Categories: social

Measuring Fear? #Coronavirus

Disease Sentiment Analysis for diseases and pandemics


COVID-19 is a global concern. It is affecting communities with over 2500 deaths while the number of cases continues to climb. Canada has issued a level 3 travel advisory (avoid non-essential travel) for several countries, including China.

Thousands of health professionals continue to deal with the risk of infection. Some countries are taking measures ranging from shutting down schools and factories to outright travel bans. This is causing anger, frustration, and more importantly, fear.

While solving the clinical challenge is the top priority, the public safety challenge should also be a concern in case the situation is further exacerbated.

We built an AI tool to help raise awareness of the amount of negativity resulting from the corona virus

World and country health organizations continue to publish guidance and statistics on the number of infections, cases, and deaths. While statistics are very important, analyzing sentiment goes beyond the surface.

Using artificial intelligence, KI Design can separate sentiment into Surprise, Disgust, Joy, Anger, Neutral, Sadness, and Fear.

Fear and Anger are two strong sentiments that are often the determinant of public behavior.

Study Dimensions

Duration  : Jan 1st, 2019 - Mar 3rd, 2020 
# of posts: 553,216,088
Sources: Twitter 79% Forums 10% News 6% other 5%

KI Design released an AI-powered tool that analyses world sentiment on Corona Virus COVID19

Virus and infection volume of conversation

The first graph shows the overall data captured related to various communicable diseases.

Basic Sentiment

Looking at the basic sentiment bar chart, by comparing negative and positive sentiment over time one can notice that there has been an increase in relative negativity. The relative amount of fear is also increasing as shown in this chart.

emotional analysis for the corona virus


The tool can also present information about volume, which when combined with sentiment should give us an idea about the potential impact.



If you have any questions, please do not hesitate to reach out to our team. Comment and share the article on social media.

Categories: Privacy

Best-Practice Data Transfers for Canadian Companies – III – Vendor Contracts


A three-part series from KI Design:

Part I: Data Outsourcing

Part II: Cross-border Data Transfers

The following guidelines are best-practice recommendations for ensuring that transferred data is processed in compliance with standard regulatory privacy laws.

While a contract creates legal obligations for a Vendor, your company must still take proactive measures to oversee data protection, as it retains legal responsibility for transferred data. So where the Vendor is providing services that involve data transfer, include the following clauses in your contract:

Privacy and Security Standards

  1. The Vendor confirms that it will manage the data through the data lifecycle according to the privacy standards followed by [your company]. The Vendor will provide documentation to confirm that these standards are being followed.
  2. The Vendor will demonstrate that it has audited, high-level technical and organizational security practices in place.
  3. The Vendor will ensure that all data to be transferred is encrypted or de-identified as needed.
  4. If the Vendor will be using another downstream data processor to fulfill part of the contract, the Vendor will inform [your company] of this, and will implement with that third party a contract containing data protection measures equal to those in the contract between [your company] and the Vendor.

Integrity of Data

Data Breaches

Data Ownership




Have you:

Focusing on data protection issues from the procurement process onward will diminish data breach and other security risks. Create a Request For Proposals template that ensures security elements are included in the evaluation process, and audit and monitor outsourcing operating environments for early detection of any suspicious activity. Limit data transfers across company, provincial, or national borders, and avoid any unintended cross-border data transfers.

REMEMBER: Your company is still legally responsible for transferred data


For further information on data transfers, and privacy compliance matters generally, see Waël Hassan’s book Privacy in Design: A Practical Guide to Corporate Compliance, available on Amazon.


Categories: Privacy

Best-Practice Data Transfers for Canadian Companies – Part II


A three-part series from KI Design: Part I: Data Outsourcing, Part III: Preparing for Data Transfer – Clauses for Vendor Contracts

When personal information (PI) is moved across federal or provincial boundaries in the course of commercial activity, it’s considered a cross-border data transfer.

Transferring data brings risk. As well as increasing the dangers of unauthorized access and use, it raises legal complications: the data will become subject to the laws of the country to which it’s being transferred. Your company will need to take legal advice to make sure you’re aware of what laws are applicable, and what that may mean in terms of compliance.

Remember: Once the data is transferred, your organization will continue to have the same legal obligations to data subjects. Even when the PI is in a different jurisdiction, privacy requirements laid down by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), such as obtaining a data subject’s consent for sharing their data, are still in play.

If your organization chooses to transfer PI to a company outside Canada, you’ll need to notify any affected individuals, ideally at the time of data collection. Depending on the type of information involved, these individuals may be customers or employees. The notice must make it clear to the data subject that their personal information may be processed by a foreign company, and thus become subject to foreign laws. Data subjects should be advised that foreign legislation (such as the USA PATRIOT Act) might grant that country’s courts, law enforcement, or national security authorities the power to access their PI without their knowledge or consent.

Once an individual has consented to the terms and purposes of data collection, they don’t then have the right to refuse to have their information transferred, as long as the transfer is in accordance with the original intended purpose of collection.

Legal Requirements: Data Outsourcing across Jurisdictions

CANADA: PIPEDA regulates all personal data that flows across national borders in the course of private sector commercial transactions, regardless of other applicable provincial privacy laws.[i]

Outsourcing personal data processing activities is allowed under PIPEDA, but all reasonable steps must be taken to protect the data while it is abroad.

Because of the high standards PIPEDA sets for protecting Canadians’ personal information, the privacy risks of sharing data with non-EU-based foreign companies are greater than if your company were sharing data with a Canadian organization.

When personal information is transferred internationally, it also becomes subject to the laws of the new jurisdiction. These cannot be bypassed by contractual terms asserting protection from data surveillance. Foreign jurisdiction laws cannot be overridden.

US privacy law is constantly evolving, through a series of individual cases and a patchwork of federal and state laws. This piecemeal approach to privacy regulation makes it challenging to evaluate privacy compliance.

For Canadian organizations using US-based data processing services, the differences between Canadian and US privacy models raise valid concerns about enforcement. Canadians do not have access to Federal Trade Commission complaint processes (unless a US consumer law has been broken). Despite signing contracts that include privacy provisions, Canadian organizations rarely have the resources to pursue litigation against major US Internet companies. In practical terms, this means that US companies may not be legally accountable to Canadian clients.

Recent US data surveillance laws make Canadian PI held by US companies even more vulnerable. Several provinces have passed legislation prohibiting public bodies, such as healthcare and educational institutions, from storing personal information outside Canada. Alberta’s Personal Information Protection Act creates statutory requirements regarding private sector outsourcing of data. The Act requires that organizations transferring PI across Canadian borders for processing (rather than a simple transfer of PI) must have given affected individuals prior notice of the transfer, as well as the opportunity to contact an informed company representative with any questions. It also imposes a mandatory data breach reporting obligation. BC’s Personal Information Protection Act contains similar requirements. Quebec’s stricter private-sector privacy law restricts the transfer of data outside the province.[ii]

“Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.” 

– Office of the Privacy Commissioner

Sector-specific Canadian operations may face additional legal requirements. Outsourcing the processing of health information will be regulated by the various provincial health information laws, for example. While the Ontario Personal Health Information Protection Act doesn’t limit cross-border PI transfers, it does prohibit the disclosure of PI to persons outside Ontario without the consent of affected individuals.


UNITED STATES: The USA PATRIOT Act declares that all information collected by US companies or stored in the US is subject to US government surveillance. Foreign data subjects have little recourse to protect the privacy of their personal information held by US multinational corporations, which include most cloud computing service providers.


EUROPE: The European approach to data sharing across jurisdictions is based on territory: foreign companies must comply with the laws of the countries in which their customers reside.


The EU’s General Data Protection Regulation (GDPR) generally prohibits the transfer of personal information to recipients outside the EU unless:

For foreign companies to operate in Europe, national regulators in each jurisdiction within the EU will have to assess the legal compliance of company codes of conduct. These will have to contain satisfactory Privacy Principles (e.g., transparency, data quality, security) and effective implementation tools (e.g., auditing, training, complaints management), and demonstrate that they are binding. Codes of conduct must apply to all parties involved in the business of the data controller or the data processor, including employees, and all parties must ensure compliance. (For instance, under the GDPR, cloud computing service providers will almost certainly have to locate servers outside the US to protect data from American surveillance privacy violations.)

Canada is currently deemed an “adequate” jurisdiction by the EU because of the privacy protections provided by PIPEDA (although be aware that adequacy decisions are reviewed every four years, and so that may change). Your company will still need to make sure that data transfer protocols follow the GDPR’s requirements, which are stricter than those mandated by PIPEDA. Consent is something you’ll need to pay particular attention to. The GDPR does not allow an opt-out option; consent to data processing must be informed and specific.

Given the scale of financial penalties under the GDPR, it’s best to consult legal counsel to ensure that you have dotted your i’s and crossed your t’s.

Regulating Data Sharing between Organizations: A Cross-border Analysis

EU and North American laws around data sharing reflect very different understandings of responsibility for protecting privacy. At first glance, US and Canadian laws mandate that personal data shared with a third party be bound by a policy, the provisions of which ought to be equally or more stringent than the terms to which data subjects agreed when they initially released their personal information. However, these North American privacy laws only hold accountable the primary service provider that first collected the data; privacy breaches by data recipients are considered to be violations of contractual obligations, but not violations of privacy rights.

The European Union’s General Data Protection Regulation, in contrast, adopts a shared responsibility model for data sharing; both service providers (in this context, data collectors) and subcontractors (data processors or other third-party vendors) are responsible for enforcing privacy provisions. Data collectors are not permitted to share personal data with a third party unless it is possible to guarantee the enforcement of equal or stronger privacy provisions than those found in the original agreements with data subjects. This shared responsibility model reflects greater privacy maturity, by shifting from an exclusive focus on adequate policy and contracts to ensuring effective implementation through monitoring and governance of all data holders.

For further information on data transfers, and privacy compliance matters generally, see Waël Hassan’s book Privacy in Design: A Practical Guide to Corporate Compliance, available on Amazon.


[i] For further information, see Office of the Privacy Commissioner, “Businesses and Your Personal Information,” online at:

[ii] For further information, see George Waggott, Michael Reid, & Mitch Koczerginski, “Cloud Computing: Privacy and Other Risks,” McMillan LLP, December 2013, online at:

[iii] For further information, see the analysis by Dr. Detlev Gabel & Tim Hickman in Unlocking the EU General Data Protection Regulation: A Practical Handbook on the EU’s New Data Protection Law, Chapter 13, White & Case website, 22 Jul 2016, online at:

Categories: social

Should Laws Regulate Online Discourse?


Most Canadians woke up to news of the #RCMP #GRC launching a probe into hate speech by an Alt-Right group leader who is seeking national party status. The probe came after an Anti Hate group filed a report.

The news article was shared hundreds of times.

The RCMP probe is timely, because hate online is a virus that is attacking democratic society

While hate online is not new, fake news and hate online have the potential of impacting democracy.

At this moment, a dis-information article is one of the most shared. The post claims that more than 100K foreigners are registered to vote. That article has been shared more than 4 thousand times.

#fakenews article

Is dis-information online persistent?


The answer is that it does fluctuate; however, there is always a considerable amount of dis-information. The graph above shows the volume of content indicating that illegals or foreigners are voting in Canada.

The bad news: currently there is no legal mechanism to address this kind of discourse.

What do you think?

Tell us your opinion – here or through a twitter poll.

Categories: social

Canada’s Digital Charter

Following the G7 meeting in Paris last week, the government of Canada announced its first ever Digital Charter. Minister of Innovation, Science and Economic Development, @NavdeepSBains unveiled the 10 principles meant to govern digital communications.

During the G7, world leaders and heads of global technology companies pledged at a Paris summit to tackle terrorist and extremist violence online in what they described as an “unprecedented agreement”.

Known as the Christchurch Call, it was organised by New Zealand’s prime minister, Jacinda Ardern, the French president, Emmanuel Macron, and Justin Trudeau in response to the attack on the Christchurch mosque on 15 March in which 51 people were killed.

The 10 principles of the Charter

1. Universal Access:

All Canadians will have equal opportunity to participate in the digital world and the necessary tools to do so, including access, connectivity, literacy and skills.

2. Safety and Security:

Canadians will be able to rely on the integrity, authenticity and security of the services they use and should feel safe online.

3. Control and Consent:

Canadians will have control over what data they are sharing, who is using their personal data and for what purposes, and know that their privacy is protected.

4. Transparency, Portability and Interoperability:

Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden.

5. Open and Modern Digital Government:

Canadians will be able to access modern digital services from the Government of Canada, which are secure and simple to use.

6. A Level Playing Field:

The Government of Canada will ensure fair competition in the online marketplace to facilitate the growth of Canadian businesses and affirm Canada’s leadership on digital and data innovation, while protecting Canadian consumers from market abuses.

7. Data and Digital for Good:

The Government of Canada will ensure the ethical use of data to create value, promote openness and improve the lives of people—at home and around the world.

8. Strong Democracy:

The Government of Canada will defend freedom of expression and protect against online threats and disinformation designed to undermine the integrity of elections and democratic institutions.

9. Free from Hate and Violent Extremism:

Canadians can expect that digital platforms will not foster or disseminate hate, violent extremism or criminal content.

10. Strong Enforcement and Real Accountability:

There will be clear, meaningful penalties for violations of the laws and regulations that support these principles.

KI Design is a leader in dis-information and mis-information discovery, identification, and reporting. Follow @drwhassan or visit

Categories: Privacy

Open Media: What do you think Lithuania, Estonia, Malta, and the Netherlands have in common?

Defend Border Privacy

This post is simply broadcasting Open Media’s message.

What do you think Lithuania, Estonia, Malta, and the Netherlands have in common?

What if I told you they’re in a list of countries whose citizens’ private data receive greater legal protection from the U.S. than Canadians’ data does? 1

We share a lot with our neighbours to the south: we’re the U.S.’s second biggest trading partner, and we share the world’s longest international border. We also share data – lots of it.

Everything from your financial status, to your medical history, your sexual orientation, and even your religious and political beliefs — information that can reveal all these things is frequently shared with the U.S. by our own government.

But one thing we don’t have is any serious legal protection for our private, personal data.

Right now, I’m asking you to take action to put an end to this. Stand up and demand that our own government fight for our privacy and security!

Here’s how I know this is going to work.

Just last month, in the wake of an Executive Order from President Trump removing Privacy Act protections from foreigners, we sent an urgent letter of concern to the Office of the Privacy Commissioner.

Not only did he reply to say he shared our concerns that there is “a significant gap in protection of Canadians’ personal information south of the border,” he also wrote directly to three key ministers, calling on them to ask their U.S. counterparts to add Canada to a list of countries that are given significant additional protections under the U.S. Privacy Act.2

Now we need to move urgently to add crucial pressure. Our actions are clearly working, but if we don’t follow through this victory could slip through our fingers.

Add your name to the letter to these key ministers, and show them that there is huge public support behind this call.

The stakes are huge: right now, there are simply zero protections for our personal, sensitive information when it is shared with the U.S.

Canadians have had their personal or professional lives ruined due to information disclosures, despite never having broken the law. Some have faced career limitations, while others have had to deal with travel restrictions.3

And refugees, Muslims, and other vulnerable minorities are more at risk now than ever before.4 These concerns are compounded by the Trump administration’s openness to returning to torture policies.5 It means we could see many more cases like that of Maher Arar.

So please, take a minute to add your voice to this urgent call and help get these vital protections for our most personal information.

Thanks for everything that you do.

Victoria with OpenMedia

P.S. We need sustained pressure alongside long-term campaigning to get desperately-needed privacy protections like these made into law. Another great way to support this work is by making a small monthly contribution. Thanks again!


  1. Judicial redress act of 2015: The United States Department of Justice
  2. Commissioner’s letter to the ministers of Justice, Public Safety and Defence calling for greater protection of Canadians’ privacy rights in the U.S.: Office of the Privacy Commissioner of Canada
  3. ‘No judgment, no discretion’: Police records that ruin innocent lives: The Star
  4. Trump threatens to publicly release private data of immigrants and foreign visitors, ACLU responds: Boingboing
  5. Can Trump Bring Back Torture?: The Atlantic

We are an award-winning network of people and organizations working to safeguard the possibilities of the open Internet. We work toward informed and participatory digital policy.

You can follow us on Twitter, and like us on Facebook.

Categories: Privacy

Cyber Review Consultations Report

“The digital economy increasingly shapes and drives the broader economy. For Canadians to prosper and be confident digital innovators, they need to know that the networks that enable their efforts and safeguard their assets and information are secure. I am committed to making Canada a global centre for innovation – one that creates jobs, drives growth across all industries and improves the lives of Canadians. That’s why I am pleased to support Public Safety Canada in this important cyber security consultation.”- The Honourable Navdeep Bains, Minister of Innovation, Science and Economic Development

The number, complexity, and severity of cyber-attacks on companies and individuals in Canada are each on the rise.

On January 17, 2017, Public Safety Canada posted a report on the views of Canadians on the Canadian cyber security environment. The report was based on the findings of 2095 submissions that contained 2,399 responses to individual questions across four main topics, as follows:

The results established that cyber security in Canada is an extremely multifaceted issue with multiple challenges and a rising range of opportunities. Throughout the consultation, three ideas were consistently raised as being important and relevant to cyber security in Canada: privacy, collaboration, and using skilled cyber security personnel.

The report concluded that it is the shared responsibility of governments, the private sector, law enforcement and the public, to address these challenges and seize new opportunities.

This is part of the Government’s commitment to keep Canadians safe in cyberspace and position Canada as an innovative leader in cyber security. This report is just one example of how the Canadian government is striving to take full advantage of the digital economy, while protecting the safety and security of all Canadians.

Quick Facts


Categories: eHealth

When Apps Claim HIPAA Compliance

Do health applications advertised as “HIPAA-compliant” offer some legal assurance?

Often, the answer is no. HIPAA does not apply to technological applications as such. Rather, it governs personal health information managed by covered entities such as hospitals, physicians, pharmacies, and health insurance companies. Health applications managed by covered entities are subject to HIPAA rules. Consumer health applications managed by private businesses or independent developers are not.

What developers of consumer health applications likely mean, when they advertise themselves as “HIPAA-compliant,” is that their solution aligns with HIPAA standards, and that they are willing to sign Business Associate Agreements (BAA) with healthcare organizations. A BAA makes a service provider to a healthcare organization directly liable under HIPAA rules. Canadian healthcare organizations can obtain some legal protection by signing a BAA with a U.S.-based information service provider.

HIPAA definitely does not apply to consumer health applications, such as mobile apps and wearable devices that collect health information for an individual’s use (e.g., monitoring one’s exercise habits or diet), but do not share this information with a healthcare provider. Healthcare providers who wish to recommend these applications to patients should be aware that Canadians have few legal avenues to enforce their privacy rights with respect to consumer applications.

Legal Obligations for Energy Boards

In this guide you will explore:

  1. Obligations of Energy Boards
  2. FTC and Fair Information principle requirements
  3. Smart Grid Data Protection Requirements
  4. Employee Privacy in the Energy Space
  5. Federal and state law requirements

In recent years, news of massive data breaches has become almost commonplace. We are witnessing an unprecedented increase in cyberattacks, with energy utilities and the smart grid in particular under threat.
For directors and their boards, compliance is a vital aspect of governance. Utility boards and management focus attention on NERC’s Critical Infrastructure Protection Reliability Standard. Traditionally, “security” meant securing the energy management system (EMS). With the recent regulations, it also means securing personal data.

Categories: Privacy

A Proposal for Privacy Innovation in Canadian Law Technology and Corporate Culture


Many believe that privacy as we know it is at a crossroads. Can data protection flourish in this brave new world of technological change, or will it decay? Economic, legal, technical, and corporate innovation will all be crucial in helping to direct the future of data protection in Canada.  The OPC’s consultation paper is on point and rather needed as privacy laws have become dated. This proposal will address the four questions put to stakeholders:

1. What roles, responsibilities and authorities should the parties responsible for promoting the development and adoption of solutions have to produce the most effective system?

We will begin by proposing new relationships between government, technology entrepreneurs, and corporate and business leaders to strengthen and enhance privacy in Canada. Privacy-focused strategic alliances between government, major corporations, and innovation agencies can offer significant benefits to their various stakeholders, resulting in economic growth, improved legal compliance, and stronger privacy protections for individuals.

2. What, if any, legislative changes are required?

The EU’s pending data protection legislation contains many elements that Canada should consider adopting, including a horizontal legal approach, mutual responsibility for data, national regulation of multinational corporations, strong compliance validation mechanisms, breach notification requirements, financial penalties, and individual and collective options for recourse.

3. Of the solutions identified in the discussion paper, which ones have the most merit and why?

Emerging technologies have great potential to support privacy and individual control over personal data. Risk-based de-identification can be used effectively to protect privacy in big data contexts. Data “tagging” can support the management of privacy preferences across services, and in future could allow individuals to maintain control over personal content shared online.

Additional enforcement powers for the OPC are another key solution. The European Union offers an example of a strong governance and enforcement model that can effectively motivate corporate compliance with privacy laws.

4. What solutions have we not identified that would be helpful in addressing consent challenges and why?

Apart from the question of individual consent, a public conversation is needed about the ethical use of big data, even in anonymized form. The OPC can act to create more dynamic and accessible forums for individuals to express their concerns and complaints about how their data is used by corporations and other entities.

Waël Hassan, PhD

Wael {at} KIDesign {dot} io

For more content please see