Safeguarding Personal Data in the Proposal for Reform of the Privacy Act
This is the fourth in a series of posts discussing the federal government’s new consultation document on reform of the federal Privacy Act. The previous posts are here, here, and here. This post addresses the third theme in the document: Advancing safeguards across the spectrum of data sensitivity.
Theme 3 of the Treasury Board Secretariat consultation paper on reform of Canada’s Privacy Act is titled “Advancing safeguards across the spectrum of data sensitivity”. This is a broad theme, tackling data security from a variety of angles, including by defining particular categories of personal data that would be subject to different treatment. These categories are sensitive, de-identified and anonymized data, as well as publicly available personal information. Because of the consequences that will flow from how these terms are defined, these categories are fundamentally important, and they will be the focus of my next post in this series. The current post will consider the safeguarding issues addressed under Theme 3.
Proposal 8 addresses the management and reporting of privacy breaches. Currently, federal institutions to which the Directive on Privacy Practices applies are required to follow certain procedures when a privacy breach occurs. The Directive requires institutions to respond quickly to the breach, and to take steps to reduce harm and prevent recurrence. They are also required to document all breaches. Where there is a real risk of significant harm from a breach, institutions are required to report the breach both to affected individuals and to the Privacy Commissioner. Proposal 8 would shift these requirements into the law, giving them the weight of enforceability. The consultation paper describes a privacy breach as “the improper or unauthorized access to, creation, collection, use, disclosure, retention or disposal of personal data”. This is deliberately broad; the consultation paper proposes that a breach would be considered to occur where “personal data is handled in ways that go against the rules for how it should be protected.” Overcollection of personal data, for example, would be a breach – not just unauthorized access.
Under the proposal, the requirement to notify affected individuals and the Commissioner would arise only where there is a “real risk of significant harm”. This is the same threshold used in Ontario’s Freedom of Information and Protection of Privacy Act (s. 40.1(1) and (3)), and in Saskatchewan’s Freedom of Information and Protection of Privacy Act (s. 29.1). It is also the same threshold that was proposed for private sector breach notification in Bill C-27 (s. 58(1) and (3)). If information involved in the breach meets the proposed definition of “sensitive” personal information (which includes information falling into specified categories), then a real risk of significant harm would be presumed.
Proposal 9 would also shift current policy requirements around safeguarding personal information into the law. The dilapidated Privacy Act does not have a legal requirement to safeguard personal data; adding one is important. The consultation paper correctly notes the vulnerability of digital data and acknowledges that this enhanced vulnerability requires stronger legal measures around safeguarding.
The proposal also addresses the current hot topic of digital and data sovereignty (see, e.g., the government’s recent document on Digital Sovereignty). The concern here is that data held by the Canadian government and stored in the cloud might be vulnerable to access by foreign governments. What is proposed is a requirement to use “physical, technical and administrative security measures” to safeguard personal data, and to do so whenever it is “stored or processed outside Canada or in any other situation that introduces risks”. It is proposed that any such measures would have to be calibrated to the level of sensitivity of the information as well as the risks involved, potentially leaving considerable discretion as to what measures are necessary. Although the consultation paper is not specific, one can assume that the measures contemplated could include encryption of data, data localization, and/or contractual measures.
Proposal 10 links the “necessity” principle to the fact that digitization allows storage of large amounts of personal information which can lead to over-collection (and over-retention) of personal information. Currently, the Privacy Act focuses on legal authority as a basis for collection of personal information. The proposal is to add the concept of necessity in order to provide a limit to how much personal information is collected. This is a positive step. Like many of the other recommendations, it is not coming out of the blue. Currently the Directive on Privacy Practices requires limiting collection of personal data to what is “demonstrably necessary”.
The inclusion of necessity as a basis for assessing the legitimacy of data collection was championed by the previous federal Privacy Commissioner Daniel Therrien, who in one report stated that a necessity requirement would not mean demonstrating that the data was absolutely necessary; rather, “the concept of necessity requires thought be given to what personal information is required to achieve a legitimate, sufficiently important and specific public goal.” (at para 20). Elevating the necessity requirement from the Directive into the law has the potential to reframe the assessment of data collection in a way that seeks greater balance between government objectives and privacy impacts.
The consultation paper suggests that the Privacy Act could be amended to require, as a basis for the collection of personal information, that there be legal authority, and that the information be necessary in the sense of “reasonably required to achieve a clearly defined purpose that is directly related to an operating program or activity”. In addition, the collection must be effective, meaning that the data collected should be likely to achieve the clearly defined purpose, and the collection must be minimally intrusive. This is very close to the “necessity and proportionality” test that has been advocated by the Office of the Privacy Commissioner. The issue here will be the language used in the statute. If all that is added is the requirement that the collection of personal data be necessary to achieve the legally authorized purpose, the protection will not be as robust as it would be if the other criteria of effectiveness and minimal intrusiveness were specifically articulated. It might also be good to have proportionality in the list, since necessity and proportionality is a concept that is well understood in the context of fundamental rights, including in privacy law. Indeed, the European Data Protection Supervisor states that proportionality “restricts authorities in the exercise of their powers by requiring them to strike a balance between the means used and the intended aim.”
Proposal 11 would establish a new requirement to dispose of personal data that is not necessary. The data may be unnecessary because it was collected inadvertently. For example, someone sending an email to government might disclose more personal information than is necessary to obtain the service or information they are seeking. The same can happen when someone responds to an online consultation and provides unnecessary personal information as part of the submission. The discussion document also gives the example of unnecessary personal information being acquired through data scraping activities, or through the conduct of interviews. In any event, the discussion paper notes that if the information is not necessary, it should not be kept; keeping it just creates further vulnerabilities in the case of a data breach. The other instance where data may be unnecessary is where it was collected for a purpose but is no longer needed to fulfil that purpose. The document acknowledges that there will need to be some exceptions to the requirement to dispose of personal data that is no longer necessary – for example when the law otherwise requires that it be retained. However, as a general principle, the obligation to dispose of personal information that is no longer necessary is a sound one and should be included in the reformed Privacy Act.