A new technology initiative from the Ontario government is setting off alarm bells for those of us concerned with privacy issues.
The Conservatives announced their intentions in a Throne speech: “New technology can improve efficiency and prevent fraud. The Premier has appointed the Chair of the Management Board of Cabinet to spearhead the introduction of new “smart-card” technology…” (www.premier.gov.on.ca/english/thronespeech99.htm). Reportedly, this will require “every resident…to carry a new high-tech ID, possibly using a retina scan or electronic fingerprint.” (“Ontario’s ID plan spurs privacy fears,” The Globe and Mail, Oct. 22, 1999).
Some privacy advocates have long been concerned about this type of initiative. A single identifier facilitates computer matching between databases that were collected for incompatible purposes. Computer matching subjects innocent citizens to surveillance along with the wrongdoers. By suggesting that the technology will be used to prevent fraud, the Throne speech implies that computer matching and other surveillance and verification activities will take place.
In the absence of sufficient detail about the project, I have mixed feelings. Governments presently spend millions of dollars to collect tombstone information about residents who are eligible for various program. From a taxpayer perspective, repeatedly spending this money on a ministry (or perhaps an application) basis is questionable and may not qualitatively enhance an individual’s privacy.
But there are compelling reasons to support this initiative. One commonly-held “fair information practices” requires that information be accurate and up-to-date before it is used. A single government identifier would probably be more accurate than the current situation and would not require the sharing of program-specific personal information between applications or ministries.
Another factor supporting the use of smart card technology is the reduced potential for fraud or theft of identity. Would-be wrongdoers will have more difficulty impersonating another individual in order to gain access to services or personal information to which they are not entitled. Furthermore, biometric encryption technologies effectively prevent the secondary use of personal information.
Considering the above, the public’s comfort level will increase if government officials consider the following suggestions.
The widespread use of the social insurance number should raise concerns among provincial legislators. We can learn from that situation. The proposed ID number should not be collected in the private sector unless it is used exclusively in the provision of specified services (e.g., disclosure to a doctor providing medical services). It should be an offence for an unauthorized individual to request the proposed ID number, as is the current situation with the Ontario health card number.
Additional consideration should be given to offences. The current offences under the Freedom of Information and Protection of Privacy Act use the word “wilful” to describe various offences. This seems inadequate. In the public’s view, it should be an offence to contravene the Act where the ministry official has not exercised “due diligence.”
New uses of these high-tech ID cards will be identified. Accordingly, there should be continuing requirement for Management Board to report annually to the Commissioner. Independent third party audits (similar to ISO 9000 audits) should be considered.
I note that Ann Cavoukian, Ontario’s Information and Privacy Commissioner, has staked her turf on the issue. She expects to be consulted before the smart cards are introduced. The Commissioner’s involvement in this project will build public confidence.
Although there is cause for concern about this initiative, there is also an opportunity to reduce operational costs while protecting and enhancing privacy rights of citizens. This is an exciting project that will test the ethics and imagination of legislators, policy makers and information technology professionals.
Boufford, ISP, is president of e-Privacy Management Systems, a consulting firm specializing in privacy and information technology. He can be reached at Boufford@cips.ca or www3.sympatico.ca/john.boufford/.