Existing laws, policies and practices are insufficient to meet the twin challenges of protecting individual privacy and providing public access to information in the digital age. “Bold leadership” is needed from the federal and provincial governments to safeguard citizens’ privacy and access to information. That’s the message of a joint statement from Canada’s privacy and information commissioners, following their 2014 annual meeting.
…official communications are increasingly done using technologies that did not exist at the time most privacy and access laws were enacted; organizations are generating unprecedented volumes of information that they must organize, store, search and secure, so as to both facilitate legitimate access and prevent unauthorized disclosures; technologies are changing the nature of government records and challenging traditional information management practices. [Emphasis added]
New technologies, new challenges
Countless new technologies can collect a person’s private information. Biometrics, wearable computers, body cameras, drones, behavioural advertising, and more, make it easier to gather information than to properly protect it. According to the privacy and information watchdogs:
Only responsible, strong and effective information management infrastructures and practices will allow governments to seize digital opportunities and fundamentally change how they serve the public in a more cost-effective, transparent, responsive and accountable way.
A strong recommendation for privacy and access
The group recommends Canada’s governments:
- Embed privacy and access rights into the design of public programs and systems.
- Require government employees by law to document matters related to material deliberations, actions and decisions.
- Adopt administrative and technological safeguards to:
  - Prevent the loss or destruction of information
  - Guarantee that digital records are adequately stored in designated repositories and retained for prescribed periods of time, so that they can be easily retrieved when required
  - Mitigate the risks of privacy breaches, which are becoming more frequent and severe
  - Ensure that governments collect and share only that personal information strictly necessary to achieving the objectives of given programs or activities
- Establish clear accountability mechanisms for managing information at all steps of the digital information life cycle (collection, creation, use, disclosure, retention and disposal) to meet privacy and access obligations, including proper monitoring and proper sanctions for non-compliance.
- Ensure all government employees involved in managing information at any stage of its life cycle receive training on their roles and responsibilities, including their obligation to protect privacy and access rights, and to continue to meet those obligations in the face of new technologies.
- Release digital information on government activities on an ongoing basis in accordance with open-government principles.
Conclusion
Canadians’ personal information is under escalating threat of capture and exposure, and digital records can be lost or stolen more easily than ever. Regardless of the current state of the law and technology, organizations have substantial obligations with respect to protecting individuals’ personal information and, for public bodies, responding to requests for information.
More stringent laws may be needed—and eventually enacted—to address the privacy and information implications of new technologies and systems, but for now employers should act carefully and understand the privacy and information risks when putting any emerging technology into practice.
Read the group’s joint statement (in PDF) on the British Columbia Information and Privacy Commissioner’s Office website.