Canadian Privacy Commissioner Jennifer Stoddart, whose office recently released a draft consultation report for public comment on “on the privacy issues related to cloud computing practices and their implications for individuals, organizations, and businesses,” has new report out. “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century” (also available in pdf) “presents a general approach for privacy analysis in relation to the wider policy goals of national security and public safety.”
The document outlines the analytical framework and basic steps used by the Office of Privacy Commissioner (OPC) when examining legislative initiatives, program proposals or undertaking compliance reviews through our audit and investigation functions. It stems from discussions held with senior federal public servants, practitioners, academics and civil society, and aims to provide guidance when integrating privacy protections with new public safety and national security objectives.
Understanding this framework, however, requires clarity on two legal concepts: first, what is ‘personal information’ and, secondly, what is a ‘reasonable expectation of privacy.’ Both key definitions are discussed. Details on four specific stages of consideration for privacy — conception, design, implementation and review — are then presented for the development and implementation of security programs and policies:
Stage one concerns the rationale and justification for collecting personal information when a policy or program is being conceived. This requires considering the ‘four part test’ used by courts and legal advisors to ascertain whether a law or program can justifiably supersede or intrude upon rights like privacy. The elements of this test: necessity, proportionality, effectiveness and minimization are set out in plain language.
Having established the basis for collection at the conception of a program, stage two concerns the proper security, use (such as linkages of data), disclosures and maintenance of information collected. This requires consideration of a second set of internationally recognized standards, the Fair Information Practices, which can guide both commercial and government organizations in program development where personal information is used.
Stage three elaborates on the need for ongoing governance and privacy practices as program operations continue. Concrete examples of these policies and practices are explained, alongside reference to the suite of federal policies and reporting established by the Treasury Board Secretariat (TBS) for privacy and data protection.
The document concludes with external controls — stage four — and a series of suggestions for longer-term review and oversight of organizations to ensure privacy and sound personal information handling practices are developed around public