Many consider Canadian privacy law the pragmatic mid-point between European omnibus, rights-driven data protection and U.S. sectoral privacy laws balanced against free expression and risk of harm. The Personal Information Protection and Electronic Documents Act (PIPEDA) is probably the cleanest translation of the OECD Guidelines into law and by extension is a principles-based law. Schedule One of PIPEDA, which contains the principles, was completed in 1996 – 23 years ago. Since then a constant revolution has taken place in information and communications technologies (ICT). Today, many tech-enabled and data-driven models are providing real value to consumers, society and business. PIPEDA’s preamble makes clear that its purpose is to facilitate both individual protection and broad data use. However, the broad use of data is putting increasing strain on how the principles, developed and put into law and practice two decades ago, are meeting the goals of protection. The revolution in data and technology-enabled data use makes a compelling case for the need to evolve how the core principles are put into effect. When the goal of international interoperability is added, and as other economies update their own public policy models, it is clear changes to Canadian public policy will be made.
The IAF today issued a Canadian discussion paper entitled “Trusted Digital Transformation, Considerations for Canadian Public Policy.” The paper makes five policy recommendations and suggests a framework for implementing core Canadian values. The discussion paper is intended to accompany the national dialogue that is associated with this sort of public policy change. These five recommendations are:
- Data pertaining to individuals should be used to create real value for identified stakeholders in a balanced, fair fashion that serves individuals, society and private organizations. This balancing should take place in all sectors, and the risk of not using data should be as important a consideration as the risk of negative consequences.
- Individuals have clear rights related to data and its uses, and those rights should be explicit and actionable in practice as well as in theory.
- Accountability requires organizations to be reasonable and responsible in what they do with data pertaining to individuals and to be answerable for how they demonstrate that they are acting as effective data stewards.
- Organizations should have checks and balances in place, so their data stewardship is conducted effectively. When organizations cause negative consequences that are consequential, they should take actions to mitigate those consequences.
- Enforcement agencies should have powers and resources so that they may act in a manner trusted by the public and seen as predictable by those subject to enforcement.
The discussion paper suggests a risk-based approach to accountability that requires the risks to individuals associated with using data to be considered co-equally with the risk to individuals of not using data. To achieve the dual goals of data-driven economic growth and protection of individuals, the principles-based approach to individual rights and interests needs to evolve, and consideration needs to be given to what it means to be an accountable data steward. The IAF believes these dual, supporting pillars are key concepts as societies consider fourth-phase fair processing governance to match the issues associated with the Fourth Industrial Revolution, where the physical, digital and biological spheres come together.
This paper can be found here and has been posted to a new section on the IAF’s publication page entitled Fourth Phase Frameworks. In coming months, the IAF will be adding to that section.
Please let us know what you think.