2013 ACCESS AND PRIVACY Office of the Information and Privacy Commissioner Ontario, Canada FREEDOM & LIBERTY As Commissioner, I feel that one of the most important parts of my mandate is to engage citizens so that the message of “respect our privacy, respect our freedoms,” can be heard loud and clear. COMMISSIONER’S MESSAGE WHEN I BEGAN MY FIRST TERM AS ONTARIO’S INFORMATION AND PRI- 2009 VACY COMMISSIONER IN 1997, I COULD In 2009, I continued to advance Privacy by NOT HAVE IMAGINED HOW MUCH THE Design on the world stage by launching The 7 WORLD WOULD BE CHANGING! Com- Foundational Principles of Privacy by Design, puters and the Internet were still largely limited which I am proud to say have now been trans- to desktops in homes and offices. Laptops were lated into 35 languages, with more to come. still unwieldy devices, and cellphones were still To ensure that Privacy by Design continued to a long way from becoming “smart.” gain strong global momentum, I also launched Today, information technology is compact, www.privacybydesign.ca as a repository of mobile, and everywhere. You cannot walk down news, information and research. the street without seeing someone using some In an entirely different area, following an exten- sort of mobile device that has more computing sive investigation, I issued a special report en- power than an office floor full of computers, just a generation ago. There is almost no aspect of titled, Excessive Background Checks Conducted our lives left that remains untouched by infor- on Prospective Jurors: A Special Investigation Re- mation and communications technology. port. As part of my recommendations, I ordered Crown attorneys to cease collecting any per- When I was reappointed for a second term in sonal information of potential jurors, beyond 2004, I stated that we were in the midst of pro- that which was necessary under the Juries Act found change in the areas of privacy protection and Criminal Code. I also proposed a funda- and access to government information. How- mental shift in the way that prospective jurors ever, as I have always maintained, technology were screened. The new process addressed the – which has resulted in many challenges – can lack of consistency in the “patchwork of prac- also be tapped for innovative solutions, particu- tices” employed by Crown attorney offices and larly for privacy and access. the police. I was deeply honoured when the Legislative Assembly of Ontario reappointed me again in 2009, to serve as Commissioner for an unprece- 2010 dented third term. It is a day I will never forget and I am still deeply grateful to the Members of I launched a campaign called, Stop.Think.Pro- Provincial Parliament for their strong support tect. which appealed to Ontario’s health sector and confidence. I pledged that I would focus on to help combat the growing number of avoidable Privacy by Design, and to promote government breaches involving personal health information. transparency and accountability through our Specifically, health-care organizations were asked newly developed Access by Design. to educate their staff on the simple steps required to prevent the far too frequent disclosure of un- As evidenced by the chronology of examples be- encrypted data through the loss or theft of porta- low, I believe that we’ve accomplished a lot since ble electronic devices. then, not only for the residents of Ontario, but also for future generations both here at home, A landmark resolution was unanimously passed and around the world. in Jerusalem by the International Assembly of 2 Privacy Commissioners and Data Protec- tion Regulators, recognizing Privacy by Design as an essential component of funda- mental privacy protection – transforming it overnight into an international standard. I unveiled my concept of Access by Design, consisting of 7 Fundamental Principles that encourage public institutions to take a pro- active approach to releasing government records, making the disclosure of govern- ment-held information an automatic pro- cess wherever possible – i.e., access as the default. 2011 I declared 2011 as my personal “Year of the Engineer,” reaching out to those who de- sign and build the systems and technologies upon which we rely. I wanted to challenge every innovator and engineer to operation- alize Privacy by Design and make it an ev- eryday reality. I was delighted by their re- sponse to my message and their willingness to take up the challenge to make privacy the default condition. It became clear that this was eminently “doable!” The Ontario Lottery and Gaming Cor- poration (OLG) launched its voluntary self-exclusion program following a suc- cessful collaboration with my office and the University of Toronto. This program sought to embed a design protocol based on Privacy by Design called Biometric En- cryption. This enabled the OLG to better support its customers who had enrolled in a completely voluntary self-exclusion program, while protecting the personal data of all OLG customers. 3 When it comes to the state’s power to conduct surveillance, critical privacy protections must include judicial authorization and independent oversight. 2012 right to make a request for access to a range of recorded information. I held a public symposium called, Beware of Over the course of my investigation into Elec- “Surveillance by Design:” Standing up for Free- tions Ontario’s loss of two USB keys, contain- dom and Privacy, bringing together a highly re- ing the unencrypted personal information of spected panel of thought leaders to share their as many as 2.4 million voters, I found the cause perspectives and raise awareness of the serious could be traced back to the agency’s failure to privacy implications of proposed federal “law- systemically address privacy and security is- ful access” legislation [there was nothing law- sues. I recommended that Elections Ontario ful about it]. I was gratified when people from take concrete steps in three areas to enhance across the political and social spectrum rallied the protection of personal information – pol- to the defence of privacy in response to the gov- icies, practices, and procedures; training and ernment introducing Bill C-30, a highly priva- compliance; as well as accountability. The cy-invasive piece of legislation. We were suc- Chief Electoral Officer for the province ac- cessful in the bill ultimately being withdrawn. cepted my recommendations unreservedly. As After a long campaign, theBroader Public Sec- a companion to my report, I also released a tor Accountability Act came into effect, bringing guidance document, A Policy is Not Enough: It Ontario’s hospitals under the Freedom of Infor- Must be Reflected in Concrete Practices, on how mation and Protection of Privacy Act. This was a to effectively execute an appropriate privacy historical milestone in the evolution of freedom policy and embed it in the concrete practices of information in Ontario, allowing citizens the of an organization. 4 ORION Think Conference - Hon. Reza Moridi, Minister of Research and Innovation; Dr. Ann Cavoukian, Information and Privacy Privacy by Design User Forum Commissioner, Ontario; Darin Graham, President and CEO, ORION In order to guide organizations through the im- 2013, the federal government announced that it plementation of Privacy by Design, I released a would not proceed with Bill C-30, and any at- groundbreaking paper, Operationalizing Privacy tempts to modernize the Criminal Code will not by Design: A Guide to Implementing Strong Pri- contain the measures in Bill C-30, including the vacy Practices. The paper provided an anthology warrantless mandatory disclosure of basic sub- of the experiences of organizations from a wide scriber information, or the requirement for tele- range of sectors, including telecommunications, communication service providers to build inter- technology, health care, transportation, and en- cept capability within their systems. Privacy and ergy. It also provided a comprehensive overview freedom would survive for another day! of the partnerships and joint projects that I have engaged in to implement Privacy by Design, by However, the feeling of success that came with providing concrete and meaningful operational the demise of Bill C-30 would not last long. In effect to its principles. November, the federal government introduced Bill C-13, which would enact new surveillance 2013 powers again under the guise of protecting chil- dren. While not as heavy-handed as its prede- In my 2012 Annual Report, I said that the key cessor, Bill C-30, this new bill nevertheless lever- question for 2013 would be whether Bill C-30, ages new and evolving surveillance technologies so-called “lawful access” legislation, would be which pose a threat to the privacy rights of ev- amended to incorporate privacy protections. ery Canadian. As Commissioner, I feel that one I learned the answer to that in early 2013, and of the most important parts of my mandate is to I was absolutely delighted. On February 11, engage citizens so that the message of “respect 5 our privacy, respect our freedoms,” can be heard senior political staffers. This practice violated loud and clear. the Archives and Recordkeeping Act (ARA) and undermined the transparency and account- Adding further ammunition to an already trou- ability purposes of the Freedom of Information bling year for privacy, Edward Snowden, a former and Protection of Privacy Act (FIPPA). In my analyst with the U.S. National Security Agency Report, I recommended that the government (NSA), came forward to reveal just how invasive, take concrete steps in three specific areas: Of- and pervasive, government surveillance was in fice of the Premier and Ministers’ Offices; leg- the lives of everyday citizens. Further, it would islative changes; and records retention policies. also come to light that the NSA was not acting alone. These revelations brought to light the in- I am pleased to report that the Premier and the volvement of major information and technology government have made significant progress in companies, as well as the remaining “Five Eyes” addressing each of the recommendations made; countries, comprised of the United Kingdom, my office continues to work closely with them.