Access and Privacy: A Balancing Act?
A presentation to
Open or Controlled Society?
Access to Public and Corporate Information: A Civic Conference
Eckhardt-Gramatte Hall, University of Winnipeg
Director of Strategic Planning & Technology Services
Information and Privacy Commissioner/Ontario
May 10, 2002
Hello. I would like to thank the conference organizers for giving me the opportunity to speak to you today. Commissioner Ann Cavoukian and Assistant Commissioner Tom Mitchinson had wanted to be here, but they are both heavily involved in an Ontario Bar Association continuing legal education program on freedom of information today that our office, together with the Ontario Ministry of the Attorney General, is sponsoring.
Let me begin with an authorized disclosure of personal information - this is the first time I have ever been to Winnipeg. However, I do feel that I have some connections to this wonderful city: 1) my wife was born here (I should note that this information is disclosed with her consent); 2) I recall being regaled with stories from friends about sailing on Lake Winnipeg and; 3) a few years ago, one of our fine policy analysts left the hustle and bustle of Toronto for the beauty of Winnipeg. That background hardly qualifies me as an honorary Winnipeger, but that's the best I can do.
My remarks today stem from my observations of the access and privacy regime in Ontario and Canada over the last number of years and as someone with a long-standing interest in public policy and governance. They also reflect my strong belief in the importance of access and privacy rights in our society.
The topic that the conference organizers suggested I speak on is Access and Privacy: A Balancing Act? This is an interesting and challenging topic and I hesitate to acknowledge how many trees were harmed in my research.
Access and privacy provisions enshrined in legislation in Canada, by and large, appropriately deal with the tension between access and privacy. But there is a threat to this balance, a threat that tips the scales against both these fundamental rights. The threat to access and privacy comes not principally from overly secretive governments (although that certainly does not help), nor from a broadening sense of individual privacy rights, but from the increasing imposition of public safety and security concepts.
The true threat to our access and privacy regime stems from overzealous attempts to protect society from the risk of terrorism - the result of which may lead to legitimate and appropriate access rights being curtailed and inherent privacy rights suppressed. However, there is also a countervailing force, e-government, which has significant implications for access, privacy and security.
To explore these issues, I will touch on three themes in my remarks. First, I will briefly discuss an overview of access and privacy legislation to give some context for the later comments. Second, I will highlight some of the impacts of September 11 on access and privacy. Then I will focus on the implications e-government initiatives have for access and privacy.
Overview of access and privacy legislation
In a presentation at the 2002 Computers, Freedom and Privacy Conference in San Francisco a few weeks ago, Beth Givens of Privacy Rights Clearinghouse said: "the balancing act between access to government records and personal privacy is one of the most challenging public policy debates of our time." I agree.
To better understand this balance, we must review the principles underlying privacy and access regimes. Privacy revolves around the concept of individuals having control over the collection, use and disclosure of their personal information - sometimes described as informational self-determination. The value underlying access or FOI is that open, transparent and accountable government is a right - the quid pro quo of governments, since they are founded upon the collective transfer of rights from the governed citizenry to the governors.
The rights of access to information and the protection of privacy often appear to conflict. The Dagg case that was heard by the Supreme Court of Canada brought these occasional and unavoidable tensions between access and privacy into sharp relief. In the Court's decision, Mr. Justice LaForest clearly noted the fundamental importance of privacy in our society. He also discussed the fundamental importance of access to information legislation. Justice LaForest said:
The overarching purpose of access to information legislation, then, is to facilitate democracy. It does so in two related ways. It helps to ensure first, that citizens have the information required to participate meaningfully in the democratic process, and secondly, that politicians and bureaucrats remain accountable to the citizenry.
In that ruling, Mr. Justice LaForest also stressed that, "The protection of privacy is a fundamental value in modern, democratic states." Both access and privacy are core values in a democratic system; both need to be nourished and both need to be protected.
It has been acknowledged that FOI schemes are potentially politically risky. When Ontario's proposed Freedom of Information and Protection of Privacy Act was introduced in July of 1985, then attorney general Ian Scott noted:
I recognize and have no doubt that at some point in the future, information could be made public under this new bill that could embarrass or harm the fortunes of the government of the day. We recognize that possibility; however, it is a fact of life and a natural consequence of an open, consultative government. It will achieve the greater good of parliamentary democracy, open administration and thus the good of society as a whole. That potential risk, that potential cost, can and must be borne in the interest of freedom.
When the Ontario government proposed combining FOI and privacy under a single law, this approach was not the norm. Some considered this decision to combine two such important but perhaps conflicting values in a single regime as being unnecessarily complicated.
In order to find the proper balance between access and privacy it must be understood and accepted that neither is inherently more important than the other. While privacy is well recognized as a fundamental human right (and thus in little need of defence or further explanation), I hasten to add that access to information shares the same characterization, in addition to being an essential component of open, transparent and accountable government. It is been argued that access to information is a recognized right protected by Article 19 of the International Covenant on Civil and Political Rights and the EU Charter of Fundamental Rights.
In 1946, the General Assembly of the United Nations adopted the following statement: "Freedom of Information is a fundamental human right and is the touchstone for all the freedoms by which the United Nations is consecrated."
In the book, Reflections of a Siamese Twin - Canada at the End of the 20th Century, author John Ralston Saul discusses the importance of having an informed citizenry. He writes:
The primary consideration is that in a democracy legitimacy lies with the citizenry. That is what makes a democracy superior to other forms of social organization and the process which leads to important decisions is not simply supposed to include the citizen, it is supposed to use the intelligence of the society which lies within the legitimacy of the citizen in order to minimize the chances of making major mistakes. That is the primary characteristic of a democracy. (p. 460).
As strongly as I believe in the fundamental privacy rights of the individual, I equally strongly reject the view that considers access to information as an "administrative right," or that it is merely desirable but not essential in our society. I reject the view that privacy "trumps" access. That view is, I suggest, patently simplistic and ignores the wilful balance foreseen by the framers of our access and privacy legislation. Individual circumstances must be taken into account, and difficult decisions must be made under the framework of the law.
I believe that this is the view stated by Mr. Justice LaForest in the Dagg case when he wrote:
There is nothing in the language of either statute [access or privacy], which suggests, let alone compels, the conclusion that the one is subordinate to the other. They are each on the same footing. Neither is pre-eminent. There is no doubt that they are complementary and must be construed harmoniously with each other….
Governments must never hide behind a trumped-up shield of secrecy disguised as privacy, or security, to prevent disclosures necessary to ensure public accountability - the federal government's original (now sort of reversed) decision regarding expense claims of Cabinet ministers comes to mind. To continue the theme of access versus privacy, I could also discuss the controversy over the 1911 census or the battle between the federal government and its own staff lawyers over access to Cabinet documents - but I really don't want to get drawn into those quagmires.
In order for FOI and privacy laws to work effectively, governments and the Officers of Parliament charged with protecting the access and privacy rights of citizens must be able to assure the public, through their decisions, that both values have been given a fair hearing, and that the proper balance has been found. Similarly, restrictions on access or privacy rights under the guise of security measures must be carefully weighed and "balanced" against these competing rights.
Federal Information Commissioner John Reid gave a speech last year in which he remarked that, "openness and privacy are complementary, not adversarial, values." The two federal statutes, he said, were "drafted to fit together like two halves of a whole." This recognition that access and privacy are not inherently contradictory is vital.
The effects of September 11
The issue of access and privacy has taken on a distinctly more sensitive note since the tragic events of September 11, which put access to information - both personal and general government records - and privacy, squarely in the targets of security experts.
Last week, an editorial in the Vancouver Sun discussed the need for legislator to tread carefully when crafting anti-terrorism measures. The editorial stated:
In a democracy, the protection of privacy and personal rights and freedoms [to this, I read freedom of information] must be balanced against the need to guard against terrorism. Sometimes privacy [and access] rights must be curtailed to ensure the protection of all people. It is never easy to strike that balance.
The scope and scale of governmental response in the U.S. to the threat of terrorism has been significantly more pronounced than our domestic actions (substantial as they are). American watchdog organizations, public advocacy organizations and the media have been vigorous in their denunciation that security appears to be trumping access to information and privacy rights. Similar criticisms have been also been voiced in Canada.
One could be trite and suggest that we have been living in an age of terrorism for many years and that FOI and privacy acts had not previously been considered to be supportive of terrorist activities, but clearly many people in government have put security at all costs ahead of access or privacy. I don't want to go into a discussion of events in the U.S. in great detail - this audience more than most is aware of what has transpired with the U.S. PATRIOT ACT, and the Ashcroft "sound legal basis " reversal of the previous Reno "openness" memorandum, but when I read stories of university librarians receiving letters instructing them to destroy CD-ROMs containing data supplied by the US Geological survey "by any means" under the guise of national security, it sounds a lot like book burning.
The U.S. advocacy group OMB Watch issued a Right to Know Update, in which it noted four recent disturbing trends affecting access: 1) vast amounts of information have been removed from government Web sites; 2) information is being destroyed; 3) the policies underlying public access are changing and; 4) the procedures for using reading rooms have become more restricted.
Echoing these concerns, the New York State Committee on Open Government, in its 2001 annual report, criticized the wholesale removal of data under the guise of public safety and security. The report stated:
While the knee jerk reaction may be understandable, it may not be sensible. Moreover, inferring that removal of the data may add to public safety is illusory and may provide the public with a false sense of security. The passage of time or the occurrence of events may diminish or eliminate potentially harmful effects of disclosure. The beauty of [freedom of information legislation] FOIL, its ethical foundation, is its flexibility. FOIL gives the government the ability to make reasoned decisions regarding disclosure based largely on common sense and consideration of the effects of disclosure.
Recently, the Supreme Court of Canada decided that the Sierra Club could not have access to confidential court documents that describe nuclear reactors. It is not difficult to believe that the court did not want see these documents posted on a Web site regardless of commercial confidentiality concerns or national security.
Lawyer David Stratas described the ruling as "an astute attempt to balance the principle of open courts with the public's right to know what is going on in the courts." Time will tell whether the court's determination that confidentiality orders are indeed restricted to cases where such protections outweigh the importance of public access and where disclosure would "present a serious risk" to a commercial interest.
Canadian access advocates may rue the power that our new anti-terrorism legislation gave the Attorney General to issue certificates exempting certain types of information from disclosure; but consider the access situation in America. How many of you were aware that there are 30 bills pending in Congress (and hundreds more at the state level - at least 134 in Florida alone) attempting to redefine and limit government obligations under FOI legislation? Recall this is a country that prides itself on its open records laws, its sunshine laws and the wisdom of its forefathers like James Madison, who said:
Knowledge will forever govern ignorance, and a people who mean to be their own governors must arm themselves with the power knowledge gives. A popular government without popular information or the means of acquiring it, is but a prologue to a farce or a tragedy or perhaps both.
I should also note that is the same country in which the General Accounting Office went to court to force the Vice-President to turn over documents. However, on the bright side, the Chairman of the U.S. Senate Judiciary Committee recently wrote the Comptroller General asking him to report on how government agencies were complying with the Electronic Freedom of Information Act and assess the impact of the Ashcroft position - once again, checks and balances at work.
There are also renewed signs that all thoughts of privacy are not lost, even in the U.S. In late April, legislation was introduced that would require federal agencies to issue a "privacy impact statement" upon proposing any new rule or regulation. After a public comment period, agencies would be required to issue a final assessment detailing what steps it has taken to minimize the impact on privacy.
Ohio Representative Steve Chabot spoke about this proposed legislation and noted:
In the wake of the events of September 11, Congress acted promptly to provide law enforcement with the tools they needed to more effectively fight terrorism. Because some of these tools could have an adverse impact on privacy rights, it's essential that federal agencies provide thoughtful consideration from a privacy perspective and focus on the privacy rights of our citizens.
Representative Jerrold Nadler of New York said: "It is important that the individual liberties of our citizens are not sacrificed to the war on terrorism. We can have both privacy and security. We just have to strike the proper balance between the two." (I think he has been reading some of Ann Cavoukian's speeches.) Perhaps the tide is turning, let's hope that access regains its footing as it appears that privacy has to some degree.
The events of that day last September have given governments the apparent justification to alter the former balance between access and privacy - under the guise of security. Anti-terrorism actions have not only lessened the privacy protections afforded individuals - they have reduced the availability of information accessible under FOI. This is a remarkable situation since it is not access that is being balanced against privacy - for both rights have taken a hit in the purported interest of public safety and national security.
Interesting, a few weeks ago, Mexico passed that country's first freedom of information law. The same day, the Scottish Parliament passed an FOI law. These are encouraging steps, especially in light of events that have been "conspiring" against public access to government-held information.
Our access and privacy rights appear to be threatened due to security concerns. However, thankfully, many people both inside and out of government acknowledge this threat. It is too early to say how a new balance will be struck between access, privacy and security, but one thing is certain - the steamroller of e-government is headed towards us, and it, too, will have an impact on access and privacy.
The impact of e-government
Contrasting the negative effect these anti-terrorism initiatives, e-government initiatives are intended to make government more open and accessible and at the same time offer greater privacy protections for individuals.
In the last year, a significant number of reports and projects have addressed the access and privacy implications of e-government. The Center for Technology in Government at the University of Albany (SUNY), held a policy panel to discuss Information Access in an Electronic World. The Council for Excellence in Government released a report entitled, E-Government: to Connect, Protect and Serve Us and the Pew Internet and American Life Project produced, The rise of the e-citizen: How people use government agencies' Web sites.
These reports, and many similar ones evidence a strong interest on the part of the public to access government information and services online. Yet there remain significant privacy concerns, not to mention access to information difficulties. Looking once again to the U.S., the Senate Government Affairs Committee passed the E-Government Act that would require federal courts to post opinions online, that agencies post rulemakings, and importantly, that agencies conduct privacy impact assessments before beginning new projects that transmit personal information.
For e-government to work, governments will have to get the access and privacy balance right. In his introduction to the report, Privacy and data-sharing: The way forward for public services, British Prime Minster Tony Blair notes that:
…[T]here is great potential to make better use of personal information to deliver benefits to individuals and to society, including through increased data-sharing. But these benefits will only be realized if people trust the way that public services handle their personal data.
New York Chief Judge Judith Kaye recently appointed a Commission on Public Access to Court Records to study the competing interests of open access and privacy, to advise the courts about privacy problems that could arise from posting court files online and make recommendations on how the courts should address this vexing issue. This follows similar work last year in California.
The drive towards e-government is not going to let up. Be it online health networks, integrated justice networks, smart cards, electronic benefit payments systems, online bill payment systems, online court documents, access to public registries, electronic voting, electronic service delivery or electronic democracy, e-government is coming to a computer near you.
The consulting group Accenture says that Canada is doing the best job in the world at developing e-government - of that we should all be proud - but that does not mean that the access and privacy issues associated with e-government have been resolved (there is a special section on privacy and security but not one on access to information). Recently the federal Treasury Board announced that all new government projects would have to undergo a privacy impact assessment (a policy the Ontario government instituted a few years ago). That's good news. I suggest that any new government initiative should be obliged to undertake an access impact assessment to ensure the project also has FOI in mind from the ground up.
An access impact assessment would examine the implications that any proposed new or revised system or procedure might have for fulfilling a department's FOI and informal information disclosure obligations. If the system does not provide or enhance ready access to records that could be released under FOI, then it should be revised to enable such access. After all, it's not just about FOI compliance; it's about effective information management - which in large part supports an efficient and compliant FOI program.
In many ways, it seems that while modern information technology should be providing the public with greater access to government and giving governments the opportunity to efficiently provide information to the public (and to be fair, both are occurring to greater or lesser degrees), these same tools are providing governments with the increased ability to monitor, track and spy on their citizens.
The years ahead are going to be challenging as governments attempt to implement e-government projects and at the same time grapple with the implications of anti-terrorism initiatives. The balance between the public's general interest in access for government accountability coupled with its privacy expectations for e-government, versus the justice community's expectation for access to information to counter crime and thwart terrorism, is one of the most difficult public policy challenges facing us today.
There has never been a time of greater need for independent oversight bodies such as freedom of information and privacy commissions. I say that not for job security purposes, but because never before have the operations of government been so complex, so much a part of the fabric of society. I believe we must vigilantly guard our access and privacy rights, especially against erosion under the onslaught of the auspices of "security."
To cite the Dagg decision one final time, Mr. Justice LaForest wrote:
The Access to Information Act clearly provides that "personal information" is not to be disclosed except in certain specified circumstances. Of course, the determination of what constitutes "personal information" will involve a balancing of competing values. Such a balancing process… cannot be avoided simply because it might be easier to apply a clear, bright-line rule that favours one interest over another.
I believe that, today, that bright line is security, but it too must find its place in the panoply of competing interests. Our access and privacy legislation, even if imperfect, is vital and necessary to ensure open, transparent, and accountable government, while protecting the privacy rights of individuals and the confidentiality of government and business operations without unnecessarily compromising public safety or national security. If the system sometimes fails, well it is a noble goal to aspire to and one that should be supported by all who are entrusted with the guardianship of our governments.
I appreciate your kind attention. I regret not having the time to discuss some of the interesting work my office has undertaken in access and privacy issues, or Ontario's draft health and private sector privacy legislation. I would be pleased to discuss either of these with any of you.
*Thank you and best wishes for the rest of the conference*