Leg4
- 1. CANADIAN GAMING SUMMIT 2011
April 19, 2011
Casinos As Public Institutions under the Freedom of
Information and Protection of Privacy Act
Mary O’Donoghue
General Counsel and Manager of Legal Services
Information and Privacy Commissioner/Ontario
© Information and Privacy Commissioner of Ontario, 2006
- 2. The Regulator: Information and Privacy
Commissioner/Ontario
ABOUT US:
• The Information and Privacy Commissioner of Ontario (the IPC) is
an administrative tribunal as well as a policy making body.
• In addition to her powers as an adjudicative tribunal, the IPC has an
explicit statutory authority to
– Conduct research into access and privacy issues;
– Receive information from the public on the operation of the
Acts;
– Comment on proposed government legislation and programs;
and
– Educate the public about Ontario’s access and privacy laws.
- 3. Information and Privacy Commissioner/Ontario
The Acts
Information and Privacy Commissioner/Ontario oversees:
The Freedom of Information and Protection of Privacy Act (FIPPA)
The Municipal Freedom of Information and Protection of Privacy
Act (MFIPPA) and
The Personal Health Information Protection Act (PHIPA)
Under these Acts she resolves access to information appeals and
complaints when government or health care practitioners and
organizations refuse to grant requests for access or correction or fail
to treat personal information in accordance with the statutory
Privacy Rules;
- 4. The Acts
• Each of these Acts provides for access to information and
privacy of personal information.
• FIPPA came into effect in 1988, MFIPPA in 1991, and PHIPA
in 2004
• Under FIPPA and MFIPPA, the general public has a right of
access to general records in the custody or control of
institutions, as well as to their own personal information
• Access rights are subject to both legislated exclusions and
exemptions
- 5. Purpose of FIPPA/MFIPPA
• The purposes of the Freedom of Information and Protection
of Privacy Act and the Municipal Freedom of Information
and Protection of Privacy Act are:
– a) To provide a right of access to information under the
control of government organizations in accordance with
the following principles:
• information should be available to the public;
• exemptions to the right of access should be limited
and specific;
• decisions on the disclosure of government information
may be reviewed by the Information and Privacy
Commissioner.
– b) To protect personal information held by government
organizations and to provide individuals with a right of
access to their own personal information.
- 6. PUBLIC INSTITUTIONS
• Which bodies are covered?
“Institutions” are the entities subject to the public sector Acts
– FIPPA institutions mainly cover provincial ministries and
agencies, including entities specially scheduled by
regulation
– MFIPPA institutions are municipal governments and their
agencies, school boards, libraries, police services, etc.
– In Ontario, under the aegis of the Ontario Lottery and
Gaming Corporation, Casinos are subject to the privacy and
access to information rules of FIPPA
- 7. Transparency, Openness and Privacy
• Under the two public sector Acts, there are 3 underlying
principles:
– Citizens are ensured access to the information that allows
them to participate meaningfully in the democratic process
– Elected officials and public officials remain accountable to
the citizenry
– Public institutions are responsible for safeguarding
personal information and following the privacy rules
- 8. The Privacy Rules
• Part III of the Freedom of Information and Protection of Privacy Act
provides rules for the protection of the privacy of the individuals.
“Fair information practices:”
– personal information should be collected directly from the
individual, unless indirect collection is necessary and authorized;
– institutions should collect only personal information which is
specifically authorized by statute, necessary for a lawfully
authorized activity or for law enforcement;
– individuals should be notified by the collecting institution when
their personal information is collected; notice should contain legal
authority for the collection; name, title and telephone number of
institution employee who can answer questions;
- 9. The Privacy Rules cont’d.
– individuals have a right of access to their personal information
held by institutions, subject only to statutory disclosure
exemptions;
– individuals may request correction of their personal information
being held by institutions, or have right to attach statement of
disagreement;
– institutions only use personal information for the purpose for
which it was collected or for consistent purpose; consistent
purpose is one reasonably expected by the individual;
– individual can consent to new use for the information;
information may be collected for more than one use; all potential
uses identified prior to collection, and all main uses disclosed to
the individual at the time of collection;
- 10. The Privacy Rules cont’d.
– institutions should not disclose personal
information except as permitted under the Act, or
upon consent of the individual;
– institutions should use only personal information
which is accurate and up to date in making
decisions affecting an individual; and
– institutions must provide for the proper secure
custody of personal information
- 11. Privacy Rules in the Casino
Investigation Report PC-010005-1, February 26, 2001
• Hamilton Spectator reporter contacted the IPC for
information on biometric facial scanning by OPP in
casinos.
• The Alcohol and Gaming Commission (AGCO)
Investigations Branch, (seconded OPP officers) closely
monitors Ontario casinos to enforce section 209 of the
Criminal Code, which criminalizes cheating while
playing a game or betting. The OPP was using Facial
Recognition Technology.
- 12. Facial Recognition Technology in the Casino
• The OPP used Facial Recognition Technology to detect
suspicious behaviour by customers. If there is reasonable suspicion that an
individual is engaging in criminal activity, the OPP uses the face
recognition software to determine if the individual is a known
or suspected casino cheat.
• Facial template is compared for matching purposes against two
databases (the first is the casino based database of suspected
casino cheats throughout North America, the second is the OPP
database which contains convicted casino cheats in Ontario and
ongoing investigations)
• Incident report is prepared and facial scan only retained if
investigation leads to a criminal conviction.
- 13. Facial Recognition in Casinos
• If conviction, scan retained in OPP database at casino where
criminal activity took place. OPP may also send facial scans
to OPP teams at other casinos in the province for their
database. OPP in Ontario casinos did not send their facial
scans to other jurisdictions, however others may send their
scans to Ontario casinos.
• Where the investigation resulted in no conviction the data was
deleted and no copy maintained on file. In addition, contrary to
media allegations, the OPP did not engage in the scanning of
all casino customers.
- 14. IPC Findings
• Template was personal information
• Collection was for purpose of law enforcement and so proper; officers
gather information in accordance with duties under the Police
Services Act. Used only for law enforcement and access restricted to
OPP.
• Notice - Posted Notice was required under s. 39(2). Imaging was
publicly known and disclosure would not reveal unknown
investigative technique.
• Law enforcement provisions “would not apply to exempt institution
from requirement for general notice to inform the public entering a
casino that OPP may be collecting their personal information through
the use of face recognition technology… An individual’s face
displays unique and highly personal information about that
individual, including his or her race, colour, age and sex. In our
view, members of the public should be made aware that this
information could be collected if they choose to enter a casino in
Ontario.”
- 15. Consultation
• Though it is not a requirement for the IPC to be consulted on
every project which may have privacy implications, it is
however within the spirit and intent of the Act to consult. In
addition, consultation with the IPC will ensure compliance
with the Act. Neither the AGCO nor the OPP consulted with
the IPC on the development of facial recognition technology.
As well, neither institution established a privacy impact
assessment before the implementation of this technology. It is
the view of the IPC that consultations are highly recommended
and especially important when the use of biometric programs
may impinge upon privacy.
- 16. Casino Investigation Information - Access
• IPC Order PO-2796, AGCO, 2009
• http://www.ipc.on.ca/images/Findings/PO-2796.pdf
• Alcohol and Gaming Commission of Ontario received FOI
request for
1) “plan to investigate”
2) “report of investigation”
– ...any other AGCO document which mentions the [requester]
or relates to the [date] Casino [name] incident.
- 17. Investigation Information - Access
• Records denied by AGCO included some about investigation of the casino’s
“operational and performance aspects of a surveillance system”.
• The IPC Adjudicator found that the records contained “more than an internal
review of a surveillance incident as claimed by the appellant…This
information at issue in the records concerns a sensitive subject, namely the
surveillance system in a named casino which is related to both the security
system in that casino, as well as the protection of the public who frequent
that casino. While there may be a public interest in disclosure of this
information, the significant and sensitive nature of this information
outweighs both the public’s interest in disclosure as well as the appellant’s
need to receive this information for his own private interest to assist him in
his court action.”
• Refusal of access upheld - section 49(a) (requester’s own p.i.) in
conjunction with section 13(1) (Advice to gov’t) as well as section 14(2)(a)
(law enforcement report).
- 18. The Future of Privacy
With onslaught of new technological programs
involving personal information and new
privacy risks, the Commissioner’s challenge is
to
Change the Paradigm to
Positive-Sum,
NOT Zero-Sum
- 19. Privacy by Design:
The Trilogy of Applications
• Information Technology
• Accountable Business Practices
• Physical Design & Infrastructure
- 20. PRIVACY BY DESIGN: THE 7
FOUNDATIONAL PRINCIPLES
• 1. Proactive not Reactive: Preventative, not Remedial;
• 2. Privacy as the Default setting;
• 3. Privacy Embedded into Design;
• 4. Full Functionality: Positive-Sum, not Zero-Sum;
• 5. End-to-End Security: Full Lifecycle Protection;
• 6. Visibility and Transparency: Keep it Open;
• 7. Respect for User Privacy: Keep it User-Centric.
• www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf
- 21. Embedding Privacy at the Design Stage:
The Obvious Route
• Cost-effective
• Proactive
• User-centric
• It’s all about control – preserving personal control and
freedom of choice over one’s data flows
- 23. Biometric Encryption (BE)
What is Biometric Encryption?
• Class of emerging “untraceable biometrics” technologies
that seek to translate the biometric data provided by the user;
• Special properties:
- uniqueness
- irreversibility
- 24. Biometric Encryption:
A Positive-Sum Technology that Achieves Strong
Authentication, Security AND Privacy
• Privacy-enhanced uses of biometrics, with a particular focus on
the privacy and security advantages of BE over other uses of
biometrics;
• How BE technology can help to overcome the prevailing “zero-
sum” mentality by effectively transforming one’s biometric to
a private key.
www.ipc.on.ca/images/Resources/up-1bio_encryp.pdf
- 25. Advantages of
Biometric Encryption
BE Embodies core privacy practices:
1. Data minimization: no retention of biometric image or template,
minimizing potential for unauthorized secondary uses, loss, or
misuse;
2. Maximal individual control: Individuals may keep their
biometric data private, and can use it to generate or change
unique (“anonymous”) account identifiers, and encrypt own
data;
3. Improved security: authentication, communication and data
security are enhanced.
- 26. Facial recognition a system problem gamblers can’t
beat?
This coming May facial recognition technology will be used to scan the faces of
every patron entering an Ontario casino. This scan will then be compared
with a database of 15 000 individuals who have placed themselves on a self-
excluded list.
When a match is found, casino security is notified; if no match is found,
the image is discarded.
Privacy mechanisms have been implemented into this technology through a
biometric encryption algorithm. This algorithm assures the public that there
is “no permanent link between a biometric template of a person’s face and
their private information.”
According to Commissioner Cavoukian measures must be taken to ensure the
privacy of those who come to the casino and have not placed themselves on
this list.
• Toronto Star, January 12, 2011
- 27. OLG’s new 4 step self-exclusion program
• Enrolment process - Images are taken for facial recognition process,
conversation between the self-excluder and security is documented,
and a digital form is signed agreeing to the terms of self-exclusion.
• Detection – Cameras are located at the entrance and exit of each
casino. Faces are scanned in real time and encrypted into a unique
algorithm.
• Tracking and identification – the self-excluded database is searched
for a match of that algorithm. If detected, the self-excluder’s
information is distributed to security. Security personnel double-
check to make sure the system has identified a self-excluded person,
and that no one has been falsely identified.
• Enforcement – If a self-excluded person is detected in the casino, they
are asked to leave and the incident is recorded in the database.
- 28. OLG Facial Recognition Program
• The system is designed to detect only self-excluded people –
not cheaters or organized crime;
• Legacy, photograph-based system, needs to be maintained
without the need for re-enrolment of individuals;
• Automated facial recognition system is the only technology
that produces remote identification and is compatible with the
legacy photograph-based system.
- 29. OLG Self-Exclusion program
• Completely voluntary self-excluded individuals – more than 12,000
in Ontario and growing;
• Great Need for reliable detection of those attempting to enter a
gaming site – manual comparison alone does not work;
• Privacy of all casino patrons must be protected;
• Solution: Facial recognition in watch-list scenario with the use of
Biometric Encryption;
• Novel “Made in Ontario” PbD application: collaboration of OLG,
IPC, UofT, and iView Systems
- 30. OLG Facial Recognition Program
• OLG is subject to Ontario’s privacy legislation;
• OLG contacted us at the earliest stage and adopted the Privacy-by-
Design approach – embedding the privacy protection means directly
into the core technology;
• The research project was successfully completed at the University of
Toronto, developing an essentially new variant of a BE algorithm
called Quantized Index Modulation (QIM);
• The database tests showed that BE may be integrated with
conventional facial recognition, with little or no accuracy
degradation.
- 31. Facial Recognition with Biometric Encryption
• Biometric Encryption (BE): securely binds a person’s identifier
(pointer to personal information) with facial biometrics;
• The pointer is retrieved only if a correct (i.e., self-excluded) person
is present;
• The link between facial templates and personal information is
controlled by BE;
• Final comparison is done manually;
• Privacy of both the general public and self-excluded individuals is
protected.
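A toy sketch of the binding described on this slide, added here as an example and not the OLG or University of Toronto algorithm: a QIM-style quantizer binds random key bits to a feature vector, and the pointer is sealed under that key. The step size, the 32-value feature vectors, the pointer value `SE-RECORD-0001` and all function names are assumptions; production schemes add error-correcting codes.

```python
import hashlib
import hmac
import random

STEP = 1.0  # quantizer step (assumed value); per-feature noise below STEP/2 is absorbed


def kdf(label, bits):
    """Derive 32 bytes from the bound key bits; the bits themselves are never stored."""
    return hashlib.sha256(label + bytes(bits)).digest()


def enroll(features, pointer, rng):
    """Bind a random key to the features and seal the pointer under that key."""
    bits = [rng.randrange(2) for _ in features]
    offsets = []
    for x, b in zip(features, bits):
        # Nearest lattice point STEP*(2m + b): even points encode 0, odd points encode 1.
        m = round((x / STEP - b) / 2)
        offsets.append(STEP * (2 * m + b) - x)
    data = pointer.encode()
    assert len(data) <= 32, "toy sealing handles pointers up to 32 bytes"
    sealed = bytes(p ^ k for p, k in zip(data, kdf(b"seal", bits)))
    # The record holds helper data only: no face features, no key, no clear pointer.
    return {"offsets": offsets, "check": kdf(b"check", bits), "sealed": sealed}


def release(record, probe):
    """Return the pointer if the probe re-derives the bound key, else None."""
    bits = [round((x + w) / STEP) % 2 for x, w in zip(probe, record["offsets"])]
    if not hmac.compare_digest(kdf(b"check", bits), record["check"]):
        return None
    return bytes(c ^ k for c, k in zip(record["sealed"], kdf(b"seal", bits))).decode()


def demo(seed=7):
    rng = random.Random(seed)  # constructed sample data, not real biometrics
    enrolled = [rng.uniform(-5, 5) for _ in range(32)]
    same_person = [x + rng.uniform(-0.3, 0.3) for x in enrolled]  # noisy re-capture
    stranger = [rng.uniform(-5, 5) for _ in range(32)]
    record = enroll(enrolled, "SE-RECORD-0001", rng)
    return release(record, same_person), release(record, stranger)


if __name__ == "__main__":
    print(demo())
```

A probe from anyone not enrolled yields different key bits, so the check fails and the sealed pointer stays unreadable.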
- 32. Proof of Concept
• Live field test at Woodbine facilities: Correct Identification Rate
(CIR) is 91% without BE, and 90% with BE – negligible accuracy
impact;
• BE reduces False Acceptance Rate (FAR) by up to 50% – a huge
improvement in accuracy;
• Accuracy exceeds state-of-the-art for facial recognition;
• Triple-win: privacy, security, and accuracy (unexpected) – all
improved;
• Next: production version of facial recognition with BE.
- 33. How to Contact Us
Mary O’Donoghue
General Counsel and Manager of Legal Services
Information and Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario
M4W 1A8
mary.o’donoghue@ipc.on.ca
416 326-3922