Why should a privacy or data protection assessment conducted by a company be trusted? That question was asked by some Canadian stakeholders when the IAF held a meeting in 2017 to review the big data assessment developed by the IAF based on grant from the Federal Office of the Privacy Commissioner. That question motivated the IAF to apply for a grant from the OPC to see if the attributes that make Research Ethics Boards (similar to U.S. Independent Review Boards) trustworthy could be applied to comprehensive impact assessments to make them trustworthy. IAF received that grant from the IAF, and that research was conducted in late 2017 and in the first quarter of 2018. The project included two discussions, one with business and the other with a multi-stakeholder group very similar to the one that raised the question. The project report may be found here.
IAF’s findings include the following:
- REBs are independent of the researcher but not the organization. They are credible in part because they have common rules and processes that link to a public external criterion.
- A similar criterion could be developed in Canada by the private sector or a regulatory body as a code of best practice.
- At the Canadian multi-stakeholder session, it was suggested a good place to start would be a set of principles. So, the paper includes straw-person principles as a starting point for future discussion.
This was a Canadian project. However, the paper informs discussions in other regions where comprehensive data impact assessments are necessary to create the authority for thinking with data.
Please share your comments with us.