Rising Risks, Changing Laws: Navigating Privacy in Canada’s Digital Landscape

In this episode of the Cloud Lounge, host Zeshan Randhawa is joined by Mark Rye, Managing Director of HLB System Solutions, to delve into the crucial and evolving issue of privacy protection in Canada. As technology advances, organizations are handling more personal information than ever, raising concerns about data security breaches and identity theft. Together, they will explore Canada’s comprehensive federal privacy laws and recent provincial updates, discussing the implications of these changes for both organizations and consumers in the ever-changing landscape of privacy legislation.

Transcript

You’re listening to the Cloud Lounge podcast, a show about business technology and all that jazz, brought to you by Softlanding, a leading IT service provider in Canada. Let’s get started. Here’s your host, Zeshan Randhawa.

Welcome to the Cloud Lounge podcast. I’m your host, Zeshan. Now, I know everyone values their privacy, and the importance of having your vital information protected and secure can easily be realized by taking a look at the news and seeing the endless amount of stories around data security breaches and identity theft cases. Now, in this information age, we’re sharing, storing and consuming information at unprecedented, alarming rates, and typically organizations and the people that work within them have a data-hoarding mindset. I see it every day. We typically don’t want to, or don’t have the time to, determine if a document is still needed, or even go through the content management repositories. We have to do some spring cleaning. Now, this hoarding of unnecessary or even outdated data can also increase our exposure to risk for data leakage. Now, legislation is trying to play catch-up, and many privacy laws are undergoing changes or being introduced at the federal and provincial levels. One of the most recent examples of this is coming out of Quebec, with them updating their provincial privacy laws with Bill 64. Now, the result is the new framework that these bills introduce, where they aim to increase accountability and transparency with consumer data. For our guest today, I’d like to introduce Mark Rye. Mark is the managing director at HLB System Solutions, an MSP Corp company. Welcome to the Cloud Lounge podcast, Mark. Could you just start by telling us a bit about yourself and your career journey?

Sure, thanks Zeshan. I appreciate the opportunity to be here on the podcast. As you noted, I’m a managing director at HLB System Solutions, powered by MSP Corp.
I spent the past 25 years working in technology and technology services, with an emphasis on information and records management and information privacy. I’m a Certified Information Privacy Professional with the International Association of Privacy Professionals, and I spend a lot of my time consulting with organizations at this intersection of technology, privacy and information management.

Excellent. Just the person we want to talk to, Mark. Can you start us off by just reminding us what the meaning of information privacy and data privacy really is, and what is the actual importance of it?

Sure. The terms information privacy and data privacy are used somewhat interchangeably. When we talk about data, we tend to think about structured data, the type of content that would fit easily into spreadsheets or a database table. And when we think about information, this tends to broaden the definition to include unstructured content, such as text in a Word file, email or Teams chat. Information privacy and data privacy are used to describe the idea that an organization has control over how personal information, such as information about a customer, prospect or employee, is collected, stored, controlled and ultimately disposed of at the end of its life cycle. And in our technology-driven world, where data is being created and exchanged at an ever-increasing rate, legislation has been rolled out in many jurisdictions to ensure that personal information is being handled in a way that protects the individual while still allowing the organization to provide the associated product or service.

Absolutely. In the past, there was a view that data about individuals was something that you wanted to collect as much of as you can, in case there was a use for it in the future, right?
With the data breaches that we’ve seen in the past number of years, we realized that this over-collection of information and poor information life cycle management magnifies the impact of those breaches, because there’s many more individuals’ data and many more data points when you’re doing that over-collection of the data, collecting more data than is required for the intended business purpose. And that certainly doesn’t look good on an organization when they breach data about you as an individual that you didn’t even know they had, or that they really had no reason to continue to store after the product or service was delivered.

Absolutely. As it relates to privacy, definitely the concept of less is more. Keeping less data is better.

It is definitely true. Yeah, and that is really the focus: minimizing data collection, and then managing through the life cycle and making sure that you’re removing that data as soon as the intended purpose is no longer there. That’s a key foundation of your privacy program.

Excellent. And obviously, since Mark, you kind of live and breathe this, I’d love to hear from your perspective: what are the most significant privacy challenges faced by Canadian businesses today?

Yeah, this is a really good question, because it helps focus the conversation on both the problems, the challenges, and then what we need to do about it in terms of solutions. So one challenge that comes to mind is the sheer speed of technology change that we operate under. Implementing a sound information privacy program would be a significant effort if the environment was static, where systems, data locations and formats never changed.
However, we all know that new technology enters organizations at a rapid pace, and much of this technology has promise and potential to improve the productivity and effectiveness of how we work with our most sensitive and personal information. Knowing that that is the case, designing our privacy programs to be able to assess the risk of those new platforms, and to extend our existing information privacy controls to new systems in a timely manner to vet them and rule them in or out as a suitable addition to the environment, is kind of key to keeping pace with that technology change. And I know we can follow that one on with a secondary point that is really around the use of AI in the business. Artificial intelligence, as I know you’ve spoken about, brings tremendous promise to automate and streamline our work environments. However, there’s real concerns with enabling AI without the governance model that will provide the guardrails to achieve and ensure that information privacy obligations are met. I have an example of that, if you’d want me to run through it.

That would be amazing. Yeah.

Yeah, OK, sure. So one simple example of that would be enabling a technology such as Microsoft Copilot within your environment without a full review of the organization’s information structure and access controls. In a scenario where access controls have not been updated and do not follow the principle of least privilege, there’s a potential for AI solutions that leverage your organization’s existing data, so when it’s looking at your own data set, to surface information that users didn’t even know they had access to, simply by asking the AI a series of questions. AI may be returning results based on the current access controls. Scenarios like this can expose sensitive and personal information, and are real concerns in terms of employee and consumer privacy.
So the remedy to that is to ensure that access controls are in place, and that they follow the principle of least privilege for each employee’s role, prior to enabling the AI on the content within your organization. So I think that’s something we all should be considering as we look at the role of AI in our business going forward. And then a third challenge facing Canadian businesses is really the evolving laws and regulations around information privacy.

Yeah, absolutely.

Across the country, you’ll find a mix of federal, provincial, municipal and even industry-based regulations and legislation that govern different organizations. These pieces of legislation are all going to be updated on different timelines, and while they’re all quite similar, they’re going to have unique differences. So identifying which legislation governs your organization, and staying current with the legislative requirements, is an additional challenge of working in this privacy space.

Yeah, and Mark, I actually wanted to dive a little deeper into that as well, because I know a lot has changed on the legislation side of things, with new laws being introduced in different provinces and at the federal and provincial levels and so on. Would you be able to walk us through the main privacy laws that have been passed in the past few years?

Yeah, for sure. In terms of legislation, I think many people are probably familiar with our federal legislation known as PIPEDA, the Personal Information Protection and Electronic Documents Act. This is a long-standing piece of legislation that governs privacy for most private sector organizations across the country. The core of PIPEDA really dates back to the year 2000, so while it has had some amendments over the years, most privacy professionals would agree that it’s lagging behind the pace of the technology change which it needs to govern.
Currently under consideration in the House of Commons is Bill C-27, which would repeal parts of PIPEDA and introduce new legislation: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. The bill would also be a significant shift from what currently is in place, the ombudsman model, which does not result in many financial penalties for non-compliance, to an enforcement model with monetary penalties and a simpler framework for issuing those fines for non-compliance. The proposed Bill C-27 changes would bring our federal legislation much more on par with progressive privacy legislation such as the well-known GDPR from Europe, which a lot of people are probably familiar with. That’s something to keep an eye out for; keep an eye on the news and see how that bill progresses eventually. There’s lots going on as well. So in Quebec, Law 25 is certainly, I’d say, the most significant change that we’ve had in a long time in Canada, the Law 25 coming out of Quebec, which will be in full effect as of September 2024. It’s introduced significant changes around the capture of and consideration of legitimate consent, which is an important privacy concern, cross-border data transfer requirements and data portability. Again, very GDPR-like in terms of the direction it’s gone. And while Law 25 in Quebec is provincial legislation, it doesn’t just apply to organizations operating in Quebec. I think that’s important for everyone to hear. So if you’re an organization across the country and you’re collecting and storing information about residents of Quebec, make sure you’re aware of Law 25 and your responsibilities there.

Interesting, interesting. So, yeah, some implications there, even if you’re not just operating out of Quebec.

Yeah, that’s for sure. And that goes the same for GDPR and other legislation.
So while each organization is going to have a primary legislation that they are responsible for and accountable to, depending on the type of business that you operate, other jurisdictions may have additional legislation that you need to be aware of and compliant with as well.

Now, it definitely sounds like, Mark, when it comes to privacy and collecting data and information, and again, maybe over-collecting data and information, there could be legal and financial implications. I’d love to hear, again from your perspective, what are the potential consequences of failing to comply with these privacy regulations?

Yeah, it’s a great question. Where I tend to start is that privacy is at the heart of that trust relationship that the organization has with their client, and non-compliance, especially around data breaches and information that potentially should not have been stored in the first place, or continued to be held, can cause reputational damage to the organization. You know, that’s commonly cited as the costliest part of a data breach, because it goes on for months and years into the future once someone associates your brand with that negative incident. While there are direct financial penalties, and certainly we’ll talk to those in a second, really that reputational damage has been shown time and time again to be the single largest cost for organizations. But if we look federally and provincially, there’s definitely allowances to issue financial penalties directly to a business, and Law 25, like we just talked about, from Quebec is far and away the most progressive legislation at the moment in terms of financial penalties. Fines can range from $5,000 to $25 million.
So this definitely gets people’s attention, and it led to some really concerted efforts within the province of Quebec for businesses and organizations there to take note and ensure that they’re operating in a way that’s compliant with Law 25. And then internationally, we saw last year Meta, the Facebook-owned Meta, was fined 1.3 billion, that’s billion with a B, by the European Data Protection Board. There’s definitely big numbers that float around out there, and it gets people’s attention. This is the good thing: it increases awareness. It’s not that every organization is likely to be fined to that capacity, but it’s really just this awareness that it’s out there, the legislation is real, and that everybody needs to start moving in that direction of compliance.

Absolutely. And Mark, speaking of legislation again, you did mention PIPEDA before, the Personal Information Protection and Electronic Documents Act. What steps should businesses take to ensure compliance with PIPEDA? What can they do?

That’s a great question. I think a key thing I would point out to anyone who’s interested in sound privacy practices, and ultimately complying with legislation like PIPEDA, is understanding that at the base of all of this legislation are the 10 fair information principles. These are principles that are really at the heart of what it means to conduct yourselves in a way that has privacy at its core, and understanding and building out a program that aligns with those 10 fair information principles provides the foundation from which compliance with your specific legislation can be met. You can find those principles online at the Government of Canada site, the Office of the Privacy Commissioner of Canada’s website. But quickly:
The 10 fair information principles include accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance. So when you dig in on each of these, you start to get a real sense as to what it means to operate in this more privacy-aware framework. And then, with that awareness in place, you can look at the legislation that you’re accountable to and really try to close the gap on those finer points that remain. That’s going to get you a solid base: operating with an understanding of the 10 fair information principles, and then looking at your legislation and starting to close those finer and more specific gaps that you’re accountable to. But stepping back from that level of comment, I would say if we’re looking for a starting point, I tend to tell people to start with “know your data,” because one thing is for sure: without a clear understanding of the collection, storage, safeguarding and disposition of your personal information, compliance is not possible, right? So if you don’t know what information is coming into the organization and how you’re handling it, compliance is not possible. So while we’ve spoken a lot about the legislation and this idea of privacy programs, I’d like to reinforce that there is a very practical application of all of this that begins with a full understanding of what information you have and what risk that represents, and that can really be accomplished by completing a scan of your environment. There are tools out there that will allow you to scan, let’s say, your file shares, your shared drive, your email system for personal information. So you can say, find all the driver’s licences, the email addresses, the credit card numbers, and return that information back to us. This tells the tale. This is really the litmus test to see:
OK, where do we sit in terms of our privacy risk, and what are we to do? Exactly right. And I think most organizations are quite surprised when they see the results of those scans, by both the sheer volume of personal information that exists on their networks and the lack of access controls to at least some of that information. That concept of “know your data” is a great place to start, and it really provides some perspective on the road ahead for your organization. And then there’s one other thing, Zeshan, that we hear a lot at the beginning of the conversation, and it’s this idea of “can you make me compliant?” We really need to talk to the client and help them understand that compliance is not a rubber stamp. It’s not a one-time activity. It’s a continuous improvement process: assessment, remediation, documentation, training. It’s really a program-level activity that the business needs to budget and resource accordingly, because we know you’re not going to be compliant with whatever legislation or regulations you need to be compliant with by accident. It requires real intention to do so. And for that reason, support for privacy compliance really needs to start at the top of the organization, and it needs to be resourced and promoted as a key pillar for the organization, and then built out from there. One of the things that we’ve found over the years is that a lot of organizations, while they may become aware of their responsibilities, don’t have the knowledge in-house to resource that. That’s one of the reasons we built out, at MSP Corp, our Privacy as a Service, and that really provides a fractional privacy professional who will lead an organization through the implementation of a privacy program, bring the tools and the expertise to move things forward, remediate privacy risk, mature your privacy practices and build out the documentation.
And that’s, I’d say, a key part in all of this: along the way you want to build your track record to show your due diligence on this effort, because that’s really important, to be able to show that you understand your responsibilities and that you’re taking a systematic series of actions and activities that are going to progress the program forward over time. That’s going to be useful if you ever need to sit down in an investigative situation and be able to say, well, here’s what we understand our responsibilities to be, here’s what we have done, what we have accomplished, and here’s the path that we’ve been moving along. So I think the important thing for people to take away is to think of it as a journey towards compliance and not an end goal in itself, because the journey will continue on.

Absolutely. It’s an ongoing iterative process.

That’s it, for sure.

Perfect. So in closing here, Mark, I’d love to get a bit of your explanation on the concept of privacy by design and how it can be implemented in business practices.

Yeah, absolutely. So privacy by design is an approach that was originally developed by Ann Cavoukian, who was the former Information and Privacy Commissioner of the province of Ontario. Simply put, you can think of privacy by design as beginning with the end in mind. So imagine the challenge of coming into an organization that has had very little consideration for privacy, has data all over the place, lots of information systems and exchanges going on; that’s going to be very difficult to remediate and may never be fully effective. Privacy by design is an approach that encourages privacy to be considered and designed for in every step of the technology design and implementation phases. And there are resources online again; there are seven key principles.
So if listeners are interested to dig into privacy by design, definitely there’s a methodology that they can tap into. But I think maybe of more interest might be just a scenario. Imagine if you were implementing, let’s say, a SharePoint project or something similar that involved a lot of sensitive information at a Fortune 500 company, or a Canadian bank, or a federal government department. In an ideal scenario, in the planning and design phase of the project, you need to have representation from a number of different parts of the business. You might have project management there; you might have IT governance and risk, records management, cybersecurity and privacy. They all might be at the table to ensure that the system designed meets everyone’s interests. Unfortunately, though, I think too often these projects are viewed simply as technology projects, without contributions from those different perspectives. And you know, we often see this where a project that has huge information privacy implications is deployed without all of these considerations during the design and deployment phases, and then after the fact you’re trying to assess and reel in that risk. So one of the key proactive privacy activities that we have at our fingertips in the industry is something we refer to as a privacy impact assessment, and the purpose of the privacy impact assessment, or PIA as you’ll commonly hear it referred to, is to review a project plan and identify privacy concerns prior to the project progressing. The PIA is such a powerful process that it’s been widely adopted as the best practice, and it’s also referenced in much legislation as well, as something that needs to take place, especially when a new system that’s being developed or deployed holds personal information, when an existing system is being overhauled and changed, or when data is migrating from one location to another.
Those are all scenarios where the PIA can help identify the privacy risk associated with the work prior to it going ahead, and then can influence the project midstream for a better result.

Excellent. Well, Mark, I would really like to thank you for joining us today, providing your expertise, your background and your thoughts on privacy. Definitely a topic where you want an expert to be guiding you rather than trying to figure things out on your own. So thank you so much for joining us at the Cloud Lounge podcast and providing our listeners with some great information.

Yeah, I appreciate the opportunity. Thanks so much.

Ask anyone who’s been part of an organization that suffered a data breach, or has personally been the victim of identity theft: data privacy affects all organizations, and we, the people that make up the organizations, need to be more proactive about protecting our data and our privacy. I would like to thank Mark Rye for joining us today in our privacy conversation. If you enjoy this podcast, please leave us a rating and review on your favourite podcast platform. Until next time, this has been the Cloud Lounge podcast. Take care.
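As an added illustration of the “know your data” scan Mark describes in the conversation above (example code written for this page, not a tool from the podcast, HLB System Solutions or MSP Corp), the Python below runs two of the detectors he names, email addresses and payment card numbers, over a constructed in-memory set of documents standing in for a file share. A Luhn checksum drops digit strings that merely look like card numbers, and matched card numbers are masked in the report so the scan itself does not copy full card numbers into yet another location. The sample documents, paths and function names are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample "file share" content for this example; not real data.
# 4111 1111 1111 1111 is the standard Visa test number (valid Luhn checksum);
# ...1112 is the same string with the check digit broken.
SAMPLE_DOCUMENTS = {
    "hr/onboarding_2019.txt": (
        "New hire: Jane Doe, jane.doe@example.com\n"
        "Corporate card 4111 1111 1111 1111 issued 2019-03-01\n"
    ),
    "finance/notes.txt": (
        "Order ref 4111 1111 1111 1112 (not a card, invalid checksum)\n"
        "Contact: billing@example.org\n"
    ),
    "public/readme.txt": "Nothing personal in here.\n",
}

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # 13 to 19 digits, optionally separated by single spaces or hyphens.
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(digits: str) -> str:
    """Keep only the last four digits so the report is not itself a PAN store."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str):
    """Return a list of (kind, value) findings for one document's text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "card":
                digits = re.sub(r"[ -]", "", value)
                if not luhn_ok(digits):
                    continue        # looks like a card number, checksum says no
                value = mask_card(digits)
            findings.append((kind, value))
    return findings


def scan_share(documents):
    """Scan every document; return {path: findings} for paths with hits only."""
    report = {}
    for path, text in documents.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


def summarize(report):
    """Count findings by kind across the whole report."""
    return dict(Counter(kind for hits in report.values() for kind, _ in hits))


if __name__ == "__main__":
    found = scan_share(SAMPLE_DOCUMENTS)
    for path, hits in found.items():
        for kind, value in hits:
            print(f"{path}: {kind} {value}")
    print("totals:", summarize(found))
```

On a real share the same loop would walk the filesystem and read each file, and the detector set would grow (driver’s licence and SIN formats vary by province, so each needs its own pattern and validation); the structure stays the same. The masking step is deliberate: a scan report that contains every full card number it found is itself a document the privacy program then has to protect.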

 


Written By:

softlanding

Softlanding is a long-established IT services provider of transformation, professional services and managed IT services that helps organizations boost innovation and drive business value. We are a multi-award-winning Microsoft Gold Partner with 13 Gold Competencies and we use our experience and expertise to be a trusted advisor to our clients. Headquartered in Vancouver, BC, we have staff and offices in Toronto, Montreal and Calgary to serve clients across Canada.
