PREPARING FOR DATA TRANSFER – CLAUSES FOR VENDOR CONTRACTS
A three-part series from KI Design:
Part I: Data Outsourcing
Part II: Cross-border Data Transfers
The following guidelines are best-practice recommendations for ensuring that transferred data is processed in compliance with standard regulatory privacy laws.
While a contract creates legal obligations for a Vendor, your company must still take proactive measures to oversee data protection, as it retains legal responsibility for transferred data. So where the Vendor is providing services that involve data transfer, include the following clauses in your contract:
Privacy and Security Standards
- The Vendor confirms that it will manage the data through the data lifecycle according to the privacy standards followed by [your company]. The Vendor will provide documentation to confirm that these standards are being followed.
- The Vendor will demonstrate that it has audited, high-level technical and organizational security practices in place.
- The Vendor will ensure that all data to be transferred is encrypted or de-identified as needed.
- If the Vendor will be using another downstream data processor to fulfill part of the contract, the Vendor will inform [your company] of this, and will implement with that third party a contract containing data protection measures equal to those in the contract between [your company] and the Vendor.
Integrity of Data
- The Vendor will ensure that all data to be transferred is within the limits of the original intended purpose of data collection.
- The Vendor will ensure that all data to be transferred is accurate, current, and complete. Data will be updated or deleted as needed, and confirmation will be provided that this has occurred.
Data Breaches
- The Vendor confirms that it has insurance that will cover a data breach.
- The Vendor confirms that it will notify [your company] immediately in the event of a data breach.
Data Ownership
- Ownership of data assets transferred to the Vendor remains with [your company].
Auditing
- The Vendor agrees to ongoing monitoring of the data transfer process by [your company], and will provide any data that [your company] requests for auditing purposes.
OTHER THINGS TO CONSIDER
Have you:
- Ensured that your Vendor has a high level of technical expertise?
- Familiarized yourself with all relevant legislation, both in your home jurisdiction and the jurisdiction into which the data will be transferred?
- Done a risk analysis of the data transfer, so that you are aware of potential security risks?
- Done a data breach impact assessment, so that you’re aware of any areas of potential risk, and have planned out how your organization would respond to a breach?
- Ensured that your contract spells out the precise responsibilities of each party regarding data security through the different stages of the data life cycle?
- Confirmed with your Vendor that the Vendor’s own legal requirements under the GDPR will not be compromised by any part of the contract?
- If the data will be crossing jurisdictional boundaries, have you notified data subjects that their personal information is being transferred, and why? Have you tagged the data with its country of origin and the data subject’s “opt in/opt out” preferences?
Focusing on data protection issues from the procurement process onward will diminish data breach and other security risks. Create a Request For Proposals template that ensures security elements are included in the evaluation process, and audit and monitor outsourcing operating environments for early detection of any suspicious activity. Limit data transfers across company, provincial, or national borders, and avoid any unintended cross-border data transfers.
REMEMBER: Your company is still legally responsible for transferred data
A three-part series from KI Design:
For further information on data transfers, and privacy compliance matters generally, see Waël Hassan’s book Privacy in Design: A Practical Guide to Corporate Compliance, available on Amazon.
CROSS-BORDER DATA TRANSFERS
A three-part series from KI Design: Part I: Data Outsourcing , Part III: Preparing for Data Transfer – Clauses for Vendor Contracts
When personal information (PI) is moved across federal or provincial boundaries in the course of commercial activity, it’s considered a cross-border data transfer.
Transferring data brings risk. As well as increasing the dangers of unauthorized access and use, it raises legal complications: the data will become subject to the laws of the country to which it’s being transferred. Your company will need to take legal advice to make sure you’re aware of what laws are applicable, and what that may mean in terms of compliance.
Remember: Once the data is transferred, your organization will continue to have the same legal obligations to data subjects. Even when the PI is in a different jurisdiction, privacy requirements laid down by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), such as obtaining a data subject’s consent for sharing their data, are still in play.
If your organization chooses to transfer PI to a company outside Canada, you’ll need to notify any affected individuals, ideally at the time of data collection. Depending on the type of information involved, these individuals may be customers or employees. The notice must make it clear to the data subject that their personal information may be processed by a foreign company, and thus become subject to foreign laws. Data subjects should be advised that foreign legislation (such as the USA PATRIOT Act) might grant that country’s courts, law enforcement, or national security authorities the power to access their PI without their knowledge or consent.
Once an individual has consented to the terms and purposes of data collection, they don’t then have the right to refuse to have their information transferred, as long as the transfer is in accordance with the original intended purpose of collection.
Legal Requirements: Data Outsourcing across Jurisdictions
CANADA: PIPEDA regulates all personal data that flows across national borders in the course of private sector commercial transactions, regardless of other applicable provincial privacy laws.[i]
Outsourcing personal data processing activities is allowed under PIPEDA, but all reasonable steps must be taken to protect the data while it is abroad.
Because of the high standards PIPEDA sets for protecting Canadians’ personal information, the privacy risks of sharing data with non-EU-based foreign companies are greater than if your company were sharing data with a Canadian organization.
When personal information is transferred internationally, it also becomes subject to the laws of the new jurisdiction. These cannot be bypassed by contractual terms asserting protection from data surveillance. Foreign jurisdiction laws cannot be overridden.
US privacy law is constantly evolving, through a series of individual cases and a patchwork of federal and state laws. This piecemeal approach to privacy regulation makes it challenging to evaluate privacy compliance.
For Canadian organizations using US-based data processing services, the differences between Canadian and US privacy models raise valid concerns about enforcement. Canadians do not have access to Federal Trade Commission complaint processes (unless a US consumer law has been broken). Despite signing contracts that include privacy provisions, Canadian organizations rarely have the resources to pursue litigation against major US Internet companies. In practical terms, this means that US companies may not be legally accountable to Canadian clients.
Recent US data surveillance laws make Canadian PI held by US companies even more vulnerable. Several provinces have passed legislation prohibiting public bodies, such as healthcare and educational institutions, from storing personal information outside Canada. Alberta’s Personal Information Protection Act creates statutory requirements regarding private sector outsourcing of data. The Act requires that organizations transferring PI across Canadian borders for processing (rather than a simple transfer of PI) must have given affected individuals prior notice of the transfer, as well as the opportunity to contact an informed company representative with any questions. It also imposes a mandatory data breach reporting obligation. BC’s Personal Information Protection Act contains similar requirements. Quebec’s stricter private-sector privacy law restricts the transfer of data outside the province.[ii]
“Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.”
– Office of the Privacy Commissioner
Sector-specific Canadian operations may face additional legal requirements. Outsourcing the processing of health information will be regulated by the various provincial health information laws, for example. While the Ontario Personal Health Information Protection Act doesn’t limit cross-border PI transfers, it does prohibit the disclosure of PI to persons outside Ontario without the consent of affected individuals.
UNITED STATES: The USA PATRIOT Act declares that all information collected by US companies or stored in the US is subject to US government surveillance. Foreign data subjects have little recourse to protect the privacy of their personal information held by US multinational corporations, which include most cloud computing service providers.
EUROPE: The European approach to data sharing across jurisdictions is based on territory: foreign companies must comply with the laws of the countries in which their customers reside.
The EU’s General Data Protection Regulation (GDPR) generally prohibits the transfer of personal information to recipients outside the EU unless:
- the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection;
- the data exporter puts in place appropriate safeguards; or
- a derogation or exemption applies.[iii]
For foreign companies to operate in Europe, national regulators in each jurisdiction within the EU will have to assess the legal compliance of company codes of conduct. These will have to contain satisfactory Privacy Principles (e.g., transparency, data quality, security) and effective implementation tools (e.g., auditing, training, complaints management), and demonstrate that they are binding. Codes of conduct must apply to all parties involved in the business of the data controller or the data processor, including employees, and all parties must ensure compliance. (For instance, under the GDPR, cloud computing service providers will almost certainly have to locate servers outside the US to protect data from American surveillance privacy violations.)
Canada is currently deemed an “adequate” jurisdiction by the EU because of the privacy protections provided by PIPEDA (although be aware that adequacy decisions are reviewed every four years, and so that may change). Your company will still need to make sure that data transfer protocols follow the GDPR’s requirements, which are stricter than those mandated by PIPEDA. Consent is something you’ll need to pay particular attention to. The GDPR does not allow an opt-out option; consent to data processing must be informed and specific.
Given the scale of financial penalties under the GDPR, it’s best to consult legal counsel to ensure that you have dotted your i’s and crossed your t’s.
Regulating Data Sharing between Organizations: A Cross-border Analysis
EU and North American laws around data sharing reflect very different understandings of responsibility for protecting privacy. At first glance, US and Canadian laws mandate that personal data shared with a third party be bound by a policy, the provisions of which ought to be equally or more stringent than the terms to which data subjects agreed when they initially released their personal information. However, these North American privacy laws only hold accountable the primary service provider that first collected the data; privacy breaches by data recipients are considered to be violations of contractual obligations, but not violations of privacy rights.
The European Union’s General Data Protection Regulation, in contrast, adopts a shared responsibility model for data sharing; both service providers (in this context, data collectors) and subcontractors (data processors or other third-party vendors) are responsible for enforcing privacy provisions. Data collectors are not permitted to share personal data with a third party unless it is possible to guarantee the enforcement of equal or stronger privacy provisions than those found in the original agreements with data subjects. This shared responsibility model reflects greater privacy maturity, by shifting from an exclusive focus on adequate policy and contracts to ensuring effective implementation through monitoring and governance of all data holders.
For further information on data transfers, and privacy compliance matters generally, see Waël Hassan’s book Privacy in Design: A Practical Guide to Corporate Compliance, available on Amazon.
A three-part series from KI Design:
[i] For further information, see Office of the Privacy Commissioner, “Businesses and Your Personal Information,” online at: https://www.priv.gc.ca/en/privacy-topics/your-privacy-rights/businesses-and-your-personal-information/.
[ii] For further information, see George Waggott, Michael Reid, & Mitch Koczerginski, “Cloud Computing: Privacy and Other Risks,” McMillan LLP, December 2013, online at: https://mcmillan.ca/Files/166506_Cloud%20Computing.pdf.
[iii] For further information, see the analysis by Dr. Detlev Gabel & Tim Hickman in Unlocking the EU General Data Protection Regulation: A Practical Handbook on the EU’s New Data Protection Law, Chapter 13, White & Case website, 22 Jul 2016, online at: https://www.whitecase.com/publications/article/chapter-13-cross-border-data-transfers-unlocking-eu-general-data-protection.
DATA OUTSOURCING
In our digitally interconnected world, most organizations that handle personal information will transfer it to a third party at some stage of the data life cycle. Your company may send personal information (PI) to an external service provider such as PayPal to process customer payments – that’s a data transfer. Perhaps you hired a data disposal company to destroy data at the end of its life span – that’s a data transfer. Your company may outsource payroll – that means you’re transferring employee data. Any sharing or transmitting of data, electronic or hard copy, is considered a transfer.
But remember: all transfers of personal information must be compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA) and any relevant provincial and sector-specific privacy laws. So, be aware that the many business advantages of data outsourcing are offset by increased security risks, as we’ll see below. And when PI flows into another jurisdiction, the situation becomes more complex.
The key take-away is this:
When you transfer personal information, even if it passes into another jurisdiction, you retain accountability for its care.
A common type of data transfer is outsourcing: handing over aspects of the provision and management of data computing and storage to a third party. A cloud database managed by a third party is a common example of data outsourcing. Within a data outsourcing design, data sets are often stored together with an application – this connects to an external server, which can then assume data management.
There are many advantages to delegating a business process to an external service provider; these can include efficiency, lower labour costs, and enhanced quality and innovation. (Data processing is often outsourced offshore, to foreign businesses: this raises other issues, which are addressed in Part II: Cross-border Data Transfers.
However, data outsourcing brings its own challenges and security risks. Can you guarantee that your data processor will not misuse the data in its care? Can you ensure that access controls will be enforced, and policy updates supported, by your processor? Will the processor commit to as rigorous a Privacy Framework as your company has?
The greatest danger with data outsourcing is the risk of a security breach. According to Trustwave’s 2013 Global Security Report, in 63% of global data breach investigations, “a third party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers.”[i] Patrick Thibodeau, senior editor of Computerworld, stresses that companies utilizing the advantages of data outsourcing “need to go through an exhaustive due-diligence process and examine every possible contingency.”[ii]
Encrypting the data to be outsourced can prevent both outside attacks and inappropriate access from the server itself. It’s also helpful to combine authorization policies with encryption methods, so that access control requirements are bundled together with the data.
Before transferring data, think carefully: is the personal information component actually needed? If you can ensure that the data is (irreversibly) anonymized, and keep careful records of having done so, the personal information will disappear and data protection principles will no longer apply.
PIPEDA doesn’t prevent organizations from outsourcing the processing of data, but the Office of the Privacy Commissioner cautions that organizations outsourcing PI need to take “all reasonable steps to protect that information from unauthorized uses and disclosures while it is in the hands of the third-party processor.”[iii]
Legal Requirements
CANADA: Under PIPEDA, the “transfer” of data is considered a “use” by a company, as opposed to a “disclosure” – this is because the processing of information by a third party is still done for the purposes for which the PI was originally collected. “Processing” is interpreted as any use of the information by a third party for its intended purpose at the time of collection.
PIPEDA’s first Privacy Principle, Accountability, states:
“An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”
This statement has three key clauses; we’ll look at each in turn.
1) “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.” The onus of responsibility lies with your organization, even once information has been transferred to a third party; you cannot outsource legal liability. This means that you’ll need to know exactly what data protection safeguards your data processor has in place, and be able to monitor them during the transfer process.
2) An organization needs to ensure a “comparable level of protection while the information is being processed by a third party.” According to the Office of the Privacy Commissioner, this means that the third party must provide a level of data protection comparable to the protection that would have been in place had the data not been transferred.[iv] (The protection should be generally equivalent, but it doesn’t necessarily have to be exactly the same across the board.)
3) “The organization shall use contractual or other means” to comply with legal privacy requirements. There should be a written agreement in every instance where personal information is transferred to a third party. A contract cannot transfer responsibility, but it can describe necessary measures a data processor must take to optimally safeguard personal information, and clearly delineate the responsibilities of each party.
In an effort to protect PI and reduce risks, PIPEDA’s restrictions encourage organizations to minimize data transfers, and only to use them for reasonable purposes.
Quebec has passed legislation[v] that imposes strict rules on private-sector organizations using, transferring, or disclosing personal information outside Quebec, even if the PI is being transferred to another Canadian province. Under the law, data transfer or disclosure is prohibited unless it can be guaranteed that the PI will not be used or disclosed for other purposes than those for which it was transferred, or disclosed to third parties without consent.
UNITED STATES: While no federal law creates a general requirement for data owners regarding data protection during transfer, sectoral laws may do so: for example, the Health Insurance Portability and Accountability Act imposes strict regulations on covered entities seeking to disclose personal health information to a service provider. State laws may also impose security standards; for example, California requires organizations transferring data to third parties to contractually oblige those third parties to maintain reasonable security protocols.
EUROPE: Free transfer of personal data within member states is integral to the founding principles of the EU. As long as the data is transferred in compliance with the strict requirements of the General Data Protection Regulation, the Regulation does not restrict data flows within the European Union or European Economic Area.
For further information on data transfers, and privacy compliance matters generally, see Waël Hassan’s book Privacy in Design: A Practical Guide to Corporate Compliance, available on Amazon.
A three-part series from KI Design:
ENDNOTES
[i] Trustwave 2013 Global Security Report, p. 10, online at: https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/.
[ii] Patrick Thibodeau, “Offshore risks are numerous, say those who craft contracts,” Computerworld, 3 November 2003, p. 12, online at: https://www.computerworld.com/article/2573865/it-outsourcing/offshore-risks-are-numerous–say-those-who-craft-contracts.html.
[iii] For more information, see the OPC’s “Privacy and Outsourcing for Businesses” guidelines, online at: https://www.priv.gc.ca/en/privacy-topics/outsourcing/02_05_d_57_os_01/.
[iv] Office of the Privacy Commissioner, “Guidelines for Processing Personal Data Across Borders,” January 2009, online at: https://www.priv.gc.ca/en/privacy-topics/personal-information-transferred-across-borders/gl_dab_090127/.
[v] P-39.1 – Act respecting the protection of personal information in the private sector, online at:
http://www.legisquebec.gouv.qc.ca/en/showdoc/cs/P-39.1.
Infographic representing key issues concerning future of data broken by country.
Link to source https://waelhassan.com/wp-content/uploads/2019/01/Future-Value-of-Data-World-Map-Infographic-2018-002.pdf
The Honourable Navdeep Bains, P.C., M.P. extends his gratitude for report of the Standing Committee on Access to Information, Privacy and Ethics titled, Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. His response encompasses the following summary.
He shows his appreciation for the OPC and other witnesses that supported this study and states that the recommendations provide valuable guidance. The Government of Canada agrees that changes are required to ensure that the use of personal information in a commercial context has clear rules to support the expectations of Canadians.
A critical step was made with the announcement of new regulations under the PIPEDA on April 18, 2018, to assure Canadians that they will be informed about risks with the distribution of their personal information. The next step is to engage Canadians in conversations about data and digital issues on a national level.
Consent under the PIPEDA
The Government agrees that consent should remain a core element of the PIPEDA, as it provides individuals with control over how their personal information is shared. Maintaining a progressive view on consent additionally ensure that the internationally recognized standards align with those of Canada. However, there is work to be done to ensure that consent remains meaningful under the PIPEDA, as it can be enhanced in a variety of ways. Furthermore, the Government is committed to maintaining the principles-based approach to the PIPEDA, as it has been noted as a source of the Act’s strength.
In response to recent incident involving unintended uses of personal information from social media, the Government acknowledges the need to closely consider redefining “publicly available” information for the purpose of the PIPEDA. The amendments to the PIPEDA’s consent requirements resulted in consent only be considered valid if the individual can understand the consequences providing that consent. This was aimed to prohibit deceptive collection of a child’s personal information, however it presents unique challenges as it involves the definition of a minor, which is within provincial jurisdiction.
Online Reputation and Respect for Privacy
The Government acknowledges public concerns about the accumulation of personal information online and agrees that it poses a risk to privacy protection. Furthermore, the Government acknowledges the work by the OPC in this area and that there are legitimate concerns about the impacts of this position on other rights. Therefore, the OPC has called for further study to provide an appropriate balance between these competing rights.
Public commentary on the divergent views of these matters results in the need for providing further certainty on how the PIPEDA applied within various contexts is necessary to ensure a “level playing field”. The Government agrees that the appropriate destruction of information after it is no longer needed provides unintended future uses that can lead to harm on their reputation.
Enforcement Powers of the Privacy Commissioner
In agreeance with the Committee, the Government states that the time has come to closely examine how the PIPEDA’s enforcement model can be improved to ensure that the objectives are met of supporting innovation and growth of the digital economy, while providing robust protections for personal privacy. Similar recommendations were made by the Senate Standing Committee on Transport and Communications.
In order to determine an optimal model for compliance and enforcement, the Government must assess all options that can strengthen the compliance and enforcement regime of the Act. As part of this assessment, the Government must look at other models of compliance and enforcement to consider potential impacts on the mandate of the OPC, the principles of fundamental justice, and the countervailing risks with increased powers. Options for change must also be assessed, including those regarding consent.
Impact of the European Union (EU) General Data Protection Regulation (GDPR)
The Government supports the following: (1) Canada’s Adequacy Status (ref. recommendations 17-19) and acknowledges that data flows are a significant enabler in a growing digital economy. In discussion with trade partners, including the EU nations and institutions, the key is to work towards harmonization of different frameworks to ensure data protection is levels all jurisdictions. Officials are using a cross-government approach and working closely with the European Commission to understand the requirements for maintaining Canada’s adequacy standing under the EU GDPR.
The Committee’s study has made a significant contribution to this work by providing the government with recommendations to ensure effectiveness of the PIPDEA of international developments.
New Rights to Align with the GDPR
In recognition of the importance of interoperability of privacy regimes, in the GDPR the EU has added concept of “essential equivalence” to examine the adequacy of non-member regimes. Therefore, it is not clear that the PIPEDA’s requirements must reflect each of the GDPR’s right and protections in order to maintain its adequacy standing.
Moving forward, the Government will engage Canadians in a conversation on making Canada more data-savvy, focusing on how companies can use personal information to innovate and compete while protecting privacy. This is a value that Canadians hold dear.
Once again, thank you to the Committee on behalf of the Government for the careful examination of these important issues.
Privacy, Data Management, and Risk Mitigation
While no clear definition or requirements of a “smart city” exist, the general consensus is that it is an innovative development initiative that combines urban planning with creative digital infrastructure. Areas of focus often include reducing traffic congestion, improving sustainable energy use, and making public spaces more accessible and adaptable to its residents’ needs and desires. To achieve these goals, these initiatives incorporate innovative methods of data collection to improve service provision for local residents, however this innately sparks concerns surrounding consent, privacy, and data protection.
When Sidewalk Labs announced its interest in developing a 12-acre property along Toronto’s eastern waterfront to be North America’s most advanced smart city neighbourhood, many people were concerned about what kinds of data would be collected and how it would be used. Sidewalk Labs is a subsidiary of Alphabet Inc., the parent company of Google, so there is no doubt that this project could bring both incredible innovation as well as possible data exploitation or breaches. This said, the project developers have been vigilant in consulting with the community and releasing updated data privacy frameworks to calm tech-induced fears.
An exciting aspect of smart city development is the opportunity to build new collaborations between municipal and provincial governments, innovation hubs, entrepreneurs and their startups, research institutions, the leading educational institutions, and local residents. When combined, these various actors and organizations can collectively source the innovative ideas, design thinking, policy frameworks, and financial investment required to ensure that new ideas take hold.
Past and potential future efforts include:
- Partnerships with mobile apps that map out traffic congestion, motor vehicle accidents, and other on-road incidents (Toronto/Waze);
- Providing free Wi-Fi in public spaces to connect residents (Vancouver);
- Improving innovation procurement through research and entrepreneurial partnerships (Guelph/MaRSDD);
- Establishing a network of digital and physical engagement and innovation hubs targeted for youth (Ottawa); and,
- Building a technology-enabled “Circular Food Economy” (Guelph/Wellington County).
There are many approaches to planning and developing a smart city project, but all projects involve basic issues: privacy, data management, and risk mitigation.
Multi-Domain Privacy Impact Assessments
The combination of information sharing initiatives and innovative approaches to service delivery, such as smart city projects, has led to a growing need for multi-institutional and multi-jurisdictional PIAs. Guidelines from the Office of the Privacy Commissioner recommend that such PIAs include a clear business case for information sharing, a common communications strategy to inform the public of information sharing, and a set of expected privacy practices shared by all institutions participating in the data sharing initiative.
Our unique approach builds on these basic requirements to define a clear, seven-step process that we use both to guide our clients as they develop privacy policy prior to developing a smart city project, and to conduct PIAs after a smart city project has been completed.
1. Purpose: We begin by defining the reasons for which smart city projects collect, use, retain and disclose personal information.
2. Custodianship: A key next step to ensuring private information is protected is to adopt a custodianship model. In the context of a smart city initiative, a custodian will be designated to review and revise policies, processes, and procedures to ensure any sensitive information is shared securely.
3. Liability: In order to establish liability, we help to define the roles, responsibilities, and accountabilities of smart city project participants. We define different participants’ right and ability to manage (collect, retain, disclose, and correct) personal information.
4. Data Management: We define policies for management of data quality, records management, assurance of accuracy, retention and archiving, and secondary use of data.
5. Controls: We define policies for the application of legislative requirements, including management of information safeguards, compliance auditing, identity validation and management, implementation of consent rules, breach management, and proactive and reactive monitoring of technology assets. Controls also include frameworks such as provider agreements, resident disclaimers, and mandatory and discretionary requirements that define the roles of smart city participants.
6. Process: We apply privacy policy to workflows and interactions throughout service delivery processes, including service model, delivery model, management of consent, reporting procedures, incident management, and resident feedback mechanisms.
7. Adoption: In this final step we develop instruments for the implementation of privacy policy during the planning and ongoing development of the smart city project, such as provider agreements, resident disclaimers, mandatory and discretionary requirements, and system feedback.
Recommendations for Smart City Risk Mitigation
Given the opportunities and challenges associated with developing a function and advanced smart city project, we recommend planners and project managers consider the following six areas of risk and mitigation.
- Role of AI: Artificial intelligence is still very much uncharted territory, meaning there are abundant opportunities for leading edge technological development, but there is also a policy void. Governments, software developers, and researchers will need to collaborate and actively engage with each other’s sectors to gain a better understanding of their goals, practices, and needs to will help foster secure but innovative development.
2. Handling Personal Information: The policies and practices that guide how personal information collected by smart city initiatives are fundamental for maintaining the trust of community members and ensuring the initiatives do not violate privacy laws. The data that the new smart technologies collect and analyze come from many sources including sensors and cameras. These technologies may be able to interact with people or their personal devices without any positive action required by the individual (i.e. consent) or an opportunity to out.
The vast amounts of data that can be collected could lead to negative practices (or suspicions of such practices) such as surveillance, profiling, or using personal information for difference purposes than originally stated, either without consent or without public input. This practices are to be avoided wherever possible, and so whatever body is responsible for smart city data management must be vigilant in data-minimization practices by only collecting, using, or disclosing personal information where it is necessary for the initiative’s outcomes and there are no other alternatives. Lastly, smart city operations should have meaningful consent agreements where required by law and/or opt-out opportunities to ensure participants are able to make informed decisions.
3. Privacy Governance and Oversight: Technology has thus far kept a faster pace than the policy regulating it. Smart city initiatives must be supported by updated data governance and privacy management policies. These policies should address a wide range of privacy and security requirements, including: appoint a privacy lead; monitoring and auditing for regulatory and legal compliance; responding to and maintaining transparency during breaches; and contractual protections and accountability frameworks for all the diverse actors and organizations involved in the initiative. This last requirement is particularly important for encouraging strong partnerships as it helps mitigate the risks of entering into the collaboration at the starting point.
4. Transparency and Public Notice: For smart city projects to be most successful, a thorough level of community engagement will be required to not only collect and make use of residents’ experiences and ideas, but to also maintain proper feedback channels and project transparency. Project goals and practices should be transparent and made easily understandable so that community members will understand how they might be affected.
5. Privacy Impact Assessments: Collaborating partners responsible for the security of smart city data must conduct privacy impact and threat risk assessments to ensure privacy and security risks are identified and adequately addressed in the design and implementation of new technologies and programs.
6. Safeguarding Data: Any smart city endeavours that make use of data collection must include appropriate measures to secure all personal information. Given the diverse formats of implemented technology in the smart cities context, it is especially difficult to establish effective safeguards. Generally speaking, more points of data collection, processing, and access also mean more points of vulnerability and therefore greater risks of a security breach. To mitigate this serious risk, smart city data systems must de-identify personal information at the earliest stage in the collection process as possible and reduce the risk of re-identification that is inherent with connected devices. Lastly, smart cities should only retain, use, and disclose de-identified information, particularly in an aggregated format when possible.
Smart cities offer an incredible opportunity for exercising creative design thinking and harnessing the entrepreneurial spirit. However, government policy must be in line with the best interests of the public, particularly those who will be directly impacted by the programs and new technologies introduced by these innovative initiatives. Two-way, open and transparent discussions and partnerships between the innovative research and design sectors and the government and affected communities will be required to ensure smart cities are designed and implemented in a way that advances technology and urban planning while improving the lives and experiences within the communities. It is clear that following privacy and security best practices are absolute paramount for the success of these initiatives.
To Learn more about smart cities follow @drwhassan
Two arguments that can’t be more dangerous, People don’t care about Privacy, Get all the data you can
Well that’s a good question, everyone is asking today what happened with the elections. Thinking that all that we knew and heard from media outlets was wrong. Big Data is subject to a few simple rules which often get ignored.
- Subjects (People) involved ought to be connected, i.e. they are feeding data into the machine.
- Subjects are willing to express their opinions. Without express consent of the individual, its questionable to correlate behavioral data, such as someone clicking on an article in favor of a Candidate to rule out that they vote for them
- Interpretation ought to be accurate. All big data offers is a set of data points. Interpretation cannot be wishful thinking.
When the next election or event comes along, there is one thing to remember.
Big Data has a human side, do not forget it.
Source: https://kidesignmagazine.com/can-big-data-wrong-election-post-mortem/
About Waël Hassan:
Dr. Waël Hassan is the founder of KI Design – his full bio is available at
About
This is an event announcement. Register Here
On January 28, 2016, Canada, along with many countries, will celebrate Data Privacy Day. Recognized by privacy professionals, corporations, government officials, academics and students around the world, Data Privacy Day highlights the impact that technology is having on our privacy rights and underlines the importance of valuing and protecting personal information.
MaRS Discovery District and Privacy Horizon have teamed up to offer this special program for entrepreneurs and startup companies. Learn what you need to know to turn privacy into a competitive advantage.
Agenda
1:30 – 2:00 p.m. – Registration
2:00 – 2:30 p.m. – Welcome and introduction to privacy: Brendan Seaton (Privacy Horizon Inc.)
2:30 – 3:00 p.m. – Privacy and the law: Stephen Whitney (Norton Rose Fulbright)
3:00 – 3:30 p.m. – Gap assessment workshop (bring your laptop, tablet or smartphone): Brendan Seaton (Privacy Horizon Inc.)
3:30 – 4:30 p.m. – Panel discussion: Who cares? Your customers, your investors and your regulators: Mark Kohler, CPA, CA, ICD.D (Exelerate Capital), Wael Hassan (KI Design), Vance Lockton (Office of the Privacy Commissioner of Canada)
4:30 – 5:00 p.m. – Startup’s guide to privacy: Patrick Lo, CIPP/C, CISSP (eHealth Ontario)
5:00 p.m. – Closing remarks: Brendan Seaton (Privacy Horizon Inc.)
Who should attend?
This program will be of interest to any startup that is developing innovative solutions that involve the collection, use, disclosure or retention of personal information. This session is relevant to:
- Entrepreneurs
- Developers (those working with mobile apps, the Internet of Things, or the cloud)
- Customer experience personnel
- Sales and marketing specialists
- Board directors
- Investors
What will you learn?
- Fundamentals of privacy and Privacy by Design
- Key areas of the related legal landscape, including legislation, regulatory sanctions, class action lawsuits, agreements and contracts
- Privacy expectations of customers, regulators and investors
- Tools and resources to help you build privacy into your products and services
Speakers
Brendan Seaton, Founder, Privacy Horizon
Brendan Seaton is one of Canada’s leading experts in the management of e-health privacy, security and safety. He is the founder of Privacy Horizon, a company dedicated to providing privacy education, tools and resources for Canadian healthcare organizations and companies. Brendan has more than 30 years of experience in health service administration, information system project management, and information privacy and security in both the public and private sectors.
Since 2000, Brendan has trained more than 1,000 privacy officers and specialists from across Canada. In 2013, he was designated as a Privacy by Design ambassador by former Information and Privacy Commissioner for Ontario, Dr. Ann Cavoukian.
Brendan has a passion for privacy and healthcare. He has dedicated his life to ensuring that Canadians can have both.
Stephen Whitney, Of Counsel, Norton Rose Fulbright
Stephen Whitney has significant international expertise in complex technology transactions. He works with companies of all sizes, from startups to international corporations, drafting templates and negotiating agreements. He regularly advises on privacy and data protection, export controls, lawful access, product and service legal and regulatory compliance, content regulation, and legal policy and regulatory compliance.
Stephen worked previously at BlackBerry, where he oversaw the devices and emerging solutions team and the global regulatory team. During this tenure, he helped the company enter and grow their business in Europe, Asia Pacific, the Middle East and the Caribbean. In doing so, he gained deep mobile and technology sector expertise as well as an understanding of how legal, cultural, political and business issues can intersect to create challenging problems that require creative and practical solutions. Stephen has completed innovative deals with a wide range of technology companies in Canada, the US and other countries around the world.
Mark Kohler, Chairman & CEO, EXELERATE Capital
Mark Kohler is Chairman and CEO of EXELERATE Capital, a private advisory group that provides services in strategy, mergers and acquisitions, and governance/risk/compliance (GRC) to healthcare technology organizations and private equity funds in Canada, New York and California. Mark leads the group’s growth capital investing activities at EXELERATE Health. He has over 28 years of senior executive and operational experience leading public and private organizations in North America and has also served as a chairman, corporate director and advisory board member for some of Canada’s leading healthcare technology and financial services companies.
Mark has a BComm from Queen’s University, and a Certified Corporate Director (ICD.D) designation from Rotman School of Management (University of Toronto). He is also a Chartered Professional Accountant, and a member of the Healthcare Information Management Systems Society (HIMSS), and Canada’s Health Informatics Association (COACH).
Waël Hassan, CEO, KI Design LLC
Waël Hassan leads KI Design LLC. His work focuses on helping organizations to transform to maximize the benefit of new technologies, to understand privacy and compliance requirements and to implement portfolio management. He also helps executives take on the challenges of data analytics with their existing computing infrastructure. Twitter: @drwhassan
Vance Lockton, Senior Analyst, Stakeholder Relations, Office of the Privacy Commissioner of Canada
Vance Lockton is Senior Analyst, Stakeholder Relations in the Toronto office of the Office of the Privacy Commissioner of Canada (OPC). His primary role involves developing and maintaining strong relationships with private-sector stakeholders, with three primary end goals:
i. Encouraging proactive compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA)
ii. Advancing industry awareness of OPC findings, guidance and other materials
iii. Increasing the OPC’s knowledge of current industry practices, as well as the challenges faced by organizations and technology developers, as they relate to the collection, use and disclosure of personal information
Vance holds a BMath and an MSc in computer science, as well as an MPP in public policy.
Patrick Lo, Senior Program Director, Identity, Access and Privacy, eHealth Ontario
Patrick Lo has more than 20 years of experience in the field of information privacy. An expert in the development and implementation of privacy programs, he is also a Certified Information Systems Security Professional (CISSP) and a Certified Information Privacy Professional/Canada (CIPP/C).
As Senior Program Director for the Identity, Access and Privacy portfolio at eHealth Ontario, Patrick is accountable for strategy and planning, and the product management and adoption of the provincial client and provider registries within the healthcare sector. Previously, he led the privacy office at eHealth Ontario, and built the province’s first “eHealth Privacy Centre of Excellence”—establishing eHealth Ontario as a leader in the development and implementation of privacy best practices. Before joining eHealth Ontario, Patrick held executive positions in the private sector focused on the development and implementation of privacy and data protection programs across the Canadian healthcare sector.