2016 Protecting and Promoting Canadians’ Privacy and Access Rights in Information Sharing Initiatives
January 25, 2016
Context
Governments at all levels are seeking to leverage technology, increase information sharing, integrate data and facilitate cross agency sharing of personal information to better serve citizens.
At the same time, there is a concern that increased information sharing may result in more personal information being collected, used or disclosed with little public awareness.
Information sharing initiatives provide opportunities for governments, public agencies, private organizations and the health sector to work more collaboratively. As a result, organizations may need to share citizens’ personal information in the delivery of social programs, community safety, research, health and education.
Information sharing can include data comparison and analysis, joint access to databases, file duplication, and other activities that enable more than one agency or organization to access, use and disclose personal information of citizens.
As such, information sharing can have important implications for protection of privacy and access to information, including lack of transparency, inaccuracy, use of information for secondary purposes, risks to security, and the potential for surveillance and discrimination.
Whereas
- Privacy and access to information are quasi-constitutional rights that are fundamental to individual self-determination, democracy and good government;
- Technological advances now make it possible to analyze and use personal information in ways never before possible, and also offer opportunities to protect privacy and facilitate access;
- Governments, citizens and other stakeholders wish to take advantage of the potential benefits of information sharing initiatives;
- Information sharing has implications for, and can increase risks to, protection of privacy and access to information;
- Information sharing initiatives must recognize and adhere to privacy and access to information laws and principles; and,
- Privacy and Information Commissioners play a role in providing advice and guidance on the design and implementation of information sharing initiatives, as well as oversight for compliance with access to information and privacy laws.
Therefore
Canada’s Information and Privacy Commissioners call on governments at all levels to respect and promote privacy and access to information rights and principles when embarking on information sharing initiatives by:
- Being open and transparent about how information sharing initiatives will be implemented, namely, what information will be collected and shared and for what purposes; what information will be disclosed, to whom, and for what purposes; and how individuals can ask questions and obtain information about how the program will work. This may include stakeholder consultation for significant initiatives.
- Ensuring that all participating entities are subject to the obligations set out in access and privacy laws directly or by way of contractual undertaking.
- Being proactive by undertaking assessments early on to help identify possible privacy risks, with a view to preventing privacy breaches, including identifying ways to mitigate these risks.
- Respecting citizens’ rights by having a process for them to request and correct their personal information, and seek information about how their information is used and disclosed.
- Acting in an accountable manner by implementing information sharing initiatives that will:
- Share the least amount of information needed to satisfy the goals of the initiative;
- Implement all reasonable and necessary safeguards;
- Establish and follow policies and procedures, risk assessment tools (such as privacy and access impact assessments), formal agreements and contracts, and privacy breach reporting protocols;
- Provide regular and on-going training on these policies and procedures; and
- Review and evaluate the information sharing initiative on a regular basis to ensure these principles and legislative requirements continue to be met.
- Ensuring information and privacy oversight bodies have the necessary powers to provide effective, meaningful oversight through consultation, education, enforcement and audit.