Statistics Canada has backed off its plans to collect the banking information of 500,000 Canadian households following pressure from the public and the federal privacy commissioner.
In his annual report issued Tuesday, Privacy Commissioner Daniel Therrien said StatsCan has agreed to work with his office to redesign the data collection “to respect the principles of necessity and proportionality.”
It also promised to be more transparent in the future on how it collects personal information from administrative sources.
The goal of the project is to measure household spending and debt periodically by collecting personal data — including name, social insurance number, and date of birth — in two ways: From credit bureaus, and from banks.
The data from banks would include detailed financial transaction information of individuals including the value of all transactions recorded in personal accounts (e.g., payments, purchases, income); a description of each transaction and the date of its occurrence; the payee’s name and description in the case of payments, and account balances after each transaction.
StatsCan has been collecting what it calls administrative data since 1921 largely from public sector sources such as vital statistics and income tax records, and, it argued, has been protected from attack.
But much of the data was on the private sector. Getting detailed personal spending data is a new project.
After an uproar when the personal spending collection projects became public, the Office of the Privacy Commissioner (OPC) opened an investigation. In the report, the OPC said found that while the public objectives could be reasonable, StatsCan did not demonstrate that all the personal information it sought to collect was necessary the meet its goals. Nor did it prove that less invasive alternatives were not reasonably available.
Stats Canada has taken “significant steps to isolate and minimize access to data and protect against external threat actors,” the report added, although “it could improve its security safeguards to mitigate against internal threat vulnerabilities.”
It isn’t clear how StatsCan will gather the data it needs for household spending. Privacy experts have suggested banks and credit unions anonymize data before handing it over to the agency. At a Senate hearing a year ago StatsCan chief statistician Anil Arora testified the agency would anonymize the data after getting it but before processing.
The OPC reports notes that while StatsCan has now promised to implement the principles of necessity and proportionality into its administrative data collection programs, the agency is not at the moment legally required to do so.
StatsCan is relying on its data collection powers under the Statistics Act. However, the OPC notes that if the agency is going to access personal information on a large scale from private sector companies, the Act should be updated to give StatsCan clear lawful authority which would be grounded on a modern understanding of technology and its impact on privacy.
The deficiencies in the Statistics Act would not be as troubling if the Privacy Act — which oversees federal departments — were not so out of date, the OPC report adds.
Call to update legislation
This leads to the second major recommendation of the annual report: The need to update the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), which oversees many Canadian businesses. Therrien has long called for both acts to be overhauled and make privacy a right.
In Tuesday’s report, Therrien said an updated PIPEDA “should truly and firmly put an end to self-regulation. This means, in part, that there should be an ability for a public authority to prescribe subsidiary binding rules, giving effect to the principles in specific contexts, so that both individuals and commercial and state organizations have some certainty as to their rights and obligations. The public authority could be either my Office, a government department or some other emanation of the state.
“Industry codes and ethical rules have their place, they can increase transparency and consistency, but they are not legally binding nor enforceable and cannot replace state-made rules adopted in the public interest. Without binding subsidiary rules, organizations have too much discretion to apply principles as they see fit, sometimes making these principles hollow. This amounts to self-regulation, and the past few years have shown the risks and limits of that approach.
“What is required is a law that ensures demonstrable accountability, meaning accountability that is demonstrated to the regulator, an independent third party. In today’s world where business models are opaque and information flows are increasingly complex, individuals are unlikely to file a complaint when they are unaware of a practice that may harm them. This is why it is so important for the regulator to have the authority to proactively inspect the practices of organizations. Where consent is not practical and organizations are expected to fill the protective void through accountability, these organizations must be required to demonstrate true accountability upon request.”
Collect only what’s necessary
The Privacy Act should also oblige government departments to only collect as much data as is necessary and proportional to the goals, Therrien added. “Digital technologies have made it much easier for the government to collect, share, use and store the personal information of individuals. The shift from paper-based to digital format records has actually led to a dynamic of over-collection. Our Statistics Canada investigation underscored how over-collection of personal information without appropriate consideration of necessity and proportionality can be extremely intrusive.”
Almost all of the provinces and territories have set necessity as a standard, he added, as have many countries in the Organization for Economic Co-operation and Development (OECD).
Just before the recent federal election, the Liberal government proposed a Digital Charter upon which future privacy legislation could be based. A discussion paper on possible changes to PIPEDA includes clarifying what information individuals should receive when they provide consent for their personal data to be collected; giving people the right to data mobility, and enhancing powers of the OPC.
Therrien said in Tuesday’s report he’s not impressed.
“The government’s Digital Charter suggests that my Office should be granted ‘circumscribed’ order-making powers,” he noted, and that before fines are imposed for violations of PIPEDA he would first have to convince the Attorney General to further investigate and eventually bring the matter before a judge.
By contrast, European Union and U.S. state privacy commissioners have complete power to order sizeable fines,
Earlier this year Facebook ignored the OPC recommendations following the Cambridge Analytica investigation, Therrien added.
“Both the current framework and the government’s [Digital Charter] proposal create an excellent incentive for companies not to take privacy seriously, change their practices only if forced to after years of litigation, and generally proceed without much concern for compliance with privacy laws,” he concluded.
The government promised a public consultation before introducing legislative changes suggested by the Digital Charter. That may be one reason why the recent Speech from the Throne opening the new session of Parliament makes no mention of planned changes to PIPEDA or the Privacy Act.