Category Archives: Data Governance

Demonstrable Accountability and People Beneficial Data Use

Data-driven societies and economies must create a means for data that pertains to people to be used in a productive and protected manner. Those methods include processing so complex that governing it effectively through consent requires specialized knowledge beyond many people’s ability. If consent is beyond a person’s capabilities and is therefore less effective for permissioning data processing, then a trustworthy alternative to consent must be found. An alternative is especially necessary when processing creates real value for people, groups of people and society.

Use of an alternative means of permissioning does not mean a reduction in transparency.  Transparency, robust corporate data governance, subject to the law, and internal and external oversight are necessary to hold organisations accountable.  The Canadian Ministry for Innovation, Science and Economic Development (“ISED”) shares the IAF interest in this issue and helped fund a multi-stakeholder project to suggest “A Path to Trustworthy People Beneficial Data Activities.”[1] 

Canadian private sector national and provincial privacy laws typically require consent in order to process personal data.  Newer privacy laws such as the European Data Protection Regulation specify that personal data processing must be based on a legal basis, and consent is only one of the six legal bases.  The IAF’s task was to set forth the elements of an accountability process for situations where consent is not effective, but the processing creates tangible, well-documented benefits for people.  This process is demonstrable accountability which, among the requirements, includes an assessment process that balances the risk of harm and the benefits to people.

The components of a demonstrably accountable process include:

  • Designating senior officers who are accountable for People Beneficial Data Activities
  • Conducting People Beneficial Impact Assessments (PBIAs)
  • Achieving an enhanced standard of transparency covering People Beneficial Data Activities and their associated governance processes
  • Having specific internal oversight
  • Being subject to independent external oversight
  • Keeping records of People Beneficial Data Activities
  • Protecting individual rights and implementing transparent redress systems

The IAF suggests all of these components must exist for people beneficial processing to be trustworthy.

The IAF report includes recommendations for ISED to consider as it drafts any proposals related to existing privacy laws that might be considered by Parliament:

  • Explicitly recognize People Beneficial Data Activities as serving a legitimate purpose because on balance the activities are beneficial to people when the risks to people are reduced to an acceptable level.  Limiting People Beneficial Data Activities to those provided within the “conditions of the supply of a product or service” might contribute to personal data not being used for people beneficial purposes. 
  • Explicitly move beyond consent as the primary authority to process personal information for People Beneficial Data Activities where consent is not fully effective.
  • Explicitly recognize People Beneficial Data Activities as a new or expanded authority to process personal information beyond reliance on the concepts of consent and legitimate purposes tied to the provision of products and services. This recognition would lessen reticence risk (i.e. a reduction of any inhibition to data driven innovation) and would provide more benefits to stakeholders because these activities have not been limited to those provided within the “condition of the supply of a product or service,” as long as the People Beneficial Data Activities meet all the elements of demonstrable accountability and are aligned with the objectives, culture, and values of the organization.
  • Expressly provide a method for determining what data activities are people beneficial and provide clarity regarding this processing through public policy. This express provision will reduce reticence risk to people, society and organizations and help to implement Canada’s Digital Charter while protecting the privacy of Canadians.
  • So that People Beneficial Data Activities are transparent, expressly provide in policy requirements the elements of demonstrable accountability:  be accountable, conduct a people beneficial data impact assessment (PBIA), be transparent, have internal oversight, be subject to independent external oversight, keep records, and protect individual rights.

The IAF also suggests that further work is needed to determine the degree and type of effective oversight and governance for organisations processing data for people beneficial uses. Effective oversight and governance are necessary for this type of processing to be fully trusted.

Canadian businesses contributed to the research and the development of the report and participated in a multi-stakeholder session that included academics, privacy advocates and regulators.

While this project was specific to Canada, the IAF believes the findings are applicable to other jurisdictions.  Europe is struggling to make legitimate interest work as a trusted legal basis to process data, and the United States is only beginning the public policy process for advanced data use.  The IAF will be updating its prior work on legitimate interests based on the people beneficial data activity report.

The project report, which includes a model assessment process, can be found here

Please let us know what you think.

[1] The IAF is solely responsible for the report findings. They do not necessarily reflect the views of ISED, participants, or the IAF Board.

IAF Releases Model Legislation Summary

The California Consumer Privacy Protection Act went into effect on January 1, and a ballot initiative to update that law is slated for November.  State privacy legislation has been reintroduced in Washington state, and Nevada is following.  Privacy Shield may be overturned by the European Court of Justice, and more countries are adopting legislation that…

Legitimate Processing Invented here in the U.S.

Privacy law began in the United States when Congress enacted the Federal Fair Credit Reporting Act (“FCRA”) in 1970.  While framed as a consumer protection law, it was most certainly fair processing legislation.  FCRA established rights of access, correction, and accuracy, but most importantly it created the concept of permissible purpose.  The concept of permissible purpose is the seed…

The Need for An Ethical Framework

The vast amount of data made possible and accessible through today’s information technologies, and the ever-increasing analytical capabilities of this data, are unlocking tremendous insights that are enabling new solutions to health challenges, business models, personalization and benefits to individuals and society. At the same time, new risks to individuals can be created. Against this…

Detailed Overview of the Effective Data Protection Governance Framework and Components—A Data- and Use-Based Approach

In the Information Accountability Foundation’s blog in Sept, the Effective Data Protection Governance (EDPG) project was introduced. The EDPG proposes a re-alignment of responsibilities, the introduction of new obligations and a different way to think about obligations for each participant in increasingly complex information ecosystems. The objective of the framework is to better align responsibilities while…

The Data Use Imperatives – Effective Data Protection Governance

We are on the cusp of many dramatically new ways to think about data and data use that will increasingly place pressure on public policy models and organisational governance. This overall challenge was introduced in our blog last month and is the cornerstone of The Information Accountability Foundation (IAF) work on an Effective Data Protection Governance…

IAF Background Material for Marrakech Side Event

The Information Accountability Foundation looks forward to co-hosting with the Future of Privacy Forum a side event entitled “Technology, Challenges and Effective Governance”. The session will be held at the 38th International Data Protection and Privacy Commissioners Conference in Marrakech on 18 October. To provide a better understanding of issues and questions to be discussed during…

Accountability in an Observational, Analytics-Driven Digital Economy

Since a multi-stakeholder group first defined them in 2009, the essential elements of accountability have become well established in the field of data protection. These elements are reflected in guidance from data protection and privacy authorities in Canada, Hong Kong, Australia, Colombia and France. They have been adopted as key elements in the European General…

IAF Holds Brainstorming Event on Ethics, Created Data, AI and Accountability

On 13 September, IAF held its Annual Brainstorming Meeting. HP Inc. hosted the event. This year’s sessions focused on ethics and data protection, created data and accountability, and artificial intelligence and governance. Below are documents related to the meeting and photos of the event. Meeting Documents Brainstorming Session Agenda Session Attendee List Background Reading IAF…

Year-End Policy Call

2015 has been a most remarkable year for data protection, and 2016 will be full of challenges. To provide food for thought over the holiday break, the team at the Information Accountability Foundation will provide insights on accountability-based challenges for 2016. The discussion will touch on recent and upcoming policy as well as regulatory developments…