Wednesday, January 28, 2009

Time for a privacy check-up

Today's Halifax Chronicle Herald has an opinion piece by Bob Doherty, the former head of privacy and access with the Nova Scotia Department of Justice:

Time for a privacy check-up - Nova Scotia News -

Time for a privacy check-up Laws need to be understandable, consistent

By BOB DOHERTY Wed. Jan 28 - 7:25 AM

With today being International Data Privacy Day, it is useful to see just how far society in Atlantic Canada has come in dealing with the complex issue of privacy since the last, almost unnoticed, celebration of this event locally a year ago.

Positive signs are emerging in the efforts to create more privacy consciousness in the region. Dalhousie University hosted a privacy event yesterday, and there have also been other events over the past 12 months. Most recently, CBC Radio’s Maritime Noon hosted a privacy "phone in" with Kostas Halavrezos and local privacy lawyer David Fraser. All of these events and others point to an increase in privacy consciousness in the past year.

However, as one listened to the calls that were received on the CBC Radio privacy segment, it became apparent there was substantial confusion as to what privacy choices, rights, obligations and remedies exist in a variety of settings. A good part of this confusion would seem to arise from a misunderstanding as to what "privacy" is.

In a nutshell, privacy is about legal choices, rights, obligations and remedies for the collection, use and disclosure of non-public, usually recorded, information about us, as individuals, in certain public and private-sector situations. However, even further than this, there are usually only four categories of personal information about us in which privacy choices, rights and obligations may or may not exist:

Our secrets: This includes information about our personal or work lives, such as employment record, sexual orientation, personal preferences, digital photos or video recordings, records of library loans, video rentals, etc.

Our identity: Such things as our social insurance number, health card number, blood type, society membership cards, etc., fall into this category.

Our health: This includes our medical and psychological history.

Our finances: Examples are our financial and credit status, bank account information, credit card identification and usage history, etc.

While some of the information in all categories may not be considered particularly sensitive and of little privacy interest to some individuals, for others this information is very personal and its disclosure would be viewed as highly privacy-invasive. Regardless of the sensitivity, there is always the potential for public embarrassment, denial of services or financial loss if the information is disclosed, or disseminated widely or indiscriminately.

However, while all of these categories involve our privacy choices, not all of the situations in these categories are subject to privacy laws.

All of this information we willingly (or reluctantly) give to selected individuals or organizations, either as a matter of trust, social interaction, contract or as required by law. However, there seems to be confusion among the general population on choices, rights, obligations and remedies (if any) in many of these situations where our personal information is involved.

In many cases, as Esther Dyson points out in a September 2008 Scientific American article entitled Reflections on Privacy 2.0, "People often have a better bargaining position than they realize, and are gaining the tools and knowledge to exploit that position."

So, how do we lessen that confusion and achieve that level of knowledge and understanding? For those who have tried to navigate the patchwork landscape of privacy laws in Canada, the answer should be obvious. Current laws need to be made more understandable to the average person and consistent across Canada. Penalties should be clear and significant for egregious privacy breaches, and oversight mechanisms must be provided with broad educational mandates and the budgets to implement them.

At the federal level, this would include passage of the proposed "identity theft" amendments to the Criminal Code, and development of clarity amendments to federal public and private-sector privacy legislation.

In Nova Scotia, this would mean proclamation of the recently passed Privacy Review Officer Act. It would also mean a provincial health information law, along with legislation to deal with privacy in the workplace and electronic surveillance (e.g. video, digital cameras including cellphone cameras, and computers).

If these changes, along with increased privacy education about choices, rights and obligations regarding our personal information in the schools, the workplace and the community are implemented, perhaps at this time next year we will not only have an increased level of privacy consciousness – we will also have a better understanding and the capacity to engage in a more informed debate on the future directions privacy-protection policy and laws should take.

Bob Doherty is a Halifax access and privacy consultant who teaches and works with access and privacy law courses in Nova Scotia and Alberta.

I think that Bob and I may think about privacy a bit differently. I probably wouldn't have used the categories he did. To me, words like "non-public" aren't very helpful and everything may fit into the category of "secrets". It just depends on how much an individual decides to disclose and how they propose to disclose it. Public information can be subject to privacy rights, as is the case in PIPEDA where publicly available information is still subject to legal limitations. But no matter what, the public should be educated about privacy rights and should have a say in shaping privacy laws.

No comments: