Chapter 4.6: Respecting privacy and protecting confidentiality
All statistical surveys represent a degree of privacy invasion—privacy defined as the right for respondents to be left alone, to be free from interference, surveillance and intrusions.
Accurate and reliable data rely on the goodwill and cooperation of the public—whether their participation is optional or based on mandatory legal requirements. In order to maintain the trust of respondents, it is crucial for statistical organizations to secure the privacy of household and business data by assuring that data published cannot be related to an identifiable person or business.Endnote 1
It is expected that confidentiality be implemented at each level and step of the statistical process—from the preparation of the survey to the dissemination of statistical products.
At Statistics Canada, sensitive statistical information is defined according to the Directive on the Security of Sensitive Statistical Information, which consists of the following:
- Information provided in confidence, such as
- data obtained, under the authority of the Statistics Act, either directly from respondents or from a third party (i.e., statistical administrative information) in identifiable mode;
- data holdings stripped of identifiers, but held in a geographical structure or format that could permit the establishment of a direct relationship among such data holdings and identifiable units.
- Information related to a statistical data collection or production process that is linked to an identifiable person, business or organization (called paradata)
- Aggregate statistical information in the pre-release stage (including work in progress provided to external organizations for data validation).
Statistical organizations are required by law to protect the confidentiality of respondents' information, and it is essential that clear legal provisions are laid down in statistical law to ensure that statistical confidentiality is protected. In Canada, the legal framework relies on the following two important pieces of legislation:
- Canada's Statistics Act provides Statistics Canada with access to all records held by governments, businesses and organizations, and, specifically identifies all taxation and customs records, as well as court records. The Statistics Act contains strong legal provisions that indicate the degree of importance that the Parliament of Canada accords to good statistical information. Information obtained by Statistics Canada under these provisions is subject to the same guarantee of confidentiality that applies to data collected directly by the agency. Strong measures are in place to foster an organizational culture whereby all employees feel personally responsible to uphold that confidentiality guarantee. They are also subject to penalties under the Statistics Act should they willfully disclose confidential information.
- Canada's Privacy Act, which is a very detailed piece of legislation, that applies only to persons, and that obliges the agency and its employees to keep confidential all individual information obtained under the Privacy Act Exceptions to this restriction are few and carefully circumscribed. The Privacy Act guarantees confidentiality during the legal and organizational aspects in the context of producing a statistical survey. A number of internal policies regarding the collection, use and disclosure of statistical information are in place within the agency.
The preceding pieces of legislation guarantee four guiding principles:
- the privacy of data providers (households, businesses, or other respondents) and the confidentiality of the information they provide
- the security of information received from data providers
- the use of the data for statistical purposes
- penalties and sanctions in case of infraction.
Mechanisms and measures for respecting privacy and protecting confidentiality
A number of mechanisms and measures are in place to ensure that privacy is respected and confidentiality is protected, including the following:
- mandatory obligations for employees
- strong culture of respect for the need for privacy and confidentiality
- physical security
- information technology (IT) security
- disclosure control
- record-linkage control
- privacy impact assessments
- measures to protect confidentiality while granting access to confidential information for statistical and/or research purposes (covered in detail in Chapter 4.4: Access to microdata).
1. Mandatory obligations of employees
Employees at Statistics Canada are asked to swear an oath of secrecy to make each employee fully aware and liable in terms of protecting confidentiality.
Taking an oath of secrecy under the Statistics Act is a requirement for to all employees of Statistics Canada and to persons “deemed to be employees” (according to the Statistics Act). Employees who swear in by affirming this oath promise to fulfill their duties by agreeing to respect the confidentiality requirements of the Statistics Act. Of key importance is the promise never to disclose identifiable information about any individual person, business or organization that employees learn of while undertaking their duties. This oath lasts a lifetime. Even after leaving the employment of Statistics Canada, persons must remain faithful to the oath and maintain the confidentiality of any statistical information to which they had access. Persons are liable to the penalties outlined in the Statistics Act (fines and/or imprisonment) or other sanctions that could lead to and include termination of employment if they break the oath. Refer to Box 4.6.1 (at the end of this chapter) for the wording of Statistics Canada's oath of secrecy.
Statistics Canada has taken measures to improve its training in the areas of privacy, confidentiality and security. Flagship training courses that are mandatory for specific groups of employees contain a module on these three topics. The orientation course that all new employees must also attend includes basic training on confidentiality and security.
To address the needs of not only all new employees, but also those in the professional streams, a computer-based training module has been developed. This course is delivered to employees when they receive their user identification (ID) card for the computer system. It takes only 20 minutes to complete and it covers all the basic information on confidentiality, privacy, network use, IT security, physical security, fire safety and building evacuation practices. This course must be retaken periodically when employees renew their ID cards.
3. Strong culture of respect for the need for privacy and confidentiality
Statistics Canada is known for its strong traditions of respect for privacy and protection of confidentiality.
Directors from statistical program areas play a very important role and have direct responsibility for controlling and protecting all sensitive statistical information obtained by their respective work units in fulfilling their program objectives. For example, they must ensure that appropriate control measures regarding access to confidential microdata files are in place in their divisions. They must also determine the need to retain identifiable files and ensure that such files are referenced as required under the Privacy Act and the Access to Information Act.
4. Physical security
The Government of Canada's approach to physical security measures is to design and manage environments or facilities with specific physical security safeguards.
Physical security is implemented at various levels across the agency. The extent to which physical security measures are applied in a given work area will vary according to operations, location, type, and the nature of work, and any other factors bearing on the general work environment.
- Identification cards
Electronic identification cards are issued to all employees and contractors of Statistics Canada, as well as all other employees of departments that occupy space in Statistics Canada headquarters.
The electronic identification card has an expiry date (usually three years from the date issue for indeterminate employees). Prior to the card's expiry, employees are required to report to the Departmental Security Office to have their card updated to continue their access to the agency's buildings. The electronic identification card is required to enter Statistics Canada premises and it is to be visibly worn by all employees at all times.
- Areas with restricted access
All three buildings at headquarters are designated as restricted-access areas, which means that safeguards are in place that will allow access to authorized personnel only. In the regional offices, restricted areas are designated in accordance with operational requirements.
Security personnel are hired to protect the health and safety of employees and to safeguard departmental assets and information. Specifically, a security guard's duties include reception, building access control, patrol and escort functions, monitoring of alarm/video- and life-safety systems, and emergency response.
- Building controls and access
All perimeter doors are equipped to monitor unauthorized entry or departure. These doors are to be used only in the event of a building emergency or during a scheduled building evacuation. Employees who use these doors without proper authority are subject to disciplinary action.
5. Information technology security
Information technology (IT) security addresses the protection of information during collection and transaction input, transmission, processing, storage, retrieval, output and disposal. It also includes the protection of IT systems and facilities. This protection is achieved using technical, procedural and administrative procedures and practices. Collectively, these procedures and practices are designed to prevent, detect potential loss, and enable recovery from damage to the confidentiality, integrity and availability of the agency's data, systems and facilities.
Statistics Canada has always maintained a very strict code of IT security by implementing and maintaining the following measures:
- Agency Network Use Policy
All employees are required to read and accept the Network Use Policy as a condition of receiving their computer user account. In addition, they are required to sign, three times a year, a reaffirmation that indicates their understanding of the policy and acknowledges that they will follow its requirements. This policy governs their use of the IT system and covers issues such as acceptable use of email and the Internet, as well as virus protection.
- Controlled access to the database system
The agency manages the various accesses through to the Corporate Access Request System (CARS), which is used to automate and control employees' access to data, applications and after-hours buildings.
- Virus protection
Serious viruses can cause havoc to an information-based organization. The most up-to-date detection, isolation and irradiation methods must be in place along with employee awareness and compliance with the virus prevention and protection protocols. Statistics Canada IT staff and employees are very vigilant in this matter as data reliability, integrity and confidentiality are at risk in an event of a serious virus attack.
All Statistics Canada employees must consider privacy and confidentiality when choosing email as a means of communication. The agency's email system does not currently provide security features such as encryption to protect email messages or attachments during transmission. However, confidential information can be shared through an electronic-file-transfer platform, if necessary.
6. Disclosure control
Disclosure control measures are designed to ensure that the confidentiality protection commitment of statistical organizations is met while preserving the usefulness of data outputs to the greatest extent possible. These mechanisms are usually applied as indicated below:
- During data collection and data processing, there are separation between the direct identifiers and the statistics provided; personal data and questionnaires are kept secure, and later destroyed after a required length of time.
- Prior to publishing aggregated data, information is suppressed if the number of respondents allows easy disclosure of individual data; use of standard software for checking tabulations is used; and a review is conducted by authorized staff of all data prepared for publication and possible disclosure.
- When releasing individual data, all applications must be examined in relation to access to confidential data requirements by the Disclosure Review Committee; the release of individual data are authorized as anonymized microdata only for research purposes; and releases must limit geographic detail, the number of variables, recoding and sampling.
The Disclosure Review Committee was established to share best practices across the program areas. Furthermore, the increase in the amount and complexity of analyses being undertaken—mostly through research data centres—has created new challenges for disclosure control.
Under specific circumstances, the Chief Statistician is the only official who may, by order, authorize the disclosure of confidential data, as stated in the Statistics Act.
7. Control over record linkage
According to the Directive on Record Linkage, record linkage is defined as combining two or more microrecords to form one composite record containing information about the same entity. Record linkage is an important technique used in the development, production, analysis and evaluation of statistical data. This technique reduces respondent burden because it does not make it necessary to go back to a respondent to collect the information.
Record linkage can be undertaken at Statistics Canada for research and statistical purposes only, and the linkage must lead to benefits that serve the public interest. It must also be clear how the proposed methodology could lead to results that, in turn, could be implemented to address important public issues.
Record linkage has always dealt with a balance between the competing public goods of privacy protection and the value of the information that can be delivered through linkage. Given the wide scope of record linkage within a centralized statistical system, particularly one with Statistics Canada's broad access to data holdings of other departments, the agency developed a multi-level review procedure, as well as extensive ongoing consultation mechanisms with stakeholders and the Office of the Privacy Commissioner. All linkages must be approved by the Executive Management Board, chaired by the Chief Statistician.
8. Privacy impact assessments
A privacy impact assessment (PIA) is an evaluation that looks at privacy, confidentiality and security risks associated with the collection, use or disclosure of personal information. PIAs help program areas develop measures to mitigate or eliminate the identified risks. All PIAs are to be sent to the Office of the Privacy Commissioner.
Key success factors
Statistics Canada has a long history as a statistical agency that is up-to-date in terms of maintaining policies, procedures, and tools that continually enhance the protection of statistical information.
A strong confidentiality culture is paramount. Awareness among and training of employees are key in safeguarding the confidentiality of respondent data. Training tools guarantee due diligence and ensure that all practices are consistently followed and systematically applied.
Enhancing research by being informed and considering new methods, trends or best practices while protecting confidentiality are also key to success. All improvements to technical means can add a layer of protection, with a positive impact.
Challenges and looking ahead
Respect for the privacy of respondents and maintaining the confidentiality of individuals' responses are key for the survival of any national statistics office. Any serious breach or even perceived breach of privacy could severely damage the public's trust and confidence, with an impact on response rates.
With rapid advances in electronic communication technology, along with growing awareness of the privacy concerns that this technology brings, statistical agencies are experiencing increasing pressure to justify their activities in the context of privacy implications. An open and coherent approach to addressing privacy issues on the part of the statistical agencies is a necessary element of their successful management in the future.
The purpose of this preamble is to clarify the implications of the secrecy provisions and consequences of violating your oath or affirmation of the Statistics Act. The Statistics Act requires all employees and deemed employees of Statistics Canada to take an oath or solemn affirmation of office and secrecy. The Statistics Act gives Statistics Canada the authority to collect information by contacting respondents directly and by accessing administrative records held by other departments, at the federal and provincial level, or by municipal governments, businesses, corporations and organizations.
2. Obligation to protect confidentiality
To balance Statistics Canada's extensive powers to collect and access information, the Statistics Act establishes the rigorous legal obligation for the Agency to keep the confidential information obtained in trust. The Statistics Act makes a formal commitment to respondents and data providers that the information they provide will never be released to anyone in a form that is identifiable, without their authorization.
3. The principle of confidentiality
The general principle of confidentiality is described in subsection 17(1) of the Statistics Act: no person other than an employee or a deemed employee of Statistics Canada who has sworn or affirmed the following oath can examine identifiable information collected under the authority of the Statistics Act. Furthermore, such information may not be disclosed in a form that may identify an individual person, business or organization.
As noted in the Statistics Act, violations of the confidentiality provisions are a criminal offence. After taking the Statistics Act Oath or Solemn Affirmation of Office and Secrecy, all persons who seek to obtain information they are not authorized to have, who desert from their duties or make false statements or returns in the performance of their duties, or who disclose identifiable statistical information are liable to fines of up to $1,000 or to a prison term of up to six months, or to both. Additionally, the Statistics Act also provides for more severe penalties for employees and deemed employees who, after taking the oath of office, unlawfully disclose information which might influence the value of any security or other asset, or who use such information for the purpose of speculation. Penalties in these circumstances can be fines ranging up to $5,000 or prison terms of up to five years, or both.
The Statistics Act Oath or Solemn Affirmation of Office and Secrecy
The Statistics Act Oath or Solemn Affirmation of Office and Secrecy is a requirement of the Statistics Act. It reflects and supports the confidentiality provisions of the Statistics Act. Persons swearing/affirming this oath promise to fulfill their duties by agreeing to respect the confidentiality requirements of the Statistics Act. Of key importance is the promise never to disclose identifiable information about any individual person, business or organization that they became aware of while undertaking their duties as employees or deemed employees of Statistics Canada. The oath lasts a lifetime, so even after leaving the employment of Statistics Canada, persons must still adhere to the oath and protect the confidentiality of any statistical information to which they had access.
I __________________________, (name) do solemnly swear (or affirm) that I will faithfully and honestly fulfill my duties as an employee of Statistics Canada in conformity with the requirements of the Statistics Act, and of all rules and instructions thereunder, and that I will not without due authority on that behalf disclose or make known any matter or thing that comes to my knowledge by reason of my employment.
- Endnote 1
United Nations, 2014.
Return to endnote 1 referrer
United Nations (2014). United Nations Fundamental Principles of Official Statistics; Implementation Guide.
Government of Canada (2005). Statistics Act. L.R.C 1985, c. S-19. Amended by 1988, c. 65, s. 146; 1990, c. 45, s. 54; 1992, c. 1, ss. 130, 131; 2005, c. 31; 2005, c. 38. Consulted on 11th of March 2016 and retrieved from http://laws-lois.justice.gc.ca/eng/acts/S-19/FullText.html.
Government of Canada (1985). Privacy Act, Consulted on the 11th of March 2016 and retrieved from http://laws-lois.justice.gc.ca/eng/acts/P-21/.
Statistics Canada (2008). Access to Information Act, Ottawa. Consulted on the 11th oh March 2016 and retrieved from http://laws-lois.justice.gc.ca/eng/acts/A-1/.
Statistics Canada (2012). Directive on Security of Sensitive Statistical Information, Ottawa. Internal document. Accessible on demand.
Statistics Canada (1998). Network Use Policy, Ottawa. Internal document. Accessible on demand.
Statistics Canada (2011). Directive on Record Linkage, Ottawa. Internal document. Accessible on demand.
- Date modified: