Privacy? It’s about balance.
That, at least, was part of the message from Bernard Courtois at this year’s Lac Carling Congress. Courtois, president and CEO of the Information Technology Association of Canada, told a plenary on privacy issues that Canadian governments need to take a balanced approach to protecting privacy while avoiding the “onerous” conditions British Columbia has placed on private sector delivery of public services
“The debate around the U.S.A. Patriot Act demonstrates just how this debate can get out of hand,” he said.
“What the government chose to do, in our view, because of that pressure cooker environment, went way too far. There were some terms and conditions in some of the contracts that have been shown to be pretty onerous for industry.”
Courtois, who represents about 1,300 information and communications technology companies, was referring to the passage of the Personal Information Protection Act in British Columbia’s last year. The law prohibits anyone who collects personal information from the B.C. government or its agencies from storing that data outside Canada or allowing access to anyone located outside the country.
“The view of the IT industry is (that) it’s absolutely essential that no other jurisdiction in Canada adopt that kind of approach,” Courtois told the conference. “We certainly hope the B.C. government will be in a position to roll back these aspects as soon as it becomes politically and practically able to do so.”
The need to balance privacy with alternative service delivery arrangements was a central theme of the Lac Carling conference this year. As some municipal and provincial governments outlined their service delivery projects, keynote speakers, from Treasury Board President Reg Alcock to Ireland’s Tim Duggan, warned about the requirement to satisfy public concerns about privacy from the outset, while forging ahead with e-government initiatives.
However B.C. Privacy Commissioner David Loukidelis, another panelist at the session, said the province did not over-react to the U.S. legislation. The Patriot Act, passed in the wake of the 9/11 terrorist attacks, contains provisions that would allow U.S. law enforcement agencies such as the FBI to secretly obtain personal information held by U.S. firms or in the U.S. offices of Canadian companies. When the province announced that it was considering contracting out the administration of its public health insurance plan, concern arose among the public and unions opposed to the plan that the FBI could have access to personal and private information.
“One of the issues that was raised … was whether or not alternative service delivery should be allowed at all,” said Loukidelis. “There were a number of groups and individuals – we received 500 submissions from around the world – who recommended or strongly advocated that we should recommend or order that outsourcing should not proceed.”
At the end of the day, Loukidelis told CIO Government Review in an interview later, “we did not agree with the contention of some organizations that the risk (from the Patriot Act) was incremental or vanishingly small or not real. We decided that there was a reasonable possibility that such an order could be sought.”
Banning alternative service delivery was neither warranted nor practicable, Loukidelis decided. Instead, the government drafted its new law, requiring that any contracts comply with privacy obligations. The new law also prohibits anyone who has obtained personal information from the province or its agencies from storing that data outside of Canada, or allowing anyone located outside Canada to gain access to it.
Despite concerns from industry that the changes to B.C.’s privacy legislation would effectively close down the cross-border flow of information, as Courtois characterized it, Loukidelis pointed out that none of the public-private partnerships or contracts B.C. entered into have been affected by the new law.
“None of the provincial government (outsourcing) initiatives have been stopped,” Loukidelis said. “Four of them went ahead in the immediate aftermath of that, with the government having said that it has put in place contractual measures as well as the legislative measures to appropriately protect personal information.”
Governments also have to be willing to devote the resources necessary to enforcing those contracts, ensuring that they comply with privacy legislation and terminating them to correct problems if they don’t, Loukidelis said. He said later that his own department had its budget cut by 30 per cent, just as he was trying to review and develop recommendations on these critical issues.
Both Alcock and Privacy Commissioner Jennifer Stoddart, who participated in the panel with Loukidelis and Courtois, emphasized that the first thing governments at all levels need to do is assess how much information they collect and how vulnerable it is, as well as step up privacy and security precautions. Stoddart’s office commissioned a poll by Ekos Research in March which indicated that Canadians’ concern about privacy “is now up to levels never seen before – way past levels post-9/11,” Stoddart told the conference.
Previously, Canadians’ privacy concerns centred around their home and its physical integrity, Stoddart said. “Now, a lot of their concern is focused on – guess what – their personal information. Seventy percent say protecting their personal privacy is one of the most important issues facing the country.”
Despite a lack of well-documented studies, many Canadians also believe a lot of their personal data is flowing outside the country, Stoddart said. They want to be informed about those transfers of information and asked for consent; all jurisdictions needed to better define the rules regarding e-government and privacy, so that they’re clear for all citizens and all users.
Stopddart urged delegates to consider and act on the privacy implications and social implications of any new technology they employ. “If it screws up at some point, either you or your bosses are going to end up trying to explain it to a very concerned public.”
Shortly after the conference, Stoddart announced that she is conducting an audit to discover whether personal information collected by the federal government is flowing outside the country.
While she told Lac Carling that, with regard to the Patriot Act, “I have not taken the position that this is a catastrophic event and we should move to close the borders,” Stoddart said the first thing the government must do is determine what information it collects.
(A quick electronic poll of the Lac Carling audience found that 74 per cent of those present did not believe their organization or service transfers or stores personal information outside of Canada.)
Laura Eggertson (eggerts@trytel.com) is an Ottawa-based freelance journalist.