
The ethics of information management


If I had written this article a month earlier, I would have been content to make the case for ethical management of personal information. My writ these past seven years as privacy commissioner has been confined to defending some of the values inherent in that large and emotive word “privacy.” But I have since been privileged to be entrusted by Parliament with a new role, that of Canada’s information commissioner. My first instinct, however, is that I will not suffer from a serious case of occupational schizophrenia. Both positions serve the same purpose - playing a watchdog role over codes of fair information practices.

The Privacy Act is a code setting forth ground rules covering the way the federal government collects, uses, discloses and protects personal information. The Access to Information Act gives individuals a right to obtain non-personal information held by the same government. For the past seven years I have even dared to argue, though possessing no credentials in philosophy beyond university courses in Thomistic philosophy, that the Privacy Act is at base an information handler’s code of ethics. I am now ready to say the same about the Access to Information Act.

Perhaps we all stretch, even debase, the meaning of the word “ethics.” We hear so much about ethics these days - corporate executives speaking about it, business students studying it, computer wizards discovering it - that ethics may be in some danger of becoming flavour-of-the-month. But I am not going to engage in an epistemological discussion of the nature of the branch of philosophy called ethics. I will say that I reject the fashionably cynical comment that to speak of ethics in government and business is to utter an oxymoron. I believe that profoundly important human values, indeed ethical values, are at stake in the way information is used in the information age.

Privacy is one of these values, and it is one that we have cherished for hundreds of years. To protect it we now need privacy ethics, privacy acts and privacy commissioners. Privacy is the quintessential issue of the information age. Technology has forced on Western nations the growing realization that, without controls, electronic data processing could spell the end of our information autonomy. There were protections inherent in our former reliance on stacks of paper files. Who had the time, energy or access to be able to compare income tax files, medical records, detailed census forms or credit card purchases? The new machines have made it technically possible to strip us all before the Cyclops of the cathode ray tube.

JOHN GRACE

The author is information commissioner, Government of Canada; formerly Canada’s privacy commissioner.

CANADIAN PUBLIC ADMINISTRATION / ADMINISTRATION PUBLIQUE DU CANADA VOLUME 34, NO. 1 (SPRING/PRINTEMPS), PP. 95-100.

Professor David Flaherty of the University of Western Ontario has argued with chilling persuasiveness that individuals are increasingly subject to surveillance through the use of data bases in the public and private sectors. These developments, he concludes, “have negative implications for the quality of life in our societies and for the protection of human rights.”1 His thesis is that without privacy ethics we are in danger of creating surveillance societies.

The computer’s power to record, manipulate, store and transmit data mocks the locks and keys of traditional security. It scoffs at the protection once inherent in those stacks of paper. When the needle in the haystack meets IBM, it is no contest. Technology is creating wonderful new toys to make our lives easier - and to make our lives an open book. One of these toys is the so-called ‘smart card’ - a credit card with a vital difference. Smart cards contain tiny chips which process and store information. Health cards could, for example, be expanded to serve as a portable health dossier.

The parallel threat to our autonomy is the growth of government programs and their increasing demands for personal information. Some of these programs provide a society safety net few of us would want to do without. But they put more and more personal details in the hands of governments. History has shown (and recent history at that) that governments are frequently not benign.

Wonderful as the possibilities are, the new technology, without ethical constraints, could turn ours into a watched society in a way that George Orwell never imagined. Orwell’s camera could see but one act at a time. The computer transcends time and space by mining our information, interrelating programs and actions, and producing chillingly accurate profiles. An individual’s right to be left alone, to control what the rest of the world knows about him or her, is profoundly diminished.

Western governments have reacted to this dark side of technology by creating data protection laws which they hope will tame the beast. Almost no one now disputes the need for codes to protect personal information. No one is advocating repeal of the Privacy Act. The only issue today is the nature and jurisdiction of these codes. For example, the parliamentary committee which reviewed the Privacy Act four years ago wanted to extend its jurisdiction broadly, to cover the entire federally regulated private sector.

1 David H. Flaherty, Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada and the United States (Chapel Hill: University of North Carolina Press, 1989), p. 1.

Let me now examine some aspects of good privacy codes and provide some examples of what they mean in practice. A good privacy code requires that only the minimum information necessary be collected and only for the purpose for which it is required, that the information be collected directly from the subject whenever possible, and that the subject be told why the information is needed and what is being done with it.

The first aspect then is the collection of personal information. Among the questions which the implementation of a privacy code should prompt are these: Why is personal information being collected from citizens or clients? Has the need to collect such information been challenged or reviewed? Organizations continue asking for personal details long after the information has ceased to be useful. An ideal time to purge such files is when a privacy code is being implemented. It is also a good time to examine forms, questionnaires or surveys to make sure that irrelevant information is not being collected. It may also be an ideal time to ask tough questions about conducting a survey at all.

Another question to be asked is whether ethically dubious new forms of collection - for example, polygraphs, urine tests, HIV antibody tests or psychological profiling - are being considered? If so, it should be demonstrated that the information is absolutely necessary, not just a response to outside pressures or some trendy new technology.

If data collection is contracted out so that, for example, outside companies or agencies are conducting surveys, has there been a formal agreement or contract which spells out their obligations to protect clients’ privacy? Obligations don’t end once the work is shipped out to someone else.

How are employees asked to substantiate their claims for sick leave? Are they asked for detailed medical diagnoses? Are their doctors called directly and pressed for medical information? I don’t think it is ethical for an employer or manager to know the nature of the medical condition. If a claim seems dubious, an employer can seek another doctor’s opinion - but only an opinion - as to whether the employee is able to work, not a patient’s chart.

A second important aspect of a privacy code is that it should require that information be used only for the original purpose for which it was collected or for a “consistent” purpose. For any other use, there should be individual consent. Among the questions to be raised here are the following: Are personal data about clients or employees being shared with other agencies or companies without the individuals’ knowledge? Are mailing lists sold and, if so, can customers or clients have their names removed? Are an employee’s attendance records matched to determine patterns of common absences among friends or family members? Are longitudinal studies conducted on the same individuals without their knowledge? Are sensitive personal data transmitted by modem or by fax? Is access to employee and client personal files limited to those who need to know?

A third essential aspect of any privacy code relates to the disclosure of personal data to third parties. Some of the questions to be asked in this context are these: Have policies been developed to cover - and control - disclosures to police, to credit-granting organizations or to family members? Is the personal information kept on personnel files only that which an employee’s manager has a legitimate need to see? What response is made to requests for personal information from the media or from outside researchers? New technology makes tough new demands on the physical security of information. Is this security for both hardware and software sufficient to avoid unwitting or deliberate disclosures? It is clear that security of personal information is a significant ethical issue.

In Canada, only the federal government and the provinces of Quebec and Ontario have in place privacy laws or codes containing the provisions I have been describing. I have resisted pressure to advocate privacy legislation for the private sector, hoping, perhaps naively, that the marketplace will respond to the public’s growing apprehension over the potential of information technology to diminish an individual’s ability to control the uses of his or her personal information. Every opinion poll shows a significant increase in the number of persons who believe that their privacy is under assault.

Fortunately, there are at least the beginnings of evidence of ethical intent, the beginnings of awareness in the private sector that data protection is both good ethics and good business. A recent example of ethical intent involves Equifax, a company which holds credit reports on millions of Canadians and Americans. This company’s 1989 annual report contains two pages written by Professor Alan Westin of Columbia University, one of the first, and perhaps the most distinguished, American privacy advocates. Professor Westin reports that Equifax retained his services last year “to conduct a ‘Privacy and Consumer Fairness Audit’ of its existing and planned services” from all aspects of the privacy issue.

As a result of the company’s initiative, and with Professor Westin’s collaboration, Equifax has published and distributed to all its employees and stockholders a “Fair Information Practices Code.” The code embraces basic data protection principles, including the right of individuals to know what information has been reported on them so that its accuracy can be ensured or a file corrected. Equifax’s president has said his company wants to become a model “consumer information trustee.”

American Express is another company which has “got” privacy religion. Last year it announced to the world that “the issue of privacy will be so important in the years to come that we intend to be an advocate of consumer privacy”2 - a concept which Equifax echoes. A senior executive of American Express even dared to admit that he was increasingly concerned about companies collecting information for one purpose and selling it to another without the individual’s consent - perhaps the most common unethical use of personal information. American Express was no doubt influenced by the results of its survey of consumer attitudes which revealed that more than one-third of all Americans think that the federal government should regulate the use of personal information.

I do not claim that Equifax, American Express, IBM, the Canadian Bankers Association, the Canadian Air Transport Association, or Bell Canada (all of which have or will soon be producing their own privacy codes) are acting out of high and disinterested ethical principles. There is healthy self-interest at work, including the realization that failing to be sensitive to the ethical issue will lead not only to government regulation but also to miserable customer relations.

But the important development is that both enlightened government and enlightened companies are beginning to realize that they cannot act as if they own the personal information they control. It is not just the opinion of a privacy commissioner that custodians of personal information have a fiduciary responsibility. Only last year the Supreme Court of Canada said that “privacy derives from the assumption that all information about a person is in a fundamental way his own.”3 The same high court has interpreted the Charter right “to be secure against unreasonable search and seizure” as protecting individuals from unjustified intrusions upon their privacy. Mr. Justice LaForest has even written that “the primary value served by section eight of the Charter is privacy.”4

I want to touch briefly on an ethical issue in the handling of non-personal information. I turn again to Professor Westin, whose academic interest also includes access to information issues. In his view, the right of a citizen’s access to government data bases is essentially an ethical matter. He sees the danger of the development of an “Information Autocracy.”5

2 Jonathan S. Linen, “Privacy: Respecting the American Consumer,” 71st annual conference of the Direct Marketing Association, Atlanta, 17 October 1988.

3 Her Majesty the Queen v. Brandon Roy Dyment [1988] 2 SCR 417.

4 Mario Duarte v. Her Majesty the Queen [1988] 1 SCR 30.

5 Alan F. Westin, testimony before the Subcommittee on Information, Justice and Agriculture on Federal Information Dissemination Policies and Practices, Washington, 18 April 1989.


He observes that it has become increasingly difficult for citizens - he has in mind the voluntary sector in particular - to obtain access to government information at acceptable costs and through non-expert processes.

Professor Westin recently told a congressional committee that he foresees the United States becoming a nation in which the financially and technologically well-endowed - government, business, science and the media - have easy access to the current stocks of federal information. He describes these groups as the “Lords of the Information Age.” The rest would be “information peasants.” They would be informationally disenfranchised. They would find it increasingly difficult to locate and use the information paid for by their tax money in order to serve their social and cultural needs, to assert their economic and political views, and to monitor effectively the operations of their government. I am too new to the subject of access to information to be sure where I stand on this issue. But it seems that there is at least the making of an important ethical issue here.

It should be clear from the foregoing analysis that ethical issues pervade the management of information in both the public and private sectors. Existing and emerging issues in the spheres of privacy and access to information mean that the ethics of information management will be high on the ethics agenda for the foreseeable future.
