A decade ago, Bruce Phillips, the Privacy Commissioner of the day, was asked how we should protect privacy from the spread of new technologies through governments. He replied that they should always have to seek citizens’ consent for how they use their personal information.
Five years later, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force. It reiterated the same principle for businesses and organizations, stating that they must obtain consent for collecting, using and disclosing personal information in their public dealings.
Nevertheless, if governments and businesses are bound by the same principle, they have tended to apply it differently, partly in response to cues from the public. Comparing the two yields a couple of timely lessons.
When it comes to governments, the public sees consent narrowly. We think they should not collect our personal information unless they tell us why; and should not use it for other purposes or share it with other parts of government without seeking our permission.
In theory, this gives citizens almost complete control over when, where, how and why governments can use our personal information. If we don’t like what they plan to do with it, we can always say no when they show up at the door to ask.
While it’s not without justification, this suspicion nevertheless blinds us to the fact information is a huge new resource that could be used to improve services, conduct new forms of research, develop innovative new policies or make governments more transparent and accountable.
But the public is not inclined to see things this way. Our first impulse is to resist any effort by government to change the way it uses information, especially personal information. Recall the huge flap in 2000 over Human Resources Development Canada’s Longitudinal Labour Force File. This distrust effectively undercuts government’s ability to wring the full benefits from new technologies.
It is odd, then, to see how accommodating we have been to businesses. Unlike governments, we don’t seem to mind that private-sector companies view their information holdings as a single corporate resource, of which they are the trustees or stewards.
In practice, this means corporate Canada views the responsibility to protect our personal information as consistent with using it to develop new products and services or market them in new ways. As a result, massive amounts of data now surge back and forth across corporate boundaries.
This difference in attitude helps explain why governments have fallen so far behind the private sector in the use of new technologies. We see this for example in the development of e-commerce or integrated services, such as ATMs.
The lesson here is that if we want better public services, we must give government more latitude in how it uses information. Nevertheless, it would be a mistake just to say that it should adopt the same practices as the private sector. Indeed, things on that front could be taking an ominous turn.
Businesses also commonly assume that once data has been stripped of personal identifiers, it is no longer personal. For example, if we are told that someone is a doctor, earns $300,000 per year, has three children and lives in a mid-sized city in B.C., but the name and address have been removed, the information is considered generic, rather than personal, and so can be shared or used quite freely for research or other purposes.
Ten years ago, that may have made sense. Today it is worrying. A host of developments, from the evolution of grid computing to new techniques in data analysis, make it possible to connect “generic” data like this back to small groups or even specific people. In short, while the line between generic and personal data used to look black and white, it is starting to look grey.
If personal data starts showing up regularly in the wrong places, public opinion could whipsaw in the other direction. That would stop the growth of e-commerce and e-government dead in their tracks.
So here is a second lesson: while the very restrictive reading of consent that we tend to impose on governments is neither necessary nor desirable, the relatively loose practices in the private sector should be reined in. What we really need in both cases is real transparency and accountability in how personal information is collected, stored, used and shared, at each stage in the process.
In the end, consent is all about trust – between citizen or client, on the one hand, and governments or businesses, on the other. We are feeling our way toward a better balance between the very dim view we take of governments and the relatively lax one we take of businesses.
Don Lenihan is president of the Crossing Boundaries National Council, a not-for-profit forum focused on a more citizen-centred approach to government. He can be reached at firstname.lastname@example.org