|
4 November 2002
Privacy Trends: Meeting New Demands
By Thomas B Riley, Executive Director and Chair, Commonwealth Centre for Electronic Governance
A recent conference in Ottawa, Privacy Trends: Complying with New Demands, held on 22 October by the Commonwealth Centre for E-Governance, made clear the importance of privacy overall in society and, in particular, in the development of eGovernment. During the day's proceedings much emphasis was placed on the nature of Canada's new laws covering privacy in the private sector, and how such laws were in place to ensure citizens' rights in a growing electronic commerce environment. Concerns were also raised about the lowering expectations of privacy within public sector organisations internationally, in the sustained drive to combat terrorism. The rise of modern information and communication technologies has created new environments in which millions of bytes of data on individual citizens are being collected daily by governments and corporate interests alike.
Privacy has now become a major issue internationally. The rise of intrusive technologies and the Internet has resulted in a surge in awareness about the importance of privacy. On the Internet increasing pressure is being placed on companies, as in the US where there is no federal law regulating privacy, to develop privacy policies in order to protect consumers from corporations, which are liberally sharing their personal information in this new environment. The rush by large corporations to engage in eCommerce has meant more personal information is being gathered, shared, sold, and disseminated, than ever before. Governments around the world, including the United Kingdom, Australia, New Zealand, Canada, the US and many European Union countries are increasingly gathering personal information from a variety of sources, through the matching of databases.
Surveys in Canada and the US show clearly that many individuals perceive that their personal information is used in cyberspace in very cavalier ways. Many studies conducted by various Information Commissioners, government agencies, advocacy groups and polling organisations make it clear that our personal information is bandied around the technological and communication networks of the world. The amount of personal information collected and stored by government and corporate organisations may seem to some like a fantastic science fiction story rather than a reflection of the reality of the modern world. At any given time, highly computer-literate people, in both government and segments of the private sector, can, within seconds, know everything about an individual by using these sophisticated technologies. It is no longer a question whether the potential to gather such information is out there but rather how extensive is it?
These capabilities have consequences for the development of eGovernment programmes, as they rely on the willingness of the citizen to take part in governments' on-line activities or to interact with the government. For this to occur there needs to be a climate of trust and confidence, generated amongst the public, that any personal information shared with government will be kept confidential and not subject to sharing between departments, except in limited legal circumstances in the interests of the state and for the overall public good. But even these limitations must be stated clearly in educational programs about privacy and data protection measures. It is important that there be consent received from the individual, except in limited, narrow circumstances, to use his/her personal data. Consent of the individual is a bedrock principle of privacy. These ideals are difficult to maintain. Witness the instruments being developed by the European Union, in which countries are being given more and more exemptions to collect and share personal information in the current fight against terrorism. Thus, a new tension has arisen - the right to privacy vs. the growing philosophy in many countries of the necessity for governments to have access to a multitude of usages of personal information, for a variety of reasons.
The growth of privacy and data protection laws around the world reflects government's response to citizens' concerns about their privacy over the past two decades. However, since 9/11, more and more governments have amended once strong privacy laws to enable agencies and departments to amass and share personal information of their citizens in the growing effort to combat terrorism. Privacy Commissioners in Canada have had some influence in curbing some of the more extreme measures the government has wanted to collect personal information on its citizenry. And, despite the somewhat reduced privacy rights, the Canadian Federal government has implemented a policy of ensuring departments conduct a Privacy Impact Assessment whenever any new application of eGovernment programme or service is to be implemented. This Privacy Impact Assessment policy is a marked success and is now being considered by the UK and Australian governments in their respective jurisdictions.
Thus, it is useful to look at what such assessments entail.
Ross Hodgins is a Senior Policy Analyst in the Government Online Division of the Chief Information Officer's Branch in the Canadian government. Their office had surveys conducted to put into context why privacy impact assessments are important. One such survey indicated that Canadians had significant concerns over forwarding personal information to government over the Internet. The findings found that of those Canadians surveyed:
| | · | Only 54% agreed that, with proper security measures in place, they would be comfortable sending information over the Internet to the federal government; | |
| | · | They remain particularly concerned about transmitting bank account, credit card and SIN numbers (Social Insurance Numbers); | |
| | · | 56% believe the federal government has one large database with all their personal information in it; | |
| | · | 35% are not aware that there are federal and provincial privacy laws restricting the use and sharing of personal information; | |
| | · | 51% of Canadians agreed that submitting personal information over the Internet to a secure government website is equally as safe as submitting the same information in person at a government office; | |
| | · | 50% of Canadians believe that departments/agencies only share the information they collect with one another in specific cases where it is permitted by law. (EKOS Survey, Canada, Autumn 2001) | |
It is this type of survey results that drove the government to develop the policy on privacy impact assessments. The Canadian Government was one of the first to recognize the importance of privacy in the overall scheme of e-government implementation.
These indicators, according to Hodgins, have resulted in Canadians expecting that the Government will deliver services via the Internet, and in a trusted and secure environment. However public opinion is divided on whether government should share some personal information among departments for the purpose of providing better and faster service.
Finally, such attention to the implementation of privacy assessments, when dealing with new programs, will help to assure Canadians that their privacy is being protected when they use government programs and services on-line through "notification and consent of personal information" (with consent being the common theme through all the sessions at the Privacy Trends conference).
Public Key Infrastructure programmes, digital signatures, and secure online channels, are also an important part of any Privacy Impact Assessment implementation, according to Michael Powers, legal privacy expert at Gowling Lafleur Law offices in Ottawa. He defines the purpose of Privacy Impact Assessments as:
"An evaluation of business processes to determine the level of compliance with 'best practice' benchmarks, including data flow analysis, gap analysis, privacy risk assessments and privacy risk management plans."
He sees three elements to developing a privacy secure environment:
| | 1 | Data Analysis (as to how the information is either aggregate or personal information); | |
| | 2 | Privacy Analysis; | |
| | 3 | Privacy Risk Management Plans. | |
The above are only some of the key ingredients of Canada's privacy policies in relation to eGovernment. These implementations are occurring at both the Federal level and in some of the provincial governments. Privacy Impact Assessment policies evolved from an awareness that trust and confidence of the citizen are crucial if eGovernment programmes were to take hold with the citizenry and, most important of all, if the citizen would be willing to use the programmes and become engaged in electronic service delivery as a matter of routine. These privacy policies are helping to offset some of the concerns citizens in the developed world are having over the loss of some privacy rights since 9/11.
There is a distinct difference between privacy legislation, which covers the private sector, and legislation covering public sector organisations. Legislation covering the private sector organisations to protect individuals' personal information is strong, and a culture of compliance is widening in many jurisdictions outside Europe. But the same cannot be said of public sector privacy legislation where many amendments to current law are resulting in more powers for governments to use personal information in a variety of ways. A balance is being sought to ensure that governments can have the tools to ensure they are able to fulfil their law enforcement and intelligence gathering abilities in the fight against terrorism while still enshrining privacy values in public sector institutions.
Citizens of many countries have accepted that certain privacy rights have to be given up in the new environments. However, at the same time, while acknowledging the new reality of international terrorism, there is also an expectation that a proper way will be found to ensure that fundamental privacy values are maintained and not washed away in some eager impulse to collect increasingly more and more personal information on citizens to be put into large databases.
The Ottawa conference has shown that privacy continues to be a fundamental value intricately linked to basic human rights. Recently, there have been erosions in some of these privacy rights, but the public does not expect them to vanish anytime soon.
Note: The highlights of the seminar and the presentations of the most important speakers can be found here: http://www.rileyis.com/seminars/index.html
Other articles by Thomas Riley
- eDemocracy in a Changing World
Thomas Riley is the co-Founder, Chair of the Board and Chief Executive of the Commonwealth Centre for Electronic Governance [http://www.electronicgov.net], a think-tank set up under a Commonwealth Secretariat programme in London. He is also the President of Riley Information Services [http://www.rileyis.com], a consultant and advisor specialising in national and international IT policy development, and a Visiting Professor of Law and Technology at the University of Glasgow. Throughout his twenty-eight years as an access, privacy and information technology professional, Mr Riley has written numerous articles and opinion pieces published around the world, organises national and international conferences on a wide range of information technology and policy issues, and produces specialised reports for public and private sector clients. For further information he can be contacted at Tom@Rileyis.com
Thomas Riley's independent opinion appears courtesy of Prospect - a recruitment consultancy committed to 'enabling better futures' and sourcing the people to drive eGovernment. For further information go to http://www.prospectmsl.com/ or email info@prospectmsl.com
|
