Next-Level Privacy Maturity Models: Integrating an Ethical Perspective

Remarks at the Ethics Essentials Conference

Ottawa, Ontario
March 27, 2014

Address by Patricia Kosseim
Senior General Counsel and Director General, Legal Services, Policy and Research Branch

(Check against delivery)

---

Introduction

Thank you for your kind invitation to be here today and to participate in your conference on Ethics Essentials: Managing Ethical Responsibility and Accountability in Government, Crown Agencies and Civil Society.  More specifically, you have asked me to address the “Next Level of Sophistication in Privacy Protection”.

I have long believed that respect for privacy is founded not only on black letter legal obligations, but on foundational ethical and moral obligations as well.  As you could tell from my bio, I have been keenly interested for some time now in the broader legal, ethical and social dialogue about privacy – a balanced dialogue which is inclusive and integrated, at the interface between society and emerging technology, that helps inform and support responsible innovation not only for us, but for future generations as well.  

Too often, privacy conversations are overly preoccupied with the exact wording of statutory laws and regulations, in an effort to determine what we minimally must do in a given case.  While necessary to reduce risk of legal liability, this type of discourse unduly narrows the dialogue -- whether intentionally or not -- excluding the more important ethical question of what should we do in the circumstances? 

The Right to Privacy

It is now well established by the Supreme Court of Canada that the right to privacy is a fundamental value in a modern, democratic society.  “Grounded in man’s physical and moral autonomy, privacy is essential for the well-being of the individual.  For this reason alone, it is worthy of constitutional protection, …(and) has profound significance for the public order.”

A recognized corollary to the right to privacy is the right of individuals to access information about themselves held by others in order to be able to verify and challenge its accuracy.

And a further corollary to that is the need for transparent mechanisms to notify individuals this information even exists, with effective oversight to ensure accountability on the part of those who collect, use and disclose it.

While these values form the fundamental bedrock on which we stand, the context in which we try to apply them moves like quicksand under our feet.  The nature and pace of change we are witnessing in our lifetime are unprecedented.    

Recontextualization

While it may now be trite to point out the changes brought on by ubiquitous computing, they are far from trivial.  Social media platforms, audio/video/aerial/internet surveillance, behavioural tracking and facial recognition, mobile apps, smart devices and the internet of things have completely altered how we go about living our daily lives, our interactions with employers, our relationship with the state, our dealings with businesses, how we learn from, relate to, and communicate with, one another.

The once bright line between the public and private sectors is now getting blurred as governments turn increasingly to private actors to outsource certain processes or functions.  Airlines, banks, utility companies and internet service providers have become indispensible tentacles for extending state reach and gathering intelligence for law enforcement and national security purposes.  In his Twentieth Annual Report to the Prime Minister, the Clerk of the Privy Council calls on Federal Public Servants to “embrace enterprise approaches” and draw lessons from the private sector on how to improve productivity, efficiency and client service through innovative information technologies.

The separation we once strived to maintain between our public and private lives is becoming harder and harder to keep.  As Big Data and power of analytics become more powerful and sophisticated, disparate bits of our online and offline selves get pieced together to create a fuller portrait of who we are (or at least how we appear to be to others).  Our web-browsing history, socio-demographic data, real-time location data, travel patterns, financial transactions, purchasing habits, computer meta data, biometrics, etc. have unprecedented value to both commercial organizations and governments, including foreign governments in some cases.

The changes we are seeing call for a recontextualization of our understanding of privacy. 

Back to Basics

But what does recontextualization mean?  Too often, people throw up their arms and sigh in discouragement, wondering if privacy even exists anymore.  “Kids don’t care about privacy – just look at what they put out there on Facebook”, is a misguided refrain we hear far too often. And then there are influential business leaders whose cavalier quotes unfortunately get picked up and repeated:
“You already have zero privacy.  Get over it.” – Scott McNealy, CEO of Sun Microsystems

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” – Eric Schmidt, CEO of Google

But just because the context has changed, doesn’t mean our core values have.

People do still care about privacy – and increasingly so.  A public opinion survey commissioned by our Office last year found that two-thirds of Canadians are concerned or extremely concerned about the protection of their privacy. 

Seven in ten think that their personal information is less protected than it was ten years ago, while a slightly higher proportion (71%) think that protecting personal information will be one of the most important issues facing this country in the next 10 years. 

Businesses themselves have caught on to the fact that there is a return to be made on privacy investments.  Through advertisements, companies appeal directly to consumers’ need for protection putting themselves forward as having a competitive advantage over others.  I doubt very much there’d be any money making proposition in this claim at all if individuals simply didn’t care about privacy.

Research under our Contribution Program demonstrates that kids do care about privacy, even though the concept may be a relative one for them, and even though they may choose to express it differently.

And the Supreme Court of Canada recently affirmed in a case involving strikebreakers being photographed on a picketing line in front of a Casino entrance that individuals do not lose their privacy interests just because they are out in public.

Recontextualization is not about watering down or diluting privacy as being less important, but rather, it’s about giving practical meaning and life to privacy principles in a way that takes into account the new reality we live in.

Against this backdrop, let me go on then to answer the specific question you have asked me:

How do you get to that Next Level of Privacy Sophistication? 

The Next Level of Privacy Sophistication

No doubt there are many smart businesses and entrepreneurs out there who have developed very colorful and visually-appealing maturity models for organizations and government institutions to use when assessing the state of their “privacy health”.  It is not my job to endorse any one of them over another. 

However, if you ask me to propose a privacy maturity model that assesses what I think is the “next level of privacy sophistication”, I would want to see three aspects included: Accountability, Leadership and Ethics.

Increased Accountability

Time after time, our Office has reiterated the importance of “walking the talk” when it comes to privacy.  Too often we see wonderfully crafted privacy policies and procedures on paper, but then find out they were not followed in practice.  The failings that occur are often at the implementation phase where employees are not trained, insufficiently trained, or even when trained, choose not to follow organizational protocols in a culture where there are too few reminders and too little consequences.

A recent example of this reality can be found in the Commissioner’s Report of Findings in the Employment and Social Development Canada (ESDC) breach released just this week.  You will recall this investigation was initiated when the Department reported that a portable hard drive containing the personal information of 583,000 student loan recipients went missing last year.   Among other personal data, the portable hard drive contained Social insurance numbers, names, dates of birth, home addresses, telephone numbers and student loan balance information. 

The report, which was tabled Monday in Parliament, and which is available on our website, details how the hard drive, that was neither password-protected nor encrypted, was left unsecured for extended periods of time.

The investigation found a gap between policies and practices which led to weaknesses in physical, technical and administrative controls and a low level of employee awareness of departmental policies and procedures.

While ESDC had privacy and security policies which on paper met the Government of Canada’s requirements for the protection of personal information, it essentially failed to translate its own policies into meaningful business practices.

A private-sector equivalent of this example is our Office’s investigation into the Google WiFi matter a couple of years ago.

In 2010, Google discovered that, in an effort to collect publicly broadcast information from Wi-Fi access points to enhance the company’s location-based services, its Street View cars had collected actual email content (i.e., “payload data”) transmitted over unsecured wireless networks.

Following an investigation, the Privacy Commissioner found that the company had contravened federal privacy law by collecting personal information without consent, including highly sensitive information in some cases. 

The Google engineer who developed code for sampling categories of publicly broadcast Wi-Fi data as part of an experimental project, also included code allowing for the capture of payload data -- thinking this might be useful to Google in the future. He identified what he believed to be “superficial” privacy concerns, but contrary to company procedure, failed to bring these concerns to the attention of Counsel whose responsibility it would have been to address and resolve them prior to deployment.

Because of this employee omission, and the cursory oversight of managers which failed to catch it, the company’s privacy procedures were never triggered as they should have been before product launch.

In both these cases, as in many others, the companies agreed, through the intervention of our Office, to take it up a notch and strengthen their internal governance and accountability mechanisms.

The adoption and incorporation of Privacy By Design Principles endorsed by unanimous resolution of International Data Protection Commissioners in Jerusalem in 2010, are a means by which organizations and businesses can embed privacy protection into new information technologies at the early stages of product or service development, before they are deployed in the market.

In addition, our Office has a number of helpful resources for business and governments to enhance their privacy accountability structures, processes and cultures.  Getting Accountability Right Privacy Management Program and our Interpretation Bulletin on Accountability are helpful tools for organizations interested in taking privacy protection regimes to the next level of sophistication to ensure accountability measures are not just empty claims, but can be demonstrably and meaningfully implemented in practice.  

Lead with Courage

While effective privacy maturity models help ensure compliance with existing laws and regulations in order to “get it right” a more sophisticated level of privacy protection helps guide institutions and organizations “to do the right thing”.  Leading with courage helps foster respect for privacy and build a culture and understanding of its importance, over and above the written letter of the law.

For instance, it is very revealing to see which organizations and government institutions choose (or not) to come forward to report privacy breaches to our Office, and/or to notify affected individuals.  Even though they may not be legally required to do so (or at least not yet), several do on a voluntary and proactive basis.  Recognizing the importance of transparency and taking seriously their responsibility to be held accountable, they choose to report the breach and notify individuals who could, once informed, take the necessary mitigating steps to minimize the risks of harm.   

While some do this to avoid potential common law liability or to reduce reputational hits to their organization, one would hope somewhere in a boardroom somewhere is a CEO or senior public servant advocating in favor of “doing the right thing”.

Organizations and government institutions that have voluntarily and proactively invested in the development of privacy breach protocols and processes for effectively and expeditiously responding to privacy breaches will be that much further ahead should privacy reporting eventually become mandatory.

Another example of leading with courage in the area of privacy that comes to mind is the example of our own office and its privacy and access to information responsibilities.   Well before the introduction in 2006 of Bill C-2, the Federal Accountability Act which brought our office under the Privacy and Access to Information Acts, our Commissioner at the time had already begun inculcating a culture of public accountability, getting us to manage ourselves in the spirit of transparency as though we were already subject to Privacy and Access to Information laws. 

Courageous leadership is also evident from the level of investment organizations or institutions choose to put towards privacy protection.  The sad reality, as we have been told by a number of “insiders”, is that for-profit businesses need to focus on the bottom line.  If they have to make trade-offs between complying with federal privacy regimes where there are not likely to be significant financial consequences if any, and other legal compliance regimes with heavy fines or administrative penalties attached, they will tend to direct resources to where it counts. 

But more enlightened business and government leaders do get it.  They understand the reputational impacts privacy breaches can have on their organizations and institutions, and more importantly, they understand the nexus of trust that must be preserved in their relationships with consumers or citizens, in order to achieve sustainable success in the long term.

A Next Level of Privacy Sophistication is one that invests courageously in its Chief Privacy Officer or ATIP Office and takes pride and value in the importance of this internal function.  A next generation privacy maturity model affords them the necessary resources, decision-making authority, leadership and independence needed to do their job in an effective and meaningful way. 

Integrate Ethical Perspective Up front

A third aspect one might consider including in a Next-Level Privacy Maturity Model is the integration of an ethical perspective in the corporate decision making process.  Privacy by Design principles discussed above help enhance accountability by addressing how privacy protection can be embedded right up front in the product development process.

Even prior to that however, it seems to me there is also room for more informed and inclusive dialogue about whether to even pursue the development of the product or service at all.  Just because we can do something, doesn’t always mean we should.

For decades now, the scientific research community has developed the concept of research ethics boards to review the ethical aspects of a proposed research project.  Many funding agencies require prior approval by these REBs before they agree to release funding. REB members bring diverse perspectives to the table and look at the ethical implications of proceeding with an experiment, weighing the potential benefits of the research outcomes against potential risks to research participants.  Recently, academics, data protection authorities and businesses themselves have begun to posit whether some equivalent is needed to help guide commercial organizations wanting to exploit Big Data in order to research and analyze consumer behaviour.

The concept of consumer ethics boards serving in an advisory capacity to corporations has been proposed as a means of helping them evaluate the broader implications of using personal data and making more deliberate choices about which “roads” they ultimately choose to go down or not.

Conclusion

In conclusion, it seems to me that a Next Generation Privacy Maturity Model is one that assesses the degree to which businesses or institutions can demonstrate meaningful accountability, lead with courage, and integrate an ethical perspective into corporate decisions about future products or services.

No constructive dialogue can come from alarmist views and doom and gloom perspectives.  Conversely however, we cannot hide our heads in the sand either.  Let’s not kid ourselves.  The kinds of incremental changes and decisions we are making today, as individuals, groups, businesses and governments will forever change the lives of our children. 

Pervasive surveillance technologies have the potential to alter not only how we express ourselves, but how we think and learn.  Children who grow up knowing their expressive activities are being tracked by others may over time alter their spontaneous behavior, creative thinking and experiential learning, including their ability or willingness to learn freely through mistakes. 

Internet users who understand their meta data and web browsing history are being collected by businesses and governments may stop looking for the kind of information they used to seek out in an effort to understand both sides of a societal debate that interested them so they could formulate a more enlightened view about it.  How much longer will they be able to look up information through anonymous means such as public libraries, brick & mortar bookstores, ol’ fashioned video stores or “dumb” tv’s?  How much time before these anonymous means become completely obsolete and what alternatives will they have then? 

Individuals whose location data is being tracked in real time through mobile devices and whose images could be captured and recognized through facial recognition technologies may over time limit the types of people they associate with and the kinds of activities they partake in.  How long will inclusive and diverse perspectives be tolerated if people worry about somehow, through social media, chat rooms, even emails, getting caught up within three degrees of separation from “persons of interest”?

What will happen to our notion of human solidarity and civil responsibility if we worry that donations we make to seemingly legitimate charitable organizations might somehow get caught up on the list of suspected terrorist organizations?

Privacy is indeed fundamentally important to a free and democratic society, and without it, many correlative freedoms are also at stake.  This is not alarmist, but nor is it trivial.  It is part of the broader ethical debate we need to be having about the kind of world we want to live in and leave behind for others.  Every individual, group, business and government department is a relevant participant in that debate and an active player in the decisions we make today that will affect how we live tomorrow.  Those are the kinds of perspectives and considerations I believe a next-generation privacy maturity model needs to take into account.