Policies for privacy: safekeeping data in a digital world

For small- and medium-sized businesses and organizations, keeping up with data security and privacy — and ensuring you are compliant — means understanding your responsibilities and that legislation is a work-in-progress.

cameras staring down at people
Photo by Matthew Henry on Unsplash

It’s a cliché to say technology advances at lightning speed, but it really does move that fast. Many wonderful innovations are changing every aspect of life, for the most part, in good ways. At the same time, worries about privacy and security are legitimate.

How do we know a particular technology is secure or that data is safely protected? What steps can we take to ensure we are protecting ourselves and our clients? How do we even know whether the technology we are using in B.C. can be legally used with clients in another province or country?

For SMEs and other organizations that may not have a crew of tech specialists and lawyers on the payroll, ensuring you are in compliance, especially if you are considering implementing new technologies, means doing some homework.

Case in Point

In 2017, Waterfront Toronto’s Quayside, a huge new development project partnered with Google-affiliated Sidewalk Labs, was launched with much fanfare. The Prime Minister, Ontario premier and Toronto mayor were all in attendance at the announcement of the “smart city,” proposed as a high-tech live-work neighbourhood with a long list of efficiencies. The project met with numerous challenges over the next two and a half years and, after millions of dollars were spent, Sidewalk Labs cancelled it in May 2020.

Granted, COVID-19 sent Canada and the world into turmoil. But one of the reasons the project came to a stop was noted by the Canadian Civil Liberties Association, which released a statement the same day, calling the cancellation a “victory for privacy and democracy.”

“Waterfront Toronto never had the jurisdiction to sign off on a data surveillance test bed with a Google sibling,” said the statement. ”Serious harms to privacy would have been our future. The current Canadian regulatory landscape simply lacks modernized privacy legislation to provide essential safeguards to protect residents and visitors from the kinds of ubiquitous and intensive sensor-laden infrastructure that was envisaged. So the project was fundamentally flawed from the outset. Now we as a society have a chance to fix that privacy deficit and provide the right foundation to consider how, where and when technology can be used to meet real city needs, as expressed and experienced by residents.”

While many were relieved that the project was cancelled, others were disappointed because some of the features of the project were very exciting. Currently, Waterfront Toronto is looking for a new partner for Quayside with less emphasis on data collection and more focus on addressing service gaps in the area.

The comments that Canada’s privacy legislation needs modernizing, and that we have a “privacy deficit,” are not surprising and serve to highlight that we aren’t there yet.“

There Should be A Law for That, Right?

While suitable privacy legislation is needed, it takes time. A downside of waiting for legislation is that it slows the speed of advancement of new technologies, in some cases halting progress completely, which risks letting B.C. and Canada fall behind. But one reason legislation takes longer and requires careful consideration is because of how Canada is — and has always been— set up.

“Privacy in Canada, according to our constitution, is a shared responsibility across provinces and the federal government,” says Sue Paish, CEO of the Digital Technology Supercluster, a cross-industry collaboration of diverse organizations. “So the federal government has jurisdiction over federally regulated industries, such as banking, telecommunications, interprovincial travel, etc. Provinces have jurisdiction over other designated areas.”

Paish adds: “And, as a result, one of the most important things that can be done at a public policy level going forward in this area is coordination between the provinces and the federal government, in terms of privacy legislation, and, these days especially, in respect of data security legislation.”

For small technology companies that want to deploy technologies, and for thousands of other companies that aren’t contained in one province, it is a very complex environment.

“The complex matrix of privacy legislation is one of those items that, between our provinces, territories and the federal government, we need to provide a clear road map and a clear pathway for Canadians, in terms of the protection, sharing, leveraging and security of data,” says Paish. “Right now, we have multiple different pieces of legislation that have recently been announced or are in the process of being developed across the various provinces. So we’re not quite there yet … conversation and collaboration [first] and then come up with some legislation.”

Those conversations are happening.

The Provincial Perspective

A request via the Ministry of Citizens’ Services to the Office of the Chief Information Officer (OCIO) resulted in official, albeit anonymous, comments. Asked for examples of how the Government of B.C. and the tech industry are working together on digital security and privacy issues, several were provided. In addition to participating in and attending conferences and events (virtually this year) on the subject, the Province published a Power Point presentation “Defensible Security for Organizations” to help organizations understand what they must do from a security perspective and how to do it.

The spokesperson also pointed to the Provincial Security Advisory Council, which is made up of security leaders from the private sector who are recognized for developing and maintaining the security community in B.C.

“Much of this work is on their own personal time in leadership positions in organizations like ISACA [Information Systems Audit and Control Association], a global association that provides IT professionals with knowledge, credentials and training,” says the OCIO. “The government [of B.C.] is also working with the federal government to adopt many new cloud services where those services align with government privacy and security requirements.”

For example, the province is working with the federal government to leverage agreements they had in place with Amazon Web Services.

Further comments included a reminder that it’s important that both organizations and individuals be diligent in ensuring good privacy and security practices.“

B.C.’s Personal Information Protection Act (PIPA) is built around the premise that individuals should be made aware of what is happening to their information with the ability to consent to that use,” says the OCIO. “This requires organizations to understand and to be able to clearly articulate in a meaningful way to people what is happening with their information.”

Some types of technology are more problematic than others with respect to privacy. For example, technologies that don’t allow people to opt out of certain aspects creates a problem wherein someone can’t truly consent to how their information is being collected, used or disclosed, the spokesperson adds.

“Cloud computing generally requires more diligence as it requires application developers to build more security into the applications themselves,” says the OCIO.

Getting the Government’s “Acts” Together

Businesses should plan to be privacy and security compliant and not be compliant by happenstance. This means learning and understanding the requirements and taking positive actions to meet them.

Federally regulated businesses and others are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), while most activity of organizations in B.C., including those of non-profits and other associations, are subject to B.C.’s Personal Information Protection Act (PIPA).

The privacy principles on which both of these acts are based are the same. This helps to avoid any major discrepancies between the acts and provides businesses with clarity on what the standard is for protecting information.

If a business wants to operate in more than one province, they need to learn about and understand the requirements in each jurisdiction and take tangible steps to meet them. This information is available through the Privacy Helpline.

In the security domain, industry groups such as International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) exist that share best practices for organizations. These standards largely help form some consistency across the country for what security measures can be expected.

Security and privacy assessments can be conducted proactively and provide insights as to how an organization measures up to the law or industry security standards advanced by ISO and NIST or, for web applications, Open Web Application Security Project (OWASP) or Centre for Internet Security (CIS).Organizations can assess themselves against the provincial government’s “Defensible Security” framework, which is available online.

“Given that security in the cloud is a shared responsibility between an organization and its cloud provider, organizations should be clear on who is doing what with respect to security.”

OCIO particularly mentioned artificial intelligence, which they described as a new field requiring more diligence to ensure that information collected or created about individuals is done so correctly: “The sensitive information that is produced needs to be secured at a level equal to its sensitivity. There are also numerous ethical considerations related to this space.”

So how can you be sure you are doing things right when you are implementing a new technology? Call in an expert.

Guidance for Businesses

Ian L. Paterson, CEO of Plurilock Security, a global Victoria-based company that provides high-security solutions using patented behavioral biometrics and layered identity signals, says the first question to ask before you implement anew technology is this: What is the business goal that the technology is designed to fix?

That’s the most important thing.

“Unless you have clear success outcomes to measure a technology by, it may not actually help you in the end,” says Paterson. “Secondly, understand your own business environment and constraints. When push comes to shove, can you even deploy the technology you’ve chosen, or are there prerequisites you need to address first?”

“Lastly, have some sort of process to repeatedly measure its effectiveness overtime,” he says.“

Just deploying the latest and greatest firewall tool isn’t enough. You also need to check over time to make sure it’s meeting— and continues to meet — the needs of your business, once it’s in service.

”With respect to data and privacy security, Paterson outlines some steps.

“Table stakes for data security are generally limiting how much data is kept or stored, who has access to it and how it can be accessed,” he says. “Those are what I’d consider the basics when it comes to protecting data and privacy, which is really a discussion about conservative, sensible limits that nonetheless enable the data to be practically used for the purposes it was gathered and stored for.”

The rest really depends on the industry you’re in, he says, noting that there are a lot of resources you can use as a roadmap to securing data sensibly. For example, the Canadian Centre for Cyber Security, a federal organization, offers a lot of easily accessible guidance.

If you don’t have an internal tech department to turn these tasks over to, you’re not alone. These days, as is true of most things, Paterson says, very skilled tech departments are available for hire. For example, you could engage a managed service provider (MSP).

“[MSPs] function as an expert tech department and provide everything from basic IT services through cyber security solutions,” says Paterson. “On the cyber security front, there are also standards that you should align with to help ensure that you’ve got your bases covered when it comes to security. NIST and ISO, two well-known standard organizations, both have cyber security frameworks that you can leverage or that an outsourced IT or security provider can help you to follow.”

Given the level of mistrust and concern that exists at the public level with respect to privacy and security, how can businesses and other organizations feel assured that the technology they use is secure?

“They can’t — that’s the problem,” says Paterson. “What we have seen over the last year with things like the Solar Windshack is that the public and businesses do need to be concerned about their relationships with other organizations. It’s no longer enough for your own business to be secure.”

All your business partners, vendors and service providers also have to be secure.

“Concern and mistrust on the part of users or the public shouldn’t be eliminated; they should be applauded as healthy,” he says. “These questions encourage businesses to raise the bar for cybersecurity — to continue to make it a focus and take it seriously and to go out of their way to provide accountability to customers and the public.” Paterson says there is a growing emphasis on data privacy and data security, not just in Canada, but everywhere.

“We first saw this with the GDPR [General Data Protection Regulation] initiative in Europe, but now privacy and security are also being addressed at all levels of government,” he says. “In the U.S., for example, California has made data security a focus and is providing leadership that other states will likely follow. The diffusion of privacy and security awareness and policy throughout global government at all levels is the natural next step in the internet revolution— regulation, legislation and policy administration are finally beginning to catch up.”

And as they do catch up, we can expect more privacy and security legislation in the future.

More reading: