Our Association recently read and discussed your excellent report on the use of the Social Insurance Number. We found ourselves in substantial agreement with your assessment of the facts, and most sympathetic to the thrust of your suggestion of a new provision in the Criminal Code. We did, however, discover some nits that wanted picking, and hope that you will be able to give our account of them consideration.
The pivotal elements of the fact-finding component of your report are summarized on pages 203-204, 210, and 213:
However, while the availability of the Social Insurance Number may be crucial to saving time and costs if the data are recorded manually, it is of trivial importance when the data are stored in a computer. What is required in the latter case is simply a sufficient number of different items of information to distinguish individuals with the same name. There is every indication that most data storage will be computerized in the near future and that data storage by a series of known pieces of information will be neither difficult nor expensive.
Knowledge of individuals’ Social Insurance Number is not essential to successful, quick and accurate data-linkage. The need for the number will decrease as the speed and scope of computer capacity increases and the cost decreases (pp. 203-204).
The conclusions drawn from the above are, first, that the capacity to store and manipulate data by computer is almost unlimited, second, that data-linkage does not depend on a unique identifier such as the social insurance number and third, that prohibition or limitation of the use of the social insurance number would not provide adequate protection against inappropriate data-linkage (p. 210).
In fact, this study revealed that the objection to the use of the Social Insurance Number was most frequently an objection to the absence of restrictions on data use and linking. The reaction to the number often turned out to be symbolic. The real objection was to having to disclose personal information and to losing control over it. Indeed, many individuals have reported that they desire more control over the use of their personal information and wish to be protected against undisclosed, secondary uses (p. 213).
From these considerations, you conclude that:
- To forbid or limit the use of the Social Insurance Number to prevent data linking may be a wasted effort or at best of limited, short term effect. But of even greater importance is the possibility that regulation of the use of the Social Insurance Number might lull the public into a false sense of security and might divert attention and effort away from solving problems that do exist (p. 204).
We agree that the use of the S.I.N. will eventually be a mere symbol of the threat to privacy posed by data linking. This is, however, clearly not the case at present, and we cannot reasonably expect it to be the actual case over the next five to ten years. We believe, therefore, that there are privacy-enhancing benefits to be won by restricting the uses of the S.I.N. to those allowed by present legislation. We must reasonably expect that virtually all data linked by the investigative agencies of government and the private sector will, with the aid of the S.I.N., find its way into future computer data banks, even if some of it should not have been collected or linked. In the light of this consideration, our Association suggests that we do not let our convictions about the shape of the near future lull us into a false sense of security about the present, which has yet to become innocuous. Present uses of the S.I.N. by investigative agencies are a threat to the privacy of individuals, and hence deserve the attention of those of us committed to the protection of civil liberties.
We suggest that the S.I.N. can be instructively viewed as somewhat similar to the current listening devices of investigative agencies. Both will be outmoded in ten years. Both are likely to be employed illegally during the next ten years because of loose legislative/judicial control and/or a poorly informed, acquiescent public. We should treat them similarly as temptations to abuse and energetically attend to the legislative/judicial controls that will limit them to their legitimate sphere. We do not suggest the abolition of the S.I.N. as a means of accomplishing this, but we do not think it wise or timely to relax our conviction or insistence that the S.I.N. be clearly and specifically restricted to its present legal uses.
- Because we are in essential agreement with you concerning the shape of our machine-readable future, we applaud your suggested new provision in the Criminal Code as a substantial and intelligent contribution to the privacy issue. We believe, however, that the statute is too weak to accomplish its intended purpose. Our criticism centres on two considerations:
  - The model statute does not provide for the protection of personal privacy in transactions concerning personal data that were not provided by the subject; and
  - it does not address the generous (in our view) exculpating authority of the investigative branches of government.
We see both of these weaknesses naturally flowing from the adherence of the Commissioner to the terms of reference of this report, but view them seriously enough to think that they compromise the value of the proposed legislation in addressing the “harm which members of the public perceive as arising from the use of the Social Insurance Number as a data-linkage device”. The Commissioner interpreted the perceived public anxiety concerning the use of the S.I.N. as symbolic of a more general anxiety at “having to disclose personal information and to losing control of it”. We would suggest, against this, that the public’s anxiety extends not only to the loss of control of those bits of data that it has willingly provided to government or private institutions, but also (perhaps even more urgently) to those bits of personal information that were gathered without the knowledge or consent of the subject.
Similarly, we view the anxiety of the public in this connection as attached to the burgeoning power of government to scrutinize its individual subjects. If we are correct in this, then legislation which is designed to alleviate this anxiety must realistically confront the scope of data linking which is now “authorized by law”. We shall consider both of these criticisms of the proposed statute in turn.
Since the proposed statute explicitly limits the offence to the undisclosed acquisition, use, manipulation, transmission, etc. of personal data provided by the subject intentionally, it serves to positively exclude from prosecution the acquisition, use, manipulation, etc. of personal data that has been acquired or gathered without the knowledge or consent of the subject. Since, as the Commissioner notes, Canadian law does not contain an offence of theft of information, the omission of stolen personal data from the scope of the statute cannot be a source of comfort to those of us who are anxious about the threat to personal privacy from computerized data banks. We suggest, therefore, that the scope of the statute be broadened to include not only personal data intentionally provided by the subject, but also data obtained without the knowledge or consent of the subject. Unless this is done, it is—at best—misleading to call the proposed offence “an offence against the privacy of another”.
On page 152 of the report, we learn that “the RCMP advises that Social Insurance Numbers are not specifically required for its policing activities; however, the number may be used in certain investigations.” So also, we may assume, are the information gathering possibilities of computerized data linking used “in certain investigations”. We doubt that such practices are unheard of in other governmental agencies with investigative authority. We also doubt that, in the event of the adoption of the statute proposed by the Commissioner, such agencies would fail to provide themselves with specific exculpating authority. We view this as seriously compromising the value of the proposed statute for the following reasons.
Computer linking of personal data significantly changes the environment in which individuals provide for their privacy. In this respect, it is similar to the advent of remarkable eavesdropping devices such as wiretaps and powerful directional microphones. Such devices radically change the rules of the privacy game. They accomplish this by generating unexpected accessibility to information about our actions, plans, and selves. This is precisely what computer linking of personal data can be used to accomplish, and is one of the sources of the “perceived public anxiety” that the Privacy Commissioner is mandated to address.
Our legislative record of attention to the threat to privacy represented by eavesdropping devices is not perfect, but we have recognized that the obvious usefulness of them for investigative agencies must be formally controlled by law if an unacceptable threat to individual privacy is to be avoided. Our Association thinks that the “authorization by law” of wilful undisclosed acquisition, use, manipulation, transmission, processing, etc. of personal data must be hedged in by legislative controls at least as strict and as effective as those applying to the use of eavesdropping devices.
Of course, the legislative and judicial controls of electronic eavesdropping by the investigative branches of government have been a rather thorough failure, if not a disgrace. We understand that less than one percent of all applications to wiretap are refused by the judicial branch. Therefore, we do not regard our suggestion (that the use of networked databases as an investigative tool be controlled in a manner similar to electronic eavesdropping) as a solution to the problem. We do believe, however, that such a move is useful in locating the threat to privacy represented by computers in the appropriate niche of our existing legal institutions. The problem of perfecting those institutions is another and larger task.
- Gathering or linking personal data that has been gathered without the knowledge or consent of the subject is a problem with a natural companion: the provision of adequate or full access to information. Personal data that has been collected without the knowledge or consent of the subject cannot possibly be scrutinized or challenged by that individual. Such information (even when erroneous) can become accepted as fact by association with linked information that has enjoyed the scrutiny and confirmation of its subject. Similarly, if a citizen is asked for permission to link data, and is ignorant of some of the data accessible to the agency seeking that permission, consent might be granted to a project of which the citizen could not form a reasonable view of the consequences. This consideration serves to remind us that one cannot truly control data without access to it. Privacy legislation must, therefore, be linked with effective access to information legislation.
The failure of your proposed statute to address the issue of personal data gathered without the knowledge or consent of subjects may have led you to overlook this closely related privacy issue.
- On page 215 of your report, you remark that:
The proposed offence should operate to prohibit data-linkage by persons, corporations, and governments, except when the data-linkage is provided for elsewhere in law, is implicit in the original purpose for which the information was collected, or when the individual consents.
Having raised caveats concerning the issues of lawful investigative linkage and informed consent, it should come as no surprise that we also see possible dangers associated with the more nebulous notion of “implicit” provision or consent. The strictest practical interpretation should be placed upon the scope of such implicit consent, and the proposed statute should clearly define appropriate limitations for the distribution of information on this basis. Examples need hardly be given of legitimate instances where implicit consent to the distribution of personal information may be given or called for. Indeed, it would be hard to imagine social interaction as we know it without such a provision. Nevertheless, the casuistic resourcefulness of the nosey and curious in discovering that the subject(s) of their scrutiny tacitly or implicitly consented to a fishing expedition is a matter of historical, if not anthropological, record. Consequently, any vague suggestion in the text of the statute that the use or linking of data that is implicitly consented to or allowed is legitimate and excluded from prosecution may seriously weaken the attempts the proposed legislation makes to protect personal privacy, and would almost certainly prove to be the focal point of a dreary body of litigation.
To be effective, then, in protecting personal privacy, we believe that a concise definition of implicit consent is required, and that this definition should meet the general conditions for regulating the use and distribution of personal information that we have set forth in the appendix to this brief. Anything less would be a clear invitation to abuse and would be in opposition to the purpose of the proposed legislation.
- We unreservedly agree with:
- The suggestion that those persons who have a strong desire to be identified by traditional means be allowed to do so. Such strong desires might be motivated by experiences in the last World War, or by religious considerations. We don’t think that we should have any objection to the imposition of a “reasonable fee” for this privilege, so long as the reasonableness of the fee was judged in terms of the average citizen’s financial resources rather than in terms of the possibly large bureaucratic costs incurred.
- The suggestion that the federal government study the need for plans to protect information banks in the case of war, etc.
- The suggestion that the federal government assume responsibility for informing members of the public of their rights to informational privacy and of the need for individuals to take personal responsibility for caution in releasing personal data.
Appendix: Guidelines for the use and distribution of personal information
It is important that the objectives or purposes of gathering such information be made clear and available to the public, in order that the members of the community can judge whether such objectives are legitimate ones. The purposes should not be phrased in a vague and general way; rather, they should indicate the specific positive objectives that the gathering of the information sought is designed to achieve.
If the objectives are acceptable, then it must be clearly demonstrated that the information to be gathered is relevant to the objectives, and that the persons gathering the information are not just fishing for data that might possibly be useful to them. By “relevant” we mean that it is necessary for the achievement of the objective outlined above.
In determining whether the information should be gathered or distributed, one must take into account the potential damage to individuals as the result of misuse, inaccuracy and the like. How accurate or reliable is the information gathered? Since information may be potentially dangerous to the individuals on whom it is gathered, it is our view that unless it is highly reliable, it should not be compiled and used as a basis for action.
All information collected about individuals should be divulged to those individuals and opportunities provided for them to refute it.
The persons to whom the information will be made available must be clearly identified and procedures developed to guarantee that others will not be able to obtain the information.
Arrangements must be made both for revising the information gathered at regular and frequent intervals and for destroying it when it has served its purpose.