Standards Council of Canada
Office of the Privacy Commissioner of Canada
112 Kent St.
Place de Ville
Tower B, 3rd Floor
Reference: Standards Council of Canada comments on the Report on the 2010 Office of the Privacy Commissioner of Canada's Consultations on Online Tracking, Profiling and Targeting and Cloud Computing
Standards Council of Canada (SCC) welcomes the opportunity to comment on the OPC report on Online Tracking, Profiling and Targeting and Cloud Computing issues. This letter supplements the letter sent to the OPC on December 10, 2010 on the subject of Cloud Computing.
SCC is the coordinator of standardization activities in Canada. We accredit standardization organizations, verifying that they have the resources, structures and expertise to deliver trustworthy services. SCC also approves National Standards of Canada, and represents Canada in key regional and international standardization forums such as ISO and IEC.
The issues raised in the OCP report, such as privacy protection in Canada, online profiling and targeting, cloud computing as well as challenges posed by convergence of technologies, are all highly relevant from a standardization perspective. SCC is pleased to note the linkages created in the report between the development of new technologies, the challenges that this poses and the solutions that standards can provide.
By way of example, SCC and stakeholders in the national standards system recommend the development of an international management system standard for privacy and identification management based on the existing security standard ISO/IEC 27000 series. This approach would create consistency in how organizations implement an integrated management system for security, privacy, identification management and likely other similar needs. It would be beneficial from the regulators' perspective as the compliance factor would be addressed securing that the objectives and principles of regulation is met.
Also, as the user base of online technologies grows this might eventually lead to the establishment of a method for "policing" through peer assessment and audits. In this case, the standardization system would be able to assist through implementation of established procedures for personnel and management certification.
PIPEDA is based on standards for privacy, and as the report notes, has been working well. In light of the above, as PIPEDA moves towards the next review process, SCC would be happy to discuss with the OPC the value that standardization solutions might provide in this area (ref. page 6 of report).
As concerns Cloud Computing, the report rightly notes the need for standardization solutions as these technologies are developed and implemented. Canada is a participant to the international Joint Technical Committee 1 (JTC 1) that develops standards for the information and communications technologies including Cloud Computing. Standards in the Cloud Computing area will be required to ensure interoperability and consistency and to protect users' identify and information. In order to ensure the competitiveness of the Canadian ICT industry, industry and government in collaboration will need to secure the necessary funding in order to be present at the international negotiation table.
SCC would finally like to comment on the notion presented for discussion in the report that government undertakes to develop personal information security standards (ref. pages 41 and 45 of report). While government is certainly involved in standards setting, it by no means acts alone. Canada's voluntary standardization system is based on a process by which standards are developed through consensus by committees of affected stakeholders. These may include representatives from industry, governments, academia and the public interest. The committees are organized and managed by an organization that specializes in the development of standards – often one of Canada's four accredited standards development organizations.
The basic process by which a standard is developed is consistent among all standard development organizations, national and international. The following is a simplified breakdown of the process:
- Identification of the need for new standard
- Preliminary study and preparation of a draft outline
- Establishment of a committee (pre-existing or new)
- Committee meetings and consensus building on the draft
- Vote on the draft standard
- Publication of the standard
Standards development in Canada is in line with accepted international standards best practices. These requirements are derived from WTO/TBTFootnote 1 Annex 3 provisions and ISO/IEC Guide 59, "Code of Good Practice for Standardization". Traditional Canadian consensus principles of equal access and effective participation by concerned interests, balance of interests, and a mechanism for dispute resolution are also included as requirements of accreditation.
SCC will review standards submitted by standards development organizations for approval as National Standards of Canada. Key criteria for designation as a National Standard of Canada include:
- Subjected to public scrutiny
- Published in both official languages
- Consistent with or incorporates existing international and pertinent foreign standards
- Does not act as a barrier to trade
National Standards of Canada can be submitted to international standards development organizations for consideration and adoption as international standards.
Going forward, SCC looks forward to supporting the OPC on issues related to online tracking, profiling and targeting as well as Cloud Computing. We would be happy to assist with input on broader questions or comments that might arise related to privacy issues and concerns in general.
Managing Director, Standardization
- Date modified: