Remarks at a National Security Practitioners’ Project Cyber Security meeting
April 20, 2016
Address by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Good morning and thank you for the opportunity to speak about privacy and cyber-security.
Privacy rights are extremely important to Canadians, but Canadians also want their government to act on their behalf in protecting their safety and security.
Over the last several years, my Office has advocated strongly for privacy rights while, I believe, also demonstrating an understanding of the very real threats to public safety in Canada—including threats to the security of our information systems which many of you are responsible for protecting.
What has become clear is that privacy and cyber-security are actually very much interconnected.
On one hand, challenges for cyber security are also challenges for privacy protection. Just as organizations must stay abreast of the latest cyber threats in order to protect their IT systems, so too must privacy officers if they are to adequately safeguard the personal information entrusted to them by their clients, customers and employees.
On the other hand, cyber-security policy can also threaten privacy. Sometimes strategies put in place to combat cyber threats have the unintended consequence of infringing on people’s privacy.
So, there is a natural tension between privacy and security, but I believe it is possible to have both.
With that in mind, today I would like to focus my remarks on how Privacy Impact Assessments and breach reporting can reduce any negative impact on privacy in the context of cyber security.
I will also talk about national security issues more broadly, including Bill C-51, the importance of transparency reporting and sensitivities surrounding surveillance. And with Parliament now reviewing options for Privacy Act reform, I will touch on some of our recommendations throughout my presentation.
Privacy Impact Assessments
I am sure you would agree that it is far easier and less costly to address privacy issues proactively than to mop up a mess after the fact. It is also far more effective in protecting privacy rights.
That’s why departments and agencies should consider the privacy implications of any new policy or program at the earliest possible stage of development.
By completing a Privacy Impact Assessment, federal institutions can identify potential privacy risks tied to a planned activity, including ones related to cyber-security, and explain to the Canadian public how they will be mitigated.
During the last fiscal year, my Office received 88 Privacy Impact Assessments, a figure generally on par with previous years. It’s clear many departments and agencies recognize the value of this risk management tool. They understand that privacy is at the heart of their decisions and they respect the privacy rights of individuals.
But while some departments are diligent at doing PIAs, there are others for which we seldom, if ever, receive a PIA.
Occasionally, we learn about a new policy or program from the media that raises questions about why a PIA was not produced.
There are also times when we receive PIAs just days before the launch of an initiative, leaving virtually no time for any real assessment and feedback, let alone the implementation of any of our recommendations.
Before you develop or implement a new or altered program, service or system, you do a threat and risk assessment. If personal information is involved, don’t forget to do a PIA as well because the loss of personal information is among the threats you should be mitigating against.
In addition to beginning PIAs early in the planning process for new or substantially changed initiatives, it’s also important to remember that the PIA process does not end when the final report is developed and sent to my Office and the Treasury Board Secretariat.
Programs and initiatives typically evolve, so there is a need to continue to assess and mitigate privacy risk throughout the lifecycle of a program.
Finally, while we do not approve PIAs or endorse projects or proposals, and cannot be involved in drafting PIAs for institutions, my Office is available to consult with institutions throughout the process and I would encourage your organizations to take advantage of this opportunity.
We offer tips and guidance on how to do PIAs on our website and, in cooperation with the Treasury Board Secretariat, we have developed beginner, intermediate and advanced level PIA workshops for ATIP practitioners and others involved in drafting PIAs.
The bottom line is PIAs are an essential tool for helping institutions anticipate and prevent privacy incidents. This is true for new government programs and new IT systems. PIAs are an important tool to prevent and mitigate privacy risks. It is with this objective of prevention in mind that I have recently recommended to Parliament to elevate the requirement to conduct PIAs from a policy provision under the Treasury Board Secretariat, to a legal requirement under the Privacy Act.
Breach reporting and prevention
Now when it comes to breach reporting, we understand there are a large number of these which are cyber incidents, yet virtually none are reported to my Office.
While we accept that not all cyber incidents involve personal information, the dearth of reports leads us to believe that breach reporting may not always be well understood among government security and information technology personnel.
The reality is, the Treasury Board issued a directive to federal institutions in May 2014 requiring that all material privacy breaches be reported to my Office. That includes breaches involving sensitive information, information that may be used to harm an individual or information that impacts a large number of individuals.
We have also recommended in our comments to Parliament on Privacy Act reform that in addition to PIAs, which I mentioned earlier, mandatory breach reporting also be enshrined in law.
It really is in the best interest of institutions to involve my Office when a “material” breach occurs. The sooner we are notified of a breach, the sooner we can provide valuable advice regarding how to contain the breach, whether and how to notify affected individuals and how to help mitigate future incidents.
It is important to build in adequate physical, technological, administrative and personnel security controls to minimize the risk of a breach. While institutions are currently required to employ such safeguards as per a directive issued by the Treasury Board Secretariat, along with the other reforms we have recommended, we have asked Parliament to consider enshrining this important requirement in law as well.
Information sharing under C-51
When it comes to the broader question of national security, I’d like to talk a little bit about my concerns with Bill C-51, the Anti-terrorism Act, 2015, and how my Office plans to address those concerns.
The new law is meant to facilitate the sharing of information among federal institutions to better protect the safety and security of Canadians—a goal my Office shares. While we recognize that greater information sharing could lead to the identification and suppression of security threats, we are nonetheless concerned about the scale of the information sharing, the scope of the new powers, the safeguards protecting against unreasonable loss of privacy and the lack of independent oversight.
We are currently in the midst of a review of how information sharing is occurring between federal institutions for the purposes of national security. We will direct significant resources towards compliance activities to ensure that information sharing made possible under SCISA, the Security of Canada Information Sharing Act which is part of Bill C-51, duly respects the Privacy Act.
We will also advise Parliament and Canadians of our findings in order to inform both public debate on national security issues and potential future amendments to the Anti-terrorism Act which the new government has committed to reviewing. I look forward to upcoming consultations on possible amendments. Meanwhile, I encourage your organizations to be more transparent, all the while respecting national security concerns. Greater transparency would ensure public debate on the matter is better informed.
As a side note, I think it is worth mentioning that involving both your ATIP personnel and my Office at the design stage of developing an information sharing agreement can provide an important preventative check before sharing takes place. I would encourage you to take advantage of this opportunity.
Bill C-51 is not the only new surveillance-related legislation to cause us concern. Bill C-13, the Protecting Canadians from Online Crime Act, has also raised many questions about warrantless access to telecommunications data.
Since the Bill became law in December 2014, we have worked with both telecommunication service providers and Industry Canada to provide helpful information for Canadians.
We provided input into Industry Canada’s transparency guidelines which establish standards for transparency and accountability reports from companies that share personal information with law enforcement.
At the same time, we published a comparative analysis of transparency reports published voluntarily by some telecommunications companies. We concluded that while the reporting schemes had gaps, these reports can help Canadians make informed choices and better understand how and when government agencies access personal information held by private sector organizations.
Going forward, we hope companies follow the guidelines and that we begin to see more consistent transparency reporting. If not, we may call for legislative changes in this area.
Private sector reporting, however, provides only part of the picture. Greater transparency from the public sector is just as important. It is, after all, the public sector that is seeking and receiving this sort of information.
As such, we have called on federal institutions to maintain accurate records and to report publicly on the nature, purpose and number of lawful access requests they make to telecommunications companies.
A modernized approach, built for today’s communications and surveillance capabilities, would give citizens and Parliament greater insight into how federal institutions are using their lawful access powers. To that end, another one of our Privacy Act reform recommendations includes strengthening reporting requirements on broader privacy issues dealt with by federal organizations as well as specific transparency requirements for lawful access requests made by agencies involved in law enforcement.
As you may know, government surveillance was identified among the four strategic privacy priorities that will guide the work my Office does over the next five years.
Our goal is to contribute to the adoption and implementation of laws and other measures that protect both national security and privacy.
Over the last month or so, the battle between Apple and the FBI over encryption has raised many questions about this delicate balance between security and privacy.
Generally speaking, I would argue that encryption is extremely important for the protection of personal information. Companies that manufacture telecommunications devices have a responsibility to protect the personal information of their customers.
That being said, these companies are also subject to laws and judicial warrants that require access to personal information that may be legitimately needed in cases where public safety is at risk.
Still, the law needs to bear in mind the realities of technology. If you break encryption, or create an exception to the protection provided by encryption technologically, what impact will that have for the population more broadly?
Another issue making international headlines that raises serious questions for Canada is the battle between the European Union and United States over transatlantic data flows.
As you may know, the Safe Harbour Agreement that permitted the transfer of European citizens’ data to the U.S. was deemed invalid by the European Court of Justice last fall, touching off efforts to strike a new deal to ensure the continued flow of data.
At the heart of the matter is whether EU citizens are adequately protected when their personal information is transferred to the U.S. The EU ultimately wants to ensure that privacy protections afforded to EU citizens in other countries guard against mass surveillance and are essentially the equivalent of those guaranteed at home.
So what does this have to do with Canada? It raises questions about the adequacy of our privacy laws in protecting the data of EU citizens, partly in light of Bill C-51.
Not only would these measures improve privacy protections for Canadians, they would go a long way towards reducing the risk to international trade that would result from Canada losing its status as a country offering adequate protection to the personal data of EU citizens.
As I have said before, we believe information sharing provisions in the Anti-terrorism Act are excessive and lack balance. We also support more appropriate thresholds for sharing so that personal information is provided when it is not merely “relevant,” but rather “necessary” to a recipient institution’s mandate or “proportionate” to the national security need to be met.
We have further raised concerns about the fact that 14 of the 17 agencies receiving information for national security purposes are not subject to dedicated independent review or oversight.
As the government moves to amend the new law, it is my hope that it will consider our recommendations to increase oversight and strengthen thresholds for the collection and sharing of personal information.
I’d like to add one final note about the sensitivity of metadata which came up recently in the context of surveillance. In his annual report to Parliament in January on the Communications Security Establishment, Commissioner Jean-Pierre Plouffe revealed that the electronic spy agency had breached privacy rules and the National Defence Act by inadvertently sharing metadata with its Five Eyes partners.
While the metadata was said to contain Canadian identity information, the CSEC ultimately assessed the privacy impact as low given the safeguards it had put in place and because it did not contain enough data or context to identify specific individuals.
Our research has found that metadata can actually be quite revealing. It can include all sorts of information related to phone calls, emails, social networking and Internet browsing activities. While it doesn’t include the content of a message, it can include phone numbers, time and date stamps, email addresses, IP addresses, subject lines, location data, device information and webpage visits. When combined, it can say a lot about a specific individual.
In R. v. Spencer, for example, the Supreme Court of Canada held that a name and address of a subscriber linked with a particular IP address ultimately provided the police with the “identity of an Internet subscriber which corresponded to a particular Internet activity in question.
The Court recognized that individuals can enjoy a reasonable expectation of privacy in information that links their identity to a piece of metadata, in that case, an IP address and that police violated the Charter when it obtained this information from an ISP without a warrant.
All this to say government institutions that collect or are considering collecting such information should not underestimate what metadata can reveal about an individual. The same goes for private-sector organizations that are asked to disclose such data to government institutions.
Given the ubiquitous nature of metadata and the powerful inferences that can be drawn about specific individuals, government institutions and private-sector organizations must be prudent about their collection and disclosure activities.
In closing, I hope this gives you a sense of how to help mitigate cyber-threats, where we stand on national security issues, including Bill C-51, transparency reporting and surveillance as well as a sense of some of the Privacy Act reforms we are seeking.
I believe it is a fallacy that privacy and security cannot co-exist. Indeed, in the context of cyber security, they go hand in hand and protections in one area can complement the other.
And we are here to work with you as you prepare PIAs and information sharing agreements.
It has become clear to me that Canadians value security in the face of threats confronting the world today, but they also care very deeply about their privacy and want to protect it. They want to ensure laws and procedures are in place to keep government institutions in check. And they want greater transparency so institutions can earn their trust.
What gives me reason for optimism is that we live in a country governed by the rule of law—a democratic country that promotes and respects human rights.
I remain confident that we can protect ourselves from the threats we face, while also protecting our privacy rights.