Submission on Access and Privacy Legislation, October 1996


The Manitoba Association for Rights and Liberties (MARL) is a provincial non-profit, nongovernment volunteer advocacy group. MARL seeks to promote respect for, and observance of, fundamental human rights and civil liberties and to defend, extend and foster the recognition of these rights and liberties in Manitoba.

October, 1996

Introduction

This document is MARL's response to the discussion papers Access to Information and Privacy Protection for Manitoba (Manitoba Culture Heritage and Citizenship, May 1996) and Privacy Protection of Health Information (Manitoba Health, May 1996).

Invasion of personal privacy through the use of computer databases can take many forms. At its most trivial, it is the constant annoyance of tele-marketers calling during the supper hour. At worst, individuals can be seriously harmed by decisions made based on inaccurate personal information.

Manitoba is moving ahead rapidly in developing new computer data bases of personal information, particularly in the health field. It lags far behind other provinces in adopting legislation and administrative procedures for the protection of individual privacy.

With the exception of Quebec, provincial information and privacy legislation only applies to the public sector. This protection is too narrow. The movement towards privatization of home care and other services means that a great deal of personal information which was formerly held only by the government will now be controlled by private concerns. In order to be effective, legislation concerning the privacy of personal health information will have to apply to both the private sector and the public sector.

What is Privacy?

There is no satisfactory single definition of privacy or privacy rights. For practical purposes, "privacy" is best considered not as a single right but as a series of interconnected rights. Some specific privacy rights include:

  • the right to be alone or in company with others of one's choosing without unwanted interruptions;
  • the right to control who has access to information about one's personal life;
  • the right to demand confidentiality when revealing personal information to others;
  • freedom from unwanted surveillance.

Many more rights could be added to this list.

Privacy rights, however they are defined, are never absolute. Individuals do not exist in isolation. They form part of a society in which they owe duties to other individuals. Collection of personal information is a necessary part of a well run society. A credit rating system which cuts down on lenders' losses from bad loans ultimately benefits honest borrowers. Computer data banks can help to collect child support payments and keep dangerous drivers off the road.

There are very few areas of life where it would be feasible simply to prohibit the collection of personal information. Most forms of personal information can have a legitimate use in some circumstances. The great challenge behind privacy law and policy is to prevent information which was collected for a legitimate purpose from being abused for some other purpose.

Privacy and Computer Technology

Since the invention of the computer, people have feared the threat it posed to personal privacy. Three developments in the last fifteen years have made these fears more urgent.

The first is the development of low cost micro-computers which make it possible to collect large amounts of data in machine readable form. For the first two decades or more of the computer era data would be recorded on paper and then sent to a data processing department for entry. Today computers and computer terminals are as commonplace as typewriters and cash registers. Transactions in business and government offices are recorded directly on a computer as they take place. This greatly reduces the cost of data entry and makes it possible to capture far more data about individuals than was ever possible before.

The second is the improvement of the capacity of mini-computers and main-frames. Large quantities of data are useless until they can be analyzed to yield worthwhile information. For example, the large computers available today can take the millions of pieces of data from credit card slips and identify individuals who are likely to purchase certain products.

Increased computing power also makes it possible to combine and cross-reference databases. If information about individuals in various databases is linked by a unique identifier such as a Social Insurance Number, a computer can link this information to produce detailed personal profiles of millions of people.

Finally, the linking of computer networks through telecommunications makes it possible to connect personal information data banks on a national or international scale. This makes it more difficult for a single jurisdiction to regulate the use of personal data. Widely distributed computer networks are also vulnerable to unauthorized access.

The result of these three developments is that the creation of massive databases which make every transaction of an individual's life available to government and business interests is a realistic possibility.

Principles of Privacy Protection

What steps can a society take to protect individual liberty and privacy from the dangers posed by the personal information data banks?

In 1981 the Organization for Economic Cooperation and Development responded to this question by issuing its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These guidelines define eight principles for the collection of personal data:

1. The Collection Limitation Principle: There should be limits on the collection of personal data. Such data should be obtained by lawful and fair means and, where possible, with the knowledge and consent of the subject.

2. The Data Quality Principle: Personal data should be relevant, accurate and up to date.

3. The Purpose Specification Principle: The purpose for which data is to be used should be specified at the time the data is collected.

4. The Use Limitation Principle: Personal data should not be used for purposes other than the ones for which it was originally collected without the consent of the subject or the authority of law.

5. The Security Safeguards Principle: Personal data should be protected from loss or unauthorized access, destruction, use, modification or disclosure.

6. The Openness Principle: There should be a policy of openness concerning personal data. It should be possible to determine the existence and nature of personal data, the purposes for which it is used and the identity of the person who controls the data.

7. The Individual Participation Principle: Individuals should have the right to obtain data relating to themselves and to demand that inaccurate data be corrected or erased.

8. The Accountability Principle: Each data bank should be supervised by a data controller who is accountable for implementing these principles.

Implementing these principles requires a three pronged approach:

  1. The principles must be adopted as legislation.
  2. An enforcement mechanism must be provided.
  3. Administrative procedures must be adapted to respect these principles.

Privacy Legislation in Manitoba

Manitoba legislation regarding privacy of personal information is inadequate to cope with the problems posed by modern information technology. There is no legislation of general application dealing with the privacy of information held by the government. There are various laws, regulations and practices which do protect certain kinds of personal information but these are inadequate in three respects.

First, current legislation regarding personal information only applies to the specific types of information or government agencies named in the legislation. It remains possible for the government to collect personal information at the administrative level without any governing legislation. Effective privacy legislation should cover all personal information banks maintained by the government.

Second, current practices only implement a small part of the O.E.C.D. principles. Existing legislation generally deals only with penalties for improper use or disclosure of information (the use limitation and security principles). The Freedom of Information Act provides a partial implementation of the openness principle. There is little or no recognition of the individual participation or accountability principles.

Third, there are very limited remedies available to individuals who feel that their rights have been violated. In many cases, the only remedy is a costly and time consuming court action.

Privacy Legislation in Other Jurisdictions

Other provinces and the federal government have moved to update their legislation on information and privacy.

Alberta, British Columbia, Nova Scotia, Ontario, Quebec and Saskatchewan have all adopted comprehensive freedom of information and protection of privacy legislation.

In Alberta, British Columbia, Ontario and Quebec the legislation is administered by a privacy and information commission with the power to make binding orders.

In Saskatchewan the privacy and information commissioner functions as a specialized Ombudsman without the power to issue binding orders. Instead, a person who is not satisfied with the decision of a public body can appeal to the superior court. In Nova Scotia the Lieutenant Governor in Council can designate a tribunal to hear complaints under the legislation. Decisions of this tribunal can be appealed to the courts.

Scope of Privacy Legislation

One of the first questions that must be considered in designing privacy legislation is how far this legislation should extend.

Quebec has privacy legislation which covers all personal information held in both the private and the public sector. In most other provinces, privacy legislation only applies to the public sector although there may be specific legislation relating to some parts of the private sector. British Columbia, Saskatchewan, Ontario and Quebec also have freedom of information and privacy legislation which applies to municipal governments.

Another possibility would be to limit the general privacy legislation to the public sector but to enact special legislation dealing with the privacy of health care information. This legislation would apply to all institutions which collect personal health care information including the government, public and private hospitals, health care professionals, pharmacies, clinics and professional bodies.

This is the option MARL recommends. General privacy protection legislation applying to all personal information in both the private and public sector would be too costly and cumbersome. However, health information is highly sensitive and personal. It requires a stricter and broader protection than other types of information.

A second question is whether or not to have separate legislation relating to freedom of information and privacy. The Federal Government has created separate privacy and information commissioners. Because of the nature of their duties the two offices frequently find themselves in conflict, with the information commissioner recommending disclosure of a document and the privacy commissioner opposing disclosure in the interests of individual privacy. Neither commissioner has the power to issue binding orders. Disputes are settled by the Federal Court.

The model adopted by most provincial governments has a single Freedom of Information and Privacy Commissioner. The Commissioner hears complaints relating to both access to information and privacy and can issue binding orders. This approach has two advantages. First, it costs less. Second, it reflects an understanding that privacy and information rights are complementary rather than competitive.

Model Information and Protection of Privacy Legislation

The British Columbia Freedom of Information and Protection of Privacy Act, S.B.C. Chap 61 (Assented to June 30, 1992) is the model MARL recommends Manitoba follow for its legislation. It is comprehensive, strong and drafted in clear language. The Acts in the different provinces vary considerably in detail but they all generally contain the following elements:

Part I: A general introduction which includes a definition of the public bodies to which the legislation applies.

Part II - Freedom of Information: This part establishes a general right of access to government information and then goes on to provide specific exceptions. One of these exceptions is information considered to be personal information. As a rule, this information cannot be disclosed without the consent of the person to whom it relates.

Part III - Privacy of Personal Information: The O.E.C.D. guidelines on protection of personal information are enacted into law.

The part begins by providing that no public body may collect personal information except where that information is necessary for the administration of a properly authorized activity of that public body. (The privacy commissioner may have the power to order that a public body cease improper collection of personal information.)

As a general rule, personal information must be collected directly from the individual to whom it relates and the person must be notified of the reasons for collecting the information. There are certain exceptions to this rule, for example where information is collected for the purpose of law enforcement.

There is a general requirement that public bodies must take reasonable steps to ensure the accuracy, security and confidentiality of personal information.

Individuals are given the right to see personal information relating to themselves and to request the correction of inaccurate personal information. Refusals may be appealed to the information and privacy commissioner.

Once personal information is collected for a given purpose, it may be used or disclosed only for that purpose or for a consistent purpose. A consistent purpose is one which is so closely related to the original purpose that a reasonable individual might have expected that the information would also be used for that purpose. In other circumstances, a government department which collects personal information for use in a given program cannot disclose that information to another department or even use it in connection with a different program. There is a list of exceptions to this rule which varies considerably from province to province.

One exception is use with the consent of the individual concerned. This exception is subject to abuse. Businesses or government agencies frequently include in their application forms a blanket consent to conduct personal investigations. Most provincial privacy acts have some wording which requires consent to the use of personal information to be genuinely specific and informed consent.

Part IV - Procedure and Appeals: Procedures are established for requesting access to information or the correction of personal information. There are generally time limits within which officials must respond to requests. A procedure for appeals to the privacy and information commissioner is defined.

Part V - The Privacy and Information Commissioner: The privacy and information commissioner is established. See the next section for a fuller discussion of the commissioner's role.

The Information and Privacy Commissioner

The key to modern information and privacy legislation is an effective information and privacy commissioner to enforce the law.

Neither civil actions nor criminal penalties will provide adequate protection. The right to bring a civil action for damages for violation of privacy has limited value. Civil actions are expensive and time consuming. The right of civil action should be preserved but it should not be an exclusive remedy. Penalties imposed through the criminal courts may be necessary in some serious cases but in most circumstances a less rigid approach is required.

Information and privacy law is mainly concerned with problems of administrative practice. Most disputes in this field require a balancing of competing public and private interests. The most effective means of resolving these disputes is through an administrative tribunal which has the specialized knowledge to understand the issues and the flexibility to impose appropriate remedies.

An information and privacy commissioner should have three functions:

1. Adjudication: The commissioner would receive complaints from the public and have the power to direct agencies to:

  • Disclose or refuse to disclose information;
  • Cease improper information collection practices and destroy improperly collected information;
  • Implement more effective security practices;
  • Correct information relating to an individual.

2. Education: The commissioner's staff would undertake public relations programs to inform the public of their rights and provide training programs to the staff of agencies covered by the legislation.

3. Inspection and Auditing: The commissioner's staff should conduct periodic reviews of information collection practices in all major government agencies to ensure that they are complying with the legislation. This kind of ongoing review is required because there may be cases where members of the public do not realize that their privacy is being violated until they have already suffered damage.

The Privacy Commissioner should be an independent officer of the legislature appointed for a fixed term. There should be one or more assistant commissioners to whom the commissioner may delegate hearing powers. The commissioner should also be provided with a staff and the ability to engage consultants.

Unique Identifiers

The potential for abuse of personal information banks is greatly increased when several information banks can be combined to produce a detailed data portrait of an individual. This process is greatly simplified when the records in each data bank contain some unique personal identifying number such as a Social Insurance Number or Personal Health Identification Number.

Linking data banks where individuals are identified only by name and address is possible but difficult because so many people have similar names. Where both data banks identify individuals by the same unique number the difficulties with cross-referencing largely disappear.

The federal government has imposed tight restrictions on the use of the Social Insurance Number by government departments for purposes other than income tax and entitlement to social benefits. Unfortunately, there are no similar limitations on use by the private sector. MARL recommends that Manitoba adopt legislation prohibiting the use of the Personal Health Identification Number for purposes not related to health care.

Access for Research Purposes

One common use of government information banks is in research. All provincial privacy acts permit disclosure of personal information for research purposes.

In most cases, disclosure for research purposes does not pose a risk to individual privacy. This is because the information is disclosed in statistical form without individual names and addresses. For example, the Manitoba Health Research Data Base at the University of Manitoba contains records from physicians, hospitals, nursing homes and vital statistics. All patients are identified by a unique number so that they can be tracked through the system but it is not possible to determine from this data base the name, address or PHIN of a doctor or patient.

In some cases, researchers may require more information. Medical researchers sometimes attempt to link data on a disease such as cancer with data on individual occupation, residence or lifestyle. In order to do this they require information in a form which would make it possible to identify individuals.

The medical research community has expressed the concern that the kind of restrictions on sharing of personal data being adopted by the European Community would make it virtually impossible to perform population health and epidemiologic studies.

MARL recommends that Manitoba adopt a compromise position which is based on the British Columbia legislation. Before being given access to data in a form which permits the identification of individuals a researcher should be required to satisfy an independent review committee that:

  1. The research cannot be accomplished unless the records are provided in a form which permits the identification of individuals.
  2. The research is likely to result in a significant public benefit.
  3. The research database will be destroyed or purged of individual identifiers within a reasonable time after the research project has been completed.
  4. The researchers have adequate security procedures in place to prevent unauthorized access to the data.
  5. The database will not be disclosed or shared with anyone other than the authorized researchers.
  6. All persons having access to the information will sign an undertaking to preserve the confidentiality of the information.

Although research uses may be legitimate and necessary, they should not influence decisions on the collection of personal information. Agencies which maintain personal data banks should not be permitted to collect personal information which they do not require for the administration of their programs on the pretext that the information may be useful for research purposes.

Conclusions

M.A.R.L. has the following general recommendations:

  1. There should be comprehensive freedom of information and privacy legislation which applies to all public sector bodies.
  2. A separate piece of legislation should apply to personal health care information held in the private sector.
  3. Both acts should reflect the O.E.C.D. principles. The British Columbia act is a good model.
  4. An information and privacy commissioner should be appointed to enforce both pieces of legislation. The commissioner should have the power to issue binding orders.
  5. This legislation and the privacy commissioner should be in place before the Smart Health system is put into operation.

The effectiveness of privacy legislation will depend on two factors. The first is the details of the legislation itself. Even one or two overly broad exceptions can seriously undermine what might appear at first sight to be good legislation. M.A.R.L. will carefully scrutinize the draft legislation when it is released. The second is the resources which the government makes available to comply with and enforce the legislation.

Print Resources

Branscomb, Anne Wells. Who Owns Information? From Privacy to Public Access. New York: Basic, 1994.

Cavoukian, Anne, and Don Tapscott. Who Knows: Safeguarding Your Privacy in a Networked World. Toronto: Random House of Canada, 1995.

Flaherty, David H. Privacy, Confidentiality and Security in a Canadian Electronic Funds Transfer System. Electronic Funds Transfer Study Project, Working Paper 5. Toronto: Minister of Government Services, 1978.

---. Protecting Privacy in Surveillance Societies. Chapel Hill: The U of North Carolina P, 1989.

Gibson, Dale, ed. Aspects of Privacy Law: Essays in Honour of John M. Sharpe. Toronto: Butterworths, 1989.

Industry Canada, Communications Development and Planning Branch. Privacy and the Canadian Information Highway. Ottawa: Minister of Supply and Services Canada, 1994.

McNairn, Colin, and Christopher Woodbury. Government Information: Access and Privacy. Toronto: Carswell, 1989.

Manitoba Centre for Health Policy and Evaluation. Information Package. Department of Community Health Sciences, Faculty of Medicine, University of Manitoba, 1996.

Organization for Economic Cooperation and Development. Economic and Trade Issues in the Computerized Database Market. Information, Computer and Communications Policy 32. Paris: O.E.C.D., 1993.

---. Guidelines on the Protection of Privacy and the Transborder Flows of Personal Data. Paris: O.E.C.D., 1981.

Privacy Commissioner. Annual Report, 1993-94. Ottawa: The Privacy Commissioner of Canada, 1994.

Robinson, David. "A Legal Examination of Computerized Health Information." Health Law Canada 14 (1993): 40-46.

Rothfeder, Jeffrey. Privacy for Sale. New York: Simon and Schuster, 1992.

Westin, Alan F. Privacy and Freedom. New York: Atheneum, 1967.

Internet Resources