An Enhanced Governance Solution to Address Consent Challenges (Nymity)

Nymity

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Summary

In response to “Consent and Privacy, A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act”, issued by the Office of the Privacy Commissioner of Canada (OPC), Nymity proposes an Enhanced Governance Solution with advanced accountability mechanisms.

[Infographic: Increased Dependence on the Accountability Principle; Decreased Dependence on the Consent Principle]

This potential solution is for organizations processing personal data where meaningful consent is difficult or impossible to obtain. It is designed to ensure reasonable processing of data subjects’ personal data and strong privacy protection. It also provides the OPC and other regulators with advanced oversight capabilities.

This solution includes three advanced accountability mechanisms:

  1. Demonstrable Ethical Assessment Processes
    A governance approach that integrates the notions of fairness and ethics when balancing the organization’s needs to process data for legitimate business purposes with the individual’s right to privacy.
  2. Demonstrable Compliance Infrastructure
    Demonstrable and appropriate accountability mechanisms (a “compliance infrastructure”) that include putting in place responsible policies and practices, assigning ownership of those practices, and producing documentation aligned with the obligations under PIPEDA.
  3. Increased Role of the Privacy Office
    The Privacy Office “stands ready” to demonstrate an ethical assessment process and the capacity to comply with PIPEDA.

The potential benefits of this solution include:

For individuals:

  • Enables respect for individuals’ right to privacy
  • Furthers data protection
  • Furthers transparency

For organizations:

  • Provides responsible organizations a means to demonstrate accountability
  • Provides responsible organizations the ability to demonstrate their capacity to comply
  • Facilitates interoperability with other data privacy laws internationally

For regulators:

  • Provides OPC and other regulators advanced oversight abilities
  • May work with, or without, amendments to PIPEDA or other laws
  • Does not require codes of practice or certifications

This solution draws from Nymity’s many years of accountability research, including ongoing research for the EU General Data Protection Regulation (Article 24 - Responsibility of the controller), carried out by our team of former senior officials at Data Protection Authorities and our team of privacy professionals.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

Nymity is a global privacy and data protection research company with its head office located in Toronto, Ontario, Canada. For many years Nymity has conducted and published research in the field of demonstrating accountability and compliance. For example, in 2012 Nymity released the Nymity Privacy Management Accountability Framework™.

The area of “demonstrable compliance and accountability” is one in which Nymity has done extensive research on both the concept and the implementation. In fact, Nymity has been conducting research since the notion of demonstrating accountability to a supervisory authority was first introduced in the 2009 Madrid Resolution. In March of 2016, Nymity partnered with the International Association of Privacy Professionals (IAPP) and published the latest version of this research, which has two parts: the first is a set of accountability tools for privacy officers that provide an operationalized approach to privacy management accountability; the second is a set of tools that provides an accountability approach to demonstrating compliance with privacy laws. The tool for demonstrating compliance is based on the organization having a compliance infrastructure in place. This tool includes a Demonstrating Compliance Manual, training video and an Accountability Scorecard™. These resources are intended to assist organizations to demonstrate compliance. This public toolkit is a key component of the Enhanced Governance Solution introduced in this paper.

Over the past several years Nymity has been conducting specific research in preparation for the EU General Data Protection Regulation (GDPR). The ongoing research is now led by four former senior representatives from Data Protection Authorities (DPAs).Footnote 1 It is this research that has led Nymity to present its “Enhanced Governance Solution” as a potential means to address the challenges of meaningful consent outlined in the discussion paper “Consent and privacy – A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act” (OPC Consent Paper, the Paper).

Consent Challenges

According to the Paper, the consent principle is considered the cornerstone of the Personal Information Protection and Electronic Documents Act (PIPEDA). Some stakeholders, however, question the continued viability of the consent model in an ecosystem of vast, complex information flows and ubiquitous computing, as explained by the OPC in the Privacy Priority Setting discussion in 2015.Footnote 2 The challenge when using consent as the cornerstone of compliance is that it is difficult to obtain meaningful consent from all individuals given the complexities of developments like the Internet of Things and Big Data. This is made perfectly clear in the Paper. PIPEDA recognizes that the needs of the individual and the organization must be balanced, as it states:

“Purpose 3. The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”Footnote 3

If consent indeed can no longer be the cornerstone of this balance, it is time for accountability to become the new cornerstone. Like consent, accountability is also a principle in PIPEDA. For accountability to become the cornerstone, it needs to be operationalized especially for organizations involved in processing where obtaining meaningful consent is a challenge, such as big data.

Operationalizing Accountability

The solution presented in this paper is for organizations that already maintain fundamental data privacy accountability. For readers not familiar with operationalizing the accountability principle there are two key documents that should be reviewed:

  1. Getting Accountability Right with a Privacy Management Program
    In 2012, the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia worked together to develop this document with the goal of providing consistent guidance on what it means to be an accountable organization.Footnote 4 This document outlines what is expected of a core or foundational privacy management program.
  2. Nymity Privacy Management Workbook – A Structured Approach to Privacy Management Accountability
    Nymity’s research into operationalizing accountability, released in partnership with the International Association of Privacy Professionals, includes a set of tools to maintain privacy management accountability. One of the resources provided is a manual called A Structured Approach to Privacy Management Accountability – Getting Started Manual. This document provides the reader with a fundamental understanding of operationalizing accountability throughout the organization.

It is recognized that implementing accountability frameworks provides data protection to individuals. This has been validated by Nymity’s research and by Data Protection Authorities in the EU. For example, EU DPAs recognize that effective implementation of Binding Corporate Rules (BCRs), an accountability framework that was introduced without a change of the relevant EU legislation, provides adequate safeguards enabling data transfers within the accountable organization around the world. BCRs are currently only based on regulator guidelines, providing an interpretation of the legal requirement “to adduce adequate safeguards” to transfer personal data to countries outside the EU that do not have data protection legislation in place equivalent to that of the Union. Without BCRs, an organization would have to rely on some other legal means for data transfers with its branches outside of the EU, including consent in certain one-off situations. Therefore, BCRs are often used by organizations for data transfers of employee data, as it is recognized it is difficult to obtain meaningful consent in the employee context.

Nymity proposes an Enhanced Governance Solution which augments the GovernanceFootnote 5 solution “c) Ethical Assessments” as outlined in the OPC Consent Paper.

1. Ethical Assessment Processes

The concept of Ethical Assessments is presented in the Paper as a governance solution to the challenge of obtaining meaningful consent in the context of new technologies such as big data analytics, Internet of Things and other business models and factors. The OPC Consent Paper draws analogies to the existing ethical assessments (for example those currently carried out by research ethics boards) utilized in the scientific research community where it is difficult or not possible to obtain meaningful consent.Footnote 6

Our Enhanced Governance Solution is made up of three advanced accountability mechanisms. The first one is an ethical (self-)assessment, implemented via a demonstrable Ethical Assessment Process. In the Paper, reference is made to the work in this area of three organizations: the Centre for Information Policy Leadership (CIPL), the Future of Privacy Forum (FPF) and the Information Accountability Foundation (IAF). Nymity is a member of each of these organizations and contributes where possible to their research, and thus supports their contributions related to Ethical Assessment Processes and Ethical Frameworks.

Also, the IAF received funding for the OPC Contributions Program for independent research for the project “Big Data Ethics Initiative: Assessment for Canadian Organizations” which will contribute further to the Ethical Assessment Processes for Big Data. Nymity is a member of this project.

Enforcement Models

The OPC Consent Paper introduces a challenge to the proposed use of Ethical Assessment Processes by recognizing that “the process remains internal to an organization and the organization’s interest remain paramountFootnote 7” and therefore introduces the potential need for independent oversight bodies. Nymity’s research indicates there may be a practical, scalable and cost-effective alternative to independent oversight bodies. In addition, Nymity’s research shows that if organizations implement two additional advanced accountability mechanisms this may provide the additional oversight necessary to address the challenge posed in the OPC Consent Paper.

After all, accountable organizations will be able to provide useful information allowing a Data Protection Authority to monitor compliance levels. As already stated by the EU DPAs in their Opinion on Accountability, “data controllers will have to be able to demonstrate to the authorities whether and how they have implemented the measures, very relevant compliance related information would be available to authorities. They will then be able to use this information in the context of their enforcement actions. Moreover, if such information is not provided upon request, data protection authorities will have an immediate cause of action against data controllers, independently of the alleged violation of other underlying data protection principle”.Footnote 8

We believe the Enhanced Governance Solution will also allow organizations to be more accountable to individuals, because they are better aware of their own data processing operations. This allows for a quicker and more detailed response when individuals exercise their rights of access and/or redress, and a better explanation of the reasoning behind data processing when questioned. Accordingly, an ethical assessment does not in itself diminish the rights of individuals. The two additional advanced accountability mechanisms could provide the OPC with the additional oversight needed, and potentially an Enhanced Governance Solution established through guidelines and other means.

The Ethical Assessment Processes are the first part of our solution to reinforce accountability and address the challenges posed by consent in the current day and age. In addition, the two advanced accountability mechanisms discussed below will allow an organization to effectively communicate accountability and compliance to Data Protection Authorities and other stakeholders, as well as to the organization’s senior management. Our Enhanced Governance Solution is a combination of the Ethical Assessment Processes and two additional advanced accountability mechanisms: a Demonstrable Compliance Infrastructure, and an Increased Role of the Privacy Office.

2. Demonstrating a Compliance Infrastructure: “The Capacity to Comply”

The first additional advanced accountability mechanism of an Enhanced Governance Solution requires an organization to demonstrate a compliance infrastructure, in other words their capacity to comply, as touched on in the OPC Consent Paper.Footnote 9 In “Getting Accountability Right with a Privacy Management Program”, the concept of an accountable organization being able to demonstrate the capacity to comply was first introduced:

“An accountable organization must have in place appropriate policies and procedures that promote good practices which, taken as a whole, constitute a privacy management program. The outcome is a demonstrable capacity to comply, at a minimum, with applicable privacy laws.”Footnote 10

Former Information and Privacy Commissioner of British Columbia and now the UK Information Commissioner, Elizabeth Denham, spoke to investigating an organization’s capacity to comply in her keynote presentation to the 2014 CISO Executive Summit. She stated:

“In those investigations we took a more holistic view of these organizations’ overall privacy program – whether they had the capacity to comply with their obligations, and included specific recommendations to improve their security policies and practices.”Footnote 11

This first additional accountability mechanism of an Enhanced Governance Solution is described in detail in the Demonstrating Compliance Manual.Footnote 12 This Manual goes beyond detailing the concept of demonstrating a compliance infrastructure: it provides step-by-step instructions. This advanced accountability mechanism only works for organizations that operationalize accountability through the following three elements:

  • Responsibility
    Responsible organizations maintain the right set of privacy management activities.
  • Ownership
    An individual is answerable for the management and monitoring of each of the privacy management activities.
  • Evidence
    Documentation that is a by-product of privacy management activities is made available by the owner.

Once these elements are in place, the Manual shows how privacy management activities can be mapped to rule sources, in this case PIPEDA, resulting in a compliance infrastructure. Once the appropriate provisions in PIPEDA (the provisions that require evidence) are mapped to the appropriate privacy management activities (Mandatory activities), the organization has a compliance infrastructure and a demonstrable capacity to comply.

3. Increased Role of the Privacy Office

The Enhanced Governance Solution has a second additional advanced accountability mechanism. It requires an individual (the Privacy Officer) or a group of individuals (the Privacy Office) to stand ready to demonstrate the Ethical Assessment Processes and the Compliance Infrastructure, with the contextual understanding needed to communicate them to the OPC or another regulator. Our research indicates that the Privacy Office is in the best position to understand and articulate demonstrable compliance in the context of:

  • the rules of privacy law;
  • the organization’s business and data processing practices;
  • how privacy management is embedded throughout the organization; and
  • the risk of harm to individuals and the organization.

The Privacy Office has the appropriate context with the support of the actual owners of the data processing as well as evidence in the form of operational documentation. As discussed in the Nymity Demonstrating Compliance Manual, owners reside in the operational or business unit, for example Human Resources, Product Development, Marketing, Legal, Procurement, etc. It is the Privacy Office, and our research indicates only the Privacy Office, that can speak to the effectiveness of appropriate accountability mechanisms in achieving ongoing compliance and ethical processing.

Conclusion

Nymity continues its ongoing research related to demonstrating compliance globally. The research provided in this paper is considered a potential solution to address the challenges to meaningful consent, but should not be considered a solution for all organizations. The research presented has been implemented by organizations, in most cases international organizations that have also adopted Binding Corporate Rules. In these cases, the implementation of advanced accountability mechanisms has the benefit to the organization of enabling cross-border transfers, and to individuals of heightened data protection. Similarly, an organization that maintains an Enhanced Governance Solution as presented in this paper, in other words one that is proactively and demonstrably accountable, should obtain benefits such as assurance that it is processing in the spirit of PIPEDA where obtaining meaningful consent is a challenge.

As for implementation, the EU Data Protection Authorities implemented BCRs as an advanced accountability mechanism without legislative changes, even though BCRs are now codified in the GDPR. As such, the OPC may implement this solution through the traditional approach of publishing guidelines, or follow the EU example and implement new accountability mechanisms based on an extended interpretation of the current legislation.