Asian Tribune Your Multilingual Newspaper covering World and local news News
Listen to this article
Estimated 5 minutes
The audio version of this article is generated by AI-based technology. Mispronunciations can occur. We are working with our partners to continually review and improve the results.
Alberta’s privacy commissioner says putting personal health numbers (PHN) and citizenship markers on driver’s licences pose new risks to the protection of personal information in the province, including fraud.
“It creates a risk that now we have more information in one place that could be subject to snooping or hacks,” Commissioner Diane McLeod told CBC News Thursday.
Last week, the province announced it would start to roll out the integrated driver’s licences on July 2 to eliminate the paper health cards Albertans have used for decades.
Amendments to the Health Information Act regarding health information sharing in December enabled the change, according to a June 4 press release from the Office of Information and Privacy Commissioner of Alberta.
McLeod said one of her biggest concerns is that the Registrar of Motor Vehicles — which is responsible for issuing driver’s licences — is not subject to provincial privacy laws.
“PHNs are actually a desired commodity on the black market and now you have driver’s license information — also a wanted commodity — together with PHNs all in one place,” she said.
“[The Registrar does] have certain provisions in their legislation to protect the information, but that is not the suite of rights that individuals have under privacy laws,” she added.
The citizenship markers could also lead to discrimination, McLeod said, a concern she previously voiced when the province announced the change last August.
McLeod’s concerns come a month after the personal information of nearly three million Albertans was posted to a searchable online database, prompting concerns about the safety of Albertans’ personal information.
Elections Alberta, the RCMP and the privacy commissioner are all investigating the breach.
New IDs will protect against fraud, premier says
In a statement to CBC News, a spokesperson for the Ministry of Primary and Preventative Health Services said there are already “strong privacy protections” for licences.
“This information will be protected through multiple pieces of legislation, including under the Health Information Act, which makes it clear that anyone who collects an individual’s driver’s licence or ID and who is not authorized to use the personal health number cannot use it for any purpose, and the Alberta Health Care Insurance Act also includes collection, use and disclosure restrictions,” the statement said.
At an unrelated announcement on Friday, Alberta Premier Danielle Smith said having all the information included in one card will reduce the chance of fraud.
“The card itself has 57 different security features on it to prevent against fraud,” Smith said.
She added her government will listen to any privacy concerns that may arise, but she sees this new approach as “far superior” to the existing system.
Alberta has separate laws regulating how personal information is protected in the public and private sectors.
The provincial Protection of Privacy Act (POPA) regulates how public bodies protect personal information, while the Personal Information Protection Act (PIPA) governs how private sector organizations and businesses protect that information.
The registrar is not subject to either, but is subject to the Access to Motor Vehicle Information Regulation included in the Traffic Safety Act.
Like a ‘flashing neon sign’
But some privacy experts say the risk of having multiple pieces of identifying information in one spot does not enhance security, instead the information just becomes easier to get to.
“It’s like putting a giant, flashing neon sign saying, ‘Hey, there’s more personal information available on Albertans via the driver’s licence system,'” said Jason Woywada, executive director of the B.C. Freedom of Information and Privacy Association.
Woywada said centralizing the information could create a more lucrative target for hackers, as breaches of only a few systems could mean bad actors have access to multiple pieces of identifying information.
“These are very real threats that governments need to start wrapping their head around because it is no longer a hypothetical,” he said.
There is also no requirement for the registrar to report a breach were it to occur, given that it is not subject to provincial privacy laws, said Tamir Israel.
“It’s not subject to any oversight and auditing powers that the privacy commissioner has in relation to other types of public bodies,” said Israel, who directs the privacy, surveillance and technology program at the Canadian Civil Liberties Association.
“In the instance of a data breach, the Registrar of Motor Vehicles is not obligated to notify people that a breach has occurred,” he added.
Independent oversight is important not only to audit security systems and ensure they can defend against a breach, but also because it changes how organizations approach data security, Israel said.
“Just knowing that you will have to inform people if a breach occurs, really changes the internal decision making,” he said, adding it can incentivize organizations to invest in better safeguards.
McLeod said she knows Albertans will have questions about how their information is used and how to protect it, which is why her office plans to release guidance on best practices in the coming weeks.
“I’m also providing guidance to all of the other sectors to caution them on ensuring that they’re not collecting that information when they’re not permitted to do so under their relevant laws,” she said.