Sean Boots


Public service heroes: Madelaine Saginur & Melissa Toutloff

Madelaine Saginur and Melissa Toutloff work at the Privacy Management Division for Health Canada and PHAC. They’re two of the most kind and most brilliant public servants I’ve ever worked with. We worked together from the earliest days of COVID Alert onwards, and the app’s positive reception from Canadian privacy experts is very much credit to the two of them and their (equally brilliant) director Andréa Rousseau. I learned so much from them both on privacy policy and legislation along the way. We chatted on May 10.

Sean Boots (SB): Let’s jump into it! For introductions, tell us who you are and where you work! Whoever wants to go first.

Melissa Toutloff (MT): Go ahead, Madelaine.


Madelaine Saginur (MS): My name is Madelaine Saginur and I’m the policy manager at the Privacy Management Division for both Health Canada and the Public Health Agency of Canada. I worked with Sean for a couple years on the privacy analysis of the COVID Alert application.

SB: Woot! How about you, Melissa?


MT: I’m Melissa Toutloff, I’m the senior policy analyst at the Health Canada and Public Health Agency of Canada Privacy Management Division. I work with Madelaine, and I also worked with Sean on the privacy analyses for the COVID Alert application.

SB: Aw yeah! That was a very exciting time.

Both of you are next-level privacy experts. Even before that, how did you originally get started in the public service? What did your career journey look like off the bat? Melissa, did you want to go first?

MT: Sure! I started off in the public service as an FSWEP student, while I was in university in my undergrad. And then after graduating university, I was able to be bridged in. I was really lucky out of university that I got an indeterminate position.

My first position was as an administrative assistant in the ministerial planning and coordination division at Indigenous Affairs. My primary role was to help prepare the briefing binders for the minister and senior management. It’s basically, these massive binders with everything they needed to know for the week. Super old-school by today’s standards.

And my director in ministerial planning and coordination, while I was still there, moved on to the position of ATIP director at the same department, and she encouraged me to apply for a junior privacy policy officer position; they were rebuilding their privacy policy unit. She suggested that I apply and that’s actually how I got started in privacy, that was all fully back in 2011. So it’s been… 11 years.

SB: Amazing, that’s awesome! Madelaine, how about you?

MS: I’m not a career public servant. I worked outside the public service for over 10 years, before joining it. My interest in privacy – as well as data ethics and data stewardship – started while I was in law school; I was a research assistant for a professor who was looking at the ethical, legal, and social issues related to genetics and genomics. A big issue – and this is in the early to mid-2000s – was privacy, not “how do we not do stuff to protect privacy,” but rather “how do we protect privacy so that we can do stuff?”

I worked with that professor for over three years, did a short stint in private practice, which was not for me, and then moved to a university research centre working at the intersection of law and technology. We looked at intellectual property, privacy and other issues that come up in digital spaces, like freedom of expression. While I worked there I snuck in an LL.M. in Law & Technology.

SB: Nice!

MS: I then joined the Office of the Privacy Commissioner as special advisor to the Senior General Counsel. I spent a few years there, and then joined the Privacy Management Division for the health portfolio.

SB: That’s awesome.

MS: I’m just going to add – even though it’s been six and a half years in the public service – I still feel like an outsider. I don’t feel like I have that “government mentality”.

MT: I think you should stay that way, Madelaine. Having an outside perspective is a good thing.

SB: 100%. I feel like I’ve been playing my “I’m new to government” card for like five or six years now, and at some point, people will be like “Sean, you can’t play that card anymore!”. That’s great.

Madelaine, do you find – having a law background and working in tech – I feel like that’s a really useful intersection. Do you see more people taking that career path, or finding that half-law half-tech kind of role?

MS: It’s not a majority of law grads by any means, but there’s a growing number of people who are pursuing those kinds of roles, in the private sector, in government, in industry.

It’s a really interesting space because I think it works best when people with a lot of different backgrounds are involved. We need the people with the real tech expertise. It’s not going to work without them. But it is good to have people with legal backgrounds, policy backgrounds; I think we need more philosophers and ethicists at the table thinking about these issues.

SB: Melissa, I was going to ask – as someone who ended up in the privacy field kind of by accident, would you have any tips for people who are early-career public servants or students who are interested in privacy policy? Like, here’s what you wish you knew when you were getting started?

MT: In terms of tips, I mean, if people want to get into it, there’s tons of opportunities; it’s a growing field. They can find contacts in ATIP offices. A lot of departments don’t have a separate privacy management division; their privacy policy function exists within their Access to Information and Privacy operations division. They can seek out contacts in those areas and there’s more hiring happening externally, so there’s definitely opportunities, and we’re always looking for people.

Really what we need is – we don’t need people with privacy expertise especially not when they’re starting out; you need people who are critical thinkers, who can analyze information, who can now, more than ever, think of privacy not just as its own issue, but in how it intersects with other social justice issues. For me, that was a point of interest. Privacy intersects with other social justice issues, like respect for democracy, avoiding biases and discrimination and prejudices; the world of privacy is really starting to encompass all of that, slowly but surely.

So, critical thinking skills, the ability to analyze; good writing skills, being able to take complex information and distilling it down to something that’s easy for non-experts to understand. A lot of skills that you learn if you’re in the social sciences area of study.

SB: That’s super helpful.

For both of you, if you had to choose one moment in your public service career that stands out as really inspiring or really memorable, what would that be? It doesn’t have to be COVID Alert, it could be anything. Melissa, did you want to go first?

MT: For me, it is kind of COVID Alert but in a broad sense. COVID Alert was definitely a major career highlight for me. Obviously it was an exciting file to work on; it was a tool that we knew would get a lot of attention, and that would also have a direct impact on addressing the pandemic. It was exciting for those reasons.

But it was also a novel initiative, and how we approached it from a privacy perspective was also novel. It really forced us to think outside the box as to how we were going to assess the privacy implications. Because we have all of these tools that we can use when we’re looking into, you know, activities and initiatives that involve a clear-cut collection of personal information.

But when it came to COVID Alert, there wasn’t a collection of personally-identifying information, but there were still some significant privacy implications to address. Particularly when it came to potential concerns from the public, and so in terms of “how do we assess this”, we had to sort of start from scratch.

And so we used the privacy principles that were developed by Canada’s privacy commissioners around COVID-19 initiatives, and in consultation with the Canadian Digital Service, you, Sean, and your team, we drafted a privacy assessment, the entirety of which we posted online. Which for me was really exciting because – as far as I know – this wasn’t done in government before.

And we could have easily said, “there’s no personally-identifying information involved, the Privacy Act is not engaged; you know, see you later, we don’t need to be involved further”. And more broadly what was exciting for me is that a lot of the principles and ideas that Madelaine and I had been discussing over the past year, so even pre-pandemic, on how to address privacy implications in this digital era, overlapped with other issues we were thinking about like Gender-Based Analysis+. And doing so despite operating with a woefully outdated and ill-equipped Privacy Act, COVID Alert helped us put some of those ideas into practice. And so that was exciting.

And on a selfish note, when I have friends and family who are curious about what I do, I can tell them to look at the Privacy Assessment online, that I helped to write on COVID Alert, and that gives them a good idea, hopefully, of what I do.

SB: That’s awesome.

MT: But ultimately, too, it helped us to think about pushing past traditional ways of thinking around addressing privacy issues that are beyond a strict Privacy Act compliance perspective. If we continue to do things the way we always have, we may miss opportunities to take a deeper dive into initiatives that kind of sit in this grey area of whether the Privacy Act applies and whether there are privacy implications. And I think this ultimately helps build trust with Canadians when it comes to government use of data and their personal information.

SB: Super cool, both the fact that privacy work was the angle to public trust and buy-in, and yeah! Also nice when you can – for all of us as public servants! – when our families are like “what do you do?!” it’s like, “it’s hard to explain!” So the fact that that’s out in the world is super cool, for sure. Madelaine, how about you?

MS: COVID Alert was a highlight of my public service career too! But because it’s taken…

Something that I’ve been working on, in an ongoing way for the last few years, is Privacy Act reform work. So this work is led by the Department of Justice; it’s their job to propose a new law, but they consult a lot with departments. They say, you know, we’ve written a whitepaper about this aspect of the Privacy Act, how do you feel about it? And we can write submissions back. I’ve written all the submissions for Health Canada and PHAC to the Department of Justice on Privacy Act reform.

SB: Awesome.

MS: Our Privacy Act is from 1983. And it’s just not really up-to-date anymore, to say the least. There’s a lot of things that it didn’t anticipate, and so in some ways, the Act is inadequate. For example it doesn’t say anything at all about security safeguards. There’s no requirement to have good security measures or encryption or anything. Why? Because when it was written, we stored paper things, and so you had to lock your cabinet and then you’re good to go.

And in other ways, it limits what you can do when in actual fact those things might have huge benefit and be low-risk from a privacy point of view.

So thinking about, not, “do we comply with the law or do we not comply with the law” in a specific instance, but, “what should the law look like? What do we want the law to be?” That’s definitely my happy place.

A big issue has to do with de-identified data. Everyone agrees, when the information very clearly identifies individuals, you have to comply with the whole regime of the Privacy Act in order to collect, use, and disclose that data. But what about when it’s more de-identified? Should the same rules apply? What if it’s really de-identified such that the risk of anyone being re-identified is approaching zero?

How can we facilitate things that are in the public good – in a way where we’re still really good data stewards – and we’re preventing actual privacy harms from occurring, or at least minimizing the risk of those harms?

SB: Solid. That’s exciting!

MS: It really is.

SB: Looking forward to where that all goes.

MS: I think we’re still a ways away from a bill, it’s all sort of background work now, but we’re hoping…

SB: I’ll add some future links in there, like, two years from now.

MS: Hopefully! If it’s two years from now, I’ll be delighted.

SB: Nice, amazing.

This is a question we often ask at our CDS “Ask Me Anythings” – if there’s one thing you could change, if you could wave a magic wand and change one thing about the public service – what would that be? Madelaine, did you want to go first?

MS: So I’m going to give a two-part answer.

First, it would be the way, most of the time, the public service thinks about risk. It’s not that I think we should be “risky”, it’s not that I think the “move fast and break things” mantra of high-tech companies is appropriate for government. We’re using public funds; we have different obligations; we fulfill a different role within society. I think it’s appropriate that we are on the more risk-averse side.

But what I find is that we only think about the risk of doing things. We don’t really talk about what the risks are of not doing things. If there’s a risk because, say, we can’t take that action and that might mean that something good doesn’t happen, that’s a negative effect as well.

So if I could wave my magical public service wand, it would be to change every single time risk is being considered, that both the risk of doing something and also the risk of not doing it factor into that analysis.

And second – something that makes me pull my hair out – is the level of reviews that are required, and how sometimes they are not exactly proportional, in my opinion, to the risk involved. It just adds a lot of time in terms of getting things done, and I think there’s a little bit too much of that.

SB: That’s a super great way of putting it. Melissa, how about you?

MT: My thoughts kind of dovetail nicely with what Madelaine was saying. The thing that comes to mind initially is, it’s always frustrating how much red tape there is in government. The numerous levels of approvals that things have to go through; how long it takes to get something off the ground… and on some level, like you were saying, Madelaine, you understand why it’s the case. Because we are public servants and we should be held to a higher standard of accountability, and that risk aversion can be a good thing that we’re not just jumping head-first into everything.

But, I want to see more meaningful transparency about what we’re doing. Why is it that posting the entire COVID Alert privacy assessment was unprecedented? I don’t think there’s a lack of meaningful transparency because there’s anything to hide, or there’s no willingness to do it; I do think that sometimes people are a little afraid of what the public reaction or media reaction may be. And of course there’s some limits to transparency, you know, such as security or national security issues. But I think this should be the exception rather than the rule.

By meaningful transparency, I mean: what are the ways that we can use to actually reach Canadians? Posting something on a website is one thing, but we may also need to go beyond the confines of our usual channels for informing Canadians. So, you know, what are the different tools that we can leverage to communicate information in public, and then use the appropriate language so that it’s meaningful and well-understood.

And I think that – when it comes to privacy, and really all the things that government wants to do – I think trust is essential, and that being more transparent will help build that trust. So I think, or hope, maybe, that going forward we’ll see more examples of transparency like we did with COVID Alert. Not just in my department or agency, but across government.

SB: Nice, that’s awesome. Completely agree on all of that. I’d love to see it. Thank you to you both for taking the time to chat!