In our digitally interconnected world, most organizations that handle personal information will transfer it to a third party at some stage of the data life cycle. Your company may send personal information (PI) to an external service provider such as PayPal to process customer payments – that’s a data transfer. Perhaps you hired a data disposal company to destroy data at the end of its life span – that’s a data transfer. Your company may outsource payroll – that means you’re transferring employee data. Any sharing or transmitting of data, electronic or hard copy, is considered a transfer.
But remember: all transfers of personal information must be compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA) and any relevant provincial and sector-specific privacy laws. So, be aware that the many business advantages of data outsourcing are offset by increased security risks, as we’ll see below. And when PI flows into another jurisdiction, the situation becomes more complex.
The key take-away is this:
When you transfer personal information, even if it passes into another jurisdiction, you retain accountability for its care.
A common type of data transfer is outsourcing: handing over aspects of the provision and management of data computing and storage to a third party. A cloud database managed by a third party is a common example of data outsourcing. In a typical outsourcing design, the data set is hosted together with an application on the provider’s servers, and the provider takes over day-to-day management of the data.
There are many advantages to delegating a business process to an external service provider; these can include efficiency, lower labour costs, and enhanced quality and innovation. (Data processing is often outsourced offshore, to foreign businesses; this raises further issues, which are addressed in Part II: Cross-border Data Transfers.)
However, data outsourcing brings its own challenges and security risks. Can you guarantee that your data processor will not misuse the data in its care? Can you ensure that access controls will be enforced, and policy updates supported, by your processor? Will the processor commit to as rigorous a Privacy Framework as your company has?
The greatest danger with data outsourcing is the risk of a security breach. According to Trustwave’s 2013 Global Security Report, in 63% of global data breach investigations, “a third party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers.”[i] Patrick Thibodeau, senior editor of Computerworld, stresses that companies utilizing the advantages of data outsourcing “need to go through an exhaustive due-diligence process and examine every possible contingency.”[ii]
Encrypting the data before it leaves your control, with keys the processor never holds, protects it both against outside attackers and against inappropriate access by the processor’s own systems and staff. It also helps to bind the authorization policy to the encrypted data itself, so that the access control requirements travel with each record rather than depending on the processor’s configuration.
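As an added illustration of that idea (not code from the original post or from any vendor named on this page), the following Go program encrypts a record on the data owner’s side with AES-256-GCM and binds a small access policy to the ciphertext as additional authenticated data. The `Policy` fields, role names and the sample payroll record are all constructed for the example. The processor can read and enforce the policy but cannot read the personal information, and any attempt to loosen the stored policy or alter the ciphertext makes decryption fail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Policy is the access-control requirement that travels with the record.
// The fields are illustrative; they are not a real processor's schema.
type Policy struct {
	Owner        string   `json:"owner"`         // organization that stays accountable
	Purpose      string   `json:"purpose"`       // purpose the PI was collected for
	AllowedRoles []string `json:"allowed_roles"` // roles permitted to decrypt
	Residency    string   `json:"residency"`     // jurisdiction the processor must keep it in
}

// Envelope is the only thing the outsourced server ever stores.
type Envelope struct {
	Policy     []byte `json:"policy"`     // readable by the processor; authenticated, not secret
	Nonce      []byte `json:"nonce"`      // 96-bit GCM nonce, unique per Seal call
	Ciphertext []byte `json:"ciphertext"` // AES-256-GCM output with the 16-byte tag appended
}

// NewKey returns a fresh 256-bit key. The key never leaves the data owner.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and binds the serialized policy as GCM additional
// authenticated data (AAD). The processor can read and enforce the policy but
// cannot read the PI, and cannot loosen the policy without breaking the tag.
func Seal(key []byte, policy Policy, plaintext []byte) (*Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pol, err := json.Marshal(policy)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{Policy: pol, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, pol)}, nil
}

// Open enforces the bundled policy and then decrypts. The role check reads the
// policy before it is authenticated; that is acceptable only because GCM refuses
// to release any plaintext if the policy bytes were altered after sealing.
func Open(key []byte, env *Envelope, callerRole string) ([]byte, error) {
	var policy Policy
	if err := json.Unmarshal(env.Policy, &policy); err != nil {
		return nil, err
	}
	if !contains(policy.AllowedRoles, callerRole) {
		return nil, errors.New("access denied by bundled policy")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// The tag covers ciphertext AND policy, so a tampered policy fails here.
	return aead.Open(nil, env.Nonce, env.Ciphertext, env.Policy)
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewKey()
	policy := Policy{Owner: "example-co", Purpose: "payroll", AllowedRoles: []string{"payroll-clerk"}, Residency: "CA"}
	// Constructed sample record; not real data.
	env, _ := Seal(key, policy, []byte("SIN 000-000-000; salary 52000"))
	_, err := Open(key, env, "marketing")
	fmt.Println("marketing:", err)
	pt, _ := Open(key, env, "payroll-clerk")
	fmt.Println("payroll-clerk:", string(pt))
}
```

The design choice worth noting is that the policy is deliberately left in cleartext: the processor needs to read it to apply residency and purpose limits, but because it is covered by the authentication tag, it cannot be rewritten in storage without the data owner noticing at decryption time.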
Before transferring data, think carefully: is the personal information component actually needed? If you can ensure that the data is irreversibly anonymized, and keep careful records of how this was done, it is no longer personal information and data protection principles will no longer apply. Be aware that pseudonymizing (hashing or tokenizing identifiers while a key or lookup table still exists) is not anonymization, and that supposedly anonymous data sets can sometimes be re-identified by linking them with other data, so assess the residual risk before relying on this route.
PIPEDA doesn’t prevent organizations from outsourcing the processing of data, but the Office of the Privacy Commissioner cautions that organizations outsourcing PI need to take “all reasonable steps to protect that information from unauthorized uses and disclosures while it is in the hands of the third-party processor.”[iii]
CANADA: Under PIPEDA, the “transfer” of data is considered a “use” by a company, as opposed to a “disclosure” – this is because the processing of information by a third party is still done for the purposes for which the PI was originally collected. “Processing” is interpreted as any use of the information by a third party for its intended purpose at the time of collection.
PIPEDA’s first Privacy Principle, Accountability, states:
“An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”
This statement has three key clauses; we’ll look at each in turn.
1) “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.” The onus of responsibility lies with your organization, even once information has been transferred to a third party; you cannot outsource legal liability. This means that you’ll need to know exactly what data protection safeguards your data processor has in place, and be able to monitor them throughout the processing relationship, not only at the moment of transfer.
2) An organization needs to ensure a “comparable level of protection while the information is being processed by a third party.” According to the Office of the Privacy Commissioner, this means that the third party must provide a level of data protection comparable to the protection that would have been in place had the data not been transferred.[iv] (The protection should be generally equivalent, but it doesn’t necessarily have to be exactly the same across the board.)
3) “The organization shall use contractual or other means” to comply with legal privacy requirements. There should be a written agreement in every instance where personal information is transferred to a third party. A contract cannot transfer responsibility, but it can describe necessary measures a data processor must take to optimally safeguard personal information, and clearly delineate the responsibilities of each party.
In an effort to protect PI and reduce risks, PIPEDA’s restrictions encourage organizations to minimize data transfers, and only to use them for reasonable purposes.
Quebec has passed legislation[v] that imposes strict rules on private-sector organizations using, transferring, or disclosing personal information outside Quebec, even if the PI is being transferred to another Canadian province. Under the law, data transfer or disclosure is prohibited unless it can be guaranteed that the PI will not be used or disclosed for other purposes than those for which it was transferred, or disclosed to third parties without consent.
UNITED STATES: While no federal law creates a general requirement for data owners regarding data protection during transfer, sectoral laws may do so: for example, the Health Insurance Portability and Accountability Act imposes strict requirements on covered entities that disclose protected health information to a service provider (a “business associate”), including a written agreement. State laws may also impose security standards; for example, California requires organizations transferring personal information to third parties to contractually oblige those third parties to maintain reasonable security measures.
EUROPE: Free transfer of personal data within member states is integral to the founding principles of the EU. As long as the data is transferred in compliance with the strict requirements of the General Data Protection Regulation, the Regulation does not restrict data flows within the European Union or European Economic Area.
For further information on data transfers, and privacy compliance matters generally, see Waël Hassan’s book Privacy in Design: A Practical Guide to Corporate Compliance, available on Amazon.
A three-part series from KI Design:
[i] Trustwave 2013 Global Security Report, p. 10, online at: https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/.
[ii] Patrick Thibodeau, “Offshore risks are numerous, say those who craft contracts,” Computerworld, 3 November 2003, p. 12, online at: https://www.computerworld.com/article/2573865/it-outsourcing/offshore-risks-are-numerous–say-those-who-craft-contracts.html.
[iii] For more information, see the OPC’s “Privacy and Outsourcing for Businesses” guidelines, online at: https://www.priv.gc.ca/en/privacy-topics/outsourcing/02_05_d_57_os_01/.
[iv] Office of the Privacy Commissioner, “Guidelines for Processing Personal Data Across Borders,” January 2009, online at: https://www.priv.gc.ca/en/privacy-topics/personal-information-transferred-across-borders/gl_dab_090127/.
[v] P-39.1 – Act respecting the protection of personal information in the private sector, online at:
IPCS Smart Privacy Auditing Seminar
On September 13, Dr. Waël Hassan was a panelist at the Innovation Procurement Case Study Seminar on Smart Privacy Auditing, hosted by Mackenzie Innovation Institute (Mi2) and the Ontario Centres of Excellence (OCE). The seminar attracted leaders from the health care sector, the private information and technology industry, and privacy authorities. The seminar explored the concept of innovative procurement via the avenue of competitive dialogue, in addition to demonstrating the power and benefits of using artificial intelligence to automate the process of auditing all PHI accesses within a given hospital or health network.
What are the benefits of participating in an innovative procurement process, particularly competitive dialogue?
An innovative procurement partnership between Mi2, Mackenzie Health, Michael Garron Hospital, and Markham Stouffville Hospital was supported by the OCE’s REACH grant and sought to identify an innovative approach to auditing that could be applicable to the privacy challenges faced by numerous hospitals with different practices, policies, and information systems. Rather than focus on how the solution should operate, the partners collaboratively identified six outcome-based specifications the procured audit tool would be required to meet.
By identifying key priorities and specifying the outcomes a solution should achieve, Competitive Dialogue establishes a clear and mutual understanding of expectations. This can help the private sector narrow down solution options to a model best-suited for the contracting authority’s unique context. The feedback loop provided by the iterative rounds (if used) enables vendors to clarify any confusion and customize proposals to the contracting authority’s unique needs, staff workflows, and policy contexts.
Competitive Dialogue is an opportunity for transparent communication that gives vendors the opportunity to learn the finer details of what the contracting authority, in this case Mackenzie Health, needs from a solution. Because hospitals are not technology or security specialists, they often struggle to identify and define precisely what solution they need for a particular issue, so a traditional procurement process, which leaves little or no room for clarification or feedback, is rarely ideal. Competitive Dialogue is more flexible and thereby allows for more creativity and innovative thinking during initial proposal development. Encouraging creativity, and creating a competitive environment in which vendors may be sounding ideas off each other, results in higher quality proposals and final solutions.
Mackenzie Health Case Study
Mackenzie Health employs over 450 physicians and 2,600 other staff members, processes nearly 55,000 patient medical record accesses every day, and has just one privacy officer to monitor everything. Mackenzie Health’s privacy needs far outweigh its capacity, so they turned to the private sector for an innovative solution.
Section 37(1) of PHIPA outlines the possible uses of personal health information, and these guidelines are based on the purpose underlying the activities. Because the legal framework is centred on purpose, KI Design’s approach is to explain the purpose for accessing a given medical record. The core of this technology is more commonly known as an explanation-based auditing system (EBAS) designed and patented by Dr. Fabbri of Maize Analytics.
To detect unauthorized accesses, the technology has the capability of identifying an intelligible connection between the patient and the employee accessing the patient’s records. AI changes the fundamental question underlying auditing tools from “who is accessing patient records without authorization?” to “for what purpose are hospital staff accessing patient records?” Asking this question helps the technology break down staff workflows and identify common and unique purposes for accessing any given medical record, which are then categorized as either authorized access or unexplained access; unexplained accesses may then be flagged as potentially unauthorized behaviour. The technology is able to filter out the authorized accesses, which are usually 98% to 99% of all accesses, so that the Privacy Officer can focus on the much smaller number of unexplained and flagged accesses.
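To make the shift from “who?” to “for what purpose?” concrete, here is an added, deliberately small Go example of explanation-based auditing. It is not KI Design’s or Maize Analytics’ code and does not reproduce the patented system; the three rules (attending physician, care-team membership, recent encounter in the user’s unit), the user and patient identifiers, and the access log are all constructed for the example. Each access is explained by the first rule that fires, and only the residue is handed to the privacy officer.

```go
package main

import "fmt"

// Access is one row of an EHR access log. The sample rows below are constructed.
type Access struct {
	User, Role, Unit string // who accessed, their role and home unit
	Patient          string
	Day              int // day index; enough to test "around the time of care"
}

// Encounter records that a patient was treated in a unit on a day by an attending.
type Encounter struct {
	Patient, Unit, Attending string
	Day                      int
}

// Context holds the operational data that explanations are drawn from.
type Context struct {
	Encounters []Encounter
	CareTeam   map[string][]string // patient -> users assigned to their care
}

// Rule tries to explain an access; it returns "" if it cannot.
type Rule struct {
	Name string
	Fn   func(a Access, ctx Context) string
}

// Result pairs an access with its explanation ("" means unexplained).
type Result struct {
	Access Access
	Rule   string
	Reason string
}

// Illustrative explanation rules. A production system derives many more from
// workflow data; these three only show the shape of the approach.
var rules = []Rule{
	{"attending", func(a Access, ctx Context) string {
		for _, e := range ctx.Encounters {
			if e.Patient == a.Patient && e.Attending == a.User {
				return fmt.Sprintf("user is attending physician for encounter on day %d", e.Day)
			}
		}
		return ""
	}},
	{"care-team", func(a Access, ctx Context) string {
		for _, u := range ctx.CareTeam[a.Patient] {
			if u == a.User {
				return "user is on the patient's care team"
			}
		}
		return ""
	}},
	{"unit-encounter", func(a Access, ctx Context) string {
		for _, e := range ctx.Encounters {
			if e.Patient == a.Patient && e.Unit == a.Unit && abs(e.Day-a.Day) <= 2 {
				return fmt.Sprintf("patient was treated in user's unit (%s) on day %d", e.Unit, e.Day)
			}
		}
		return ""
	}},
}

// Audit applies the rules in order; the first one that fires explains the
// access. Whatever is left is what the privacy officer actually reviews.
func Audit(log []Access, ctx Context) (explained, unexplained []Result) {
	for _, a := range log {
		r := Result{Access: a}
		for _, rule := range rules {
			if reason := rule.Fn(a, ctx); reason != "" {
				r.Rule, r.Reason = rule.Name, reason
				break
			}
		}
		if r.Rule == "" {
			unexplained = append(unexplained, r)
		} else {
			explained = append(explained, r)
		}
	}
	return explained, unexplained
}

func abs(n int) int {
	if n < 0 {
		return -n
	}
	return n
}

// SampleContext and SampleLog are constructed test data, not real records.
func SampleContext() Context {
	return Context{
		Encounters: []Encounter{
			{"P001", "Cardiology", "dr.lee", 10},
			{"P002", "Emergency", "dr.chen", 11},
			{"P003", "Oncology", "dr.lee", 5},
		},
		CareTeam: map[string][]string{"P002": {"rn.patel", "dr.chen"}},
	}
}

func SampleLog() []Access {
	return []Access{
		{"dr.lee", "physician", "Cardiology", "P001", 10},
		{"rn.patel", "nurse", "Emergency", "P002", 11},
		{"rn.gomez", "nurse", "Cardiology", "P001", 11},
		{"dr.chen", "physician", "Emergency", "P002", 11},
		{"dr.lee", "physician", "Oncology", "P003", 6},
		{"rn.gomez", "nurse", "Cardiology", "P003", 40}, // no encounter in her unit, not on the team
	}
}

func main() {
	explained, unexplained := Audit(SampleLog(), SampleContext())
	fmt.Printf("%d explained, %d for review\n", len(explained), len(unexplained))
	for _, r := range unexplained {
		fmt.Printf("REVIEW: %s (%s, %s) opened %s on day %d\n",
			r.Access.User, r.Access.Role, r.Access.Unit, r.Access.Patient, r.Access.Day)
	}
}
```

On the constructed log, five of six accesses are explained and one (a nurse opening the record of a patient who was never treated in her unit) is left for review. The reason string matters as much as the verdict: the officer sees why an access was cleared, which is what makes the filtered-out 98% to 99% defensible when the Information and Privacy Commissioner asks.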
Why is the private sector interested in health care?
Health care is an extremely complex system operated by the province and service providers. The province is a specialist in governance and regulation, the service providers are specialists in medicine; neither are experts in privacy or security. Companies such as KI Design are interested in filling the expertise gap within the health care sector by working closely with health care providers and the Information & Privacy Commissioner to adapt privacy and security solutions that are suitable for their working realities. There is clear value in having a privacy and security expert working directly with hospitals and other health service providers to refine privacy best practices and implement a privacy tool that improves privacy and security outcomes without restricting the workflows of health practitioners.
To learn more on how AI solutions improve Audit visit https://phipa.ca/
PRIVACY INNOVATION IN CANADIAN LAW, TECHNOLOGY, AND CORPORATE CULTURE
I invite you and other privacy leaders to join me in co-authoring a privacy-affirmative position paper, the Privacy Accord. This statement will propose new relationships between government, technology entrepreneurs, and corporate and business leaders to strengthen and enhance privacy in Canada and around the world.
WHY THIS PRIVACY ACCORD IS NEEDED
Privacy under Attack
Government and healthcare agencies, financial institutions, and corporations store massive amounts of personal data. Yet 90% of Canadians are concerned about their privacy: 73% feel they have less protection of their personal information than 10 years ago, and 56% are not confident that they have enough information to know how new technologies affect their privacy (Office of the Privacy Commissioner of Canada, 2014). Rapid changes in technology and communications are altering the ways we interact, and much of our private information is slipping out of our hands. In social media forums, we can instantly share personal details with a public of our own choosing. Such sharing is part of the developing cultural norm. What is less easy to control is what happens to the data tracked from our Internet use. As more and more of our interactions and transactions take place online, more and more of our personal information is finding its way onto the Internet.
Major Internet corporations such as Google and Facebook track consumers’ activities online, creating identity profiles of consumer preferences in every area of life, by analyzing browsing history, consumption patterns, status updates, and email content. As this data is shared amongst corporations, and with government security agencies, personal privacy faces an unprecedented challenge. There is little real transparency: consumers routinely agree to terms and conditions so lengthy that it isn’t practical to read them. Few citizens are aware of the level of data sharing that takes place between major corporations, and with federal agencies. As larger and larger volumes of data are collected and aggregated by big data initiatives, it is becoming more difficult to define precisely what is considered personal information.
The advent of the Internet of Things adds another dimension of complexity to the sharing of personal information. In this new paradigm, informed consent is more important than ever. Yet legislation lags behind technological innovation, and organizational culture is still reorienting itself to respond to these new privacy challenges.
In this rapidly-changing technological environment, it is crucial for privacy leaders to find innovative new ways to bolster privacy, and to communicate these recommendations clearly to government, corporations, and the general public.
THE ECONOMIC POTENTIAL OF PRIVACY PROTECTION
Privacy is a relatively untapped resource in Canada. Working with government and the private sector, privacy leaders can help raise the profile of privacy protection by spelling out its economic potential. Privacy-focused strategic alliances between government, major corporations, and innovation agencies can offer significant benefits to their various stakeholders. Privacy commissioners and data protection authorities could play a pivotal role in inviting these stakeholders to the table.
When government agencies (federal, provincial, and municipal) and corporations invest in startups working on privacy innovation:
- They are contributing to economic growth: New companies, new jobs, new Canadian innovation.
- Corporations are investing in their own economic future: As well as ensuring they are fully compliant with privacy legislation, the innovations that corporations adopt will give them a competitive edge in a challenging market.
- Individuals’ personal information is better protected: All Canadians benefit from a climate in which issues of privacy and informed consent are given priority.
DATA PROTECTION LEGISLATION
Prioritizing Privacy: The EU Approach
Current data protection laws in Canada, like those in the US, are vertical (sector-specific). By contrast, the European Union and many of its constituent states follow a horizontal model. This allows for a more mature, integrated approach to the protection of personal information. With more data sharing across organizational boundaries, sector-specific laws are becoming increasingly difficult to apply, and many initiatives now require extensive consultation to establish relevant privacy obligations. Data sharing across jurisdictions raises further complications; in Canada, some provinces have similar privacy laws, both in the realms of commerce and healthcare, but others have very divergent legislation. The EU has irreversibly committed itself to data protection reform, and this pending legislation offers much that Canada could consider emulating.
Some ideas and practices Canada should consider adopting from the EU:
- A horizontal legal approach: allowing for streamlined provision and enforcement of data protection.
- Mutual responsibility for privacy of shared data: in which both the primary service provider who first collected the data and third parties with whom that data is shared are held responsible for enforcing privacy provisions. A shared responsibility model reflects greater privacy maturity by shifting from an exclusive focus on adequate policy and agreements to ensuring effective implementation through monitoring and governance of all data holders.
- National regulation of multinational corporate activity: The EU approach to data sharing across jurisdictions is based on territories, which means that foreign companies must comply with the laws of the countries in which their customers reside. The pending legislation will give national regulators the power to assess the legal compliance of multinational companies’ codes of conduct. Codes of conduct must contain satisfactory privacy principles and effective implementation tools, and demonstrate that they are binding. By contrast, Canadian citizens have little recourse to protect the privacy of their personal information held by American multinational companies (which include most cloud computing service providers), since information held by American companies may be subject to lawful-access demands from US authorities under laws such as the USA PATRIOT Act.
- Validating compliance: While Canadian public-sector policy requires privacy impact assessments for initiatives handling personal information, the content of these assessments is defined only in terms of compliance with general principles. The pending EU legislation, on the other hand, defines very specific criteria for data protection impact assessments. Similarly, while North American laws require only that organizations create risk mitigation plans, the EU Regulation makes corporate rules and policies binding, and through auditing and monitoring holds organizations accountable for their publicly and internally published policies.
- Data breaches: In line with a greater focus on privacy risk management and enforcement, the new EU Regulation will require that companies (inside or outside Europe) holding information pertaining to EU residents notify them in the case of data breaches. The draft Regulation set a 24-hour deadline for notifying regulators (extended to 72 hours in the final text) and requires that affected individuals be told without undue delay, particularly if the breach increases the risk of identity theft, humiliation, or damage to reputation. North American laws have generally required only that regulators be notified “as soon as feasible”, which in practice often means weeks or months after discovery, and that individuals be notified within a similar time frame if there is a risk of harm to them as a result of the breach.
Under the new EU legislation, fines for large data breaches will be a proportion of the company’s annual worldwide turnover (2% in the draft, raised to 4% in the final text). Most North American laws define a set amount for fines, averaging a few hundred thousand dollars, which is insignificant for large companies. For companies to take privacy seriously, fines for violations must be set as a proportion of revenue.
- Crowd consent: As in the US, citizens in Canada must generally launch complaints through the provincial or federal privacy commissioner. This makes it much more difficult to launch class action suits and otherwise advocate for privacy as a citizen collective. The new EU Regulation will allow individual citizens to exercise their right to protect their personal data, including the right to be removed from databases and the right to transfer their data elsewhere. Citizens can appeal individually or through any agency, organization, or association that works to protect their rights and interests. While North American laws do not offer any specific recourse, the pending EU Regulation guarantees the right to compensation for damages in the case of a privacy breach involving a single or multiple data custodians.
Since the EU Court of Justice struck down the former EU/US “Safe Harbor” agreement, Canadian companies with transnational business interests wishing to avoid legal complexities would be well advised to bring their privacy policies in line with EU standards.
Personal Content Privacy
Personality rights are an evolving field in Canadian jurisprudence. The provinces of British Columbia, Manitoba, Newfoundland and Labrador, and Saskatchewan have enacted privacy legislation dealing with personality rights, and Canadian common law also recognizes a limited right to personality. Such rights can also be found in the Civil Code of Quebec. Recent technologies create new possibilities of recording audio and video – strengthening and expanding such legislation will help keep privacy protection in step with these technological advances.
While recent technological advances have often undermined personal privacy, emerging technologies can strengthen and protect an individual’s activity online. Investing in privacy-bolstering technologies is a smart business move. The erosion of online privacy is of significant concern to the public: for example, 90% of polled US citizens say that having control over what information is collected about them is important (Pew Research Center, 2015). The further development of privacy-bolstering technologies would thus be responding to the concerns of a significant majority of Internet users, who desire greater control over their personal data.
Here are just some of the ways in which future technological development could support information privacy:
Investing in Data Liberation Technologies
Such technologies allow users access to data while masking or erasing the identity of the data source, utilizing de-identification techniques such as tokenization or anonymization. Optimally used with automated risk analysis tools, de-identification allows both ongoing utilization of data and protection of individual privacy.
Investing in Personal Content Privacy
Most current privacy technologies focus on the protection of text records. Given the proliferation of recording technologies (such as smartphone cameras, Google Glass, or drones) future privacy-bolstering technologies will need to adapt to different kinds of content, and an individual’s rights therein. For example:
- Video privacy: Does an individual consent to be photographed or filmed? If not, privacy-bolstering technology could allow the image to be masked or erased.
- Audio privacy: Does an individual consent to be recorded? If not, privacy-bolstering technology could allow the relevant part of the recording to be masked or erased.
And, more generally:
- Personal control: Privacy-bolstering technology could allow an individual to manage, maintain, track, and destroy documents, images, audio, or content in general even after it is released through email or posted on the Internet.
Investing in Defensive Online Security
Programs that block tracking software tend to be accessed by the technologically savvy rather than the average computer user. Such technologies need to become more visible, and easy to use, perhaps bundled with other defensive tools such as anti-virus programs.
Investing in Crowd Consent
Big data offers many opportunities for market research and social analysis, but these can raise privacy concerns. For example, if a statistic shows a particular demographic to be more susceptible to a given disease, or have a higher crime rate, that information could be used by insurance companies to penalize a consumer. Limited protections are in place in healthcare – researchers must have their statistics cleared by the Research Ethics Board before publishing – but as yet no technologies have been developed to allow individual consent.
CORPORATE INVESTMENT: THE PRIVACY ADVANTAGE
Within corporate culture, data protection is often seen negatively, as another unfortunate overhead. Protection of private information is understood as a threat to profit, draining resources to avoid the risk of a security breach and the attendant liabilities. Yet privacy-bolstering technology is also a business opportunity. Far from being a liability, privacy can be a powerful opportunity for companies to differentiate themselves as leaders in corporate responsibility and service to the public.
Meeting a Clearly-expressed Social Need
As citizens and as consumers, individuals consistently express concern over their lack of control and consent when it comes to privacy. Just one example: according to a 2014 poll by Microsoft, as many as 83% of Americans agree with the US Supreme Court decision that police should get a warrant before searching an individual’s cellphone.
Gaining a Competitive Advantage
Corporations and businesses choosing to develop protocols that protect rather than undermine privacy will differentiate themselves from their competitors. Consumers are often faced with a choice between very similar products and services. Adopting a pro-active privacy strategy positions a business to appeal to the many consumers for whom data protection is an issue.
Negative publicity related to privacy issues can be highly damaging to companies, while positive communications on privacy matters can greatly enhance a company’s reputation. Companies that are open about how they gather, manage, and use personal information are better able to offer a sense of security and trust to customers and partners. By integrating effective privacy practices across their enterprise, providing information that addresses people’s concerns about privacy, and engaging the public and government in discussing privacy issues, companies can become known as leaders committed to protecting individual privacy.
Investment in de-identification technologies, automated risk analysis tools, and other techniques of data protection will help smooth the interface between data users and individuals. With proper safeguards in place, market researchers can access the data they require without compromising individual privacy. More focused research means more accurate prediction of consumer preferences, and thus more effective marketing strategies.
Privacy as a Customer Service
As yet, few major companies are pro-active about privacy. Many put minimal protections in place and then suffer the consequences when a data breach occurs. As the 2013 Target breach demonstrated, these consequences include, beyond any legal penalties, a massive loss of customer goodwill and the attendant loss of revenue. Even major corporations whose data has remained secure rarely invest in privacy innovation, or engage with privacy as a customer service.
Privacy as we know it is at a crossroads. Can data protection flourish in this brave new world of technological change, or will it decay? Economic, legal, technical, and corporate innovation will all be crucial in helping to direct the future of data protection in Canada. That is why I am asking you to co-author the Privacy Accord.
I am actively seeking your participation. As a data protection authority, your experience, insight, and expertise will bring great value to this project. Once the Privacy Accord has been finalised, we will promote it to private industry. Members of the investment community have already expressed interest in participating. Then, we will approach federal, provincial, and municipal regulators across the country.
I do hope you will join me in this exciting new venture to promote privacy and informed consent in Canada. Please let me know:
- Whether you would be interested in co-authoring the Privacy Accord
- Whether your communications staff could help with preparing and promoting the Accord
- Whether you would like further information before making a decision
I look forward to hearing from you.
Waël Hassan, Ph.D
Identity and Access Management (IAM) has two seemingly opposed purposes: to enable user access to information, and to block user access to restricted information. In fact, strong security and user-friendly access are by no means mutually exclusive: a mature IAM solution provides both. Read a summary of my IAM Maturity Model.