Is your IT department ready for more stringent privacy laws? On the heels of the federal government’s bill to modernize federal privacy laws (that is, the Digital Charter Implementation Act, 2020), the Ontario government has declared the federal bill inadequate. Consequently, on June 17, 2021, the Ontario government issued a whitepaper entitled Modernizing Privacy in Ontario, initiating further public dialogue on its proposals to improve privacy protection.
The whitepaper identifies a rights-based approach to privacy; safe use of automated decision-making; thoughtful consent and lawful uses of personal data; data transparency; protections for children and youth; and other privacy principles as priorities.
Time and legislative enactments will ultimately determine privacy protections. The reality is that Europe and some other global jurisdictions have more far-reaching privacy laws than currently exist federally and in Ontario.
So, what does this mean for organizations and IT departments in particular?
First, ensure that you understand the macro or organizational privacy obligations. Remember, personal information is data that can identify someone. Personal information includes certain cookies and biometric information like fingerprints and facial recognition data, for instance. Some technologies that use personal information, including artificial intelligence and algorithmic decision-making (for example, to classify data subjects and determine their suitability for a job), are invasive, contentious, and raise ethical and cultural concerns. Some personal information, for example, medical records, is particularly sensitive and requires impenetrable IT safeguards.
Many business activities that process personal information, including activities that create, use, collect, process, store, maintain, disseminate, or dispose of personal information, will impose privacy obligations.
Apply a privacy mindset on a macro level, and provide policies and procedures, IT systems, and personnel to discharge privacy obligations. Implement written policies and procedures, appoint a privacy officer and process personal information with transparency and informed consent.
Critically, any new IT systems or upgrades to existing systems should, by default, include privacy and data protection principles from the design phase and throughout the entire systems development lifecycle.
The IT systems and practices that will help to ensure compliance with privacy obligations include:
- Restricting access rights to personal information on a need-to-know basis.
- Two-factor authentication, passwords, and other measures to secure systems against unauthorized access.
- Encryption of data, both at rest and in transit.
- Anonymization of data may provide enhanced data protection. Anonymization applies processes and techniques to data to ensure that it cannot be (readily) associated with a specific data subject.
- Pseudonymization is a form of anonymization that assigns a pseudonym or alias to a data subject. Typically, it involves replacing direct identifiers with randomly generated values or other pseudonyms. The result is two-fold. First, there is no association between the actual data subject and the data. Second, each pseudonym becomes a unique way of referencing and identifying the alias's data set.
- Intrusion detection devices or software.
- Training both users and IT personnel.
- Involving the IT department without delay in the event of a security breach.
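As an added illustration (example code, not part of the original post), the following Python shows the pseudonymization step described above: direct identifiers are replaced by random aliases, one alias per data subject, while the alias table is held apart from the output so that only its holder can re-identify anyone. The field names, sample records and class name are constructed for the example.

```python
import secrets

# Record fields treated as direct identifiers (constructed for this example).
DIRECT_IDENTIFIERS = ("name", "email")


class Pseudonymizer:
    """Replace direct identifiers with random aliases; the alias table is kept apart."""

    def __init__(self):
        self._alias_of = {}    # normalised subject key -> alias
        self._subject_of = {}  # alias -> original identifiers (the protected lookup table)

    @staticmethod
    def _key(record):
        # Normalise case and whitespace so one person always maps to one alias.
        return tuple(str(record[f]).strip().lower() for f in DIRECT_IDENTIFIERS)

    def alias_for(self, record):
        key = self._key(record)
        if key not in self._alias_of:
            alias = secrets.token_hex(8)       # random, not derived from the identifiers
            while alias in self._subject_of:   # guard against an (unlikely) collision
                alias = secrets.token_hex(8)
            self._alias_of[key] = alias
            self._subject_of[alias] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        return self._alias_of[key]

    def pseudonymize(self, record):
        # Output carries no direct identifier, only the alias plus the remaining fields.
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_alias"] = self.alias_for(record)
        return out

    def reidentify(self, alias):
        # Only the holder of the lookup table can reverse an alias.
        return dict(self._subject_of[alias])


# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    {"name": "Ada Lovelace", "email": "ada@example.com", "dept": "R&D", "visit": "2021-06-17"},
    {"name": "Ada Lovelace", "email": "ADA@example.com", "dept": "R&D", "visit": "2021-07-02"},
    {"name": "Charles Babbage", "email": "charles@example.com", "dept": "Ops", "visit": "2021-06-20"},
]

def pseudonymize_all(records):
    """Pseudonymize a batch; returns (records, pseudonymizer holding the lookup table)."""
    p = Pseudonymizer()
    return [p.pseudonymize(r) for r in records], p
```

In practice the lookup table held by the Pseudonymizer would be stored and access-controlled separately from the pseudonymized data set, since whoever holds both can undo the pseudonymization.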
Meeting your duty of care
Information Technology PolicyPro includes policies and procedures to help your IT department meet privacy and data protection obligations. See IT 8.04 – Confidentiality and Privacy and IT 8.06 – Managing a Security Breach to get started.
Remember that all your IT policies provide the foundation for privacy and safeguarding of personal information. Therefore, other essential policies include IT 8.03 – User Identification and Passwords; IT 8.07 – Cybersecurity; IT 9.06 – Data Encryption; IT 10.05 – Network Intrusion Detection; IT 2.07 – Disposal of Hardware and numerous other policies.
Policies and procedures are essential, but the work required to create and maintain them can seem daunting. Finance and Accounting PolicyPro, Not-for-Profit PolicyPro, and Information Technology PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contain sample policies, procedures, checklists and other tools, plus authoritative commentary to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request free 30-day trials of Finance and Accounting PolicyPro, Not-for-Profit PolicyPro, and Information Technology PolicyPro, here.