There’s some hot news about StatsCan collecting 15 years worth of Canadian’s personal financial data in the news. There are few interesting points related to this. Personally, it’s the first time a national journalist has used the mantra I coined, which is that privacy is consent. More relevant, there are three noteworthy things to consider.
The first one, is that StatsCan, like political parties, have an exemption to our privacy laws. This means they can demand your data from anyone, and use it any way they want, including sharing it or selling it, and there is nothing you can do about it. This needs to ends immediately. Every day there are exempted organizations from privacy laws, your data is being sold and shared, making the laws useless. (any organization that does comply with the law, can give your information to StatsCan or a political party, to get it to a specific intended recipient).
The second concern is this trend around de-identifying, or anonymizing big data. Don’t let organizations convince you they can do this. I propose any organization that suggests they can de-identify data, agrees to publish the exact process they use for de-identifying and open it up to challenge. They never will, as currently this is near impossible. It’s easy to re-identify de-identified data. In the case of StatsCan and Transunion, it appears after a lengthy time they eventually strip off name, address, dob, telephone, and SIN. But this can easily be determined if given the other dataset — not to mention we’re trusting StatsCan to not sell it before they go through this process. All I have to know is one transaction you made in the past and I know the rest of your transaction history, in this example. A question to ask, who has StatsCan already sold this information to, and are they using American data management services?
The third issue, is lack of data sharing disclosure directive for public sector organizations, similar to the GDPR. I would like to see every government organization publish whom they have shared personal information with. If a public sector organization wants to setup a new data sharing agreement, I propose they publish 90 days in advance, while being open to feedback, that relationship. What is still not resolved, even with our great public sector laws in Canada, is any real repercussions for privacy violations. If the worst problem for a public service worker being caught for violating privacy violations is termination, that’s a pretty weak baseline. Companies and governments would pay a lot of money, including Canadian political parties, to get access to any given database.
In summary, related to the specific case at hand, I feel that StatsCan like every other organization in Canada, including political parties, should be bound by privacy laws. Those privacy laws need serious and personal repercussions, otherwise any going bureaucrat can legally share entire databases with immunity — as they do right now. Finally, the de-identification process should be publicly disclosed, and done before the disclosure, not after the fact.