A ‘reasonable’ discussion about PIAs in Canada
Looking at Canada’s Personal Information Protection and Electronic Documents Act, the word “reasonable” pops up quite often. Companies have an obligation to ensure they always act in a way a reasonable person would consider appropriate in a given circumstance.
Almaga Consulting President Gilles Fourchet, CIPP/C, CIPT, FIP, said one area where reasonableness should play a role for privacy professionals is conducting privacy impact assessments.
He compared performing a PIA to how encryption was viewed years ago. While encryption may not have been necessary two decades ago, it is now reasonable — and expected — for it to be a part of an organization’s practices. PIAs should be treated the same way.
“If you didn’t do a privacy impact assessment 10 or 15 years ago, you got a slap on the wrist,” Fourchet said during a session at the IAPP Canada Privacy Symposium in Toronto recently. “Nowadays, you get much more than a slap on the wrist.”
Organizations would be wise to have a PIA ready to go whenever it may be needed, he added; however, the contents of the PIA are likely going to differ from entity to entity.
If “reasonable” is one word Fourchet would attach to PIAs, the other would be “subjective.” He said in risk management, what is seen as a vulnerability or a threat by one person may be entirely different for another, depending on the industry or the types of data an entity holds.
A financial institution, for example, has to consider what would happen in the event it suffered a data breach. In its PIA, it would need to assess what would occur if financial information were leaked, as well as what the incident’s impact on its institutional reputation would be.
Fourchet said organizations may take a quantitative approach to their determination of risk scores, but they should be cautious. Regulators will want to see the rationale behind their risk scores, which ultimately will tie back to reasonableness, he said.
“You have to justify it. You have to justify ‘I think the risk is medium.’ At the end of the day, you might have more questions than answers, but unfortunately, there is no mathematical method for you to enter numbers to get risk volatility … It’s not math. It’s not science. It’s an assessment,” he said.
Fourchet recommends organizations be proactive with PIAs. It’s easier to have a PIA baked into a program than to attempt to fit one into a preexisting process. He added it’s important for privacy professionals crafting the PIA to meet with business owners and stakeholders as they go through establishing the document.
“Make sure the business folks keep you guys in mind from the very moment they start to have an idea,” Fourchet said. “You have to be seen as people that are adding value. A lot of times the PIA arrives at the very end of the business process. If they include you at the very beginning it would be seamless and perfect.”
By talking with all the principal parties within an organization, privacy professionals can get a better understanding of business processes and data flows. Those conversations can help avoid legal issues.
It is important for privacy professionals to include business owners and senior management as part of the PIA process for accountability. Fourchet said privacy professionals are messengers, and it’s up to business owners to ensure a PIA is carried out. Accountability cannot be transferred, and if an investigation were to take place, it is ultimately the organization’s problem.
“You should act as a consultant. You provide expert opinion when writing PIAs. It is not your job to do it. It is not for you to act upon your recommendations,” Fourchet said. “You can advocate for your recommendations, but that is it. You are responsible, but not accountable, for your PIA. At the end of the day, privacy is not the business of your organization. Privacy should be seen as an added value and an advantage.”