The Acting Information and Privacy Commissioner, Paul Fraser, to his credit, has pointed out the governments inability to protect personal information. This was shown in a report, dated February 9, 2009 (I believe they mean’t 2010), from the Office of the Information and Privacy Commissioner for BC, on an investigation on the large-scale privacy breach by the Ministry of Children and Family Development (MCFD). In the report “Commissioner Fraser found MCFD and MHSD failed to make reasonable security arrangements to protect personal information from risks such as unauthorized access, collection, use, disclosure or disposal as required by the Freedom of Information and Protection of Privacy Act (FIPPA). In addition, “Commissioner Fraser found a troubling lack of knowledge within the Ministries about the rules respecting the protection of personal information”. So, not only do they not protect personal formation, they don’t even know the privacy rules.
Some of the recommendations in the report by the Special Committee to Review the Freedom of Information and Protection of Privacy Act (based on recommendations of various groups/individuals) are:
Recommendation 20: Amend the Act to allow an individual to consent to the collection, use and disclosure of their personal information by a public body (similar to the Personal Information Protection Act).
“OIPC and privacy advocates….questioned whether the concept of consent was meaningful because of the power imbalance between the clients and providers of on-line, integrated government services.”
This was from OIPC – Cantelon letter 21 Apr 10 – From Paul Fraser under Consent, Collection and Disclosure:
“We strongly disagree with government’s submission that FIPPA should permit collection of personal information with consent. One of the internationally recognized privacy principles is that the collection of personal information must be limited to that which is necessary for the purposes identified by the organization. Permitting government to collect more than is necessary via a consent mechanism violates this privacy principle and would be inconsistent with all other public sector privacy legislation in Canada. Any “consent” would be meaningless given that citizens would not have any genuine or real choice to consent if they want or need to obtain government services.”
As you will note in a later post on the children, this can result in a situation tantamount to blackmail, i.e. give us your consent or we will deny you medical service.
Recommendation 22: Consider holding public consultations on data sharing initiatives.
The OIPC submission, presented to the Special Committee on March 31, 2010, also focused on the privacy provisions of the Act. The submission pointed out that new information technologies enable data sharing initiatives on a scale and frequency that were never contemplated at the time the Act was drafted. The new ways in which the personal information contained in electronic databases is being collected, used and disclosed in data sharing projects raise significant privacy issues. When there is a bulk disclosure of personal information from a large database of one public body to another public body, citizens usually do not know how their personal information is being reconfigured, who is accessing it, for what purpose, whether it is accurate and how they can access it. This is particularly true where the transferred data is linked with personal information in other databases.
For this reason, the OIPC argued the public must be engaged in discussions around protecting privacy rights in data sharing projects. Its submission recommended that a code of practice be
developed by government in an open and transparent manner with stakeholder consultation through something like a White Paper process. A public consultation process on data sharing was successfully conducted by government and the Commissioner’s office in Britain in recent years.
The Special Committee supports the idea of a consultation process because we see it as a way to educate British Columbians on how the Act works now and how requests are treated by public bodies. We have concerns, though, about the prescriptive tone and broad scope of this OIPC amendment (as well as the one requiring the Commissioner’s approval for data-sharing initiatives).
Our own recommendation to government in regard to consultation is more modest.”
“Recommendation 23: Appoint a Government Chief Privacy Officer.
The OIPC submission also stated that a government-appointed Chief Privacy Officer is urgently required to act as a privacy advocate in the decision-making process and to ensure that privacy is fully considered and respected in any new initiative. This recommendation had been made by the former Information and Privacy Commissioner, and the current A/Commissioner in his investigation report into a recent privacy breach.
While the Special Committee is reluctant to create a new layer of bureaucracy, we think there is a need to educate ministries about what they can and cannot do in regard to privacy matters.”
If the public servants haven’t learned to read, to take courses or have an interest in protecting privacy by now, or interprets the Privacy Act in a self-serving way, I wonder if adding another layer of government bureaucracy will have any value. I still believe that we need transparency. I believe the public servants need to know we are monitoring them, holding them accountable. We need to know exactly what information is being collected, why it is being collected, specifically who has access, and specifically what measures are taken to protect that information. This should be followed up by independent reviews.
“Recommendation 24: Amend the Act to require that data sharing projects for the purpose of research must be subject to ethics review by an arm’s length stewardship committee.
The OIPC submission suggested too that some form of specific ethics review is necessary and desirable for government’s data sharing activities for the purposes of research. Complementary research-governance measures should be adopted in addition to the approval role for the OIPC. A committee of experts should be appointed by government that would function in a manner similar to research ethics boards of universities and the stewardship committees of the Ministry of Health Services. It would apply the criteria in s. 35(1) of the Act and such other criteria as are considered desirable in the committee’s terms of reference. The committee’s approval should be a mandatory precondition to disclosure of personal information by any public body for research purposes.”
This comes back to transparency and accountability. A committee of unknown individuals, agreeing to share our information with unknown research organizations, for unknown purposes – unknown to the individuals whose information will be shared. Why not recommend that consent be obtained from the people whose information is being shared? Why not identify who the researchers are, who they work for, what type of research they are doing with our information, and who will have access to our information, and who profits. After all, who selects these committees – not us!! Whose interests will these committee members serve? And if everything is above-board, then there is no need to hide this information. I just see this as another form of secrecy, and if you have secrecy you must have something to hide, and that may be fine, if it’s your information but it isn’t, its ours.
And from BC Office of the Privacy Commissioner – 2010 Annual Report News Release
“The risks to privacy presented by the growth of networked databases is a growing concern for public and private sector agencies, and a key challenge for the Office of the Information and Privacy Commissioner. This message was delivered in the office’s annual report, issued by Acting Information and Privacy Commissioner Paul Fraser, Q.C. today. “The erosion of privacy protection is nothing new, but the nature and magnitude of the risks to privacy provide increasing cause for alarm.”
New technologies are enabling, and driving the creation of more and more personal information data bases. “These systems collect and match disparate pieces of information about us and create a digital persona that not only may we be unaware of, but which may not represent an accurate picture of who we are,” the Acting Commissioner stated. “Yet this information will be used in decisions that affect us. I cannot understate the urgency of building these systems in a transparent, restrained and accountable way.”
Perhaps the first questions should be – do we (the patients, the citizens) need these systems, and who benefits.
I have not heard what the government will do. It can ignore all recommendations, or some recommendation; in essence it can do what it wants.