Walk the Talk and Show It: Demonstrable Accountability for Data Protection
Remarks at the CCCA 2012 World Summit and National Spring Conference
April 17, 2012
Address by Patricia Kosseim
Senior General Counsel and Director General, Legal Services, Policy and Research Branch
(Check against delivery)
Getting Accountability Right with a Privacy Management Program
I am especially pleased today to announce the release of our new Accountability Guidelines, prepared jointly with the Alberta and BC Offices. We’d like to thank our provincial colleagues for their long-standing partnership and continuing efforts to coordinate action on private sector privacy issues. In particular, we acknowledge the foresight of the BC Privacy Commissioner who suggested this latest joint guidance.
These new Guidelines called, “Getting Accountability Right”Footnote 1 outlines what our Offices expect to see in a company’s privacy management program. The intention is to guide organizations to meet their obligations under applicable privacy laws, and more importantly, promote consumer confidence and protect what has become a most valuable business asset and global commodity -- personal information.
But why all this attention on accountability now? Accountability is not new. It’s been long recognized as a data protection principle since the OECD Guidelines of 1980 on which PIPEDA was modelled in 2000. In fact, accountability is the very first principle in PIPEDA signalling its importance as the very means by which organizations breathe life into all of the other the data protection principles.
However, it is sometimes the most critical things that fall into that bottom rung of “boring basics” – those “motherhood” principles everyone thinks are obvious and assumes are happening as a matter of course or already being taken care of by someone else – until they erupt in crisis that is. The challenge has always been to get organizations to say what they do and do what they say– ultimately, to accept accountability. But now the challenge is how to get organizations to show accountability.
How do you move from theory to practice?
The Building Blocks for a sound privacy management program begin with an organizational commitment to develop a privacy-respectful culture. This has to start from the very top – with real buy-in from senior management. Only then, could responsibility be truly delegated to a Privacy Officer, perhaps supported by a Privacy Office in the case of larger organizations. Designated privacy staff must have clearly defined roles and responsibilities, organizational support and adequate resources to ensure that privacy protection is built into every major function of the organization. Correlated to this, reporting mechanisms must be in place for monitoring compliance and escalating privacy issues back up to the right level of responsibility when actual or potential breaches are detected.
Next are the program controls, starting with a documented inventory of what personal information the organization holds, where it is held, its level of sensitivity, and the purposes for which it is being collected, used and disclosed.
Other program controls include: internal privacy policies on key aspects of data protection; risk assessment tools for identifying and mitigating privacy risks; updated and ongoing training requirements for all staff tailored to specific needs; incident response protocols in the event of data breach; and binding contractual arrangements with service providers and sub-contractors holding them to these same standards. Effective external communications are also critical for informing consumers what they need to know to provide meaningful consent.
Ongoing Assessment and Revision
Once the building blocks are established, an organization has to have a mechanism in place to monitor, assess and improve its program. This involves an oversight and review plan to evaluate, on a periodic basis, how well the organization’s program controls are working, measured against clear performance indicators and timelines. In light of changing threats and risks, organizations must update and fine-tune their controls to ensure they remain relevant, adaptive and effective.
All of this forms part of an effective privacy management program needed to achieve demonstrable accountability. A sound privacy governance structure has to be woven right into the organizational fabric and not just tacked on as an afterthought when systems can no longer be retrofitted and mistakes cannot be undone.
Demonstrable accountability does not add to the regulatory burdens on organizations; rather, it helps ensure effective compliance with existing ones.
And what are the benefits? Greater flexibility for organizations to develop scalable and proportionate programs tailored to specific realities; re-allocation of scarce compliance resources towards higher risk areas; more effective data protection on the ground; more constructive and transparent discourse with regulators; positive market differentiation from other competitors; stronger assurances for business partners; a basis for facilitating cross-border data transfers; and most importantly, enhanced trust and confidence of consumers.
Given the vast amounts of personal information held by organizations, the explosive increase in computing power, the heightened economic value of personal information as a new currency, and the significant risks and implications of data breach, the need to “get accountability right” has never been greater.
Interpretation of Accountability
In conjunction with the Accountability Guidelines, I am also pleased to announce our new Interpretation bulletin on AccountabilityFootnote 2 also up on our website as of today. Interpretations are occasionally issued by our Office on key concepts in PIPEDA once they have reached a certain state of maturity. They are issued when enough jurisprudence has been developed by the courts and/or through the Commissioner’s findings from which we could begin to derive general principles and codify their interpretations over time.
What the Courts have said
In a string of recent damages cases, the Federal Court of Canada has affirmed that organizations will be held accountable for failure to comply with obligations under Schedule 1 of the Act. It is no defence to claim adherence to industry standards if those fall short of PIPEDA requirements. Nor will practical necessity serve as a defence to absolve an organization from its obligations.Footnote 3
The Court also affirmed that an organization will be held accountable under PIPEDA for the wrongful actions of its employees, especially where employees try to cover up their wrongdoing.Footnote 4
The Court looked to the nature of organizations in setting its expectations of them and assessing the quantum of damages. For instance, in one case involving the improper use and disclosure of inaccurate credit reports, the Court held that “a credit reporting agency makes a profit from trading in personal information of others. Such business perhaps more so than others, ought to be aware of the need for accuracy and prompt correction of inaccurate information. Such businesses should expect to be held to account when they fail to do so.”Footnote 5
In another case involving breach of PIPEDA by a law firm, the Court held that lawyers, who provide “advice to clients who deal with the personal information of customers must be knowledgeable about privacy law and the risks of disclosure... The failure of lawyers to take measures to protect personal information in their possession may justify a higher award than that which would be imposed on others who are less informed about such matters.”Footnote 6
In assessing aggravating or mitigating factors, the Court looked closely to the organization’s actions in response to breach. An organization’s failure to accept responsibility for a breach, to inform others, to take prompt action to investigate and to rectify the situation all counted against it in the Court’s final assessment.Footnote 7
Commissioner’s Findings on Accountability
The Commissioner herself has had many occasions to reflect on the concept of accountability. Our new Interpretation bulletin on Accountability draws general principles from a number of notable investigation findings, but probably the most instructive example of an organization’s obligation to “walk the talk” was the Google Wi-Fi matter.
In May 2010, Google discovered that, in an effort to collect publicly broadcast information from Wi-Fi access points to enhance the company’s location-based services, its Street View cars had collected actual email content (i.e., “payload data”) transmitted over unsecured wireless networks.
On June 1, 2010 the Privacy Commissioner initiated an investigation, and in her report of findings a year later, found that the company had contravened PIPEDA by collecting personal information without consent, including highly sensitive personal information in some cases.
What makes this case illustrative of accountability is that this serious error could have been prevented if Google’s own procedures had been followed as intended.
Essentially, the Google engineer who developed code for sampling categories of publicly broadcast Wi-Fi data as part of an experimental project, also included code allowing for the capture of payload data -- thinking this might be useful to Google in the future. The engineer identified what he believed to be “superficial” privacy concerns, but contrary to company procedure, failed to bring these concerns to the attention of Product Counsel whose responsibility it would have been to address and resolve them prior to deployment.
Because of this employee omission, and the cursory oversight of managers which failed to catch it, the company’s privacy procedures were never triggered as they should have been.
The Privacy Commissioner recommended, and Google accepted, to safeguard and delete the Canadian payload data as soon as possible. The company agreed to improve its employee training programs and increase staff awareness. It also undertook to strengthen its privacy governance model by ensuring effective implementation of internal privacy controls; involving qualified privacy personnel in the review and approval process for new products prior to launch; and, holding senior management ultimately accountable for Google’s compliance with Canadian privacy law.
Given the seriousness of this incident, and recognizing the time it will take to implement her recommendations, the Commissioner intends to closely monitor progress. She has asked Google to provide her with the results of an independent third party audit in one year’s time to assure her that the company has indeed followed through on its undertakings and brought itself into compliance with PIPEDA.
This is in keeping with contemporary thinking around the globe today that in order for organizations to be held accountable for data protection, they ought to be able to demonstrate it. In the past, we may have taken organizations at their word when, during the course of an investigation, they promised to undertake certain corrective measures. On this basis, we would consider the matter “resolved”. Although we followed up in many cases, there is only so much chasing we can do after the fact.
Based on this and other experiences, we decided to revise our case dispositions. As of January 2012, the category of “well-founded and resolved” is reserved only for those cases where organizations have, at the time of issuing our report, concretely demonstrated that they have brought themselves into compliance. A new finding of “well-founded and conditionally resolved” will apply to organizations that have not yet implemented all recommendations at the time the finding is issued, but have made an express commitment to do so and to demonstrate its corrective measures within a specified time period.
Accountability – looking around
Having said all this, I would not want to leave you with the impression that Canadians are the only ones struggling with this issue. In fact, how to demonstrate accountability for personal information protection has been gaining steam internationally and has become a global preoccupation.
In January 2012, the European Commission released a proposed Regulation which would replace its earlier Directive and become directly binding on member states. At the urging of the Article 29 Working Party, the proposed EU Regulation requires data controllers to adopt policies and implement appropriate measures to ensure compliance and be able to demonstrate it. It also requires controllers to conduct privacy impact assessments where specific risks warrant it; maintain detailed documentation of their processing operations; and for those that employ more than 250 people, appoint a data protection officer with a requisite level of independence.
The proposed Regulation expressly incorporates Privacy by Design, an accountability concept originally championed by the Information and Privacy Commissioner of Ontario and unanimously adopted by International Data Protection Commissioners in 2010. The concept requires privacy protection to be built into programs and initiatives starting from conception. The idea is to be proactive, not reactive, preventative not remedial; to set privacy as the default setting; and to embed privacy protection into the very design of the system or technology and throughout the entire life cycle of the information.
The Regulation also encourages the establishment of third party certification mechanisms, and data protection seals and marks, as a way of allowing consumers to assess the level of protection being offered.
Asia-Pacific Economic Cooperation (APEC)
In November 2011, APEC leaders endorsed the development of a System of Cross Border Privacy Rules which gives effect to the APEC Privacy Principles of 2005, including Accountability. The purpose is to promote greater interoperability across global data privacy regimes and facilitate responsible information flows across borders. Work is currently underway to develop mechanisms for the mutual acceptance of cross border privacy rules among member economies participating in the System. One novelty is the introduction of Accountability Agents whose role it would be to certify that the privacy policies and practices of companies meet the baseline requirements of the Rules. To gain APEC recognition, Accountability Agents themselves would have to meet established criteria of independence and oversight.
In March 2012, the Obama Administration released a White Paper on “Consumer Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”. The Framework consists of a Consumer Privacy Bill of Rights that includes a principle of Accountability which affirms consumers’ right to have their personal data handled by companies with appropriate measures in place to assure their adherance to the other fair information practice principles.
The Obama White Paper also proposes to develop more detailed “codes of conduct” to be developed by consensus among relevant stakeholders and become enforceable under the FTC Act.
Accountability - Looking Ahead
So, as you can see, the world is setting the stage for next Act of Accountability. Many jurisdictions are currently exploring and experimenting with new approaches to strengthen accountability for data protection: the end game being organizations that not only walk the talk, but also have something to show for it. Canada will be looking at many of these ideas and experiences as we turn our minds to PIPEDA Review II. We certainly look forward to being part of that discussion, along with many other stakeholders.
Before closing, I would like to comment on the role of in-house counsel and your challenge in particular. There are many themes we have heard at this conference, and you could approach demonstrable accountability in just as many ways. If you approach it as a matter of compliance, you will do what’s required. If you consider it a question of legal risk management, you will do what’s needed. If you see it as an issue of social responsibility, you will do what’s right. If you look at it as an opportunity for innovation, you will do it better and smarter than everyone else, creatively distinguishing yourselves as courageous leaders who respect consumers’ privacy and warrant the trust they vest in you.
On this 100th anniversary of the Titanic tragedy, I will leave you with a metaphor to think about. A lot has been analyzed and documented in history about the shipbuilders in Belfast, the materials used, the design of the ship and the number of life boats included on board; the absence of modern lights and radar systems that today would have detected the iceberg sooner, even on moonless nights; the skipper at the helm who instinctively tried to steer away from the iceberg ripping through the entire side of the ship, instead of hitting it straight on as we now know is the proper course of action; the captain whose crisis leadership was put to the test in having to evacuate thousands of passengers from the ship, many of whom sadly never made it…
By comparison however, not much attention is paid to the iceberg itself. But here’s the thing. Far from being that stationary mass of ice we all picture in our minds, the iceberg itself was moving, alive with explosive energy trapped inside like a coiled spring. Having spent thousands of years frozen on the western coast of Greenland, scientists believe it calved off sometime in 1910, taking a year to leave the Fiord plowing across the sea floor. In approximately the fall of 1911, it would have gotten picked up by the powerful West Greenland current, first northward, then unpredictably coiling south along the eastern coast of Canada. Thousands of pieces of ice broke off and melted in the warmer temperatures along the coast, but the Titanic iceberg got pulled out to colder waters and continued to make its way south at 12 km per day for several weeks, past the Grand Banks and into the Atlantic shipping lanes where the famed Titanic met its tragic fate on April 15, 1912.
“Accountability does not wait for system failure”.Footnote 8 It requires anticipation of risks long before they materialize. No static risk detection process could have charted that iceberg en route. Only a dynamic process of anticipation, foresight and close monitoring long in advance could have helped avert the danger.
Thank you, merci.
- Date modified: