At this year’s Lac Carling Congress, privacy was identified as the most significant issue for a comprehensive e-government strategy. This should not be surprising; repeated surveys have shown that Canadians are very concerned about privacy issues. And as governments roll out electronic service delivery (ESD) programs, privacy implications and risks may arise as a result of intra-institutional, inter-institutional or cross-jurisdictional flows of personal information.
Addressing privacy risks in an appropriate manner involves a number of elements. First, governments must create appropriate legal and policy frameworks to address both public sector and private sector privacy issues. Governments across Canada are already subject to public sector privacy laws and policies that regulate the collection, use and disclosure of personal information. Nevertheless, amendments to these instruments may be required to address a broader range of privacy issues that arise in the ESD context. For example, statutory amendments may be required in order to authorize the sharing of information among different government institutions, between the public sector and the private sector or across different jurisdictions.
Online government activities will tend to flourish as private sector online activities gain public acceptance. Therefore, another essential ingredient for instilling public confidence in the online environment is the enactment by governments of private sector legislation that defines the privacy protection to be afforded to personal information. Both public sector and private sector privacy legislation should be premised on the notion that individuals have a right to control the collection, use and disclosure of their personal information, subject only to certain legislated exceptions. The 10 principles in the CSA Model Code for the Protection of Personal Information constitute a useful starting point for such an exercise:
- Accountability.ldentifying purposes.Consent.Limiting the collection.Limiting use, disclosure and retention.Accuracy.Safeguards.Openness.Individual access.Challenging compliance.
Another key element of a government information management and privacy risk reduction strategy is the articulation of privacy impact assessment (PIA) policies. The purpose of such policies is to develop and maintain PIAs and to communicate the results of PIAs to the public and to the government officials responsible for privacy matters. PIAs should be used to evaluate whether proposed and actual programs/services and service delivery methods involving the collection, use or disclosure of personal information comply with applicable privacy legislation and policies and to resolve privacy issues that might give rise to public concern.
Completion of a PIA involves a number of steps, including but not limited to:
- Identifying and mobilizing the team of advisors required to complete a PIA;Identifying the types and volumes of personal information that are to be
collected, used or disclosed, as well as how and by whom such information is collected, used, disclosed and, retained;
- Describing the system and physical architectures used to separate personal information from other kinds of information and the security methods used to maintain such separation and to prevent improper access to personal information;Comparing the personal information categories, flows and architectures depicted by the tools described above to the applicable statutory and policy instruments;Adherence to all applicable privacy principles, legislation, policies and practices must be ensured and documented;And documenting the evaluation and implication of privacy risks, and possible solutions to avoid or mitigate the risks.
The management of privacy issues and the mitigation of related risks is an essential component of any government online, or indeed multi-channel, ESD strategy.
Christian (Chris) S. Tacit, is the Practice Group Leader of the Technology Law Practice Group at Nelligan O’Brien Payne LLP. He may be reached at [email protected].