Part 3 of a four-part “Privacy Reality Check” series.
Yesterday Justice Minister Rob Nicholson casually mentioned to reporters that Bill C-30, which has been marketed to Canadians at various times as The Internet Surveillance Bill, Lawful Access, and the Protecting Children from Child Predators Act, is dead. It’s been dead for a while, but somebody forgot to tell the Conservatives and the Canadian Association of Police Chiefs, who have been doggedly trying to rebrand and resell it yet again.
This is very good news for the thousands of Canadians who spoke out against the bill, proving themselves a more effective opposition to the majority government than the official opposition. It’s good news for the online tech sector, which will not be forced to build technology to constantly spy on every Internet subscriber and website visitor. And it’s great news for Canadians, whose privacy is a good deal safer now the basic principle of court oversight for surveillance has been upheld.
The problem with C-30 was never just about granting police the ability to collect all sorts of personal information without having to get warrants. There was always a secondary, possibly greater concern about how safe our data would be once it was in the authorities’ hands.
Last week I wrote about the dismal state of data hygiene throughout our federal government, where a superstitious fear of cloud services has resulted in a culture in which sensitive data is constantly moved about by employees via memory sticks and external hard drives. Despite recent high-profile leaks and massive losses of personal information, things at large haven’t improved. The RCMP, incidentally, have had their share of data boners and privacy breaches. Another drive could go missing from a government workplace tomorrow. Here’s an email I received from one reader, a contract administrator for a certain federal office:
Has anything happened, an email, a workstation configuration, any change at all to secure my workstation (since the HRSDC breach?) - nope! From my workstation I can use USB ports, I can burn CDs. If what I do is copy data to a cheap USB stick – and then I lose it – would any sane person tell their boss? Nope! Therefore you can assume that many, many data leakages aren’t reported. This building is “secure,” but thousands of people work in it so it isn’t really that secure! At least they don’t leave backup tapes on a table in the hall – oops – that’s another email.
It’s disturbing enough to think of the untold number of data losses that have gone unreported by government employees to their superiors. But what about the leaks and breaches managers do find out about? What happens with those?
In all likelihood, nothing.
“I suspect there have been hundreds of data breaches we haven’t heard about,” says privacy lawyer David Fraser. “The federal government has no obligation to let anyone know about these things.” The Privacy Act, which legislates privacy rules for our federal government, does not make disclosure of privacy breaches mandatory.
In fact, Human Resources and Skills Development Canada’s loss of the personal banking information of 583,000 Canadians only came to light by accident. All the ministry chose to tell the Privacy Commissioner about was an earlier loss of info about a mere 5,000 Canadians. Even this confession seemed like it hurt HRSDC; it took them weeks after they learned about it to fess up. Perhaps they should have kept mum. The disclosure triggered an investigation that unearthed the far greater loss. And after the drubbing Minister Diane Finley is getting, future government goof-ups may well remain covered up.
There’s no reason for them not to.
Criminal charges can’t be laid against a federal government employee for Privacy Act violations, even if they willfully and maliciously expose our data.
- The government collects our information without asking permission.
- If (when) the government loses our information, they don’t have to tell anyone about it.
- If we do find out about it, we can’t hold government employees responsible in a meaningful way.
Clearly, changes are needed to the Privacy Act. Each year, our Privacy Commissioner calls for an overhaul to the 25-year-old law. And every year, she is ignored. In 2009, Justice Minister Robert Nicholson rejected a proposal to update the Privacy Act.
If Canadians are able to face down a majority government hell-bent on warrantless snooping and stop it in its tracks, then surely they can implore that same government to protect and be accountable for the private data it already has on us.
The trouble is, we knew exactly how dangerous C-30 was the moment the Public Safety Minister threatened that to disagree with him was to stand with child pornographers.
With data loss, we rarely witness such a galvanizing display, because we usually don’t even know that it’s happened.
NEXT: why our Privacy Commissioner is spending too much time on Facebook
Follow Jesse on Twitter @JesseBrown