The changing face of public and personal privacy in the face of social media, data clouds and global security challenges are becoming increasing concerns for privacy commissioners across Canada. The federal Privacy Commissioner, Jennifer Stoddart, explained her concerns to editor-in-chief Toby Fyfe.
How can we as individuals balance the demands of social media for openness and the requirements of privacy? Are these contradictory?
They are per se contradictory. We’re moving to a more open society, which is not a bad thing necessarily. You did an article on my colleague and fellow agent of Parliament on open government (June 2010 CGE) and in fact we just came back from a provincial meeting in which we all endorsed the concept of open government with due regard for confidentiality and the protection of personal information. I think it is possible to harmonize the two, to balance the two in one’s individual life.
The challenge is that it takes more knowledge, a lot of consumer and a certain amount of technological savvy. What we’re seeing now is a very aggressive push from the entrepreneurs who are developing these social networks which have become very profitable, particularly with a new demographic that wants to jump into them. Take the example of Facebook. I’m happy to say that Facebook has moved so that you will be able, to a large extent, to choose the amount of personal information that you share on that social networking site which you may not have been able to do easily because the directions just weren’t as clear a couple of months ago.
What I’m trying to say is if people are sufficiently informed and if the choices are there, they can take advantage, I think, of all these new social networking sites and ways to connect which they want to do. I don’t think that people’s privacy’s is going to disappear. They make choices, they don’t have to be on social networking sites. My concern is just how clear are the implications, particularly to young people, kids, and even an older demographic that’s not technologically savvy.
Is the concern about privacy and social media coming from citizens or from privacy commissioners like yourself?
We monitor very carefully all the media reports from around the world and there are very key and influential citizens groups, advocacy groups, and so on, that will take on these giants. There was a group formed spontaneously over the Facebook Beacon, that was where I buy something in a store, a pair of socks for my husband, and he gets it on his Facebook page before I’ve had a chance to give him the socks. That was settled in court recently for about $10,000,000, most of which went to a privacy rights centre in California.
I think privacy commissioners throughout the world are very conscious of the need to reshape the definitions of privacy which are historically, contextually, socially defined anyway to make sure they’re in sync with new technology, new generations, social movements. So no, I’m very confident that a lot of people are concerned about the same things.
Let’s talk a little bit about governments. They’re collecting personal data to achieve policy objectives such as security: how can they balance their roles as collectors of information and still be exemplars, if you will, of privacy protection?
I think government has a challenge. It is a tough balancing act. It’s making issues of collection of personal information by government come to the forefront of the consciousness of many managers, many deputy ministers, assistant deputy ministers in the public service in a way it wasn’t maybe 15 years ago when there wasn’t this sensitivity about it and people weren’t so worried about over-collection of personal information and who was watching. We didn’t have the technological capacity to data mine to the extent we do now.
You refer to “function creep.” Can you explain what you mean by that concept as it applies to governments?
“Function creep” means that something developed for one purpose is broadened into another purpose. Once you have that new technology or that new procedure, you find that it can be used for other things. What we’re worried about in the world of privacy is, for example, the function creep in surveillance of populations.
For example, in the U.K. it started out with a few cameras on the streets and then it spread so that at one point they had 6,000,000 cameras. It became, I think, almost absurd and my British colleague was very vocal in denouncing this. Video surveillance turned from a fairly limited application to video surveillance everywhere and yet the crime rate still went up.
Are you concerned about data being collected by governments for one purpose and then being used for another?
Well, it’s a basic principle of data protection. In fact, it’s enshrined in both the information and privacy acts that you have to collect information for one purpose and use it for that purpose. Again, personal information, like privacy itself, has a different meaning, a different significance in different contexts. When you give your name to the government for one purpose it’s very different than giving it for some other purpose that might be quite frightening.
I think what is a greater concern now is the ubiquitousness of the collection of personal information through Web 2.0, through sensors that are increasingly everywhere, through wi-fi connections. There’s very little you can do now online where some kind of personal information about you is not collected.
There’s also another debate that we will have to go through and I think this will increasingly come to the fore as the government moves to one-stop shopping, guichet unique, to make its online interface with Canadians simple and clear. Traditionally throughout the world, governments have approached the question of keeping personal information only used for that purpose by building separate towers of data, different databases; this is the principle of separation. Well, now you have such enormous databases in which citizens’ personal information may be repeated that some of us are wondering if in the future it would not be better to go to a fish pond idea where you have a certain amount of information on citizens and those that are licensed to fish in the fish pond can only take out those particular fish they are entitled to.
Now, that’s not how the Privacy Act is written but there are some very good questions being asked around multiple databases in which all your information is copied and recopied, and the challenge of keeping it accurate from database to database, the challenge of how to monitor the movement of personal information from one database to another.
As a manager, what would you tell public servants about the steps they should take to ensure privacy and balance it with innovation?
I say go ahead and innovate. I think we have to be relevant, to spend public money wisely but always think of the impact on people’s personal information. Before you’ve gone too far in developing your new program, your procedure, your product for the public, run through it from the point of view of personal information, asking how would this impact people’s privacy.
Another thing that I think managers or general managers could do is make sure somebody in your office goes to privacy training. Sometimes it’s combined with access to information.