A Risk Based Approach for Accountability and Compliance

Remarks at the 35^th International Conference of Data Protection and Privacy Commissioners

September 26, 2013
Warsaw, Poland

Address by Chantal Bernier
Assistant Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

It was with great enthusiasm that I accepted this invitation because, like many other DPAs, the Office of the Privacy Commissioner of Canada is in the middle of adjusting its response measures to what is really a situation of unprecedented risks.

Just to put us in context, I would describe these unprecedented risks into five main pressure points, as we see them in our everyday work:

1. The diffusion of public safety threats, going from clearly defined entities such as states, to dispersed individuals, which increases state appetite for personal information, supported by fast evolving surveillance capacity. This certainly impacts the context of our Privacy Impact Assessment (PIA) review.
2. The perfect storm of vulnerability of technological platforms, expansion of criminal opportunities in personal information trade, and massive potential for dissemination, redefines our reaction to breaches.
3. The increase in criminal activity surrounding personal data trafficking: even though crime rates are constantly declining, notably because of better physical security measures, criminals are increasingly turning to Internet fraud.
4. The persistent complacency of data holders in the face of these privacy risks compels us to spell out, more specifically than ever, our expectations upon data holders.
5. Finally, the diversity of threats to privacy that comes from these pressure points.

To respond effectively to these pressure points, our Office has been focusing on clarifying its methodology to hold data holders accountable and to calibrate our compliance action in a new context for privacy risk management.

In this presentation, I will describe this methodology. In the interest of time, I will focus on the application of our approach to the review of PIAs and to the handling of privacy breaches.

I. THE OPC RISK-BASED APPROACH

I chose to focus on PIA reviews and reaction to breaches because each function brings to light a different category of risk:

• PIAs address risk related to legitimacy, as well as data protection;
• Reaction to breaches squarely addresses risk related to protection.

1. PIA Reviews

In Canada, any federal government institution that adopts a new initiative or modifies an existing one in a manner that may impact on privacy, must submit a PIA for our review.

The risks at issue in this context relate both to democratic values and to individual data protection, particularly in the case of public safety or national security initiatives. Because the ground is shifting in this area, we felt the need for a solid anchoring to assess and address risk and to calibrate compliance action risk. Consequently, we have issued a reference document entitled A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century, which we use to review PIAs or any policy or legislative proposal. It breaks down risk assessment into four steps:

• First, we challenge legitimacy: Is there empirical evidence that the measures are necessary, proportionate, likely to be effective and the least intrusive option?
• Secondly, we verify whether the organization assessed privacy risks and developed appropriate risk mitigating measures.
• Thirdly, we assess program accountability, particularly in cases of outsourcing.
• Fourthly, we assess oversight: As applicable, we call for external review structures, an “architecture of protection” to use Daniel Solove’s terms, that ensure proper checks and balances.

To calibrate our compliance action according to greatest risk:

a) We review PIAs on a priority basis according to the following triage factors:

• whether the privacy risks fall under one of the four priority areas where our Office has identified highest privacy risks, namely public safety, genetics, information technology and identity management;
• the number of people that would be affected;
• the sensitivity of the information at play;
• parliamentary, media and public interest to ensure we respond to the concerns of Canadians.

b) We have adopted a system to follow-up on the implementation of our recommendations.

c) We report to Parliament on our main findings.

d) In high risk cases, we follow up with an audit to ensure compliance. By way of example, after our PIA review of the Passenger Protect Program (“no-fly list”) in 2007, and of body scanners, in 2009, we proceeded with audits in 2009 and 2011 to verify compliance.

2. Reaction to breaches

In relation to breaches, our focus is on individual risk for data protection which we assess according to a framework based on three main pillars:  

1. Physical protections;

2. Technological safeguards; and

3. Administrative measures sufficient to address risks including, policies and procedures, accountability frameworks, compliance monitoring, staff training, outsourcing guidelines and breach response procedures.

To calibrate our reaction to breaches, we have developed a risk based approach which is inspired on a risk mapping model developed for the Centre for Information Policy Leadership by Richard Thomas, which consolidates other risk models, in particular the very comprehensive Guide produced by the Commission nationale de l’informatique et des libertés in 2012.

The risk mapping rests on two factors: impact and accountability.

Impact is based on possible harm to individuals. It can be tangible or intangible.

Accountability refers to the governance framework for data protection.

We assess the severity of the breach on a scale from negligible to severe risk, examining accountability and impact separately, then calibrating our potential action based on a scale for each:

• Negligible risk, where accountability is so robust to address all identifiable threats and where possible harm to individuals is very remote;
• Limited risk, where accountability is robust but does not address 100% of identifiable threats, and where possible harm may be overcome with little difficulty;
• Significant risk, where the accountability frameworks only partially address threats, and where individuals may suffer significant consequences;
• Severe risk, where there are no or very limited policies and procedures for protection of privacy, and where severe harm may be caused.

I would like to clarify two points:

• In relation to assessing impact, we do not look at materialization of harm – first because it is very difficult to assess; in fact, hackers often sit on the information they have stolen for a long time before using it, precisely not to be linked to the breach – and secondly, because the mere creation of a vulnerability of personal information constitutes harm in itself.
• In relation to accountability, consider both breach response and existing safeguards at the time of the breach: a data holder demonstrates its level of accountability for protection of privacy as much in how well and promptly it reacts to a breach, as how diligent it was in efforts to prevent it.

Depending on our risk assessment on that scale from negligible to severe, we calibrate our compliance action to ensure highest efficiency.

Here are some concrete examples from, say, “softer” to “firmer” compliance action.

III. TAKING ACTION ON THE BASIS OF RISK

1. Web leakage

Inspired by international studies that found many websites disclosed users’ personal information to third-party sites without proper consent, we recently reviewed several popular Canadian websites to determine whether “web leakage” was an issue in Canada.

Our technologists identified privacy concerns with 11 sites. We found a lack of transparency of privacy policies and some technological shortcomings which lead to the disclosure of e-mail addresses, names and physical addresses to third-party advertisers. On the basis of the risk mapping I described, the shortcomings in accountability and the possible harm to individuals could be described as limited.

We felt that the level of risk warranted softer compliance action, one we call “structured dialogue”. We contacted each company by letter, informed them of the shortcomings we observed, recommended corrective measures and only closed the files when we had received assurance from all websites that the corrective measures had been implemented.

“Structured dialogue” covers situations where there is a risk to privacy protection and a need for corrective measures, and is appropriate for the level of risk and for the objectives we wish to achieve.

In this case, we obtained compliance at lower cost for Canadians and with full cooperation of data holders.

2. LinkedIn

The second example I will provide is our risk assessment in relation to the LinkedIn breach of June 2012.

You may recall that in that case LinkedIn suffered a criminal intrusion when they had 6.5 million passwords stolen and posted on the Internet. We looked at possible impact and we looked at risk management at LinkedIn. We observed certain safeguard shortcomings, but LinkedIn demonstrated excellent breach response and they were totally forthcoming with us.

As was the case with web leakage, we felt that any risk management failings and potential harm were limited.

Again, we chose to engage in a structured dialogue — but this time an enhanced version, since we considered the level of severity of any potential harm to individuals was higher. We brought in our three provincial counterparts who have jurisdiction over the private sector, namely British Columbia, Alberta and Québec. Jointly, we recommended some improvements on safeguards but felt that the organization’s breach response demonstrated a high level of accountability, and no jurisdiction undertook an investigation.

LinkedIn accepted our recommendations and in fact introduced enhancement to its safeguards during the course of our action.

3. WhatsApp

By comparison, the application of our risk mapping showed a higher level of risk in relation to the state of WhatsApp before our joint action with the Dutch DPA.

You may be aware that in early 2012, Canadian and Dutch DPAs agreed to conduct separate but coordinated investigations on a common respondent, WhatsApp, a California-based developer that sells a smartphone messaging app.

Our concerns about WhatsApp led us to discover that:

• Messages – therefore content data – were sent unencrypted,
• A user’s whole address book had to be uploaded to the app, including the contact information of non-users; and
• User status updates were visible to all WhatsApp users, not just the user’s contacts.

On the basis of the risk map, failure in risk management – such as lack of encryption – would be qualified as significant. Severity of harm – such as the fact that a person’s status and location could be widely broadcast – would also qualify the severity of harm as significant.

In that case, we decided to proceed with an investigation. We also decided to name WhatsApp publicly as allowed under our legislation when we consider it is in the public interest to do so. WhatsApp has committed to implementing our recommendations.

4. Staples

Continuing on this progression from softer to firmer compliance action, the last example I will share is our audit of Staples, an office supply store, with franchises in several countries.

In that case, in two investigations we found that Staples had sold used computers without properly eliminating the information of the previous owner.

An application of the risk map would, in my view, qualify severity of the possible harm as significant since entire contents of personal records were disclosed. The failures in risk management are severe considering the lack of monitoring to ensure all resold computers were wiped, the insufficient training in that regard and, of greatest concern, the fact that the findings of our first investigation had not been acted upon and had led to a second complaint.

We proceeded with our most forceful compliance action: an audit that was made public and we required Staples to produce, within a year, a third-party audit to demonstrate that all our recommendations had been implemented.

Staples did comply and produced an independent audit demonstrating the implementation of all our recommendations.

CONCLUSION

We are still refining our approach but to conclude let me share with you some preliminary thoughts on our experience so far:

1. Going back to my first point about unprecedented privacy risks, both in nature and in degree, we find that a clear risk assessment framework grounds our analysis in a way that ensures an approach that is both consistent and adaptable in the face of fast paced change.
2. Risk mapping also allows us to calibrate our compliance action to respond to an unprecedented diversity of privacy risks and to ground that calibration in clear, transparent decision-making
3. This calibration of compliance action has allowed us to bring compliance at lower cost and effort, in a more strategic way: I mentioned web leakage and LinkedIn, where corrective measures were adopted within weeks of our dialogue, but I also could have mentioned fast-food chain A&W who changed its privacy policy within days of us issuing the results of our Privacy Sweep, an action which itself took less than a week.

In short, I would summarize our experience so far with this risk mapping approach as the exact illustration of the title of this conference; in the face of unprecedented, fast-evolving risks, it is a compass in a turbulent world.