(This article has been translated from French.)
On December 9, 2019, the Office of the Privacy Commissioner of Canada published the results of an investigation into complaints that Statistics Canada had requested personal information on the financial transactions of banking customers from a credit institution and Canadian banks without notifying those customers. This clearly raises the issue of big-data mining by public authorities – the marriage of Big Brother and Big Data – with regard to the protection of privacy.
Let us recall the facts: Seeking to measure household debt more precisely, Statistics Canada reached an agreement with TransUnion, which agreed to forward files covering close to 24 million Canadians. The files included personal credit ratings along with identifying elements (name, address, date of birth, social insurance number, etc.). Statistics Canada was then able to link this data (600 pieces of information) with data from its own surveys, such as the census. In addition, Statistics Canada asked Canadian banks to provide it with information on all transactions carried out by a sample of 500,000 households.
The Canadian Bankers Association (CBA), which Statistics Canada first approached, said that it was reluctant to respond to such a request because of the burden it placed on banks, but mostly because complying meant that they would violate their privacy standards. A Global News report on October 26, 2018, blew the whistle. The chief statistician was called up before the Standing Committee on Industry, Science and Technology, and an investigation was launched by the Office of the Privacy Commissioner. The Financial Transactions project, for which no data had yet been transferred, was immediately suspended. TransUnion also stopped forwarding information.
According to the results of the investigation, those whose information had been shared had not been notified. In the first case, TransUnion put a note in people’s files, but nobody told them it was there. (Only if they asked to see their file for some other reason could they discover it.) In the case of the project with the banks, Statistics Canada had not planned to notify the selected households. In both projects, Statistics Canada claims to have complied with the Privacy Act. The organization also claims to have relied on section 13 of the Statistics Act, which requires any person responsible for documents or archives, public or private, to transmit them to Statistics Canada if such a request is made. The Commissioner concluded from his investigation that the Credit Information Project did comply with existing law and that the complaint on this subject was thus “not well founded.” In the case of the Financial Transactions Project, he concluded – against the opinion of Statistics Canada – that what was asked for went beyond the transmission of pre-existing documents or archives and involved the creation of new files. However, since no data had yet been transmitted, the Commissioner did not see fit to accept the complaint. That said, he expressed several concerns and made six recommendations, two of which call on Statistics Canada to refrain from going ahead with both projects as designed.
These two projects offer an example of linkage between big data generated as a by-product of transactions and interactions carried out for private purposes and information obtained through surveys that citizens are obliged to answer. The scale of Statistics Canada’s projects is impressive and suggests that the revolution associated with Big Data is now affecting national statistical offices, hitherto hesitant to join it due to methodological scruples and ethical constraints. Section 13 of the Statistics Act, conceived of at a time when statistical treatment of documents and archives was limited by their physical nature, presents unforeseen potential. It is also clear from the results of the investigation that Statistics Canada’s requests rested upon a particularly broad interpretation of this section of the law. The Privacy Commissioner therefore considers that the legal framework applying to the collection of “big-data administrative data” from the private sector is outdated and suggests that the legislator review the Statistics Act respecting this matter.
On the other hand, the problems that the Statistics Act could pose would no doubt be lesser, according to the Commissioner, “if the Privacy Act were not so out of date.” In 2016, he proposed that it be amended “to explicitly require compliance with the criteria of necessity and proportionality in the context of any collection of personal information.” In fact, even if Statistics Canada agreed to demonstrate the “necessity” of the information sought in these and other projects and the “proportionality” of the means used to obtain these data, the agency is not legally required to do so.
Finally, beyond legal amendments, the Commissioner’s report presents recommendations that are inspired by European practices aimed at ensuring the consent of individuals or even at circumventing this problem. They include “civic data sharing,” which is based on prior consent, “algorithm-to-the-data,” which means only anonymized results are transferred by the private enterprise to public authorities, and “privacy-preserving computation,” which also amounts to anonymizing information at the source. The first method resembles in all respects the position of the Harper government with regard to the long-form census. The other two would interfere with the type of data linkage that Statistics Canada envisioned.
Much has been made in recent years of the necessary independence of Statistics Canada from government. If the Office of the Commissioner’s report presents a less-than-sympathetic and somewhat authoritarian image of the agency, it is at least reassuring that Statistics Canada is accountable to a parliamentary committee, that it had to collaborate with the Office of the Commissioner to improve its practices and that a report was made public. The whole affair illustrates how big-data mining poses new challenges for official statistics when it comes to the trade-off between privacy rights and evidence-based policy-making.