Dr. Ann Cavoukian: Opening Keynote
Privacy, Facial Recognition & Intelligent Technologies: Preparing for the Unintended Consequences
Key Takeaways: Dr. Ann Cavoukian
Privacy doesn’t mean secrecy, it means control of your data. Privacy should be proactively embedded into design, baked into code, into data architecture. Devote a little more time upfront to embedding privacy and gain a competitive advantage. You're going to be offering a lot more than the minimum regulatory compliance requirements.
- Make privacy the default. Users don't have to ask for privacy, you give it automatically
- Privacy is a win-win model
- Make privacy a positive: invest upfront because you get multiple gains
- Embedding privacy by design helps achieve essential equivalence with the GDPR
Presentation Slides: Dr. Ann Cavoukian
Link to Download Slides:
Audio Recording of Smart Cities Panel
Link to Audio Recording of Dr. Ann Cavoukian
Panel 1 — Smart Cities: Personal Data, Trust, and Technology
Moderator: Bianca Wylie, Founder of Open Data Institute
Panelists (from left to right): Dr. Ann Cavoukian, Privacy by Design Centre of Excellence; Jenny Tremblay, Director General, Smart Cities Challenge, Infrastructure Canada; Eric Lawton — I&T Division, Risk Management, Cyber Security & Compliance (RMCS&C), City of Toronto; Greg Wolfond, CEO of SecureKey
Key Takeaways: Smart Cities Panel
Organizations use a lot of third parties who collect information on their behalf because organizations don't have the resources to do everything, so it's important to maintain control over that information. While data may be in the custody of a third party for a period of time, you should always retain control over that data. Look at what information should be stored in a public cloud versus a private cloud. Put privacy and security requirements in place, and put terms and conditions on those requirements into agreements so that you have contractual controls with service providers that meet your requirements.
- Resident engagement: it's not just a nice to have, it's a must-have
- Private sector partners should respect privacy laws and respect privacy rights
- We want to create a Smart City of privacy to distinguish us from the Smart Cities of surveillance
- People in a country legitimize the government and we need to remember that inaction leads to the legitimacy of something that is not what you like
Audio Recording of Smart Cities Panel
Link to Audio Recording of Smart Cities Panel
John Beardwood: Fiduciary Duties
Fiduciary Finesse: Function or Flail — How New Laws, Scrutiny and Expectations Have Raised the Stakes for Officers and Directors
Key Takeaways: John Beardwood on Fiduciary Duties
Top five reasons why boards of directors should care about privacy and security measures:
- Avoiding harm to the shareholder value
- Privacy regulators require it
- CSA MS Notice 51-347 disclosure of cyber security risks & incidents: security regulators require it
- Risk of derivative actions: self-preservation requires it
- In the United States, derivative actions were brought not just against the corporation in the case of a privacy breach, but also against the board of directors themselves
Presentation: John Beardwood on Fiduciary Duties
Link to Download Slides
Audio Recording of John Beardwood on Fiduciary Duties
Link to Download Audio Recording for John Beardwood: https://soundcloud.com/feroot-privacy/john-beardwood-on-fiduciary-duties-for-privacy-officers-and-directors
John Beardwood Part 2: The Connected Car
The Connected Car: Understanding the Legal Framework
Key Takeaways: John Beardwood, the Connected Car
There's an unspoken assumption that all the data which is collected by connected cars is personal information. That's not the case. And there's another unspoken assumption that even if it is collected, that it would be governed by privacy legislation. That's also not the case. There are 3 key privacy definitions that need to be examined in the context of connected cars and IoT.
- To what extent is the info collected by IoT Personal Information (PI)?
- To what extent is the PI collected, used or disclosed by a party other than the subject individual?
- To the extent that privacy laws do apply, what consent should be obtained — and how?
Base definition of personal information: information about an identifiable individual
- Information that relates to an object or property does not become information “about” an individual, just because some individual may own or use that property. (Alberta Court of Appeal 2011)
- Information about an object – like a VIN – is PI when there is a serious possibility it could be used with other information to identify an individual (Alberta IPC 2012)
- Information which is identifiable and being used for a purpose relating to that individual is PI (BC IPC 2012). *NOT consistent across jurisdictions
Presentation: the Connected Car
Link to Download Presentation
Audio Recording of The Connected Car: Understanding the Legal Framework
Link to Audio Recording of John Beardwood on the Connected Car
Panel 2: Driving Change for Access to Information from Intelligent Vehicles
Panelists (from left to right): Sharon Polsky MAPP, President, Privacy & Access Council of Canada; Jay Fallah, Co-founder & CTO at NXM Labs; Greg Scott, Executive Director of the Global Alliance for Vehicle Data Access (GAVDA); Noemi Chanda, Manager, Data Protection and Privacy at Deloitte; Rajen Akalu Ph.D., Assistant Professor at the University of Ontario Institute of Technology
Key Takeaways: Intelligent Vehicles Panel
Connected vehicles are a game-changing technology with respect to legislation and regulation. Currently, there isn’t a data mechanism for companies to work together and it’s a highly fractured system. For instance, some government departments are responsible for safety, another department is responsible for consumer rights. Existing regulatory constructs are woefully inadequate and there is still a lot of ambiguity about what is considered “identifiable data”. It’s a matter of catching up to the technology, clarifying what is meant by “identifiable data” and finding new, innovative ways of working together and building a coordinated transportation system that is inclusive and equitable for everyone.
- You have to standardize the system at some level. At some point, consumers will have to opt in or not
- We need to make a better connection between privacy + transportation systems
- A public-private partnership is a potentially effective way of managing these issues and making it more systematic
- We need robust protection and competition, or else consumer protection will suffer
- Future autonomous connected car systems need to be wary of potential discriminatory practices, in order to serve the public good
Audio Recording: Intelligent Vehicles Panel
Link to Audio Recording of Intelligent Vehicles Panel
Addressing Privacy, Legal & Ethical Risks in the Emerging Data Environment
Key Takeaways: Adam Kardash — Addressing Privacy, Legal & Ethical Risks
We're dealing with massive, incalculable, amounts of data. The Internet of Things is just one example of that. There's also an explosion of companies using third party service providers to manage their data in helpful ways. But the data is everywhere and it’s a very, very, very complex ecosystem. The focus for addressing the myriad of issues is less about legislation and more about the creation of a trust model: how do we respectfully treat data? How do we “do the right thing”? The ethical considerations with respect to data use. That's where things are going. That's where the freight train is.
- Respectfully treating data is premised on trust
- If you want to build a trust model or framework, you need transparency
- A part of accountability is building accountability frameworks for the respectful treatment of data from the moment you collect it, create it, to the moment it's no longer with you
- It’s important not to have a knee-jerk reaction toward more regulation, because a lot of the work is done just by companies or groups of companies working together to actually respectfully treat data
Abubakar Khan: Closing Keynote
Abubakar Khan — Director, Business Advisory for Office of the Privacy Commissioner of Canada
The Business Advisory Directorate at the Office of the Privacy Commissioner provides free and voluntary consultation for SMEs and large enterprises. The goal is not to replace any legal services or consultants, but to provide regulatory certainty or regulatory advice and engage in conversations about forward-looking opportunities, especially in areas where business models are evolving and where new technologies are being implemented.
The Business Advisory Directorate can help you determine what you can and cannot do, and how to do what’s right. They can also ask for an on-demand review, not pointing fingers or alleging that you have broken the law, but saying this is an area they would like to come in and review. For instance, here is their latest report on Smart Cities: https://www.ipc.on.ca/newsrelease/ontarios-privacy-commissioner-leads-call-for-a-privacy-protective-approach-to-smart-city-projects/
On that note, the OPC invites you to keep track of their Business Advisory opportunities and if there is something that is of value to your organization, don't feel shy to reach out and engage with them!
Publications by Event Partners
Beardwood, John, Cybersecurity Survey Report, Fasken
Chanda, Noemi, Implications of Connected and Autonomous Vehicles in Ontario: Insurance and Data Access & Security, Deloitte
Long View, CyberWatch Managed Security Services