Unpacking the Ethics of Data Collection

With the adoption of Quebec’s new privacy law (Law 25*), information systems that collect data are now subject to an “assessment of privacy-related factors.” The speakers at our October 27 webinar on Ethics and Data Privacy helped unravel some of the issues involved to enable participants to chart a path forward. The event was moderated by Camille Grange, Associate Professor at HEC Montréal’s Department of Information Technologies.

Camille Grange

Antoine Guilmain

François Senécal

Artificial intelligence, blockchain, virtual reality… many of the latest digital innovations are built around technologies that are dependent on users’ personal data. With data privacy requirements more stringent than ever, we turned to two experts for their insights: François Senécal, KPMG Senior Manager, Cybersecurity and Privacy, and Antoine Guilmain, Associate Counsel at Gowling WLG’s Montreal office, where he co-leads the firm’s national Cyber Security and Data Protection Law Group.

Highlights of the new privacy law

“Organizations have to take this law into consideration as part of their risk management strategy,” said Senécal. “These days, privacy should be seen as a risk object that has to be managed in a given way. What this means at a practical level is that organizations need to have more control over the consent to handle personal information and heed clear limits when it comes to collecting, using and disclosing this information. The principle of ‘data minimization’ is the one we suggest organizations follow here, the goal of which is to contain any adverse impacts on privacy through the careful use of data retention mechanisms or the systematic destruction or anonymization of personal data. Right now, there’s still a lot of work to do to make sure this principle is being applied in every organization.”

Another important consideration: by requiring an assessment of privacy-related factors (commonly referred to as a privacy impact assessment or a PIA) for any information system or electronic service delivery, Law 25 is setting a higher standard than its European counterpart. “Law 25 is based on the principle of proportionality, which means the assessment process can be shorter in some cases,” said Guilmain. “But there are precious few exemptions. This may prove to be problematic. For many smaller businesses, an assessment of this nature, as brief as it may be, is simply not feasible for every technology project. We’ll have to keep an eye on the situation going forward. We may see some amendments to the legislation.”

The assessment process in practice

Using the guidelines issued by the Commission d’accès à l’information du Québec and the models put forward by regulatory authorities in other jurisdictions, Senécal and Guilmain walked participants through a simple, step-by-step approach to the assessment process.

To illustrate, they presented a case study for a fictional business they named Biometrix, specializing in face and voice biometric authentication. Biometrix’s main product uses several different types of biometric data, namely morphological traits (e.g., face shape), behavioural traits (e.g., voice) and biological traits (e.g., DNA).

The steps leading up to the assessment

Everything that needs to be done in preparation for an assessment must take the appropriate legal framework into consideration, as well as the requirements of the Quebec regulatory authority and the federal privacy commissioner, both of which can step in depending on the circumstances. In the example here, the requirements of the provincial Act to Establish a Legal Framework for Information Technology and the Commission d’accès à l’information would have to be taken into account. “These requirements are very high when it comes to biometric data about children and youth under 18. They’re not quite so severe for things like business contact information or data used for B2B transactions,” said Guilmain. General legislative provisions, including various sections of the Civil Code of Québec and the privacy provisions of the provincial Charter of Human Rights and Freedoms must also be factored in.

The first step in the process involves identifying triggers. “This is about determining where privacy considerations need to be applied,” said Senécal. “At this stage, you’ll also identify who the main stakeholders and leads are, as they will have a specific role to play in the process,” added Guilmain. “For a case like Biometrix, the company’s security team would certainly be involved, as would the chief privacy officer, and perhaps even the product teams.”

Next is what is known as an applicability analysis, which will determine the appropriate level of detail for the assessment. “Do we need something more in-depth, or is the risk fairly low and conducive to a simpler methodology?”

Following this, it is important to identify and characterize risks and the corresponding risk mitigation controls and measures, where the question will be, “What exactly do we need in terms of personal information to achieve our goals?” To determine this, you will have to take a closer look at the imperatives that are at the heart of your project, along with your overarching business objectives.

A risk analysis questionnaire will guide you in this process, with questions like “Which situations might create a privacy risk for the people concerned?” “What would be the repercussions of these situations?” “Is there a disproportionate amount of risk of a privacy breach, invalid consent, weak security precautions or insufficient anonymization measures?”

Guilmain went on to illustrate: “In the case of our made-up company, Biometrix, the data used in their authentication process is reported as being hashed for anonymization purposes. The raw biometric data is not stored anywhere. So even if a hacker does manage to get access to the hashed data, they wouldn’t be able to match it up with any given individual.”

Anonymization is nevertheless an unfathomably complex operation, he added. Anyone who works in the field knows that total anonymization is the stuff of pipedreams. “Canadian laws refer to a reasonable risk of an individual being identified. In Quebec, we’re still waiting for clearer guidelines from the Commission d’accès à l’information, but we know that the concept of anonymization and the required degrees of anonymization vary tremendously from one industry to the next.”

Implementation and monitoring

The next stage of the assessment process requires a personal information inventory along with a description of how this information will be treated. “For the purposes of the Biometrix case study, we’re talking about raw biometric data and hidden data, in other words, pieces of information that can’t be tied to an individual’s identity,” said Guilmain. “The focus will be on how and from whom the information will be collected, how it will be conveyed, who will have access to it and what rules will apply to storing it. In our example, Biometrix says they plan to store the data locally and solely on individual employee devices. That’s a strong solution.”

Then comes taking stock of your existing protective measures. This entails outlining how the principles of privacy protection are being applied, determining your data minimization objectives, checking whether you have valid consent mechanisms in place, ensuring your security measures are adequate, determining whether the system allows people to fully exercise their privacy rights, and so forth.

The last step of the assessment process is drafting an implementation plan and obtaining the necessary approvals. “Bear in mind, though, that any such approvals are never final. This is a living, breathing document. From an operational perspective, it will never stop evolving,” said Guilmain.

The requirements of Law 25 aside, social pressures are making today’s organizations more aware of, and responsive to, privacy-related needs in our increasingly digital world and more apt to foster a strong culture of privacy. Assessments of privacy-related factors now tend to be incorporated into the development process of a digital product from day one. “We are indeed on the verge of seeing privacy mechanisms being part and parcel of any process to develop, acquire or overhaul an information system,” concluded Senécal.

*Act to Modernize Legislative Provisions as Regards the Protection of Personal Information

Interested in shoring up your organization’s ethical foundations? Join the next cohort of our Certification in Ethics and Compliance program and be the one to lead the charge!

Questions? Joelle Zoghbi, our program manager, would be happy to help!