Office of the Information and Privacy Commissioner, Ontario, Canada
Panel on Privacy
Centre for Information Integrity & Information Systems Assurance, U of Waterloo
7th Biennial Research Symposium
October 21, 2010
Toronto, Ontario

Upload: jesse-bates

Post on 26-Mar-2015


Ann Cavoukian, PhD
Ontario’s Information and Privacy Commissioner

• Ensures that government organizations (provincial and municipal) comply with freedom of information and privacy laws in Ontario

• Investigates privacy complaints and resolves appeals when the government refuses to grant access to government-held information

• Conducts research on access and privacy issues

• Educates the public and raises awareness about Ontario’s access and privacy laws

Privacy Defined

• Right of an individual to exercise a measure of control over the collection, use and disclosure of their personal information

• Definition of personally identifiable information (PII) - any information, recorded or otherwise, relating or linked to an identifiable individual

• Privacy is contextual / think of privacy as an aspect of CRM (Customer Relationship Management)

What privacy is not

Privacy ≠ Security

Security is, however, vital to privacy

Fair Information Practices

• Why are you asking?
  – Collection; purpose specification

• How will the information be used?
  – Primary purpose; use limitation

• Any additional secondary uses?
  – Notice and consent; prohibition against unauthorized disclosure

• Who will be able to see my information?
  – Restricted access from unauthorized third parties

Why We Need Privacy by Design

Most privacy breaches remain undetected – as regulators, we only see the tip of the iceberg

Regulatory compliance alone is unsustainable as the sole model for ensuring the future of privacy


Privacy by Design: The 7 Foundational Principles

www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf

1. Proactive not Reactive: Preventative, not Remedial;

2. Privacy as the Default setting;

3. Privacy Embedded into Design;

4. Full Functionality: Positive-Sum, not Zero-Sum;

5. End-to-End Security: Full Lifecycle Protection;

6. Visibility and Transparency: Keep it Open;

7. Respect for User Privacy: Keep it User-Centric.

Privacy by Design: The Trilogy of Applications

Information Technology

Accountable Business Practices

Physical Design & Infrastructure

Privacy by Design in 2010: Gathering Momentum

• May – As part of the European Commission’s new European Digital Agenda, Peter Hustinx, the European Data Protection Supervisor, recommended that Privacy by Design be included as a binding principle in the data protection legal framework;

www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2010/10-03-19_Trust_Information_Society_EN.pdf

• October – Regulators from around the world gathered at the annual assembly of International Data Protection and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a landmark Resolution recognizing Privacy by Design as an essential component of fundamental privacy protection;

www.privacylaws.com/templates/EnewsPage.aspx?id=1663

• December – The U.S. Federal Trade Commission released a major report on protecting consumer privacy in which it recommended that companies adopt a Privacy by Design approach by building privacy protections into their everyday business practices.

www.privacybydesign.ca/media-centre/in-the-news/

Embedding Privacy at the Design Stage: The Obvious Route

• Cost-effective

• Proactive

• User-centric

• It’s all about control – preserving personal control and freedom of choice over one’s data flows

Conclusions

• Lead with Privacy by Design;

• Change the paradigm from the dated “zero-sum” to the doubly-enabling “positive-sum;”

• Deliver both privacy AND security or any other functionality, in an empowering “win-win” paradigm;

• Embed privacy as a core functionality: the future of the Smart Grid may depend on it!

How to Contact Us

Michelle Chibba
Director of Policy and Special Projects
Information & Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada M4W 1A8

Phone: (416) 326-3333 / 1-800-387-0073
Web: www.ipc.on.ca
E-mail: [email protected]