OIPC Annual Report Calls For A “Proactive” Approach To Privacy Protection

OIPC Annual Report Calls For A “Proactive” Approach To Privacy Protection

Michael Gilburt is a JD candidate at Osgoode Hall Law School.

On May 17, 2011, Ontario’s Information and Privacy Commissioner (OIPC) Dr. Ann Cavoukian released her Annual Report on the state of privacy protection in Canada. The Report articulated a clear message to public and private institutions: “be proactive” in protecting personal information and online privacy.

Dr. Cavoukian argues that a reactive approach to privacy protection, which relies on “legislation meant to safeguard privacy,” will not keep pace with “the flow of information and advances in technology.” As such, the Report calls on institutions to embed “default privacy and access within processes and technologies from the outset” in order to avoid privacy breaches and inefficiencies caused by requests for government-held information.

Dr. Cavoukian has characterized her proactive model for privacy protection as “Privacy by Design.” The Report suggests that Privacy by Design be used as a standard to assess all new products, technology or services. For instance, the standard would require a firm to request access to customer information and clearly explain how the data will be appropriated. By doing so, it is believed that firms will mitigate risk and revisit assumptions about how much personal information is necessary for the system to operate effectively. The end result, according to Dr. Cavoukian, will be a “doubly-enabling, positive-sum, win/win relationship."

In support of the Privacy by Design approach, the Report highlights two case examples. The first involves the OIPC’s collaboration with Hydro One to embed privacy protection into their smart grid. The Corporation integrated a number of due diligence requirements into the initial planning stage in order to refine what customer information must be gathered and to design systems to protect the data.

A second case example was drawn from the Ontario Lottery and Gaming Corporation, which incorporated a privacy-protecting mechanism into its biometric facial recognition system (which is used to identify individuals who are banned from entering gambling institutions). If no match is found, the facial image is automatically deleted from the database.

The Report also highlights a number of key privacy policies in need of reform. Two salient issues include the protection of personal health information on mobile devices and the issue of standardizing the cost of health record access. The latter issue has been the subject of prior advocacy by Dr. Cavoukian, who has urged the Ontario government to establish a benchmark for access fees.

It appears that Dr. Cavoukian’s message has extended beyond Canada. The Privacy by Design concept has received international praise and was recently adopted as a resolution by the International Data Protection and Privacy Commissioners Conference. This summer, the OPIC intends to release a whitepaper on how a utilities provider in Germany has incorporated Privacy by Design principles into its organizational practices.