Ontario IPC, IBM look to automate privacy

A new digital template announced this week could help enterprises and government comply with Ontario’s privacy laws.

IBM Canada Ltd. has joined with the province’s Information and Privacy Commissioner (IPC) to announce the creation of the template – a digital version of Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA). The template will be built using the Enterprise Privacy Authorization Language (EPAL), an Extensible Markup Language (XML)-based language created by IBM’s Tivoli Software division.

According to Tivoli, EPAL is able to create a version of FIPPA that will be machine-readable – a format that could be understood by applications and privacy tools.

“It’s taking something in English and then converts that into machine-based XML that would allow applications to more easily interpret some of these policies so that you can automate many of the common procedural tasks that go along with making privacy decisions,” explained Tarun Khandelwal, a technical sales specialist for Tivoli Software, IBM Canada in Markham, Ont.

As part of the announcement, Information and Privacy Commissioner Ann Cavoukian said one municipal office in Ontario will be testing the template to demonstrate its use.

She explained that the government chose to work with IBM to create the template in order to automate privacy policies and alter how government employees make privacy-related decisions. The government has yet to choose a department or ministry to participate in the pilot, but Cavoukian said the government will have the pilot in place in the next six months.

“The problem is when you rely on non-automated decision-making to take place, there is far less standardization of decisions, less consistency in decision making,” Cavoukian explained. “What a machine-readable version of a privacy law or policy would do is translate the rules that exist in the policy into digital form. When someone has to make a decision, the assistance is there in terms of the automation.”

Cavoukian said that FIPPA, which has been in existence since 1988, is complicated to understand and that, as such, moving to an automated approach would streamline portions of the Act and make it easier for government employees to assess privacy issues.

For example, Section 42 of the Act governs when and under what circumstances a government agency or ministry is permitted to disclose a citizen’s personal information. In total, there are over a dozen clauses that a government employee currently has to go through to determine if the information can be released. As it stands, the employee has to make a determination based on his or her own interpretation of the Act. Cavoukian said the template would assist the individuals who ultimately have to make the decision.

She noted that decisions made could then be stored in a database so that a repository would eventually be developed – an approach that could also be used by enterprises.

IBM said it plans to submit EPAL for standardization to the World Wide Web Consortium and introduce support for EPAL in its privacy management tools.