As of Jan. 1, all Canadian companies will have to abide by the rules and regulations set forth by Canada’s Personal Information Protection and Electronics Document Act (PIPEDA). Yet by all accounts, thousands of companies are still far from ready, and further still from understanding the implications of the Act.
PIPEDA, which according to the Act “confers extensive rights on individuals to control the collection, use and disclosure of their personal information by organizations,” is making life difficult for IT (and legal) departments, forcing them to re-examine their systems to make sure years of collected customer information is suitably protected and legitimately possessed.
Because of a lack of foresight, the typical corporate reaction was to “let the problem get bad and [then] change the technology,” said Austin Hill, executive vice-president, enterprise division of Zero Knowledge Systems Inc. in Montreal. Unfortunately, it is too late for technology to be a panacea. There is no plug-and-play solution for privacy compliance, he said.
“Companies don’t know what data they have, where it is kept and where it is going,” said Peter Hope-Tindall, chief privacy architect with dataPrivacy Partners Ltd. in Mississauga, Ont. “And this shows gross deficiencies in the whole IT process.”
For decades the cost of storage decreased at a prodigious rate and, with it, the desire to purge, destroy and streamline customer information. There was an unspoken corporate decree that the more customer information collected, the better. It was a foregone conclusion that the more data that could be mined, the greater the gem haul would be. The result of this thinking is that today thousands of companies are left with absolutely no idea how much customer information they’re storing.
“I would say that we are at the low end of the learning curve,” said Michael Weider, CTO of Watchfire Corp. in Ottawa, referring to how much companies have actually learned about how much data they have.
Because of this original “collect-all” mentality there is a disconnect between the actual customers’ personal information and whether or not collecting it was ever justified in the first place. Since there is no PIPEDA grandfather clause, just because a company has customer information now doesn’t mean it has the right to keep it as of Jan. 1. Stored personal information has to match legitimate business requirements. Thus a bank can store and ask for a customer’s social insurance number because it is a business requirement, but a retailer would most likely have no legitimate reason to have access to one.
The basic tenets of PIPEDA are quite simple and are not difficult to follow: customer data is not to be shared or sold without consent, data collection must be legitimately explained and, lastly, a customer may come to a company and ask to see all the personal information stored about them. In other words, customers will now have the right to audit a company’s information repositories. The first tenet is dictated by corporate policy, the second legal. The third, and by far the most difficult to comply with and solve since it requires a company to know where all the data is stored, is an IT problem.
Prepare to be surprised. Few companies have thought about about how PIPEDA will affect them, Hope-Tindall said, and for those that have, there has been a “mad dash” to be compliant by next year. “Drive the issue down to the end user to report their data holdings,” Hope-Tindall suggests. He said companies will be surprised by how much personal information is sitting on desktop hard drives and workstations. If everyone lets IT know what they have, it is easier to map a solution to control the data. Hill agreed. “You have to work with your IT people to identify the databases” with personal information.
Hope-Tindall said one of the best ways to approach the problem is to answer a simple question: how does our company handle proprietary corporate information? To comply with PIPEDA, apply the same type of approach to customers’ information, Hope-Tindall suggested. Keep the information under tight wraps and don’t store any data that has no specific business value.
But even with the PIPEDA deadline looming, many companies are still looking at privacy as strictly a legal matter rather than one with far reaching implications for IT.
“If you don’t maintain the infrastructure, it will come back to haunt you,” said Bob Welling, director of business development with SecureD-Services Inc. in Oakville, Ont.
“Do all corporations understand these risks? No. Will it take a large lawsuit? Probably,” he warned, although Welling admitted the litigious nature of Canadians is historically less pronounced than that found in the U.S.
Take matters into your own hands. Some of the organizations Hope-Tindall gives a B+ or an A- for PIPEDA preparedness are taking matters into their own hands and designing their own solutions.
The privacy architecture “is a set of design standards for IT applications in the government of Alberta to embed privacy protection at the design level,” he explained.
The solution is divided into five major sections; establishing a terminology, which provides a common language to discuss privacy issues; privacy taxonomy, a classification system for personal information and the actions that can be taken against the data; an identity-key scheme, the ability to separate identity from specific information; data placement, a set of rules to control where personal information is stored and the extent to which it can be shared; and privacy transformations – techniques to anonymize personal information.
The goal is to have a set of software tools available to all developers by the end of 2004 so that all government of Alberta applications are, by default, built with privacy protection in place, Campbell said. As it stands today, the Alberta government is PIPEDA-compliant. The privacy architecture will just make it easier to enforce PIPEDA compliance on future government designed applications, he added.
The solution will allow for information to be moved from one government department to another without the risk of accidentally passing on inappropriate information. For example, personal information attached to a health document (such as name, address and birth date) could be passed over to the motor vehicles licensing bureau to update a file, but all medical data, as defined by the data placement rules, would be withheld.
The system will also have a unique test, called the k-anonymity test, which will allow for a document’s level of anonymity to be assessed. If, for example, there is a document that contains information about a certain medical condition afflicting a group of people in Calgary, the test may show that personal privacy is protected since the population base is huge and identifying the exact persons unlikely. Similarly, the same data representing residents in a small northern town might point to privacy invasion since simple deduction (say by age) might be enough to identify the patients.
Campbell and a core team of less than a dozen people took about eight months to come up with the solution, though there was input from hundreds of end users. “We fully anticipate that [there will] be challenges in the implementation but we’re quite confident that we have a basic structure that is workable,” Campbell said.
The health care lead. Toronto’s University Health Network (UHN) is another organization that takes personal privacy very seriously. With more than 5,000 users accessing what can only be described as the most personal of personal information, the network – comprised of three downtown hospitals: Toronto General, Toronto Western and Princess Margaret – relies on access control and auditing to protect patients’ privacy.
“System securities (and access) are based on the role or the job type,” said Tiffany Jay, privacy manager for UHN. Access and functionality varies from doctors and nurses to lab technicians and administrative staff.
Because of the nature of the profession, most medical staff have access to personal patient information to ensure nothing stands in the way of prompt and accurate diagnostics and treatment. But even though the medical profession is probably the most educated about privacy concerns, the UHN still audits patient record access.
In fact, each week patients are randomly selected and access to their records is audited, Jay explained. If an ophthalmologist was found to have accessed records pertaining to patient who recently received a liver transplant, questions would be asked since, on the surface, there would be no reason for an eye doctor to be looking at a transplant patient’s medical chart.
“Because it (privacy) is part of the Hippocratic oath…there is a higher level of accountability,” Jay said. Other than one case last year (six individuals without authority, three medical residents and three staff, were caught after accessing the records of some well-known patients), there have been no instances of access abuse, she said.
The UHN relies on technology as a piece of a bigger pie, one that starts with education.
Austin agreed that this is the only way to go. Though privacy controls will soon be built into all applications, as will be done in Alberta, he said technology is only part of the solution.
“Don’t ever expect compliance in a box,” said Hill. “It will never happen.”