Michael Gilburt is a JD candidate at Osgoode Hall Law School.
On May 17, 2011, Ontario’s Information and Privacy Commissioner (OIPC) Dr. Ann Cavoukian released her report on the state of privacy protection in Canada. The Report articulated a clear message to public and private institutions: “be proactive” in protecting personal information and online privacy.
Dr. Cavoukian that a reactive approach to privacy protection, which relies on “legislation meant to safeguard privacy,” will not keep pace with “the flow of information and advances in technology.” As such, the Report calls on institutions to embed “default privacy and access within processes and technologies from the outset” in order to avoid privacy breaches and inefficiencies caused by requests for government-held information.
Dr. Cavoukian has characterized her proactive model for privacy protection as “Privacy by Design.” The Report suggests that Privacy by Design be used as a standard to assess all new products, technology or services. For instance, the standard would require a firm to request access to customer information and clearly explain how the data will be appropriated. By doing so, it is that firms will mitigate risk and revisit assumptions about how much personal information is necessary for the system to operate effectively. The end result, according to Dr. Cavoukian, will be a “doubly-enabling, positive-sum, win/win relationship.”
In support of the Privacy by Design approach, the Report highlights two case examples. The first involves the to embed privacy protection into their smart grid. The Corporation integrated a number of due diligence requirements into the initial planning stage in order to refine what customer information must be gathered and to design systems to protect the data.
A second case example was drawn from the Ontario Lottery and Gaming Corporation, which incorporated a privacy-protecting mechanism into its biometric facial recognition system (which is used to identify individuals who are banned from entering gambling institutions). If no match is found, the facial image is automatically deleted from the database.
The Report also highlights a number of key privacy policies in need of reform. Two salient issues include the protection of personal health information on mobile devices and the issue of standardizing the cost of health record access. The latter issue has been the subject of prior advocacy by Dr. Cavoukian, who has to establish a benchmark for access fees.
It appears that Dr. Cavoukian’s message has extended beyond Canada. The Privacy by Design concept has and was recently adopted as a resolution by the International Data Protection and Privacy Commissioners Conference. This summer, the OIPC intends to release a whitepaper on how a utilities provider in Germany has incorporated Privacy by Design principles into its organizational practices.
