Ottawa lawyer Kris Klein advises Canadian organizations on how to set up policies and procedures to comply with federal and provincial data privacy legal obligations.
But earlier this month he faced data collection as a consumer. “I was parking my car at a grocery store,” he recalled in an interview, “and in order to get the 30 minutes of free parking I had to register my car on an app. So I had to download the app, put in my personal information – my name, email address, licence plate number and a password.
“Do I have a lot of confidence that this small, little, not terribly sophisticated parking app will protect my personal information? No,” said Klein, a partner at the law firm nNovation and managing director of the International Association of Privacy Professionals Canada. “But I had no choice.”
It would have been better had the mobile app included at least a brief explanation of the service provider’s privacy policy, he said.
Incidents like this with small businesses, he added, “are the areas that I think are posing the greatest risk for us now.”
How big a data privacy problem can a parking app be? It depends on how widely it’s used. Last year the city of Calgary discovered that personal information on almost 146,000 users of its ParkPlus app had been publicly accessible on an exposed server for over two months.
It’s something business and tech leaders should be thinking about during Data Privacy Week, which starts today. It began as Data Privacy Day, held every January 28th to commemorate the 1981 signing of the Council of Europe’s Convention 108, the first legally binding international treaty dealing with privacy and data protection. More recently it has expanded to a week of reflection for individuals and companies.
Data privacy and cybersecurity are two sides of the same coin: an organization can’t have data privacy without cybersecurity.
Note that Canada’s federal privacy law (see the sidebar below) says firms may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
The law also says personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Many IT and corporate leaders think the privacy of the personal information they hold is an issue only for big businesses and governments. But incidents like the one Klein faced, a small or medium-sized firm demanding personal data in exchange for a service, are a reminder that data privacy obligations apply to organizations of every size.
SIDEBAR: A primer on Canada’s data privacy laws
Klein said that if they haven’t already done so, organizations should be asking this week whether what they’re doing involves sensitive personal information — whether of consumers, partners or employees — and whether there are risks to individuals. If the answer is yes, “you should be doing more to make sure you’re complying with privacy obligations.” “There’s not one solution that fits all,” he cautioned. “You have to figure out where you lie on the [risk] spectrum and develop a program that suits your organization.”
In Klein’s experience, large Canadian firms are the best at spending the time, resources and money to make sure they comply with federal and provincial regulations. “Smaller and medium-sized organizations are having a more difficult time prioritizing this.”
There are three big privacy issues for data and security professionals:
— getting meaningful consent from individuals to collect and use their personal data. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) requires that individuals be told what is being collected, what it will be used for and who it will be shared with. For more see this federal guideline;
— data retention. Laws require firms to keep personal data only as long as necessary. How long is that? Consider the theft of data on 9.7 million customers by an employee of the Desjardins credit union. Roughly half of those people were former customers of the institution, whose records were still on hand to be stolen long after the relationship had ended;
— notifying victims and federal or provincial regulators about data breaches. Federal privacy law (provincial laws may impose similar requirements) requires notification of affected individuals if the breach could involve a real risk of significant harm to an individual. Whether that threshold is met depends on the sensitivity of the personal information involved in the breach, and on the probability that the personal information has been, is being, or will be misused by the attacker. For more see this federal page.