A Conversation with Dr. Ann Cavoukian, Ontario’s Information and Privacy Commissioner

Continuing a series of blog posts that I’m calling “A Conversation with…“, I’m delighted to post the following conversation with Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian.

Dr. Cavoukian leads a dynamic team of professionals at the IPC who are at the forefront of addressing today’s privacy challenges.  Her depth of understanding of privacy issues combined with her passion for privacy has made for a powerful and learned force in Canada’s privacy world.

Thanks to Dr. Cavoukian for agreeing to take part in this online Q & A conversation.  If you’d like to learn more about Dr. Cavoukian, the IPC, or the issues raised in this conversation, I’d encourage you to visit the IPC’s website.

Q. In one of my previous blog posts, Jennifer Stoddart explained how she got involved in the world of privacy.  How about you?

A.  I have always had an interest in human rights, but my direct introduction to the privacy world came as a result of my work as the Chief of Research for the Attorney General of Ontario. As part of the role I completed a program evaluation of the Public Complaints Commission headed by (now Justice) Sidney B. Linden. He was aware of my work with the Canadian Civil Liberties Association, among other things, and when Justice Linden was appointed as the first Information and Privacy Commissioner of Ontario in 1987, he asked me to join him as the Director of Investigations. I haven’t looked back since!

Q.  One of your significant achievements has been your development and advocacy of “Privacy by Design”. Can you explain the concept behind Privacy by Design?

A.  The privacy landscape of the early ‘90s had become increasingly challenging – the volume of personal information collected was growing, as were the risks posed by increasingly sophisticated and interconnected technologies.  It became clear to me that relying solely on compliance with regulation and legislation would no longer be sufficient to safeguard the protection of personal information.  Instead, organizations would need to operate in an environment of default privacy protection.  Those which could do so, I recognized, would gain a competitive advantage.

This is the context in which I developed Privacy by Design (PbD), my philosophy of embedding privacy into the design of three broad application areas:  information technology; business practices; and physical design/infrastructure.  Instead of treating privacy as an afterthought – “bolting” it on after the fact – I argued that privacy should be regarded as a design feature and built right into the system, from the outset.  PbD shatters the zero-sum paradigm which trades off privacy against security and functionality.  It is positive-sum, or doubly-enabling “win-win” in nature, demonstrating that it is possible to protect privacy without compromising other legitimate requirements, such as security or functionality.

You can find our “7 Foundational Principles” of PbD at www.privacybydesign.ca.  To summarize, PbD seeks to establish privacy as the default by embedding it in system design.  It is proactive in nature – already in place when data is first collected, it describes a comprehensive “cradle to grave” approach to information management.  In being proactive, it seeks to prevent data breaches from occurring, rather than prescribing remedial actions.  Importantly, it demonstrates respect for user privacy by ensuring that its component parts and operations are transparent and subject to independent verification.

Q.  Who should be aware of, and consider following, the principles of Privacy by Design?

A.  Broad spectrums of people within most organizations should be aware of Privacy by Design – certainly anyone with influence over how personal information is managed.

Personal information is an asset, the value of which is protected and enhanced by a suite of security practices and business processes. Regardless of industry sector, whether the organization is large or small, public or private, whether it is retained in house or out-sourced, executive leadership and managers responsible for the management of personal information need to carefully consider how to build privacy protections directly into their operations.

I have a new title for those who commit themselves and their organizations to the principles of Privacy by Design – I am appointing them as PbD Ambassadors.  Those who wish to learn more can visit our Privacy by Design website, which houses all of the PbD resources developed by my Office over the years.  While there, I hope people will take the time to share their own PbD experiences or questions with our growing PbD community on the Global Forum.  You can now also follow PbD on Twitter @embedprivacy.

I remind people that Privacy by Design was not developed for use in an ivory tower.  I always intended it to result in real and positive changes in our everyday lives.

Q.  So can you give us an example of the “win-win” approach of Privacy by Design in action?

A.  An example that really brought Privacy by Design to life is the work being undertaken by our mass transit system – the Toronto Transit Commission (TTC), in testing and deploying encryption-based video surveillance technology.

In the autumn of 2007, the Toronto Transit Commission (TTC) announced plans to expand its video surveillance program on both surface vehicles and within the subway system. In response to a formal complaint, I launched an investigation. I found that the TTC’s expansion of its video surveillance system did not contravene any applicable laws. However, I strongly urged the TTC to adopt privacy-enhancing video surveillance technology that was being developed at the University of Toronto by Karl Martin and Professor Kostas Plataniotis.

Using innovative object-based encryption, the technology completely obscures the images of individuals who appear as the subjects of video surveillance. However, unlike current permanent masking techniques, the technology enables the images to be decrypted at a later time, only by authorized staff, when an incident occurs that demands further investigation for safety or security purposes.

This new technology, in its essence, lays to rest the outdated zero-sum paradigm, where one party wins and one party loses. It ushers in a new era in “positive-sum” thinking where both parties may “win” and neither party must, by necessity, lose. Positive-sum privacy-enhancing technologies (I call them PETs Plus) ultimately enable the co-existence of privacy and security, side by side, without forfeiting one for the other, “win-win,” not “win-lose.”

For the full report, see Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation Report.

Q.  One of the first virtual strip search scanners was recently installed at Toronto’s Lester B. Pearson International Airport. What are your thoughts about the privacy implications of these scanners?

A.  I feel it’s important that we understand exactly what this technology does. The public should know what types of images are being produced of them, and what happens with those images. That’s why I chose to personally experience the Whole Body Imaging (WBI) system in both Toronto and Washington D.C. – to assess first-hand how passengers are treated.

From a privacy perspective, my WBI experience highlighted several important points. The scanned images displayed are not actual pictures and do not contain any unique personal identifiers (there is no way for someone to identify the image as my own). The screening site where the scanner images are viewed is located in a windowless, secure room located a significant distance away from the open scanning area. The personnel viewing the images are not able to visually connect images with the actual passengers being scanned. Also, the machines are not able to record, copy or store any images. Finally, the personnel who review the scanned images are not allowed to have cameras, cell phones or any other recording devices in the secure viewing room.

I have always believed that privacy needs to be built directly into technology – privacy by default. Improved airport security need not come at the expense of privacy – both may be achieved together, in a positive-sum manner.

Q.  Business professionals consult this blog (at least, I like to think they do!). Based on your experience as Ontario’s Information and Privacy Commissioner, can you identify an area where businesses fall short in the realm of privacy and provide tips to help address the problem?

A.  It is a sad fact that many privacy breaches occur largely because of poor information management practices by organizations, and the volume of the information at risk grows with the ever increasing collection of personal information.

As Commissioner, half of the Health Orders that I have issued under Ontario’s Personal Health Information Protection Act (PHIPA) were the result of personal health records being abandoned or disposed of in an unsecure manner. Identity theft is one of the fastest growing forms of consumer fraud in North America, costing Canadians millions of dollars a day and billions of dollars a year.

That is why it is crucial for all organizations, large, medium or small, to engage in the practice of “secure destruction.” The goal of secure destruction is to have records containing any personal information permanently destroyed or erased in an irreversible manner which ensures that the record cannot be reconstructed in any way.

For the effective secure destruction of records, organizations need to ensure that they match the destruction method to the media. For paper records this means using cross-cut shredders which do not allow for records to be reconstructed. For electronic media such as DVD’s or USB keys, the media should be physically destroyed.

Further, if an organization is hiring an external agent to destroy records, they need to be selective. Look for a provider that is accredited by an industrial trade association or is willing to commit to upholding its principles, including undergoing independent audits. Always check references, and insist on a signed contract spelling out the terms of the relationship, to ensure end-to-end lifecycle protection. Remember, you can outsource the service, but you can never outsource accountability.

For more information, please see Fact Sheet #10, Secure Destruction of Personal Information .

Q.  Looking forward, what kind of privacy developments should we watch for in 2010?

A.  The privacy landscape is continually changing and posing new challenges – particularly in this age of information technology where personal information about individuals is increasingly collected and stored indefinitely.

In addition to daily developments on the “Cloud” and Web 2.0, one of the areas we are focusing on in 2010 is the Smart Grid – the modernization of the current electrical grid with a view to more efficient energy usage and delivery. This will involve the increased collection, use and disclosure of end users’ personal information. I have identified privacy as the real “sleeper issue” in this area, which causes me great concern. The Smart Grid is still in a nascent stage, not only here in Ontario and across North America, but around the world. So now is the time to bake in privacy right from the outset. With that in mind, we are proactively working with local energy distributors, and government officials, to ensure that privacy is top of mind as we move toward the Smart Grid. It is the ideal time to proactively build in privacy – by design.