The Future of Information Access and Privacy Protection in a Changing Canada
While the notions of privacy and secrecy, and the counterpoints of access and curiosity, have existed for a long time, their formalization from general concepts is still early in the journey towards comprehensive legislation. Definitions such as a “…physical space where we can be free of interruption, intrusion, embarrassment or accountability, and the attempt to control the time and manner of disclosures of personal information about ourselves” (Smith 2000) or stated plainly, “the right to be let alone” (Warren 1890) help forward awareness of the legal basis for privacy, but the ideal of “information self-determination” (Cavoukian 1995) when evaluated against today’s access and privacy protection landscape still seems far off. Adding to the challenge is changing social norms regarding privacy expectations and a technology-fueled gold rush in data collection and information extraction.
The situation in Canada could be summarized as “a strong foundation in need of updating and enhancement”. The Privacy Act and Access to Information Act, both enacted in 1983, have never been revised despite repeated calls for addressing the changes to information issues over the past quarter-plus century (Franks 2016). The private sector’s parallel legislation, the Personal Information Protection and Electronic Documents Act is younger than its public counterparts but tasked with regulating an environment undergoing even more rapid change. In the absence of a coordinated federal effort we run the real risk of creating a complicated patchwork of regional legislation, sectorial rules and self-regulation (Franks 2016) that would greatly increase the challenges of compliance.
With commitment and political will towards change, legislative enhancement can build on recommendations of reviews that have already been completed, addressing first the “easy wins” identified, including:
- An Enhancement of the role of federal and provincial privacy commissioners, including the ability to investigate beyond responding to complaints [similar to Alberta and British Columbia (Franks 2016)], flexibility to direct resources to areas of highest impact and increased order-making powers.
- A reduction in the number of discretionary exclusions (Franks 2016) and a clarification of exceptions and general government secrecy omissions, refocusing on specific cases directly impacting personal privacy information.
- Establishing a scheduled periodic review and assessment of existing legislation that focuses on emerging technologies and best practices of cohort jurisdictions such as Australia, the United Kingdom and the European Union (Franks 2016).
One of the biggest challenges to building an IAPP framework is the rapid advancement of information technologies. It may also prove to be one of the best tools for addressing the challenges. If well designed and implemented, electronic information systems can minimize data duplication and errors, effectively manage access & information sharing and reduce the costs of data initiatives. Coupled with comprehensive legislation, knowledgeable information professionals and procedures & policies we can balance competing aspects of access and privacy. Ultimately all parties involved: legislators, courts, the private sector, privacy commissioners and oversight, information management professionals and IAPP administrators must agree to a sustained and evolving commitment addressing information access and privacy protection issues in an unpredictable world of accelerating change. Through this journey we can build the IAPP environment that Canadians deserve and expect.