On International Privacy Day, it was an honour to present a brief introduction of the privacy landscape in Canada. This included insights from our collaboration with leading experts to develop member-exclusive privacy and information security toolkits for researchers across agencies, clients, and industry partners[1].Data might beak in to scarce fossil fuel or abundant sunlight (depending on your view) and we have about 64 zettabytes of it in the world excluding physical data (books, documents, paper). Securing our data systems is key to facilitating trust, response, and credibility within a data-rich ecosystem with all stakeholders – users and creators of data, especially digital data.
A McKinsey study first revealed that the rate of business digital adoption accelerated five years forward in just eight weeks following the onset of COVID-19, causing many privacy implications in the spheres of consumers’ access to learning/education, health services, financial services, etc. As the volume of technology-enabled and online research projects rose – along with our global market research value– the rate of cybercrime, fraud, and privacy violations also grew in direct correlation with a demand for services that fought online fraud in research.
Origins of Privacy Law
During privacy awareness week, it is worth noting that most Canadians report having high knowledge of their privacy rights and how to protect them. Self-assessed knowledge is significantly higher in Atlantic Canada (62%) and Ontario (60%) than it is British Columbia, where exactly half (50%) said they have good or very good knowledge of how to protect their privacy rights. Canadians in Quebec (39%) were significantly more likely than Canadians in Atlantic Canada (28%), the Prairies (24%), and British Columbia (29%) to be extremely concerned about protecting their personal privacy with concerns mounting among older Canadians. [2]
The history of privacy began with it being declared a human right by the Universal Declaration of Human Rights Commission in 1948, and as the use of IT grew, the need for privacy best practices grew. The German state of Hesse became the first jurisdiction to adopt the first known modern data protection law in 1970, causing several European countries to follow suit.
Data protection models run the gamut from comprehensive to sectoral, self-regulatory, seal programs, and technology-based. In Canada, we follow a comprehensive model where the use, collection, and disclosure of data in marketing research by the private sector is governed by a mix of federal (PIPEDA) and provincial legislation, while the Privacy Act governs the public sector and government. More than six in 10 Canadians are confident that government respects their privacy rights; fewer feel this way about businesses and banks are the most trusted businesses.[3]The Privacy Act and the public sector provincial laws apply to public bodies or government institutions including municipal corporations and crown corporations (e.g. CBC, VIARAIL, Canada Post).
The Privacy Act was passed in the early 80s, along with the Access to Information Act. Both are different from one another but cross-referential. Provincial laws like the Freedom of Information and Protection of Privacy Act (FIPPA) have been updated over the years more frequently than the Privacy Act.
Principles and Frameworks
Notice, choice/control, and access/right to correction are the cornerstone rights with respect to the data protection of individuals. Citizens and consumers must know how organizations are collecting their personal information, why they are doing so, and have the choice to opt-out as well as be able to access the personal information any organization has about them at any time. For example, there are only two instances where someone may not be allowed to access their own personal information: if it reveals the personal information of a third-party and / or if their personal information is subject to some privilege (national security, or solicitor client etc.).
Innovation and Ethics
The Generally Accepted Privacy Principles (GAPP) framework guides model codes of cooperation around privacy and includes the ten principles of management, notice, choice and consent, collection, use and retention, access, security for privacy, quality and monitoring, and enforcement. BC, Alberta, and Quebec are exempt from PIPEDA because their own provincial personal information protection laws have been deemed “substantially similar” to PIPEDA.[4]Recently, Quebec’s Bill 64ushered in major overhauls to the province’s laws governing the public and private sectors, making it the first jurisdiction in Canada to align its privacy framework with the European GDPR. Canadians are least likely to trust social media companies to protect their personal information and 68% of Canadians are concerned about how companies and organizations might use information available about them online to make decisions about them, such as for a job, an insurance claim or health coverage.[5]
The use of video surveillance in areas of commerce and public interest (covert or overt, fixed or mobile, body cameras or drones, video analytics to increase recognition and behavioural patterns) is allowed in Canada, so long as transparency standards around organizations’ collection, use, handling, and disclosure of data are observed in accordance with the law[6].
A four-part test helps decide on whether your approach to data collection is appropriate:
- is the collection of personal information necessary to meet the goals of the organization?
- is this collection likely able to meet the organization’s need effectively?
- is the loss of privacy proportionate to the benefit gained from collecting such personal information, and
- is there a less privacy-invasive way of achieving the same end?
Most Canadians feel they have little control over how their information is used by businesses or by government.[7]The role of innovation thus includes understanding / calculating unperceived challenges and responding in a proactive way to protect our respondents and consumers from unscrupulous and excessive data-collection.
We need to understand how to fulfil important roles and tasks when working with human beings versus machines. Trust is the critical oil that can help us compete in a way that’s commercially viable, steeped in deep partnerships, compliance and collaboration across channels, media, and locations.
[1]ESOMAR online conference “Privacy Concerns in the Post-Covid Era”. January 2022.
[2]Office of the Privacy Commissioner “2020 Survey of Canadians on Privacy-Related Issues” Phoenix Strategic Perspectives (2020-21).
[3]Office of the Privacy Commissioner “2020 Survey of Canadians on Privacy-Related Issues” Phoenix Strategic Perspectives.
[4] There are seven provincial laws deemed substantially similar to PIPEDA: Alberta PIPA, BC PIPA, Quebec law, Ontario’s PHIPA, New Brunswick’s PHIPA, Newfoundland and Labrador’s PHIAA
[5] ibid
[6]“Canadian Privacy Data Protection Law and Policy for the Practitioner Fourth Edition” Kris Klein, CIPP/C, CIPM, FIP”
[7] Same as 3