On Jan. 28, 2015, the Office of the Information and Privacy Commissioner of Alberta ("OIPC") released an independent research report, entitled "Government Information Sharing: Is Data Going Out of the Silos, Into the Mines?" (the "OIPC report"). The OIPC report surveys 12 different data sharing initiatives from various jurisdictions worldwide to identify emerging categories of risk and the actions taken to protect privacy. The Canadian data sharing initiatives examined include: (i) the BC Services Card; (ii) the Canadian single sign-on and government e-services initiative; and (iii) the Customs Declaration Card and Employment Insurance data sharing project.
According to the OIPC report, data sharing is the method by which more than one agency or organization may use personal information – it "results in personal data moving out of traditional data silos and being used in new ways, by different agencies, or for new or different purposes." There are many advantages to data sharing – the OIPC report cites convenience, efficiency, better program delivery and cost control as some of the benefits. Yet, as the OIPC report notes, there are also numerous risks, including the use of data for purposes unrelated to original purposes for the data collection, lack of accountability and use of information without the affected individual's knowledge, all of which "point to a glaring need for more informed public discourse on the topic of data sharing."
The OIPC report outlines the following risks and suggestions in relation to data sharing projects:
- Legal Authority: Formal information sharing agreements and strategies between organizations sharing data are crucial. These arrangements should be reviewed by data commissioners and should be open to public comment and participation by stakeholders from the planning stage.
- Procedural Fairness: Legal compliance alone will not garner public acceptance of a data sharing program. A program must be constitutionally, politically and ethically fair. Focus groups and participation of scholars and civil society will help ensure the process is unbiased and lead to a better analysis of the risks of the proposed initiative.
- Organizational Commitment to Privacy: The organization collecting, using, disclosing and sharing the information must be accountable for its privacy practices and must take responsibility for ensuring a privacy program is in place.
- Security Management: Project contracts need to include clear security protocols, procedures and best practices. Security audits, staff training and regular reporting should be an ongoing effort.
- Project Scope Creep: There is always a risk that one data element will lead to new uses and demands for more data. Agencies need to "right-size" data collection and involve a privacy commissioner to raise questions about new data sharing activities.
- Data Mining and Data Elements: Data accuracy becomes a problem with data sharing initiatives as data may be accurate for one program but not for another. Scope and volume limitations are fundamental to privacy protections. To mitigate, the OIPC report recommends comprehensive regulatory impact assessments and the use of sunset provisions.
- Transborder Legal Demands and Jurisdictions: There is no certainty as to whether Canadians can enforce their rights when data is held internationally, nor is there certainty that Canadians will be notified of a data breach occurring outside the country. Agencies should consider specific privacy and security risks when contracting with international companies and should consider keeping personal data within the jurisdiction where it is used.
- Group Privacy: Different groups of people may experience differing extents of discrimination or invasion of privacy as a result of data sharing activities due to factors such as religion and history. Mitigations include an awareness of group privacy concerns, consultation and the use of targeted privacy impact assessments to examine groups created as a result of data and predictive analytics.
The OIPC report is of particular significance in light of Bill C-51, the proposed Security of Canada Information Sharing Act (the "Act"). The Act is the most recent example of a government data sharing initiative and has garnered significant attention and opposition. Proponents of the Act see the information sharing regime as a necessary tool to combat the threat of terrorism while those opposed to the Act view the Act as overbroad and contrary to the pre-existing privacy principles of knowledge, consent, and limitations on use and disclosure.
The Privacy Commissioner of Canada has declared that "[t]he scale of information-sharing between government departments and agencies proposed in this bill is unprecedented. The new powers that would be created are excessive and the privacy safeguards proposed are seriously deficient." The OIPC report provides a useful framework for evaluating the Act and whether it adequately protects privacy in the context of a large scale, multi-stakeholder government information sharing project. Bill C-51 is currently being considered by The Standing Committee on Public Safety and National Security.
With the prevalence of "big data", the Internet of Things and the new ways in which information is being collected, used and shared, the OIPC report is an important tool for both public and private sector organizations. The report highlights the privacy risks which repeatedly arise in data sharing projects and engages in a fulsome review of these risks, providing a critical examination of the ways privacy can be protected as large scale data sharing projects become the norm.
The OIPC report can be found here.