1. www.ipc.on.ca The Privacy Imperative: Go Beyond Compliance to Competitive Advantage Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Cambridge Chamber of Commerce March 2, 2004

2. www.ipc.on.ca Slide 2 Impetus for Change  Growth of Privacy as a Global Issue  EU Directive on Data Protection  Increasing amounts of personal data collected, consolidated, aggregated  Consumer Backlash; heightened consumer expectations

3. www.ipc.on.ca Slide 3 The New Debate: Privacy After 9/11  It’s business as usual: Clear distinction between public safety and business issues – make no mistake NO reduction in consumer expectations Increased value of trusted relationships

4. www.ipc.on.ca Slide 4 Consumer Attitudes  Business is not a beneficiary of the post-9/11 “Trust Mood”  Increased trust in government has not been paralleled by increased trust in business handling of personal information Privacy On and Off the Internet: What Consumers Want Harris Interactive, November 2001 Dr. Alan Westin

5. www.ipc.on.ca Slide 5 Importance of Consumer Trust  In the post-9/11 world: Consumers either as concerned or more concerned about online privacy Concerns focused on the business use of personal information, not new government surveillance powers  If consumers have confidence in a company’s privacy practices, consumers are more likely to: Increase volume of business with company……....91% Increase frequency of business……………….…...90% Stop doing business with company if PI misused…83% Harris/Westin Poll, Nov. 2001 & Feb. 2002

6. www.ipc.on.ca Slide 6 Information Privacy Defined  Information Privacy: Data Protection Freedom of choice; control; informational self-determination Personal control over the collection, use and disclosure of any recorded information about an identifiable individual

7. www.ipc.on.ca Slide 7 What Privacy is Not Security  Privacy

8. www.ipc.on.ca Slide 8  Authentication  Data Integrity  Confidentiality  Non-repudiation  Privacy; Data Protection  Fair Information Practices Privacy and Security: The Difference Security: Organizational control of information through information systems

9. www.ipc.on.ca Slide 9 Fair Information Practices: A Brief History  OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data  EU Directive on Data Protection  CSA Model Code for the Protection of Personal Information  Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

10. www.ipc.on.ca Slide 10 Summary of Fair Information Practices  Accountability  Identifying Purposes  Consent  Limiting Collection  Limiting Use, Disclosure, Retention  Accuracy  Safeguards  Openness  Individual Access  Challenging Compliance

11. www.ipc.on.ca Slide 11 The Ten Commandments  Accountability –for personal information –designate an individual(s) accountable for compliance  Identifying Purposes –purpose of collection must be clear at or before time of collection  Consent –individual has to give consent to collection, use, disclosure of personal information

12. www.ipc.on.ca Slide 12 The Ten Commandments  Limiting Collection –collect only information required for the identified purpose; information shall be collected by fair and lawful means  Limiting Use, Disclosure, Retention –consent of individual required for all other purposes  Accuracy –keep information as accurate and up-to-date as necessary for identified purpose  Safeguards –protection and security required, appropriate to the sensitivity of the information

13. www.ipc.on.ca Slide 13 The Ten Commandments  Openness –policies and other information about the management of personal information should be readily available  Individual Access –upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and be given access to that information, be able to challenge its accuracy and completeness and have it amended as appropriate  Challenging Compliance –ability to challenge all practices in accord with the above principles to the accountable body in the organization.

14. www.ipc.on.ca Slide 14 Federal Privacy Legislation in Canada  Personal Information Protection and Electronic Document Act (PIPEDA)  Staggered implementation: Federally regulated businesses, 2001 Federal health sector, 2002 Provincially regulated private sector, 2004

15. www.ipc.on.ca Slide 15 Extension of PIPEDA  As of January 1, 2004, PIPEDA has extended to:  all personal information collected, used or disclosed in the course of commercial activities by provincially regulated organizations (including insurance companies and independent insurance adjusters)  unless a substantially similar provincial privacy law is in force

16. www.ipc.on.ca Slide 16 Provincial Private-Sector Privacy Laws Québec: Act respecting the protection of personal information in the private sector B.C.: Personal Information Protection Act Alberta: Personal Information Protection Act Ontario: draft Privacy of Personal Information Act, 2002 – not introduced…so PIPEDA applies

17. www.ipc.on.ca Slide 17 Application of PIPEDA in Ontario  January 2004 PIPEDA applies to the commercial activity of provincially regulated organizations  Uncertainty as to what exactly is covered in “commercial activity.” For example: The practice of law, even legal aid ? Health care delivery, such as doctors, hospital care?  Await decisions of federal Privacy Commissioner

18. www.ipc.on.ca Slide 18 Employee Information  Employee information of provincially regulated employers will not be covered  However, where an Ontario organization is part of a cross- border enterprise, it may fall under PIPEDA as an employer

19. www.ipc.on.ca Slide 19 Ontario: Health Information Protection Act, 2003 (HIPA)  Ontario government introduced health privacy bill (Bill 31) on December 17, 2003  Referred to Standing Committee on General Government, which held public hearings and clause- by-clause deliberations  Expected to come into effect January 1, 2005

20. www.ipc.on.ca Slide 20 The Bottom Line Privacy should be viewed as a business issue, not a compliance issue

21. www.ipc.on.ca Slide 21 The Promise  Electronic Commerce projected to reach $220 billion by 2001 WTO, 1998  Electronic Commerce projected to reach $133 billion by 2004 Wharton Forum on E-Commerce, 1999 Estimates revised downward to reflect lower expectations

22. www.ipc.on.ca Slide 22 Privacy is affecting E-Commerce United States: e-commerce sales were only 1.6% of total sales -- $54.9 billion in 2003 -U.S. Dept. of Commerce Census Bureau, February 2004 Canada: Online sales were only 0.6% of total revenues -- $13.7 billion in 2002 Statistics Canada, April 2003

23. www.ipc.on.ca Slide 23 Lack of Privacy = Lack of Sales “Consumer privacy apprehensions continue to plague the Web. These fears will hold back roughly $15 billion in e-commerce revenue.” Forrester Research, September 2001 “Privacy and security concerns could cost online sellers almost $25 billion by 2006.” Jupiter Research, May 2002

24. www.ipc.on.ca Slide 24 The Business Case  “Our research shows that 80% of our customers would walk away if we mishandled their personal information.” CPO, Royal Bank of Canada, 2003  Nearly 90% of online consumers want the right to control how their personal information is used after it is collected.

25. www.ipc.on.ca Slide 25 How The Public Divides on Privacy The “Privacy Dynamic” - BattleDr. Alan Westin for the minds of the pragmatists

26. www.ipc.on.ca Slide 26 Make Privacy a Corporate Priority  An effective privacy program needs to be integrated into the corporate culture  It is essential that privacy protection become a corporate priority throughout all levels of the organization  Senior Management and Board of Directors’ commitment is critical

27. www.ipc.on.ca Slide 27 Good Governance & Privacy “Privacy and Boards of Directors: What You Don’t Know Can Hurt You” Guidance to corporate directors faced with increasing responsibilities and expectation of openness and transparency Privacy among the key issues that Boards of Directors must address Potential risks if Directors ignore privacy Great benefits to be reaped if privacy included in a company’s business plan

28. www.ipc.on.ca Slide 28 Privacy Diagnostic Tool  Simple, plain-language tool (paper and e-versions)  Free & self-administered  CSA model code to examine an organization’s privacy management practices  www.ipc.on.ca/PDT www.ipc.on.ca/PDT

29. www.ipc.on.ca Slide 29 Final Thought “Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.” Forrester Research, March 5, 2001

30. www.ipc.on.ca How to Contact Us Commissioner Ann Cavoukian Information & Privacy Commissioner/Ontario 80 Bloor Street West, Suite 1700 Toronto, Ontario M5S 2V1 Phone: (416) 326-3333 Web: www.ipc.on.ca E-mail: commissioner@ipc.on.ca