A letter from Commissioner Ann Cavoukian to David Tsubouchi, Chair of Management Board of Cabinet, summarizing the IPC's position on smart cards.

Summary: A letter that summarizes the IPC's stance on the smart card.
Keywords: Surveillance
Published Date: Apr 05, 2001

OPEN LETTER


April 5, 2001


The Honourable David H. Tsubouchi
Chair of Management Board of Cabinet
12th Floor, Ferguson Block
77 Wellesley Street West
Toronto, Ontario
M7A 1N3


Dear Minister:

I am writing to you further to my letter of February 9, 2001, congratulating you on your appointment as Chair of Management Board of Cabinet. Over the past several months, I trust that you have had the opportunity to be briefed on your diverse responsibilities as Chair, including the smart card project, and hope that you are enjoying the challenges of your new position.

I was greatly encouraged to see that your first public statement on smart cards underlined the government's commitment to a card that will enhance, rather than diminish, the privacy of Ontarians. This commitment on the part of the government has, as you know, been instrumental to my office's involvement in the smart card project. As the government moves forward with this initiative, I would like to take this opportunity to review my office's position on the proposed smart card, and to summarize the privacy concerns we have identified through our work with your Smart Card Project team. As I have indicated from the outset, these concerns must be addressed prior to the government's introduction of a smart card for the citizens of this province.

I would like to begin, however, by noting that I have appreciated the level of involvement that my office has had to date with Project staff, particularly in the context of the working group that has been tasked with addressing privacy and security issues raised by the smart card. My experience as a member of the External Advisory Group for this project has also been positive, and I am pleased that the group has been successful in identifying a variety of important issues raised by the card.

I believe that, through the work that my office and Management Board Secretariat have done together over the past year, all participants in this process have a shared understanding of the need to implement any government smart card in a manner that respects privacy. Management Board's commitment to undertaking a full and thorough Privacy Impact Assessment, and to retaining a Privacy Architect as part of the Smart Card Project team, have helped to establish a positive working relationship between our two offices. I look forward to maintaining that relationship as we move forward to address the complex privacy issues before us in this initiative.


Surveillance

From the outset, my office has clearly stated that we cannot support a smart card that diminishes the privacy of Ontarians in any way or that becomes a de facto government identity card. The location and time stamp information of each smart card transaction, coupled with the cardholder's personal information, creates the potential for a powerful surveillance tool.

We would always vigorously oppose the creation of databases that match personal information across programs and create a central record of an individual's transactions with government. Such databases are potential surveillance tools and must not be enabled by a smart card. To this end, the proposed card registration centre that gathers the documentation to issue an Ontario smart card can never have, even in a temporary capacity, access to any program information. As well, the data generated from the use of the card, such as where and when it was used, can never be matched to the transaction information or its content. The systems design ultimately used should be incapable of permitting such matching to take place.


Public Consultation

The development of a provincial smart card raises a host of issues that require public debate. From the outset I have recommended that the government undertake a broad and thorough public consultation process that allows a full and informed debate on the government's detailed plans for the proposed card before it is implemented. That public consultation should be predicated on the release of the privacy impact assessment and details of how the architectural design of the system will protect privacy.

Thorough public consultation will also help to correct some of the current inaccuracies and misconceptions about the purpose and design of the smart card, as well as quell the public's fears about how the card will actually be used.


The Need for Legislation

Given the potential for intentional or unintentional misuse of smart card information, privacy protections must be enshrined in legislation. This legislation needs to closely define the parameters of the card's purpose and its informational content, including data shown on the face of the card, stored on the card, and stored in the databases of personal information associated with the card. The legislation must detail the necessary restrictions on:

  • the use of the card;
  • the personal information stored on the card, or collected by programs associated with the card;
  • the use of any numbers or identifiers related to program eligibility; and
  • the use of the card as a means of identification.

The legislation also needs to specify privacy protections at both the technology architecture level, and at the policy level, that will minimize the potential for future "function creep," ensuring consistent privacy protection over time. The legislation and technology design must ensure that any smart card or its associated databases will never turn the card into a government identity card.


Consent and Personal Control

The concepts of informed consent and personal control must underlie the design and implementation of the smart card. No personal information should be generated, collected or used without the informed consent of the individual. Further, consent should not be obtained through a blanket consent form that must be signed in order for citizens to obtain the card. The introduction of smart card technology and its associated security features will make it possible to obtain consent each time the government seeks to collect, use or disclose the personal information made accessible via an individual's smart card. This may be done in any number of ways, such as through the use of a password or PIN.

Another critical element of personal control is the extent to which the smart card is voluntary in nature. My understanding is that the smart card is intended to replace the current Ontario health card, and will be mandatory for receiving health services. I was assured at the outset of this project that any additional uses of the card beyond health insurance will be at the discretion and control of each Ontarian. Your statement in the fact sheet you recently released on the Ontario smart card also notes that information on the card and access to that information will be completely controlled by the cardholder. It is reassuring to see that your views are consistent with those of your predecessor.


Biometrics

Of all the personal information the government is considering collecting as part of the smart card project, biometric information is, by far, the most contentious. This is a hotly debated issue, with considerable underlying technical complexity, and a great deal of confusion associated with it.

In my view, it would be both simplistic and counter-productive to dismiss the use of biometrics out of hand, as there are clearly ways to use biometrics that can protect personal privacy. However, biometrics are very powerful personal identifiers, capable of functioning as the ultimate tool of surveillance.

Given the power and complexity of biometrics, my office has set out strict conditions under which the use of biometrics could be considered. No database of biometric information, as generated from finger or iris scans for example, should be created without applying the minimum standards for the use of biometrics, as set out in the Ontario Works Acts. I was pleased that your predecessor had committed to meeting these minimal standards, which are as follows:

  • the biometric must be stored in encrypted form both on the card and in any database;

  • the encrypted biometric cannot be used as a unique identifier;

  • the original biometric information must be destroyed upon encryption;

  • the stored encrypted biometric can only be transmitted in encrypted form;

  • no program information is to be retained or associated with the encrypted biometric information;

  • there can be no ability at the technical level to reconstruct or recreate the biometric from its encrypted form;

  • there must be no ability to compare biometric images from one database with biometric images from other databases or reproductions of the biometric not obtained from the individual;

  • there can be no access to the biometric database by law enforcement without a court order or specific warrant.

To date, I have not seen a commercially available biometric technology that meets these minimum conditions. Until I do, my office's position is that any government smart card program must not result in the creation of a database of citizen biometric information. I would strongly urge you, therefore, to make a definitive public statement indicating that any type of biometric database is now "off the table."

I hope that this summary will assist you in understanding my office's perspective on Ontario's smart card initiative. The concerns I have raised here are the same ones that we have been bringing to the table since the project's inception, over a year ago. I look forward to working with you to address these issues to ensure that, in your words, privacy is enhanced, not diminished, as this initiative progresses.


Sincerely yours,

Ann Cavoukian, Ph.D.
Commissioner

 


