Privacy-related policies and practices at Statistics Canada
(The author of this article is Ivan P. Fellegi, Chief Statistician of Canada)
In his latest annual report to Parliament, the Privacy Commissioner wrote about Statistics Canada in a very positive context. "Only Statistics Canada gathers comprehensive information about individuals but does so only for statistical purposes, not to make decisions about them," Bruce Phillips wrote. "And Statistics Canada’s data are stringently protected; abusers can be fined or jailed."
I am very conscious of the fact that the very character of the work of Statistics Canada involves a degree of unavoidable, yet hopefully minimal level of privacy intrusion. This can occur when we approach people for information in their homes, or when we (occasionally) link files involving data about them. Statistics Canada is very sensitive about the legitimate privacy concerns of Canadians and goes to great lengths to minimize the intrusiveness of its practices -- while still carrying out its mandate.
I would like to inform your readers about our privacy-related policies and practices.
1. All information collected by Statistics Canada is subject to the legally mandated confidentiality protection of the Statistics Act. Among other measures, this Act requires every employee to take an oath of secrecy. Employees are subject to criminal prosecution and liable to a fine or imprisonment should they contravene the confidentiality provisions of the Act. We take this provision extremely seriously: it is drummed into all employees that of all "sins" that they can commit, this is the most serious.
2. Equally important from a privacy perspective is the voluntary nature of most of Statistics Canada’s personal or household surveys. While Statistics Canada has statutory authority to carry out these surveys on a mandatory basis, requiring response under penalty of law, we only apply the force of law in two instances: the census, and the Labour Force Survey. In both cases, it is in the public interest that the accuracy of the data should be exceptionally high.
The census is the constitutionally-mandated basis for the redistribution of federal electoral seats. It also plays a major role in determining the distribution of billions of dollars of federal transfer payments to provinces. In addition, census data are used in the design and evaluation of innumerable federal, provincial, municipal and other kinds of programs. The Labour Force Survey data are used to determine regional differences in Employment Insurance benefits.
3. It is also the policy and practice of Statistics Canada to be very transparent (‘up front’) with respondents about how we treat the information that they provide to us: how and for what purposes will the statistics be used, the confidentiality protection given to the data, any data-sharing arrangements and planned linkages of their survey responses to other data files.
4. Turning to the issue of linking of files, record linkage is a potentially important source of valuable statistical information, for example to shed light on the effectiveness of certain cancer screening methods, or the long term effects of heart surgery. But we are fully aware that linkage of records is, by its nature, privacy intrusive. So we follow a rigorous policy, based on the principle that record linkage should not be done unless the public good from doing so is clearly evident, and only if all of the following conditions are satisfied:
- only statistical aggregates, never individually identifiable data, can be disseminated from linked files using data collected by Statistics Canada (unless there is informed respondent consent to do so);
- the linkage is to provide analytic/statistical information designed to provide insights about some specific issue the answer to which is in the public interest and the information could not be obtained cost effectively by some other means. In other words ‘no fishing expedition’ or ‘just in case’ linking of files;
- the nature of the ‘public good’ to be served is assessed through a series of reviews which culminates by my personal review. These reviews must explicitly conclude that the good to be served is sufficient to warrant the linkage. The most frequent examples involve health: e.g. linking a file of women who have participated in a clinical study of breast cancer screening with a file of cancer patients to assess the effectiveness of such a screening program;
- if the linkage involves a specific group of individuals, we do not link files -- even for statistical analysis -- if the results might harm the interests of that group;
- if the linkage involves a particular group and relates to a potentially sensitive issue, we consult with representatives of the group involved. For example, a few years ago we were asked to carry out a linkage of files involving social welfare recipients and then to produce a statistical study to shed light on the effectiveness of various social assistance programs. Before undertaking this project, we conducted a public consultation involving representatives of several anti-poverty organizations, as well as the Privacy Commissioner.
5. Whatever studies we undertake, whether they involve a single survey or linked data files, the analytic results must all be placed in the public domain, accessible to everyone on the same basis. In other words we do no secret or confidential studies.
6. We will undertake no linkage on an indefinite on-going basis. If the linkage of two files is approved for a specific purpose, the linked data will be destroyed at the conclusion of the project. If the project is of longer duration, the linkage approval is conditional on a regular periodic review to assess whether the specific objectives have been served and whether there are good grounds for the period of approval to be extended.
7. The size of files involved in linkage (if approved in the first place) must be as small as possible, consistent with the specific objectives. Time and again when we have approved linkages, we have done so not for massive files, but for a small sample drawn from them.
8. Every new kind of major new linkage project is discussed with the Office of the Privacy Commissioner. We try to accommodate his concerns and comments. While he cannot formally approve our projects (and we do not ask him to do so), there is a very open consultative relationship with his office. His past comments have been extremely useful.
9. Finally, we go out of our way to ensure that the data entrusted to us are not only legally protected, but that our security practices are exceptionally strong. For example Statistics Canada uses two physically separate computer networks. All confidential statistical data reside only on an internal, closed network to which there are no outside connections, thus eliminating the possibility of unauthorized access to our computer system.
In conclusion, the Agency strongly believes that in a democratic society it is essential that policies and programs should be designed on the basis of good information. We also believe that this information should be made available equally to everyone, that only statistical information should leave Statistics Canada, and that we should carry out our information mandate in a manner that maximizes respect for individual privacy.