroyed.

The Office of the Privacy Commissioner audit found that some institutions made serious efforts to apply the PIA policy but many are lagging behind. PIAs are sometimes completed well after the program has been implemented and, in some cases, not done even when potential privacy issues are evident.

“Privacy protection should be a key consideration in the initial framing of a program or service,” says Commissioner Stoddart. “Current PIA reports offer little assurance to Canadians who want to understand how a government service or program will affect their privacy.”

Canadians not only want to be reassured that their personal information is being protected; they also want to be informed when it is disclosed inappropriately.

Research conducted for the OPC shows that a majority of Canadians (seven in ten) expect to be informed if a security breach leads to the disclosure of information – whether that information is sensitive or not.

That research, a survey of 2,001 Canadians conducted by EKOS Research Associates earlier this year but released for the first time today, also found that:

• Seven in ten Canadians feel their personal information is less protected than it was ten years ago.
• A bare majority of Canadians agree that they have enough information to know how new technologies might affect their personal privacy.
• About seven in ten Canadians believe that they are doing a relatively good job of protecting their own personal information.
• Despite this, almost half of Canadians (46 per cent) carry a Social Insurance Number (SIN) card in their wallet, although this number is a key piece of information used by identity thieves.

“These survey results underline that we – my Office, privacy advocates, regulators and consumer protection authorities – have to work harder to reassure Canadians that their privacy rights are protected,” says Commissioner Stoddart. “We also have to give them the information and tools so they can better protect their own information.”The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.

To view the reports:

• Annual Report to Parliament 2006-2007 – Report on the Privacy Act (Adobe format)
• Backgrounder: Findings of a 2007 poll commissioned by the Office of the Privacy Commissioner of Canada
• 2007 EKOS Research Associates survey: Canadians and the Privacy Landscape
• Assessing the Privacy Impacts of Programs, Plans, and Policies (Adobe Format)

Labels: privacy, privacy act, surveillance