Submission to the OPC’s Consultation on Consent under PIPEDA (CCUA)

Canadian Credit Union Association

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Summary

Thank you for the opportunity to provide feedback on the discussion paper, Consent and Privacy, dated May 2016.

The Canadian Credit Union Association (CCUA), formerly Credit Union Central of Canada, is the national trade association for five provincial/regional credit union Centrals and more than 300 affiliated credit unions across Canada. Collectively, credit unions outside Quebec control more than $188 billion in assets and serve approximately 5.5 million Canadians through 1,819 branch locations. This submission has been prepared in consultation with the member organizations of CCUA.

As institutions dedicated to maximizing the financial well-being of their member/owners, credit unions are committed to protecting the personal information that is integral to this process and utilizing the data in as transparent and as ethical a manner as possible. Today’s consent framework is predicated on “meaningful” consent that requires individuals to have a clear understanding of what data will be collected, how it will be used and with whom it will be shared. From the discussion paper, we understand that the continuing viability of this model is being questioned “in an ecosystem of vast, complex information flows and ubiquitous computing” and that several options have been floated as possible solutions. We are therefore pleased to see that the Office of the Privacy Commissioner of Canada (OPC) is seeking input from a wide range of parties before proposing changes to the extensive consent regime that already exists within the Personal Information Protection and Electronic Documents Act (PIPEDA).

In our opinion, further guidance from the OPC, coupled with “surgical” amendments to PIPEDA could best enhance and strengthen the current consent framework and facilitate a better understanding of the potential impacts of Big Data and other technological developments on privacy. While we agree that the technology environment has changed dramatically since the consent framework was originally developed and will, no doubt, continue to evolve in ways currently unimaginable, we have doubts as to the benefits of radically amending a legislative structure that is already “technology neutral” and that both organizations and individuals have had over 15 years to adapt to and familiarize themselves with. 

Our comments on the Questions for Reflection follow.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

Enhancing Consent

We concur that given the complexity of business relationships and the advent of complicated algorithms that can connect disparate pieces of non-personal data to synthesize personal profiles, informed consent is likely no longer a reasonable expectation of individuals in the absence of decision-making support. That said, we strongly support the view noted in the discussion paper that “consent should not be a burden for either individuals or organizations” and that a balance needs to be achieved “between an individual’s right to privacy and the organization’s need to manage personal information for reasonable business purposes.”

In order to accomplish this, it would seem that individuals should not only be informed of the potential uses of their information, but organizations should also be able to select the methods of communication and data management that best fit their business model and circumstances. We have concerns, therefore, that mandating the adoption of particular practices to accomplish this without taking into account factors such as the nature, sensitivity and source of the personal information being gathered, as well as, the resources available to manage them, may be impractical for some organizations, unnecessarily creating both financial strain and additional regulatory burden.

Our preference would be to see enhancements made to the current consent framework that improve an “individual’s practical ability to exercise meaningful consent.” Therefore, we favour the OPC’s suggestion that “organizations should endeavor to convey privacy information at key points in the user experience to help users overcome the challenges of trying to understand complex information flows.” Moreover, such a “just-in-time” approach to privacy protection could be supplemented by the inclusion of a prominent summary of the salient points of an organization’s privacy policy, as well as, a list of changes from previous versions that draws attention to important concepts.

Similarly, we are of the opinion that Privacy by Design, or “PbD,” should be encouraged as a “best practice” and not be a legislated requirement. The operational benefits that will accrue to organizations that incorporate compliance measures at the development stage of new products/services will provide a natural incentive to adoption.

Alternatives to Consent

As mentioned in the paper, “pseudonymised” data poses a higher risk of re-identification than truly “anonymized” data, as it includes subsets of facts specific to de-identified subjects. Since this risk of re-identification will continue to increase over time as access to additional data sets grows, it would seem reasonable to adopt an approach that requires information at the greatest risk of being re-identified to be subject to the greatest protection.

To that end, the criteria used in determining the risk associated with re-identification should focus on the sensitivity of the information and the potential impact that re-identification would have on the data subjects. In order to promote a consistent approach across organizations in this regard, we recommend that the OPC devise a tool/template that could be used for this purpose, outlining the specific factors to be considered in the assessment.

In our view, the requirement for consent should also be driven by the type of information contained within the data set and risk of re-identification it poses. Such a “risk based approach” to obtaining consent, could for example, be structured so that there is integration between the purpose for which the data was collected and the level, or nature, of consent required.

For example, this could mean that implied consent can be relied upon when use of the data is consistent with the purpose for which it was collected, and the information is nominal and will be anonymised or pseudonymised. However, should there be a moderate to high risk of re-identification, and the information is considered to be moderately to highly sensitive, then express consent would be required for the collection, use and disclosure of the information. In addition, there could be certain types of data, or uses, that would be prohibited under any circumstances, with or without express consent, i.e. a true “no-go” zone.

The effectiveness of such a scheme would be dependent on the clear and precise understanding of what constitutes “sensitive information.” Though typically thought of as medical, financial, or ethnic information, the sensitivity of data is often situational, as the discussion paper points out, so it may be necessary to have sector-specific variations of this definition.

As well, we suggest that measures that deter or present barriers to re-identification, such as appropriate policies and procedures, as well as, contracts with provisions that prohibit attempts at re-identification when information is shared between organizations, be required elements in organizations’ privacy frameworks.

“No-Go” Zones

With respect to true “no-go” zones, we are supportive of prohibitions similar to those included in the OPC’s policy position on Online Behavioural Advertising that prohibit tracking of children and require the use of tracking devices that are controllable by the individual. We also suggest a prohibition on the collection, use, or disclosure of information without consent, if re-identification would pose a real risk of significant harm. The reasonable person test could be used to judge such information.

While we have no specific proposals on whether there should be further rules on certain types of information or uses, we would like to suggest that “respect for context” as included within the proposed U.S. Consumer Privacy Bill of Rights Act may be something worth considering in the Canadian context, as it would ensure increased transparency to individuals in cases when the use or disclosure does not respect the context.

Codes of Practice

Credit unions would be supportive of sector specific codes of conduct, if they are developed in conjunction with the target industries. We believe that they can provide a useful tool in establishing industry best practices when formulated in this manner. In the past, the CSA has coordinated the establishment of industry working groups that have developed such sectoral codes and we would welcome them playing a similar role again should the OPC decide to move forward with this initiative.

That said, the Model Code for the Protection of Personal Information started as a voluntary code, and has now been incorporated into PIPEDA. Amending it within the legislative context could also prove to be useful, although in a less industry-specific way.

With respect to enforcement, the Financial Consumer Agency of Canada (FCAC) has typically administered federally regulated organizations’ compliance with the voluntary codes that it oversees. If a national code is developed, it would make sense that the FCAC also be the oversight body. Organizations/sectors that are not national could belong to an association that could play the oversight role on a self-governing model.

Privacy Trustmarks

The creation of a third party trustmark, or “seal of approval,” that an organization could apply for and then display, would give customers assurance that the organization is meeting a certain standard for privacy management. Such a program could provide independent assurance that the organization is following best practices.

But for this to happen, the trustmark certification process will not only have to be respected by the privacy community at large, but organizations will also need to see a benefit in certification under a privacy seal program. To encourage participation, the OPC will at a minimum have to build awareness of the value of the mark with consumers. As well, the OPC will have to recognize the trustmark as a sign of commitment to compliance in the organizations that choose to certify, and further acknowledge that certified organizations have committed to certain elements of personal information protection that are consistent with PIPEDA requirements.

However, certification should not be made mandatory, but rather used as a marketing advantage to attract consumer participation. We expect that a third party will need to work with the OPC in establishing the criteria for certification.

Ethical Assessments

The frameworks developed by organizations such as the Centre for Information Policy Leadership (CIPL), the Future of Privacy Forum (FPF) and the Information Accountability Forum (IAF) may be useful in providing structure to the assessment of risks and rewards associated with the usage of personal information specifically in regard to big data. However, we do not see an ethics board for the private sector working from a practical perspective: organizations will be hesitant to use it due to competitive/proprietary issues. Self-regulation could be a practical solution for organizations, since it is not readily obvious to us how the OPC could monitor compliance without great administrative effort.

Lastly, we would like to bring to your attention the need for greater consistency and better alignment between federal and provincial legislative requirements. Currently, the differences in requirements from province to province and federally create compliance challenges for organizations that operate in multiple jurisdictions.

Thank you for the opportunity to provide feedback on these issues. We welcome the opportunity to provide comments on any specific changes proposed to PIPEDA that result from this consultation.

We would be pleased to meet with you to further discuss our responses.

Yours sincerely,

Brenda O’Connor
Vice President, General Counsel
& Corporate Secretary
Canadian Credit Union Association

Date modified: