Privacy Legislation and Standards in Canada
The Demand for Privacy
Alec Campbell, Principal, Excela Associates Inc.
Distinguished Associate, Bell PCE


Compliance Requirements
24 privacy laws in Canada today:
- 15 provincial/territorial public sector laws (incl. 2 municipal in SK & ON)
- 1 federal public sector law (Privacy Act)
- 1 federal private sector law (PIPEDA)
- 3 provincial private sector laws (BC, AB, QC)
- 4 provincial healthcare sector laws (AB, SK, MB, ON)

Trust requirements: Epidemic of breaches
- SK: ISM data tapes with insurance data
- GoC: CRA laptops with taxation data
- GoC: HRDC data matching with almost everything
- BC: surplus sales with social services data
- AB: employee security clearances with personal financial info
- ON & AB: various personal health information
- ON: federal PC's personal phone records
- Massive US breaches: credit card information, travel details, correspondence, aggregated PI, others

Trust requirements: Epidemic of breaches, just the first trimester of 2006
- Jan 1: "Car thief walked away with the medical records of 365,000 patients across Oregon and Washington."
- Jan 27: "ChoicePoint Hit With Record $15 Million FTC Penalty"
- Jan 27: "Medical records stolen from courier in Langley BC"
- Mar 8: "BC Minister offers plan to address health-data 'screw-up'"
- Mar 9: "Edmonton police rapped for improper CPIC use"
- Mar 9: "Hacker hits B.C. government computers"
- Mar 13: "Another mess for CIBC: Confidential papers sent to wrong firm"
- Mar 27: "4,000 BC Hydro employees info at risk after B&E"
- Apr 10: "Tax agency mailed personal data to wrong addresses"
- Apr 10: "Personal data stolen from Bank of Canada CSB accounts"
Winners/HomeSense: 47.5 million credit card numbers stolen in database breach.

Trust requirements
E-services initiatives threatened by privacy and security concerns
Identity theft a major issue
- According to the FTC, ID theft cost American consumers $5bn and businesses $48bn in 2005
Identification and authentication are critical
- Biometrics
- Electronic signature standards
Post-9/11
- Communications monitoring
- Surveillance

Risk Management Requirements
Identify the risks associated with privacy breaches and failures
- Legal liability, loss of stakeholder trust, loss of political credibility, financial costs
- Privacy impact assessments
Mitigate the risks identified
- Minimize the likelihood of occurrence
- Minimize the severity of the impacts
- Maximize learning from occurrences

Management Issues: Security
- Privacy ≠ Security; Security > Privacy
- Some security measures are not compatible with privacy
- Security and privacy should be addressed in tandem, especially as they relate to information management
- Like privacy, security is a risk management issue: you can reduce security risks but you cannot eliminate them
- Security requires regular reviews and audits

Management Issues: Information technology
- 'Privacy by design': privacy is a design consideration, not an obstacle
  - Privacy architecture and technical standards
- Privacy must be built in at the start
  - Retrofitting privacy measures to existing IT applications can be very expensive
  - Often need a PIA to identify privacy issues and approaches
- Must have adequate security to support privacy, but security ≠ privacy
- Privacy enhancing technology

Management Issues: Incident Response
- A weakness in most organizations
- Poor incident response increases the severity of the incident and its consequences
- Must ensure that decisions are made quickly, by the right people
- Slow incident response and notification can be a problem with contractors and outsourcers
- When and how do you notify victims of breaches?

Selected Strategic Issues
E-services
- Policy and standards to generate and maintain trust in electronic services involving personal information
PIA policy
- Should have clear, explicit requirements for PIAs
- The PIA is the heart of the privacy risk assessment process
Privacy architecture and technical standards
- Critical element of IT privacy strategy, but often overlooked
- Link security and privacy standards

Selected Strategic Issues
Privacy enhancing technologies
- In their infancy, but show great potential
  - Search an encrypted database without decryption
  - Automatically anonymize a dataset to the minimum extent necessary
  - Locally authenticate biometric identifiers
Incident response procedures
- Most organizations have poor privacy incident response, which exacerbates the severity of the incident
- Learn from the security field
Incident notice requirements
- Increasing pressure to notify victims of privacy breaches
- Over 30 state laws proposed in the US
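The bullet "automatically anonymize a dataset to the minimum extent necessary" can be illustrated with a k-anonymity search: quasi-identifiers are coarsened step by step through a small generalization lattice and the search stops at the first level that leaves every combination of values shared by at least k records, so no more detail is removed than needed. This is an added Python example, not material from the presentation; the records, the age and postal-code hierarchies and the k values are constructed for the illustration.

```python
from collections import Counter
from itertools import product

# Constructed sample records (not from the slides): two quasi-identifiers that
# could re-identify a person (age, postal) plus a sensitive attribute.
RECORDS = [
    {"age": 23, "postal": "V6B1A1", "diagnosis": "flu"},
    {"age": 27, "postal": "V6B2C3", "diagnosis": "asthma"},
    {"age": 31, "postal": "V6E4D4", "diagnosis": "flu"},
    {"age": 36, "postal": "V6E5F5", "diagnosis": "diabetes"},
    {"age": 52, "postal": "T5J1A1", "diagnosis": "flu"},
    {"age": 58, "postal": "T5J2B2", "diagnosis": "asthma"},
]
AGE_LEVELS = range(4)     # 0 exact, 1 = 10-year band, 2 = 20-year band, 3 suppressed
POSTAL_LEVELS = range(7)  # level n masks the last n of the 6 postal characters

def generalize_age(age, level):
    """Coarsen an age according to the hierarchy level described above."""
    if level == 0:
        return str(age)
    if level == 3:
        return "*"
    width = 10 if level == 1 else 20
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"

def generalize_postal(code, level):
    """Replace the last `level` characters of the postal code with '*'."""
    keep = len(code) - level
    return code[:keep] + "*" * level if keep > 0 else "*"

def generalize(records, age_level, postal_level):
    return [{"age": generalize_age(r["age"], age_level),
             "postal": generalize_postal(r["postal"], postal_level),
             "diagnosis": r["diagnosis"]} for r in records]

def is_k_anonymous(rows, k):
    """Every combination of quasi-identifier values must occur at least k times."""
    classes = Counter((r["age"], r["postal"]) for r in rows)
    return min(classes.values()) >= k

def minimal_k_anonymize(records, k):
    """Walk the lattice from least to most coarse (by total level, then lexically)
    and stop at the first pair that is k-anonymous; (None, []) if none is."""
    order = sorted(product(AGE_LEVELS, POSTAL_LEVELS), key=lambda c: (sum(c), c))
    for age_level, postal_level in order:
        rows = generalize(records, age_level, postal_level)
        if is_k_anonymous(rows, k):
            return (age_level, postal_level), rows
    return None, []
```

With the constructed records, minimal_k_anonymize(RECORDS, 2) settles on ten-year age bands and the first three postal characters, while k=3 can only be met by suppressing both quasi-identifiers entirely.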

Elements of a Strategic Framework
Legislation
- Comprehensive, up to date, practical
Policy
- Rules should be mandatory but general
- Commitment to legislative requirements should be explicit
- Specifies accountability
Standards
- Mandatory specifications for technical issues, like database design, user authentication, security, file management, QA procedures, etc.
- Use national or international standards where possible

Elements of a Strategic Framework
Guidelines
- Non-mandatory best practices
- Should be as detailed as necessary
- Allow flexibility to accommodate circumstances
- Best at the procedural level
Training and Awareness
- Awareness programs critical for everyone, but especially for senior management and front-line workers
- Specialized training for privacy coordinators and managers of sensitive programs

Summary
Compliance and trust requirements have made privacy a major public policy issue today
Privacy by risk management:
- Assessment and mitigation
Elements of privacy strategy:
- Legislation
- Policy
- Standards
- Guidelines
- Training and awareness
Selected strategic issues:
- E-services
- PIA policy
- Privacy architecture & standards
- Privacy enhancing technologies
- Incident response procedures
- Incident notice requirements

Privacy Impact Assessments
What is a PIA?
- A formal assessment of the privacy implications associated with a given project, initiative, or collection of records, usually in reference to applicable legislation or policy.

Privacy Impact Assessments
PIAs have become a critical tool in privacy management
- PIAs are proactive, not reactive
- Well-suited to risk management
- Provide evidence of due diligence
Inspired by the environmental impact assessment
Formal PIA processes have taken some time to develop, and there is still no widespread standard

Issues in PIA Planning and Preparation: Why do it?
- Due diligence: if you have a privacy complaint later, having done a PIA will demonstrate efforts to protect privacy
- Risk management: a PIA will identify potential privacy risks before they materialize, allowing you to take measures to prevent problems. Risks: IPC inquiry costs, loss of stakeholder trust, bad publicity, cost of retroactive privacy measures, legal costs, etc.
- Cost containment: a PIA will often cost less than a privacy breach resulting from a failure to do the PIA.

Issues in PIA Planning and Preparation: Who should do it?
- Those who will be responsible for the project or initiative after it is up and running; they have to know the privacy issues
- Involve all responsible business areas, actively
- If it's an IT project, make sure both IT and the business area are involved, not just the development team
- If the project is complex or it's your first PIA, bring in a consultant, but you should not need a consultant for every PIA
- PIA findings should be approved by the senior manager responsible for the project

Issues in PIA Planning and Preparation: When to do it?
- As early in project planning as possible
  - Need to know PI data elements and flows to complete it
- For IT projects, make it part of the system design phase
- For administrative and management projects, do the PIA after process design but before implementation
- The need for a PIA, or lack thereof, should be part of the project proposal or business case