If you’ve read anything about privacy in the last few years, you’re certain to have come across the name Dr. Ann Cavoukian. And if you don’t recall her name, surely you’ve heard of her concept of Privacy by Design. With all the data breaches we’ve encountered over the last several years and the most recent debacle with Facebook and Cambridge Analytica, the value of privacy has never been more clear.
Privacy by Design is the idea that every piece of technology, every website, every tool and process ought to consider how to incorporate concepts of privacy from day one and throughout the entire development process. Historically, many products and services have been, and continue to be, built such that privacy is an afterthought – once the product or service has been fully developed, people try to figure out how to retroactively apply privacy components. This strategy can easily lead to unnecessary collection of data, awkward programming work-arounds, and privacy policies that are far too complex for regular people to understand. By accounting for privacy from the start, through Privacy by Design, many of these problems can be prevented or simplified.
Ann’s career is impressive. She had Privacy by Design in mind before serving three terms and 17 years as the Information and Privacy Commissioner for Ontario, the largest province in Canada. Now, she is a distinguished visiting professor and Executive Director at Ryerson Universities Privacy and Big Data Institute. She is also a Senior Fellow of the Ted Rogers Leadership Centre at Ryerson University, and a Faculty Fellow of the Center for Law, Science & Innovation at Sandra Day O’Connor College of Law at Arizona State University.
Her awards are numerous and include being named one of the Top 25 Women of Influence in Canada, ‘Power 50’ by Canadian Business, Top 100 Leaders in Identity, and was awarded the Meritorious Service Medal by the Governor General of Canada for taking her Privacy by Design concept globally.
What’s inspiring about Ann’s leadership is that she never wavered from her commitment to Privacy by Design. Twenty years ago, digital privacy wasn’t a thing. AOL Instant messenger, Yahoo Messenger, MSN messenger, and LiveJournal existed. Skype showed up in 2003, Facebook in 2004, and Reddit and YouTube in 2005. To the average person 20 years ago, privacy was boring and manifested as physically locked filing cabinets in locked rooms – impenetrable without two keys. Yet Ann had the foresight to realize that planning for digital privacy would become paramount. She’s held strong to this message for more than two decades.
Today, her Privacy by Design strategy has traversed the globe and been translated into 40 languages. In 2010, International Privacy Regulators unanimously passed a Resolution recognizing Privacy by Design as an international standard. As we progress with integrating artificial intelligence, machine learning, and deep learning with our marketing technologies, we must take care to implement Privacy by Design. Not because regulators say we should, but because Ann has repeatedly demonstrated that it’s the right thing to do.
You can find Ann on Twitter, Linkedin, Wikipedia, at Ryerson University’s Privacy by Design Centre of Excellence where she is the Distinguished Expert-in-Residence, or her foundation Global Privacy and Security By Design.
You might like these posts too:
- Chemistry For The Greater Good: A leadership profile of Dr. Eugenia Duodu
- Why Love a Leader Anywhere Else: A leadership profile of Sleep Country Canada’s Christine Magee
- Leadership: Three Reasons to Believe in ‘the Why’
This post was written in my role as a consultant for Sklar Wilton & Associates. SW&A has worked for more than 30 years with some of Canada’s most iconic brands to help them grow their brand, shape corporate culture, build successful innovation, define portfolio strategies, and maximize research ROI. They offer strategic advice, business facilitation, research management, qualitative/quantitative research, and analytics. SW&A was recognized as a Great Workplace for Women in 2018, and the Best Workplace in Canada for Small Companies in 2017 by the Great Place To Work® Institute. Inquire about their services here.
Live note taking at the 2016 MRIA annual conference in Montreal. Any errors or bad jokes are my own. If you think any of this is legal advice, turn off your internet right now and grab a colouring book and crayons instead.
Panelists: Patrick Cruikshank, Eric Dolden, Derrick Leue, Serge Solski
- What is cyberrisk – extortion, online wire fraud, identity theft
- Legal trends – 3 claims per month for this legal speaker, Canada protects all aspects about a person including which brand of pop they like and what TV shows they watch not just their financial or medical records; doesn’t matter if it’s knowing or careless or preventable you are liable; if you give away confidential information even when you know it’s confidential, you are liable for the costs and profits
- Business don’t report every issue becaus it could put their reputation at risk
- Are market research companies too small for hackers to come after them? Absolutely not. Geography doesn’t matter. You are just a number on the Internet, crimes of opportunity. 80% of attacks are from external parties [yikes 20% are YOUR employees!]; They just need a door to get in and then they can figure out how to get $ from you.
- Newest legislation moved us closer to the American model. Snooping or taking of data without consent, there is an obligation ot report to privacy commissioner whether provincial or federal. If there is a possibility of harm, you are obligated to notify the persons that their information was compromised. Not every unauthorized access requires notification becuase there may be no risk of harm, whether physical, emotional, identify theft, financial loss, loss of business, reputational harm, risk of humiliations, loss of relationship, public safety or health. Snooping without taking also counts.
- PIPDEA protects only PII.
- Breach of confidence is different – giving away information knowingly, trying to get paid twice for the same thing, maybe it’s careless such as an email with an unintended recipient and that would be negligence
- [listening to these speakers makes me really wonder about what I have in my emails, how much PII or confidential information is in there? How many unintended people have I emailed?]
- [really glad MRIA included this session right after the main keynote. This is massively important and business threatening information that we all must know]
- Someone could easily lock us out of our own systems unless we pay them 500 000. Would we tell the right people because this would threaten your current and future business. It can make more sense to pay up rather than report it.
- In every case, even when there was zero harm, judges has said consumers are owed damages because their privacy was compromised, awards are around $5000 up to a high of $20000 in cases of deliberate negligence
- Look at known vulnerabilities like firewalls and failing to updates systems, employees need to know hot to avoid creating holes in the firewall, need to constantly update systems, make sure team doesn’t destroy evidence or you can’t prove that YOU didn’t do it
- Most canadians don’t have adequate insurance for cyberrisk, we’re covered for fire and injury and financial loss and liability but these don’t cover information loss, denial of service attack
- Better to have one insurance companies that covers all the issues as opposed to one covering physical loss, one covering information loss
- Human error is one of the best arguments for buying cyberrisk insurance
- Directors and officers have been named in claims for not being efficient in dealing with issues or not ensuring they stay up to date with issues – e.g., not responding after two reminders, not heeding recommendations
- Small companies probably won’t survive cybercrime while big companies might make it through
- EXPECT to be attacked, this is a hard fact. Be prepared because people and technology have weaknesses. Someone WILL click on that link and download that virus.
Live blogged in Nashville. Any errors or bad jokes are my own. Any typos are purely the fault of the iPad.
by Peter Milla and Dave Christiansen
CASRO has seen an increase in requests from clients and regulators for data privacy and security compliance
– code of standards
– safe harbor program
COmpliance means confirming to a rule, like a policy or law. CLients want operational transparency.
COmpanies will require 50 percent less business process workers and 500 percent more digital business jobs. especially regulatory analysts and risk professionals. These jobs are generally only in larger companies. This includes privacy officers.
Privacy and security are symbiotic. This can be a crisis for MR. Privacy is appropriate use of the data. security is the confidentiality and integrity of data.
– you cant just destroy data. what about all the backups. the saved copies that everyone has from their piece of the work.
– availability of data could impact life or death in some cases
What drives compliance
– client wants it [i hope vendors want it too. why is because clients want it?]
– legislation or regulation like HIPPA GLB COPAA FTC PIPIDA. you could be accused of unfair trade practice for discontinuing a poor responder.
– gain a competitive advantage
[wow, typing on an iPad keyboard is quiet and completely unobtrusive when you lay it flat! But i cant put pictures or links easily. Sorry.]
ISO 27002 – you cant be certified, you can be compliant
HIPAA compliance case study
– business associates now face liability. Uses not in accordance with BAA. failure to limit PHI. failure to provide breach notification. failure to provide HHS access when required. failure to comply with security rule.
– many companies state one year but they keep it forever
– Protected Health Information PHI.
– employees don’t usually intend to make errors, they just don’t know
– no easy checklist of requirements
– does offer a set of principles. instruction is to take necessary steps to disclose minimum necessary information
– much is process based
HIPAA security rule compliance
– risk analysis – evaluate likelihood of risks, implement appropriate security measures, document those measures, maintaining continuous review and assessment, ensure access control and integrity control, ensure transmission security, keep documentation up to date
BLUE CROSS – just had a breach that affected 80 million US citizens, 25% of the population. names, SIN, birthdays. be sure to use your free annual credit report. Take advantage of free credit monitoring. monitor your children as well. be alert when filing your income taxes.
Top security trends
– cybercrime, privacy and regulation, third party provider threats and breaches, BYOx in the workplace – Bring Your Own Device [like i’m doing right now. are my office security systems on my personal tablet?]
[note to self and everyone. turn the GPS off all of your devices. it is not necessary that every software program knows where you are, where you live, where you work, where your kids live]
Advanced Persistent Threat – APT
– china and Russia and Iran have active cyber espionage, aligned in every industry to take whatever they can, causing information security bar to be raised
CLients expect all their information is safe. need a dedicated person or team. CISSP, CISM, CISA, ISO, SDLC. [we have this person. they went to every single office in every country over the last couple weeks to remind every single person just how serious security issues are.]
[everyone should have come to this session. i don’t care if you think you’re doing fine. you need persistent reminders of just how worried you really ought to be.]
Information security is not IT security. spans people processes and technology. its digital written and spoken. it’s being proactive. it’s an organizational discipline.
– best practice for information security, NIST, CSF, COBIT. can be audited and certified. Earth’s ‘best practice’ its the policies procedures and controls and training.
– it is not industry specific. it is federal, state, industry, contractual relevant.
– vulnerability assessment annually or quarterly, penetration testing, gap assessment, awareness training, internal audit, risk assessment.
[Annie’s free public service announcement – do an internal audit today. if it looks like spam, it probably is. if it doesn’t look like what I usually email to you, i probably didn’t email it to you.]
Big Data and Privacy: The Legal Landscape Affecting Corporate Research by Shannon Harmon, JHC #CRC2014 #MRX
- our lives are a series of data points
- more opportunity vulnerability and the potential for greater abuse
- smaller entity might purchase data from 3rd party
- who owns the data, who has the right to access the data, what steps are taken to keep it secure
- goal of any regulation is to protect personally identifiable information form breach and misuse
- you can identify people with very little information so keep in mind a lot of information is PII
- Notice and consent: need to provide notice of how the data will be used, and then obtain consent – this is the core of the law related to privacy, you need to make sure the right practices were followed to do this
- Where do we look for oversight? Right now, state attorney general, FTC, FCC, FDA
- Fair information practice principle – only collect what you need to collect and only retain it for as long as is necessary to fulfill the specified purpose
- FIPP – data quality and integrity – organizations should ensure that the PII is accurate, relevant, timely and complete and this is difficult if you’ve purchased the data, supplier should have a structure in place to ensure this
- Consumer privacy protection bill of rights – google search this – things corporations should do to protect privacy, this area will become increasingly more regulated so think ahead
- Fair Credit Reporting Act – example of what big data protection framework should look like, right to review your credit report and make sure it’s accurate and get it fixed if it’s not correct, this is where we’re headed, your digital dossier is being collected and you don’t know how decisions about you are being made, you can’t contest your big data points… right now
- special considerations for health data – apple has stated that any app developers cannot use any of the health data for advertising, or data-mining except to help an individual manage their health or for medical research. but is apple responsible for developer compliance? what if a data broker got the data from someone who wasn’t supposed to have it in the first place?
- considerations for researchers
- where is the data being obtained, what are the sources
- what practices are being used to obtain it and what is your confidence in your aggregator
- how is the data being trained to arrive at conclusions? what algorithms? what human manipulation?
- think about the vendor/subcontractor relationship, is the contractor independent? a substandard contractor impacts you
- we need
- use restrictions – can’t use big data to discriminate on age, race, etc
- oversight – protect against unregulated digital dossiers
- KNOW YOUR INFORMATION SOURCE
- be intimately knowledgeable about your company’s data gathering practices – informed consent, opt-out, internal user access controls
- be ready to evolve as the law is only beginning to be developed in this area
- The Oscars of Marketing Research: Peanut Labs’ Chief Research Officer wins ESOMAR’s Excellence Award for the Best Paper
- Why do people like marketing research surveys?
- In which I rant about showing data in presentations #MRX #CRC2014
- How marketing researchers can start being more ethical right now #MRX
- Discover the Science of Fascination by Sally Hogshead, Fascinate, Inc. #CRC2014 #MRX