Updated: Two pieces of scotch tape that show why Statistics Canada doesn’t care about your privacy

***

Update:

As of December 3rd, 2018, one week following the publication of this blog post, and a couple of weeks after more than 400 Canadians exercised their privacy rights and requested their personal information through an OpenMedia campaign that FIPA assisted with, Statistics Canada has announced that they are suspending their practice of obtaining personal credit records from TransUnion and are delaying their plans to access the banking details of 500,000 Canadians.

Information contained in this blog post was cited in an article in the Globe and Mail that originally broke the story. 

***

I wish that was some kind of elaborate metaphor.

When I heard that Statistics Canada had been accessing the credit scores of Canadians, I wanted to find out if I was affected. I filed a request under the Privacy Act for “any records or data related to me that was received by Statistics Canada from TransUnion,” which is one of Canada’s two credit bureaus.

As someone interested in privacy and privacy rights, I was curious as to why Statistics Canada would be interested in my personal financial information and how they would safeguard it.

The offending envelope, replete with scotch tape and addressed to the wrong person.

The letter I received confirmed that Statistics Canada had, in fact, accessed my complete credit history. It was apparently protected though; the letter went on to explain that any personal information that could identify me had been scraped from my financial information. They had only recombined the information and re-identified me in order to fulfill my request (Click on the image to the below right to read the full letter).

Then they tucked these sensitive records, which contain my complete credit profile, into an envelope, attempted to close it with two pieces of scotch tape, and sent it to me in the mail.

Two pieces of scotch tape.

Forget for the moment that I had asked for electronic copies of my records and that Statistics Canada made a choice to print this sensitive financial information and send it through the mail.

Please also forget that the envelope was addressed to the wrong person.

Click the image to read about Statistics Canada’s “essential security” measures

Because I’m able to open the package, read the letter from Statistics Canada detailing the importance of safeguarding my personal financial information, flip through several pages that contain my Social Insurance Number, birth date, address, contact information, all of my banking information, including available credit, debts, accounts, balances, and more—and then I’m able to seal the envelope closed again with those same two pieces of scotch tape.

I would never know if this envelope had been opened prior to arriving at my residence.

If Statistics Canada does, in fact, take privacy seriously and does believe that it can responsibly hold the detailed and sensitive financial records of Canadians, then it needs to be able to comply with the Privacy Act in a way that doesn’t mean sacrificing privacy. That is the tragically ironic position that Statistics Canada finds itself in.

Here is one possible solution that Statistics Canada could consider employing as an additional “essential security measure”: Send an encrypted CD-ROM through the mail and provide a password in a separate letter or through email. This two-step authentication method means that anyone who interrupts the original package won’t have access to the sensitive records that Statistics Canada holds.

It would also mean providing access to the records through the means that I had initially requested.

The back of the envelope shows an intact seal.

But Statistics Canada made a choice about how they were going to respond to the request that I made through the Privacy Act. In doing so, they both fulfilled my request and put my privacy at tremendous risk. Perhaps, they were trying to send a message: Don’t bother us about our security measures if you want your data to be kept safe.

But alas, there is a saying that goes something like, “Attribute not to malice what can be attributed to incompetence.” This example illustrates why Statistics Canada shouldn’t have access to the sensitive financial information of 500,000 Canadians.

In era where trust in public bodies is eroding, and progressive technologists look towards adopting decentralized models like block chain, our government needs to be rebuilding trust. For Statistics Canada, that starts with taking decisive steps towards protecting the privacy of Canadians, of doing the fundamental work to earn the trust of its stakeholders.

And, quite frankly, two pieces of scotch tape won’t cut it.

Bryan Short is the Program Director at BC FIPA. He holds a master’s degree in Journalism and a bachelor’s degree in English Literature from the University of British Columbia. 

Civic duty and the values of an informed society

How the government’s action regarding the long-overdue FIPPA reform reflects our collective attitudes towards political issues

“International justice and privacy” by EFF-Graphics is licensed under CC BY 3.0 US

By Carlo Javier

We have an interesting relationship with our rights – especially those dealing with our freedom to access information and privacy. On one hand, conversations around such issues have certainly become more welcome in the general Canadian discourse, and on the other, conversations are ultimately just that – conversations.

I bring this to attention after quite an inspiring event took place at this year’s Right to Know Week. With the signed support of several important figures from Canada’s host of esteemed advocacy groups, the BC Freedom of Information and Privacy Association (BC FIPA) called on Premier John Horgan and Minister of Citizens’ Services Jinny Sims to immediately act on the long-overdue reforms for the Freedom of Information and Privacy Protection Act (FIPPA).

Said reforms reflect recommendations made by a review committee commissioned by the Legislative Assembly in 2016, and focus on four primary pillars:

  • To do away with an ‘oral government’ and implement a ‘duty to document’ under FIPPA’s jurisdiction, which would mandate government officials to maintain accurate and detailed records of their work;
  • To refine existing provisions – especially in sections 12 and 13 – and alleviate exploitation of loopholes;
  • To bring all subsidiaries of educational and other public bodies within the scope of the FIPPA;
  • To create real repercussions for government officials who impede freedom of information rights processes.

Notably, BC FIPA asked that the law reform be implemented before the next provincial elections (2021) and that the government commit to a tangible timetable.

In their official response, Minister Sims wrote that the government is “committed to openness and transparency” and that dramatic improvements on a legislation that dictates how the government handles and shares records cannot be done with haste. Furthermore, the response included that “updating policies, regulation and legislation” are necessary tasks prior to any actual reforms. While there is no mention of the requested timetable, Minister Sims did note that feedback from their consultations with both internal and external stakeholders should arrive in the “coming months.”

The response may seem like a strategic communications reply, but it is progress nonetheless.

Among the most resonant parts of BC FIPA’s letter to Premier Horgan and Minister Sims was a critique on how government bodies tend to react to inquiries that challenge their stance on transparency, accountability, and the right to know. For the most part, responses will be rich with endearing and supportive messages of hope and promise, but empty of meaningful and substantive action – the things that lead to actual legislative changes.

One of the signatories of the letter is Toby Mendel, Executive Director of the Centre for Law and Democracy. Toby reiterates a critical view of the government’s commitment to FIPPA reform, noting that although politicians may be keen on discussing their priorities, “concrete promises to take action” don’t exactly come as often.

“Unfortunately, Minister Sim’s letter falls precisely into this talk without walk category,” he says. “She speaks eloquently about the importance of transparency and notes that her government is ‘examining’ practically every aspect of this issue, but significantly fails to actually promise anything. We do not need another examination.”

In fairness to the government, the delay could very well be attributed to the possibility of including privacy matters and the Personal Information Protection Act (PIPA) to any impending reform. Such reasons would certainly be understandable considering the gravity of the act, but if the delay is ultimately just a means to stall, then it is only right for us to expect and demand for better.

According to Toby, FIPPA has been researched exhaustively and its shortcomings are all abundantly clear. BC’s FIPPA is especially lacking, scoring just 97 out of 150 in its Right to Information (RTI) Rating – putting it 14 points behind Canada’s top scoring jurisdiction in Newfoundland and 43 other countries around the globe.

By no means do I intend to be scathingly critical of government action or inaction, but what I can be critical of is how such attitudes – which some might even describe as bordering on apathetic – are eerily reflective of our collective mentality as citizens.

We deeply value our ability to protect our digital privacy and our right to access information. So much so that conversations within these issues are no longer happening exclusively among privacy and FOI advocates, but the general public, too. Just this year alone, we saw considerable uproar after Facebook came under fire for security breaches and data harvesting. The same reaction was directed to Air Canada and Statistics Canada after their own respective security and privacy practices became subject to controversy.

Maybe BC FIPA’s critique on government can be applied to society as well, speaking on transparency, accountability, and the right to know is one thing, but meaningful action is another.

It is baffling how these issues have so provocatively permeated the public discourse, yet meaningful progress have been so stagnant. The issue could be with how we see and accept the realities of our rights. Ideas that feel so personal and so close to home are infinitely more accessible than any acts and legislation full of legalese and political jargon. I have only been with BC FIPA for a short period, but I have seen the depth and the magnitude of our rights to protect our privacy and our rights to access information.

The two intrinsically linked ideas may seem inherently about the digital world, but it is a tremendous understatement to say that they are much more than that. FOI and privacy are our couriers to a true democracy. They are among the institutions that keep us well-informed and equipped to participate in the political environment. Nothing captures this notion better than the revelation that data collected through Facebook was used to manipulate voter choices in the 2016 US Presidential Elections and the Brexit campaign – two incidents that feel nothing short of violation of democratic rights.

BC FIPA’s letter to Premier Horgan and Minister Sims ends with the suggestion that quickly acting on the FIPPA reform will give the government an opportunity to exhibit “true leadership.” And if the government were to provide these reforms with the promptness and effort it deserves, maybe that approach will reflect itself in us too, as citizens, and as members of an informed society.

Actions speak louder than words and you don’t have to wait for legislative reform to take action, click here to exercise your democracy now.

Carlo Javier is the new Community Awareness and Outreach Coordinator at BC FIPA. He is a graduate of Capilano University’s School of Communications and is the former Editor-in-Chief of the Capilano Courier. 

New study outlines the critical importance of whistleblowers to uncovering wrongdoing

MEDIA RELEASE

November 13, 2018

New study outlines the critical importance of whistleblowers to uncovering wrongdoing

Vancouver, November 13, 2018 — A report commissioned by the BC Freedom of Information and Privacy Association posits that while both federal and provincial legislation regarding the protection of whistleblowers exhibits positive advances, there are still necessary steps to take in order to reflect the same safeguards to workers outside governmental jurisdiction.

Currently, employees in the private sector remain vulnerable to retaliation should they partake in the disclosure of wrongdoing. The report coincides with the recent introduction of the Public Interest Disclosure Act of BC (PIDA), which notably introduced new protections to whistleblowers within the provincial government.

”While we strongly support the introduction of whistleblower protection legislation, BC FIPA is concerned that the definition of ‘wrongdoing’ under the Public Interest Disclosure Act does not encompass deliberate efforts to interfere with access to information rights under the Freedom of Information and Protection of Privacy Act (FIPPA),” said Sara Neuert Executive Director of BC FIPA.

FIPA has received inquiries from the public about the new legislation and looks forward to the provincial government’s implementation of the act and enforcement procedures coming into effect.

Best Practices in Whistleblower Legislation: An Analysis of Federal and Provincial Legislation Relevant to Disclosures of Wrongdoing in British Columbia underscores the critical importance of protecting whistleblowers. Researcher and author Carroll Anne Boydell suggests that a more comprehensive scope of protection displays a level of societal value to the work of whistleblowers. Such recognition is then deemed as possible motivation to incite the continued disclosure of wrongdoing, particularly for those who see their respective acts as a form of civic duty.

The report is available here.

Contact:

Sara Neuert, Executive Director

BC Freedom of Information and Privacy Association

Email: fipa (at) fipa.bc.ca

Phone: 604-739-9788

-30-

Best Practices in Whistleblower Legislation: An Analysis of Federal and Provincial Legislation Relevant to Disclosures of Wrongdoing in British Columbia

Best Practices in Whistleblower Legislation, prepared by Carroll Anne Boydell, instructor of criminology at Kwantlen Polytechnic University on behalf of the British Columbia Freedom of Information and Privacy Association, compares BC’s new whistleblower legislation, the Public Interest Disclosure Act (PIDA), to international best practices standards.

Best practice principles exist for laws, regulations, and procedures aimed at the protection of those who report wrongdoing. The purpose of this paper is to examine selected legislation containing whistleblower protections that are relevant to those who disclose wrongdoing in British Columbia to determine how well they follow best practice principles. Several best practice principles were reflected in the legislation reviewed, and the introduction of the new Public Interest Disclosure Act in British Columbia is a positive development in the protection of whistleblowers who are employees of the provincial government.

However, not all best practice principles are enshrined in the laws examined here. For example, there are still types of whistleblowers that do not have adequate protections, such as private sector workers and those in the public sector who are not employed by a provincial ministry, government body, or office. In addition, though types of protected disclosures have been expanded under the PIDA, there are still some disclosures of wrongdoing that may remain unprotected, such as interference with freedom of information requests. Some issues were also found related to transparency of decisions made about investigations into disclosures of wrongdoing and complaints of reprisal against whistleblowers, as well as about the accountability of government agencies in protecting whistleblowers. Therefore, some refinements and amendments to whistleblower laws and disclosure management procedures are needed to ensure that adequate protections are afforded to those who disclose wrongdoing in British Columbia.

Download the resource.

For more than twenty years, the B.C. Freedom of Information and Privacy Association has relied on the support of our community to provide resources, educational programming, and one-on-one advice. By making a contribution to the Association in exchange for this resource, you’re helping us provide another two decades of service to Canadians and supporting more publications like this in the future. There is no minimum donation amount. Every bit helps.

Click here to make a donation. We hope you consider supporting the Associations.

Let us know what you think: If you have comments, questions, or concerns about the report, please send them to FIPA at fipa@fipa.bc.ca or tweet to us @BCFIPA.