Most data analytics staff worry about number crunching and outputs. But a lawyer has warned IT pros that proposed legislation before Parliament should also be on their minds.
“Understand them and understand what your company needs to do,” Jennifer Davidson told IT World Canada’s Analytics Unleashed conference this month. “Don’t leave it to the last minute.”
Davidson, a partner and technology lawyer at Deeth, Williams, Wall LLP, was referring to Bill C-27, which introduces the Consumer Privacy Protection Act (CPPA) and the Artificial Intelligence and Data Act (AIDA), and Bill C-26, the Critical Cyber Systems Protection Act.
If passed, the CPPA will replace the Personal Information Protection and Electronic Documents Act (PIPEDA) with new rules on the collection, use, and disclosure of personal data. Proposed fines for violating the act and its reporting obligations jump to a maximum $25 million, or five per cent of an organization’s gross global revenue, Davidson pointed out.
The new AIDA covers high-impact systems using artificial intelligence, and requires affected firms to, among other things, keep records describing how the system works and the decisions/recommendations/predictions it is intended to make. Whoever is responsible for the system has to notify the government if it results in, or is likely to result in, harming people.
Both acts have tough rules for notifying privacy regulators, victims, and possibly others in a firm’s supply chain, she added.
“When you look at this act, it’s time to pay attention,” she warned.
C-26 and C-27 are federal laws that apply to all federally-regulated industries, and to the private sectors in Ontario, the Maritime provinces, Saskatchewan, Manitoba, and the Territories, she added. Alberta, British Columbia, and Quebec have their own private-sector privacy laws that have some differences, so data pros in those provinces have to be up on the laws.
Court decisions involving data breaches should also be on the mind of a data controller or data analyst, she added.
She pointed to a recent decision faulting the Insurance Bureau of British Columbia, which insures B.C. drivers and vehicles, in the 2012 theft of a list of insured people by an employee, who then sold it to crooks. They used the names in targeted arson and shooting attacks. While the bureau had written policies forbidding unapproved uses of its databases, there was no evidence the bureau had any system or method that would have detected or prevented data theft.
The lesson from this case is “we need to actively protect data or we (companies) are going to pay the consequences,” Davidson said.
She also urged data pros and security pros to make sure their organization has policies and procedures to safeguard data it holds, and that the firm’s partners are also protecting their IT networks and data.