Categories: About Waël, Privacy

Privacy in Design: A Practical Guide to Corporate Compliance

I am pleased to announce that the Privacy in Design book is now available for preorder on Amazon and Kindle.

The book describes a journey into achieving corporate compliance while maintaining and improving business objectives.

This guide is an essential resource for privacy officers, executive leadership, and boards of directors.

From developing a privacy program, through data handling and protection, to auditing and monitoring privacy maturity, Waël Hassan presents his expert advice, clearly delineating applicable legal obligations and increased regulatory requirements, including the GDPR. He explores privacy best practices on numerous topical issues, such as workplace and employment privacy practices, data transfer and cloud computing, data analytics, and data breach avoidance and management.

The book is divided into four sections:

  1. Part I: Navigating the Legal Landscape of Privacy Protection
  2. Part II: Bringing Your Organization into Best-practices Privacy
  3. Part III: How to De-identify Personal Information
  4. Part IV: Privacy and Big Data

By implementing the principles and practices outlined in this book, you’ll make privacy compliance benefit your business and become a competitive advantage.

About Waël Hassan:

Dr. Waël Hassan is the founder of KI Design; his full bio is available on the About page.

Categories: Privacy

Laws for Big Data

What would a law about big data say?

After participating in the Privacy Commissioner of Canada’s consultation on consent, and reading the Ontario privacy commissioner’s reflections on the drivers for legal change, I can tell you that it won’t be easy.

I will be writing about this shortly; for now, I will simply ask the question.


Cyberwarfare & National Security

It is the digital age, and there is a new type of warfare. Cyberwarfare refers to the utilization of modern technologies and software to mount politically-motivated attacks against information systems; in the past, it has successfully brought down websites, networks, services, financial systems, data warehouses, and more. It is increasingly used by nation states, terrorists, extremist groups, “hacktivists,” and other criminal organizations as a method to create disruption or damage.

Politics and geopolitics have moved online. Many of the revolts and international headlines we read today involve some aspect of the web, whether directly or indirectly. Digital media can be used by governments to repress citizens in countries such as China and Saudi Arabia; they can organize and raise awareness for national or political uprisings, as in the Arab Spring; and they can be used to access and release confidential information, as happened during the US presidential election. Cyberterrorism, cyberwarfare, and cyber espionage have become some of the most pressing national and international issues.

Motivating Examples

Trying to control the cyber landscape is near impossible. For instance, the sheer number of mobile applications designed for everything from communications to social media to fitness tracking makes up a global marketplace that isn’t ready for innumerable threats. Individuals disclose their personal information across multiple platforms and apps that provide vastly different levels of privacy and security.

Categories: social, Training

The Startup’s Guide to Privacy: Turning Privacy into a Competitive Advantage – MaRS Best Practices MaRS Discovery District, Toronto, ON

This is an event announcement. Register Here

On January 28, 2016, Canada, along with many countries, will celebrate Data Privacy Day. Recognized by privacy professionals, corporations, government officials, academics and students around the world, Data Privacy Day highlights the impact that technology is having on our privacy rights and underlines the importance of valuing and protecting personal information.

MaRS Discovery District and Privacy Horizon have teamed up to offer this special program for entrepreneurs and startup companies. Learn what you need to know to turn privacy into a competitive advantage.


1:30 – 2:00 p.m. – Registration

2:00 – 2:30 p.m. – Welcome and introduction to privacy: Brendan Seaton (Privacy Horizon Inc.)

2:30 – 3:00 p.m. – Privacy and the law: Stephen Whitney (Norton Rose Fulbright)

3:00 – 3:30 p.m. – Gap assessment workshop (bring your laptop, tablet or smartphone): Brendan Seaton (Privacy Horizon Inc.)

3:30 – 4:30 p.m. – Panel discussion: Who cares? Your customers, your investors and your regulators: Mark Kohler, CPA, CA, ICD.D (Exelerate Capital), Wael Hassan (KI Design), Vance Lockton (Office of the Privacy Commissioner of Canada)

4:30 – 5:00 p.m. – Startup’s guide to privacy: Patrick Lo, CIPP/C, CISSP (eHealth Ontario)

5:00 p.m. – Closing remarks: Brendan Seaton (Privacy Horizon Inc.)


Who should attend?

This program will be of interest to any startup that is developing innovative solutions that involve the collection, use, disclosure or retention of personal information. This session is relevant to:

  • Entrepreneurs
  • Developers (those working with mobile apps, the Internet of Things, or the cloud)
  • Customer experience personnel
  • Sales and marketing specialists
  • Board directors
  • Investors

What will you learn?

  • Fundamentals of privacy and Privacy by Design
  • Key areas of the related legal landscape, including legislation, regulatory sanctions, class action lawsuits, agreements and contracts
  • Privacy expectations of customers, regulators and investors
  • Tools and resources to help you build privacy into your products and services


Brendan Seaton, Founder, Privacy Horizon

Brendan Seaton is one of Canada’s leading experts in the management of e-health privacy, security and safety. He is the founder of Privacy Horizon, a company dedicated to providing privacy education, tools and resources for Canadian healthcare organizations and companies. Brendan has more than 30 years of experience in health service administration, information system project management, and information privacy and security in both the public and private sectors.

Since 2000, Brendan has trained more than 1,000 privacy officers and specialists from across Canada. In 2013, he was designated as a Privacy by Design ambassador by former Information and Privacy Commissioner for Ontario, Dr. Ann Cavoukian.

Brendan has a passion for privacy and healthcare. He has dedicated his life to ensuring that Canadians can have both.

Stephen Whitney, Of Counsel, Norton Rose Fulbright

Stephen Whitney has significant international expertise in complex technology transactions. He works with companies of all sizes, from startups to international corporations, drafting templates and negotiating agreements. He regularly advises on privacy and data protection, export controls, lawful access, product and service legal and regulatory compliance, content regulation, and legal policy and regulatory compliance.

Stephen worked previously at BlackBerry, where he oversaw the devices and emerging solutions team and the global regulatory team. During this tenure, he helped the company enter and grow their business in Europe, Asia Pacific, the Middle East and the Caribbean. In doing so, he gained deep mobile and technology sector expertise as well as an understanding of how legal, cultural, political and business issues can intersect to create challenging problems that require creative and practical solutions. Stephen has completed innovative deals with a wide range of technology companies in Canada, the US and other countries around the world.

Mark Kohler, Chairman & CEO, EXELERATE Capital

Mark Kohler is Chairman and CEO of EXELERATE Capital, a private advisory group that provides services in strategy, mergers and acquisitions, and governance/risk/compliance (GRC) to healthcare technology organizations and private equity funds in Canada, New York and California. Mark leads the group’s growth capital investing activities at EXELERATE Health. He has over 28 years of senior executive and operational experience leading public and private organizations in North America and has also served as a chairman, corporate director and advisory board member for some of Canada’s leading healthcare technology and financial services companies.

Mark has a BComm from Queen’s University, and a Certified Corporate Director (ICD.D) designation from Rotman School of Management (University of Toronto). He is also a Chartered Professional Accountant, and a member of the Healthcare Information Management Systems Society (HIMSS), and Canada’s Health Informatics Association (COACH).

Waël Hassan, CEO, KI Design LLC

Waël Hassan leads KI Design LLC. His work focuses on helping organizations to transform to maximize the benefit of new technologies, to understand privacy and compliance requirements and to implement portfolio management. He also helps executives take on the challenges of data analytics with their existing computing infrastructure. Twitter: @drwhassan

Vance Lockton, Senior Analyst, Stakeholder Relations, Office of the Privacy Commissioner of Canada

Vance Lockton is Senior Analyst, Stakeholder Relations in the Toronto office of the Office of the Privacy Commissioner of Canada (OPC). His primary role involves developing and maintaining strong relationships with private-sector stakeholders, with three primary end goals:

i. Encouraging proactive compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA)

ii. Advancing industry awareness of OPC findings, guidance and other materials

iii. Increasing the OPC’s knowledge of current industry practices, as well as the challenges faced by organizations and technology developers, as they relate to the collection, use and disclosure of personal information

Vance holds a BMath and an MSc in computer science, as well as an MPP in public policy.


Patrick Lo, Senior Program Director, Identity, Access and Privacy, eHealth Ontario

Patrick Lo has more than 20 years of experience in the field of information privacy. An expert in the development and implementation of privacy programs, he is also a Certified Information Systems Security Professional (CISSP) and a Certified Information Privacy Professional/Canada (CIPP/C).

As Senior Program Director for the Identity, Access and Privacy portfolio at eHealth Ontario, Patrick is accountable for strategy and planning, and the product management and adoption of the provincial client and provider registries within the healthcare sector. Previously, he led the privacy office at eHealth Ontario, and built the province’s first “eHealth Privacy Centre of Excellence”—establishing eHealth Ontario as a leader in the development and implementation of privacy best practices. Before joining eHealth Ontario, Patrick held executive positions in the private sector focused on the development and implementation of privacy and data protection programs across the Canadian healthcare sector.

Categories: Security

The Best Encryption ceases to work upon the first authorized access

Did encryption protect Google and Yahoo against NSA snooping? Simply not. Was the NSA protected against data extraction by an ‘authorized’ user who threatened the nation’s security? Not really. Hence we say that the best encryption ceases to work upon the first authorized access.

Governance Analysis Method – PhD Thesis Waël Hassan

Governance Analysis is a logic-based, computer-assisted framework for validating the legal compliance of enterprise governance models. This framework is intended to help check whether governance systems are consistent with the law. My approach to Governance Analysis includes legal and enterprise models, a governance analysis method (GAM), a governance analysis language (GAL), and an implemented governance analysis tool (GAT) (see Publications). GAM consists of extracting legal requirements, translating them into GAL statements by using patterns, and translating those statements into a logic model for consistency checking.

The GAM, GAL, and GAT evolved as a result of their application to governance laws related to privacy and financial management. The method’s main processes were validated through application to Canadian and US laws (mainly PIPEDA and Sarbanes-Oxley) combined with various examples taken from enterprise systems.

Governance Analysis begins with an extraction process, which uses patterns to match legal and enterprise requirements. Next, the representation process maps extracted requirements to GAL statements. The generation process takes as input GAL statements to generate a logic model, and the Alloy logic analyser is used to check legal consistency. Three legal compliance validation techniques can then be applied: model, ontology, and scenario checks (see What are the Methods for Validating Legal Compliance?). Model checks validate the combined legal and enterprise requirements for logical consistency; ontology checks validate the enterprise structure and process; and scenario checks validate enterprise scenarios.

These Governance Analysis techniques have proven to be useful not only for identifying conflicts between laws and enterprise governance models, but for identifying the specific scenarios in the enterprise which threaten legal compliance.
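The following is an added illustration of the three checks named above, written for this page; it is not the thesis's GAL notation or GAT tool. It approximates what a bounded logic analyser such as Alloy does: every enterprise-permitted use within a small finite scope is tested against each legal rule, and any use that violates a rule is returned as a counterexample (model check). The ontology check verifies that the enterprise model only refers to declared roles, data and purposes, and the scenario check replays a concrete sequence of uses. The roles, data categories, the PIPEDA-flavoured `purpose_limitation` rule, the `audit_separation` rule and the sample enterprise are all constructed for the example.

```python
"""Bounded, Alloy-style consistency checks of an enterprise access model
against legal requirements. Constructed example; not the thesis's GAL/GAT."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Set, Tuple

Use = Tuple[str, str, str]          # (role, data, purpose)
Consent = Tuple[str, str]           # (data, purpose)


@dataclass(frozen=True)
class Enterprise:
    """Enterprise governance model over a finite scope (constructed)."""
    roles: Set[str]
    data: Set[str]
    purposes: Set[str]
    permits: Set[Use]               # uses the enterprise policy allows
    consents: Set[Consent]          # purposes the data subject consented to


# Legal requirements as predicates over one permitted use. Each returns True
# when the use satisfies the requirement.
def purpose_limitation(ent: Enterprise, role: str, data: str, purpose: str) -> bool:
    """Personal information is used only for a purpose the subject consented to."""
    return (data, purpose) in ent.consents


def audit_separation(ent: Enterprise, role: str, data: str, purpose: str) -> bool:
    """Constructed rule: an auditor may use data only for the audit purpose."""
    return role != "auditor" or purpose == "audit"


LEGAL_RULES: List[Callable[..., bool]] = [purpose_limitation, audit_separation]


def model_check(ent: Enterprise, rules=LEGAL_RULES) -> List[Tuple[str, str, str, str]]:
    """Model check: search the whole bounded scope for a permitted use that
    violates a legal rule. An empty list means legal and enterprise
    requirements are consistent within scope."""
    conflicts = []
    for role, data, purpose in sorted(ent.permits):
        for rule in rules:
            if not rule(ent, role, data, purpose):
                conflicts.append((role, data, purpose, rule.__name__))
    return conflicts


def ontology_check(ent: Enterprise) -> List[Tuple[str, str]]:
    """Ontology check: every permission refers only to declared structure."""
    problems = []
    for role, data, purpose in sorted(ent.permits):
        if role not in ent.roles:
            problems.append(("undeclared role", role))
        if data not in ent.data:
            problems.append(("undeclared data", data))
        if purpose not in ent.purposes:
            problems.append(("undeclared purpose", purpose))
    return problems


def scenario_check(ent: Enterprise, scenario: List[Use], rules=LEGAL_RULES) -> Optional[Tuple[int, str]]:
    """Scenario check: replay concrete uses in order and report the first
    step that is either not permitted or breaks a legal rule."""
    for step, (role, data, purpose) in enumerate(scenario):
        if (role, data, purpose) not in ent.permits:
            return (step, "use not permitted by enterprise model")
        for rule in rules:
            if not rule(ent, role, data, purpose):
                return (step, rule.__name__)
    return None


def build_sample() -> Enterprise:
    """Constructed enterprise: marketing use lacks consent, and a permission
    names a role ('contractor') the ontology never declared."""
    return Enterprise(
        roles={"clinician", "marketer", "auditor"},
        data={"health_record"},
        purposes={"treatment", "marketing", "audit"},
        permits={("clinician", "health_record", "treatment"),
                 ("marketer", "health_record", "marketing"),
                 ("auditor", "health_record", "audit"),
                 ("contractor", "health_record", "treatment")},
        consents={("health_record", "treatment"), ("health_record", "audit")},
    )


def remediated(ent: Enterprise) -> Enterprise:
    """One remediation: drop the marketing permission rather than widen consent."""
    return replace(ent, permits={u for u in ent.permits if u[2] != "marketing"})


SAMPLE_SCENARIO: List[Use] = [("clinician", "health_record", "treatment"),
                              ("marketer", "health_record", "marketing")]

if __name__ == "__main__":
    ent = build_sample()
    print("model conflicts:", model_check(ent))
    print("ontology problems:", ontology_check(ent))
    print("scenario violation:", scenario_check(ent, SAMPLE_SCENARIO))
    print("after remediation:", model_check(remediated(ent)))
```

The model check and the ontology check flag different defects in the same sample: the marketing permission is structurally well-formed but legally inconsistent, while the contractor permission is legally fine but refers to an undeclared role. That separation is the point of running the three checks independently.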

De-Identification Maturity Model

Recently I have been working on a formal framework for evaluating the maturity of de-identification services within an organization. The framework gauges the level of an organization’s readiness and experience with respect to de-identification, in terms of people, processes, technologies and consistent measurement practices.
The De-Identification Maturity Model (DMM) is used as a measurement tool and enables the enterprise to implement an empirically-based improvement strategy.

The DMM was published under the auspices of Privacy Analytics, a leader in de-identification technology solution delivery. Alternatively, the article can be downloaded here: DMM (Khaled El-Emam & Wael Hassan), or download the one-page DMM Summary.