Privacy Legislation and Standards in Canada

The Demand for Privacy

Alec Campbell, Principal
Excela Associates Inc.
Distinguished Associate, Bell PCE
[email protected]
780-945-0123


Compliance Requirements

24 privacy laws in Canada today
  15 provincial/territorial public sector laws (incl. 2 municipal in SK & ON)
  1 federal public sector law (Privacy Act)
  1 federal private sector law (PIPEDA)
  3 provincial private sector laws (BC, AB, QC)
  4 provincial healthcare sector laws (AB, SK, MB, ON)

Trust requirements

Epidemic of breaches
  SK - ISM data tapes with insurance data
  GoC - CRA laptops with taxation data
  GoC - HRDC data matching with almost everything
  BC - surplus sales with social services data
  AB – employee security clearances with personal financial info
  ON & AB – various personal health information
  ON – federal PC’s personal phone records
  Massive US breaches – credit card information, travel details, correspondence, aggregated PI, others

Trust requirements

Epidemic of breaches – Just the first trimester of 2006
  Jan 1: “Car thief walked away with the medical records of 365,000 patients across Oregon and Washington.”
  Jan 27: “ChoicePoint Hit With Record $15 Million FTC Penalty”
  Jan 27: “Medical records stolen from courier in Langley BC”
  Mar 8: “BC Minister offers plan to address health-data ‘screw-up’”
  Mar 9: “Edmonton police rapped for improper CPIC use”
  Mar 9: “Hacker hits B.C. government computers”
  Mar 13: “Another mess for CIBC: Confidential papers sent to wrong firm”
  Mar 27: “4,000 BC Hydro employees info at risk after B&E”
  Apr 10: “Tax agency mailed personal data to wrong addresses”
  Apr 10: “Personal data stolen from Bank of Canada CSB accounts”

Winners/HomeSense: 47.5 million credit card numbers stolen in database breach.

Trust requirements

E-services initiatives threatened by privacy and security concerns

Identity theft a major issue
  According to the FTC, ID theft cost American consumers $5bn and businesses $48bn in 2005

Identification and authentication are critical
  Biometrics
  Electronic signature standards

Post-911
  Communications monitoring
  Surveillance

Risk Management Requirements

Identify the risks associated with privacy breaches and failures
  Legal liability, loss of stakeholder trust, loss of political credibility, financial costs
  Privacy impact assessments

Mitigate the risks identified
  Minimize the likelihood of occurrence
  Minimize the severity of the impacts
  Maximize learning from occurrences

Management Issues

Security
  Privacy ≠ Security, Security > Privacy
  Some security measures are not compatible with privacy
  Security and privacy should be addressed in tandem, especially as they relate to information management
  Like privacy, security is a risk management issue – you can reduce security risks but you cannot eliminate them
  Security requires regular reviews and audits

Management Issues

Information technology
  ‘Privacy by design’: privacy is a design consideration, not an obstacle
  Privacy architecture and technical standards
  Privacy must be built in at the start
    Retrofitting privacy measures to existing IT applications can be very expensive
    Often need a PIA to identify privacy issues and approaches
  Must have adequate security to support privacy, but security ≠ privacy
  Privacy enhancing technology

Management Issues

Incident Response
  A weakness in most organizations
  Poor incident response increases severity of incident & consequences
  Must ensure that decisions are made quickly, by the right people
  Slow incident response & notification can be a problem with contractors and outsourcers
  When and how do you notify victims of breaches?

Selected Strategic Issues

E-services
  Policy, standards to generate & maintain trust in electronic services involving personal information

PIA policy
  Should have clear, explicit requirements for PIAs
  PIA is heart of the privacy risk assessment process

Privacy architecture and technical standards
  Critical element of IT privacy strategy, but often overlooked
  Link security and privacy standards

Selected Strategic Issues

Privacy enhancing technologies
  In their infancy, but show great potential
    Search encrypted database without decryption
    Automatically anonymize a dataset to the minimum extent necessary
    Locally authenticate biometric identifiers

Incident response procedures
  Most organizations have poor privacy incident response, which exacerbates the severity of the incident
  Learn from the security field

Incident notice requirements
  Increasing pressure to notify victims of privacy breaches
  Over 30 state laws proposed in US

Elements of a Strategic Framework

Legislation
  Comprehensive, up to date, practical

Policy
  Rules should be mandatory but general
  Commitment to legislative requirements should be explicit
  Specifies accountability

Standards
  Mandatory specifications for technical issues, like database design, user authentication, security, file management, QA procedures, etc.
  Use national or international standards where possible

Elements of a Strategic Framework

Guidelines
  Non-mandatory best practices
  Should be as detailed as necessary
  Allow flexibility to accommodate circumstances
  Best at the procedural level

Training and Awareness
  Awareness programs critical for everyone, but especially for senior management and front-line workers
  Specialized training for privacy coordinators and managers of sensitive programs


Summary

Compliance and trust requirements have made privacy a major public policy issue today

Privacy by risk management: assessment and mitigation

Elements of privacy strategy:
  Legislation
  Policy
  Standards
  Guidelines
  Training and awareness

Selected strategic issues:
  E-services
  PIA policy
  Privacy architecture & stds
  Privacy enhancing technologies
  Incident response procedures
  Incident notice requirements


Privacy Impact Assessments

What is a PIA?
  A formal assessment of the privacy implications associated with a given project, initiative, or collection of records, usually in reference to applicable legislation or policy.


Privacy Impact Assessments

PIAs have become a critical tool in privacy management
  PIAs are proactive, not reactive
  Well-suited to risk management
  Provide evidence of due diligence

Inspired by the environmental impact assessment

Formal PIA processes have taken some time to develop, and there is still no widespread standard


Issues in PIA Planning and Preparation

Why do it?
  Due diligence
    If you have a privacy complaint later, having done a PIA will demonstrate efforts to protect privacy
  Risk management
    PIA will identify potential privacy risks before they materialize, allowing you to take measures to prevent problems
    Risks: IPC inquiry costs, loss of stakeholder trust, bad publicity, cost of retroactive privacy measures, legal costs, etc.
  Cost containment
    A PIA will often cost less than a privacy breach resulting from a failure to do the PIA.


Issues in PIA Planning and Preparation

Who should do it?
  Those who will be responsible for the project or initiative after it is up and running – they have to know the privacy issues
  Involve all responsible business areas - actively
  If it’s an IT project, make sure both IT and the business area are involved – not just the development team
  If project is complex or it’s your first PIA, bring in a consultant – but you should not need a consultant for every PIA.

PIA findings should be approved by the senior manager responsible for the project


Issues in PIA Planning and Preparation

When to do it?
  As early in project planning as possible
    Need to know PI data elements and flows to complete
    For IT projects, make it part of the system design phase
    For administrative and management projects, do PIA after process design but before implementation
  Need for PIA, or lack thereof, should be part of the project proposal or business case.