It has been a hot summer for 2017 so far, and I’m not talking weather. On June 28th, privacy specialists and political commenters were shocked to discover Kansas Secretary of State Kris Kobach and vice chair of the new Presidential Advisory Commission on Election Integrity requested each of the 50 American States of the U.S. submit, via email, voter registration data for all registered constituents. A mix of public and private data, all of it very personal: the information requested includes names, addresses, birth dates, partial social security numbers, party affiliation, felon status, and other data as collected per state. While parties are divided on what the United States government will actually use the data for, security experts right away took note that sending such sensitive information through a known insecure channel should raise bright red flags.
Of the 50 states, 44 have refused, either entirely or providing only partial information that is already publicly accessible, with other states under review. Five different lawsuits were also launched, although at least one, by the Electronic Privacy Information Centre, was denied, as the commission is not qualified as a federal agency which would be a requirement under the E-Government Act the Centre used to bring the issues to court. Still, it’s hard to see how privacy fears aren’t founded: aside from the fact that the data in question will be a very tempting target for identity thieves and vendors everywhere, there is a question of how much protection the data will get once in the Advisory Commission's hands, if any. Already, the Commission has had it’s first faux-pas: releasing names, along with emails and home addresses if on-file, for those who posted responses to its Advisory Commission, essentially doxxing a number who have been critical of the initiative. Good privacy operates on the principle of need-to-know access, with personal data only provided to those who require it to fulfill responsibilities and/or services, but that's a wash if the parties accessing the data aren't aware it needs secure treatment in the first place.
The United States is not the only one making headlines. The Swedish government continues to struggle with a privacy backlash when it was revealed earlier this month that there had been a huge breach of confidential data under the watch of a government contractor, including potential disclosure of undercover operatives. In January Maria Agren, former director general of the Swedish Transport Agency, had been fired for negligent handling of classified data. Over three hundred in Canada were notified when an audit of the Nova Scotia Health Authority revealed six employees had looked, unauthorized, at patient files.
It seems that observation on government use of personal identifiable information, and why privacy laws are so critical within government departments is long forthcoming. As we do so however, it is important to remember why the government has so much of our data, and why privacy protection measures are vital within any egalitarian regime.
Why Do Government Departments Need Our Personal Information?
That governments can, will and need to collect some levels personal information should come as no surprise. This is not entirely a bad thing: somewhere, in some department, at a local or national level, governments need to know you exist, both for the purpose of collecting taxes, and to deliver the services that you and other taxpayers provide for. We argue about how much government takes off pay checks, or adds to shopping bills, but it does need money to provide the services communities need, and it needs personal information to ensure those services are administered.
Consider the following: if I trip and break my leg (*ouch!*) I need to go to the doctor's office, where information will be collected and shared between health officials to make certain I receive treatment, and that any care provided won’t cause complications with existing medication or conditions. In Canada the government pays part of the hospital bill, so they need to know I was there, what province I’m a part of and how I was treated so that bill can be settled. If a friend loses his or her job and needs to collect Employment Insurance, Service Canada needs to know how much is owed, if they qualify through their past work, and where to send the check so that the friend can survive until a new vocation is found. When tax time comes, the Canadian Revenue Agency needs to know who should report in, collect from, provide refunds to and, come election time, who is eligible to vote.
All of these scenarios demonstrate but a small fraction of the ways in which our personal information is used by the public sector to provide services. They also provide examples of the different kinds of personal information that may need to be accessed: health, employment, social security and financial records, although this is but the tip of the iceberg. Information is also collected on employees of government services, meeting special needs, and, yes, law enforcement. The amount of sheer data that any government currently collects, combined with the amount of information the government could collect through higher levels of surveillance and combining data sets is staggering.
Big Brother Is Watching
While government services need citizen information to provide services, complications arise when too much information is collected and shared with too many parties. As discussed above, personal information is collected by and for a myriad of different services; however just because one department collects information does not most of that information is shared or frequently accessed, and for good reason.
First, good privacy practices also enforce firm security safeguards. The concept of information sharing on a need to know basis is as much a security measure as a privacy precaution: the more places the information is held, the more individuals or groups who have access, the higher the risk for a leak. Studies have determined, time and again, that employees cause over 60% of data breaches, both intentional and accidental. Reducing the odds of PII exposure than, means reducing the number of employees who can view sensitive information in the first place: only staff that needs PII to fulfil their work responsibilities should have access, with stronger training and clearer responsibility expectations for those that do. Personal information traded freely, even within a single department, can be a big liability. Many departments, such as those responsible for statistics and census, often take to using restrictions on when information may be disclosed, and use of de-identification when controls are unreasonable.
The other issue with too much state access to personal information is preventing such privileged knowledge from being abused. Government is a human institution, created for and by the people; unfortunately people are not perfect. We all have our own biases, whether acknowledged or unintentional, and when these bias leak into policy there’s a very real problem. Prejudice is as old as time: if the state has access to detailed listings of race, religion, gender or other identifiers, and a group with an agenda against one of these groups comes to control powers within the state, what protects the people? In addition to personal information, government also has access to significant power and resources that can cause very real harm if directed against those within the country’s borders. History, and unfortunately the present, is full of dictators and groups who believe freedom should only exist for those that were born into or believe specific criteria, persecuting, either overtly or through force those that don’t fit or follow the mold. Extremism is never acceptable simply because the prevailing regime dictates it tolerable.
The ability for state forces to find and isolate individuals based on information provided with trust should be a chilling thought. So what stops federal, state or provincial departments from using personal information to further causes, even if those requesting the information do not intend or believe to be following malicious intent? What reminds government that its collection of personal information is in fact a heavy responsibility and contract of trust between the state and its people? What prompts managers to keep audit trails of who accesses what record, instigates training sessions and step carefully before disclosing detailed personal data to other departments?
This is the reasoning behind the creation and development of public body privacy laws.
Privacy Legislations and Officers: Your Protectors
The necessary access to information, combined with the easy way in which that information could be abused is why privacy legislations are so critical for a responsible government. Legal charters and mandates, combined with policies, practices and compliance auditing to ensure that the power which could be extracted by use of personal information is curbed responsibly. They are part of the checks and balances within the system to allow information to be collected and used to fulfil the government’s purpose of serving the people, while providing consequences if information is mishandled, misused or misappropriated.
In Canada, individuals are protected by both provincial privacy legislations, which can cover provincial, municipal, and crown corporation collection of information, and by The Privacy Act, which manages privacy protections at the federal level. Overseeing compliance to these privacy laws are the privacy commissioners: the Office of the Privacy Commissioner of Canada, which examines both public and private sector compliance at the federal level, and provincial privacy commissioner offices, which work with local agencies to investigate regional data breaches, inform departments of their privacy protection obligations, and address concerns. While conformity to privacy legislation is dependant on the actions and operations of those within different departments, the Office of the Privacy Commissioner acts as a watchdog: investigating complaints, auditing holdings, providing advice to Parliament on issues that impact Canadians and spreading awareness.
In the United States of America no person is appointed to the post of privacy commissioner; instead the privacy office is a responsibility of the Department of State. As the foundation of personal freedoms within the United States, it should come as no surprise that privacy is built into several passages of the American Constitution, most notably the First, Third, Forth and Fifth Amendments of the Bill of Rights. Other acts at the federal level attempt to fill in the gaps, such as the Privacy Act of 1974, and the Electronic Communications Privacy Act of 1986. Privacy laws exist at the state level with jurisdiction over organizations and public offices that collect personal information from local residents; the Personal Information Privacy Act of Virginia and sections of the California Civil Code. Most importantly however, American privacy legislation is often applied via torte law: when a state office has not been designated to review practices, failure to provide privacy protection may still be addressed by taking the offender, including private and public institutions, to court.
Privacy is the balancing act that allows us to trust governing bodies, levelling personal information collection and need against its use and disclosure. A government that does not collect personal information is limited in the support and services it can offer citizens, while a government that abuses access puts individuals at risk and betrays trust, two factors that can come back to haunt parties during election time. We give our information to support a system that protects us if we fall, but not to suppress our freedoms or the freedoms of those around us. Privacy then, is a key part of responsible government. To quote C.S. Lewis:
“The question about progress has become the question whether we can discover any way of submitting to the worldwide paternalism of a technocracy without losing all personal privacy and independence. Is there any possibility of getting the super Welfare State's honey and avoiding the sting?”