BIG DATA SURVEILLANCE PLENARY RESEARCH WORKSHOP

Similar documents
Keynote Presentation to. Simon Fraser University Vancouver, BC November 8, Elizabeth Denham Information and Privacy Commissioner for B.C.

Driving Excellence through Data Governance Personal Data Protection Seminar. Singapore, May 16, 2014

SUBMISSION TO THE SPECIAL COMMITTEE TO REVIEW THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT

MEMORANDUM. I. Accurate Framing of Communications Privacy Policy Should Acknowledge Full Range of Threats to Consumer Privacy

Accountable Privacy Management in BC s Public Sector

3. Consent for the Collection, Use or Disclosure of Personal Information

Cloud Computing: Privacy and Other Risks

How To Ensure Health Information Is Protected

PIPA and the Hiring Process

The guidance will be developed over time in the light of practical experience.

Privacy Policy on the Collection, Use, Disclosure and Retention of Personal Health Information and De-Identified Data, 2010

What s New in Access, Privacy and Health Care. Brian Beamish Commissioner. Ontario Connections May 21, 2015

Federation of Law Societies of Canada. Ottawa, November 26, 2013

Observations on international efforts to develop frameworks to enhance privacy while realising big data s benefits

Investigation reveals major deficiencies in the access to information practices of two government ministries and the Office of the Premier

Vice-President for Budget and Human Resources

National Energy Benchmarking Framework: Report on Preliminary Working Group Findings

Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005

VIDEO SURVEILLANCE GUIDELINES

PRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;

Personal Information Protection Act ( PIPA ) Privacy-Proofing Your Retail Business Tips for Protecting Customers Personal Information 1

E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY

IN THE SUPREME COURT OF BRITISH COLUMBIA

Big Data, Big Risk? Data Management and Privacy. Presented by: Timothy Banks, Heather Innes, and Colonel Vihar Joshi

Cloud Computing Contracts. October 11, 2012

IN THE SUPREME COURT OF BRITISH COLUMBIA NOTICE OF CIVIL CLAIM. This action has been started by the plaintiff for the relief set out in Part 2 below.

BBA submission on the HM Treasury (HMT) Consultation Competition in banking: improving access to SME credit data

Order F14-16 PRIVATE CAREER TRAINING INSTITUTIONS AGENCY. Ross Alexander Adjudicator. June 2, 2014

AN EXAMINATION OF BC GOVERNMENT S PRIVACY BREACH MANAGEMENT

Insights and Commentary from Dentons

Memorandum of Understanding ( MOU ) Respecting the Oversight of Certain Clearing and Settlement Systems. among:

2015 Trends & Insights

Policy Brief: Protecting Privacy in Cloud-Based Genomic Research

The USA Patriot Act Government Briefing. Kirsten Tisdale, Chris Norman, Sharon Plater & Alexandra (Gina) Henley September 30, 2004

LEGAL UPDATE INFORMATION AND PRIVACY DECISION USE OF EMPLOYEE MONITORING SOFTWARE BY THE DISTRICT OF SAANICH

DATA PROTECTION POLICY

Corporate ICT & Data Management. Data Protection Policy

Judicial Independence (And What Everyone Should Know About It) 15 March 2012

Practice Guideline Self-Employment

Response to Consultation. Strengthening Home and Community Care: Successful Transition to a New Model

FORUM ON TAX ADMINISTRATION

National Standards for Disability Services. DSS Version 0.1. December 2013

IT Security and Employee Privacy: Tips and Guidance

Privacy Law in Canada

The role of modern board. Chartered Institute of Management Accountants

5.00 Employee in relation to the university, includes a volunteer and a service provider.

Regulation of Investigatory Powers Act 2000

INTRODUCTION...3 THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT...3 THE INFORMATION AND PRIVACY COMMISSIONER...5

PERSONAL INFORMATION PRIVACY POLICY FOR EMPLOYEES AND VOLUNTEERS [ABC SCHOOL]

Best Practices in Data Management - A Guide for Marketers -

It s tough to make the right IT decisions...

Center for Audit Quality Update

Law Society of Saskatchewan Queen s Bench Rules of Court webinars Part 1: Overview

Transferring Personal Information about Canadians Across Borders Implications of the USA PATRIOT Act

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

ISO Payments Standard Initiative Consultation Summary

Fire Commissioner Office of the Fire Commissioner Emergency Management BC Ministry of Justice Victoria

Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario

Overview of. Health Professions Act Nurses (Registered) and Nurse Practitioners Regulation CRNBC Bylaws

Annual Assessment of the External Auditor

Office of the Information and Privacy Commissioner Province of British Columbia Order No July 8, 1994

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

Guide for Developing Personal Information Sharing Agreements. Revised October 2003 (updated to reflect A.R. 186/2008)

EXAMINATION OF BRITISH COLUMBIA HEALTH AUTHORITY PRIVACY BREACH MANAGEMENT. Elizabeth Denham Information and Privacy Commissioner

Instant Messaging and Personal Accounts: Meeting Your Access and Privacy Obligations

ONLINE PAYMENT PRIVACY POLICY

CROSS-BORDER INSOLVENCY PROTOCOL FOR 360NETWORKS INC. AND ITS AFFILIATED COMPANIES

GUIDELINES FOR RESPONSIBLE USE OF IDENTITY MANAGEMENT SYSTEMS

Information Management Responsibilities and Accountability GUIDANCE September 2013 Version 1

A Guide to Ontario Legislation Covering the Release of Students

Toronto School of Theology Guidelines for the Preparation and Ethics Review of Doctor of Ministry Thesis Projects Involving Human Subjects

Immigrant Settlement Support Funding Guidelines

Framework for Compliance Audits Under the Employment Equity Act

Framework for Cooperative Market Conduct Supervision in Canada

CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper

AN INTRO TO. Privacy Laws. An introductory guide to Canadian Privacy Laws and how to be in compliance. Laura Brown

USE OF EMPLOYEE MONITORING SOFTWARE

A Year in Review: CIHI s Annual Privacy Report

Proudly Presents. Navigating the Cloud Across the US & Canada Border

Due Diligence and Effective Vendor Management. Corporate America Credit Union 30 th Annual Meeting May 1, 2012

Funding Privacy Commissioner of Canada: Secondary use of data from the EHR current governance challenges & potential approaches

FIPPA and MFIPPA: Bill 8 The Recordkeeping Amendments

Service Alberta BUSINESS PLAN ACCOUNTABILITY STATEMENT THE MINISTRY

Data Protection Working Group. Final Report on the Draft Data Protection Bill

35 PROMOTE CHOICE, WELL-BEING AND THE PROTECTION OF ALL INDIVIDUALS

Children s Hearings (Scotland) Act asp 1

Medicines and Healthcare products Regulatory Agency

Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps

Amendments to the Rules to Civil Procedure: Yours to E-Discover. Prepared by Christopher M. Bartlett Cassels Brock & Blackwell LLP

Work programme

Social Enterprise and Charitable Systems in Canada

Testimony of David Sohn Senior Policy Counsel Center for Democracy and Technology. Before. The House Committee on Small Business.

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance

Bankruptcy and Restructuring

CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING?

Re: Big Data: A Tool for Inclusion or Exclusion? Workshop Project No. P145406

Privacy Update Recent Updates in Privacy Law

1. LIMITATIONS ON ACCESS TO, OR DISCLOSURE OF, PERSONALLY IDENTIFIABLE INFORMATION.

Privacy Impact Assessment

Strengthening Public Sector Transparency and Privacy

Transcription:

CHECK AGAINST DELIVERY SPEECH TO THE BIG DATA SURVEILLANCE PLENARY RESEARCH WORKSHOP MAY 12, 2016 ELIZABETH DENHAM INFORMATION AND PRIVACY COMMISSIONER FOR BC Thank you David. I m glad to have a chance to connect with the group before I leave for the United Kingdom. Over the course of the next 5 years, this research will open Canadians eyes to the realities of big data surveillance. And I am honoured that my office is a part of this team. I think it s critically important to have privacy regulators around the table. Privacy Commissioners are action figures. We investigate, consult, educate and call for legislative and policy reform. But we need clear, practical and evidence-based research to propel us into action. This research project will set the groundwork for regulators like me to take action on big data surveillance.

Page 2 We will experience the greatest success if we can persuade law-makers and the general public why they should care and why these issues matter. Which is why clear and strategic communication will be so important to this project. We need to make sure our key findings make their way into the public realm. I am disappointed to be leaving my role in this project behind. BUT you are in good hands with my Deputy Commissioner, Michael McEvoy. Michael will be the executive lead on this project going forward. *** It was a stroke of genius to host this meeting on the border of the International Association of Privacy Professionals conference in Toronto. There were 9 sessions and 20 speakers categorized as big data topics on the IAPP agenda including a session on big data and privacy protection, with Colin Bennett earlier today. Those of you who were at the conference heard speakers talking about the need for a strong ethical and legal framework for big data -- and how innovation and privacy work together. I am heartened to see those conversations taking place. That said, it s a conversation being driven almost entirely by the private sector. B.C. Examples Which might lead one to believe that the private sector is where the big data party is happening. But it s big business in the public sector, too. In my view, there is a lack of transparency for big data activity on the part of government, and a lack of knowledge about government s big data activities in the public mind.

Page 3 Yet it s where the most pressing policy challenges for big data surveillance lie. Government agencies beyond law enforcement are seeking access to larger and larger data sets -- to search, aggregate and cross-reference data. Their goal: offer new insights into previously unsolvable policy problems. The public is, at most, superficially aware of big data s purported benefits. But they re not aware of the big data processing that s happening behind the curtain. They may not know, for example, that the B.C. government has a plan to build a platform for researchers to access personal health information for research purposes. While still in the planning stages, the Data Innovation Centre is envisioned to be a one-stop shop where large health data sets are brought together under one roof for research purposes. In future, the Centre aims to integrate social services, education, health and justice data. Those planning the Centre know little about the privacy implications of predictive uses of big data targeting large populations where public agencies are using client databases to target problem individuals. POLICY QUESTIONS All of these cases raise big picture, capital-p policy questions. What is the threshold for the use of big data in the public sector remembering that citizens have little choice but to hand over personal information in exchange for public services? Who decides what types of datasets can be used for predictive analytics or pattern identification and what are the no-go zones? When should personal information be used, and when can anonymization fulfill the same purpose? When and to whom should public agencies disclose their big data activities including the people whose information it is about and the general public? And who is assessing the risks of amassing large data sets in-house? There is the risk of breaches but also legal and ethical liabilities.

Page 4 Some of you will know there is a case before the B.C. courts where a tobacco company is requesting access to large datasets containing the health information of millions of British Columbians over a 20-year period. They ve made this request because the provincial government is using this data in a lawsuit against big tobacco. 1 The most recent decision saw the BC Supreme Court rule that Imperial Tobacco should get access to individual-level data from provincial databases so that it can adequately defend itself in court. The decision is currently being appealed. And late breaking news, I sought and today succeeded in getting intervenor status in this case. The Court said I would bring a different and useful perspective to the issue before the courts. That perspective is important because the patients whose records are at issue are not before the courts. So these are all complex questions. And they demand proactive policy leadership to ensure that data can be used to harness innovation not for mass surveillance purposes or vague policy outcomes. The challenge facing this group is to document and describe the real-world impacts of big data surveillance outline where there gaps in law and oversight and use that information to press legislators and policy-makers to fill those gaps. Legal Challenges There are several advantages to taking a privacy law approach to challenging big data surveillance: The laws are principle-based, which gives them the flexibility to address the emergent challenges of data processing and predictive analytics. Privacy law is a familiar framework for citizens and governments giving them a lens or through which to assess the opportunities of big data surveillance and the legal uses of that data for compliance. It provides for independent oversight and enforcement. And it gives us the language to describe the individual impacts and broader societal harms of ubiquitous, creeping surveillance. 1 HMTQ v. Imperial Tobacco Canada 2015 BCSC 844. Accessed April 29, 2016 via web: http://www.canlii.org/en/bc/bcsc/doc/2015/2015bcsc844/2015bcsc844.pdf

Page 5 Commissioners and Data Protection Authorities around the world have been engaging experts in big data, and talking amongst themselves about how to map privacy law against big data. And there are some mechanisms within the law that could be used to challenge certain big data activities. In B.C. s public sector legislation, for example FIPPA authorizes the collection of personal information for the purposes of evaluating programs or activities of a public body. But the threshold for collection in the law is one of necessity. And one could ask, in what circumstances would big data be truly necessary to a program or activity? B.C. s private sector law has a lower threshold a reasonableness standard against which private sector organizations must justify collection of personal information. Again, such a provision could potentially allow for big data processing but what is reasonable? And what is reasonable might not be what is ethical. Independent of the letter of the law, there are also tried-and-true policy positions Commissioners have established to defend against the growth of more traditional forms of surveillance. These are guideposts that could be extended to challenge big data surveillance. Canada s Commissioners have long established through legal rulings, consultations and policy that public agencies must first make the business case for surveillance, and clearly show that other less privacy-invasive tools could not achieve the same purpose. If they meet this threshold, the surveillance must be limited to the identified problem. Notice must be provided. Programs must be put in place for controlling the personal information collected, ensure its secure storage and disposal, and ongoing review to ensure the program is actually addressing the problem. Challenging big data surveillance from a privacy law perspective puts these tools in regulators hands, but also the public s hands. Yet big data is in some ways a different beast. And it turns privacy law completely on its head. Big data is the very definition of function creep using personal information and data for purposes other than for which it was collected.

Page 6 Opaque big data processing restricts a person s right to request their own personal information, or call to account how their information was used to make a decision affecting them for example, withholding of a public benefit or service. And big data fundamentally challenges the requirements of knowledge and consent. Data-Linking Regulation One possible model to address big data surveillance challenges within a privacy law framework is British Columbia s forthcoming regulations on data-linking. Data-linking matches and compares personal information: From more than one public agency Where the purpose of collection in at least one of the data sets is different from the purposes of the linking. This is not anonymized data. This is personal information being linked, often across agencies. Data-linking authorities were granted to public agencies in 2011 with amendments to B.C. s FIPPA. Those new authorities were balanced with increased oversight powers for my office, notice to my office and including mandatory Privacy Impact Assessments in certain cases. I am of the view that there should be a principle-based regulation governing datalinking that provides for transparency, accountability and appropriate use. First and foremost, public agencies should have to demonstrate why they need to participate in data-linking. They need to make a clear business case for why linking personal information is the only way for a specific policy outcome can be achieved, instead of anonymized data or another less privacy-invasive method. If a public agency makes the case to use data-linking, certain best practices should apply, including controls around personal identifiers no use of SIN or personal health numbers and retention and destruction policies for when the data is no longer needed. In addition to the general principles, there should be specific requirements where data-linking activities could adversely affect an individual. These cases need more stringent oversight and controls, including: Privacy impact assessments A direct or public notice informing affected individuals Manual verification to make sure the right person has in fact been identified And annual public reporting on the aggregate results of data-linking activities, including how many people were affected and how many linkages made

Page 7 Taking a similar approach to big data would provide certain advantages: It would give independent oversight and transparency to big data initiatives and could mandate privacy impact assessments in certain cases. It could promote public disclosure of big data activities of public agencies to the affected individuals if it is a narrowing exercise or the general public, if it is a predictive or undefined exercise. And regular reporting to the Commissioner s office could provide opportunity to share those results with the public. For example, New Zealand s Privacy Commissioner regularly publishes summary information about government s data-linking activities on its website in an effort to inform the general public. However big data is different from data linking: With data-linking the focus is on individual privacy harms, whereas big data analysis focuses on the collective. We would need to articulate how to capture the broader societal harms of persistent and ubiquitous big data surveillance and build that into the oversight model. And there may be indirect consequences or harms associated with big data that are not the case with data-linking (i.e. being in a predictive category vs. targeted as an individual). There is a need to reach out to academics and regulators in the human rights area. I would be interested to hear from all of you whether you think such a model could be made to work for big data. Oversight Challenges Privacy law and Commissioner oversight is only one piece of the puzzle. Big data raises human rights issues and ethical issues. Oversight of big data surveillance will require a constellation of actors, many of whom are represented on this research team. But we also need oversight from citizens.

Page 8 I believe there needs to be a public discourse about the ethical and legal underpinning of the big data ecosystem, including who is responsible to ensure that individuals and communities are not harmed by algorithms that sort us, take our data out of context or by opaque decisions based on statistical predictions. This dialogue must include what types of government-held information we are prepared to leverage in the name of big data, and what types we are not. I called on the provincial government to lead this conversation. They haven t yet taken me up on that offer. But in the interim, the public sector is in the big data game whether citizens know it or not. Perhaps there is a role for this group to play to act as a catalyst for that public dialogue and debate about big data. Closing I will continue to follow this project with interest in my new role in the UK. In the meantime, I look forward to engaging with you on these topics to further explore the questions and the dilemmas of big data surveillance over the coming days.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information