One of the subtle changes driven by the European Union’s General Data Protection Regulation (GDPR) is the gradual replacement of the term “privacy” with the term “data protection”. While this might not seem a big deal, language is everything. The terms we use often define the actions we take.
In strict terms, privacy is about rights, and in particular, the rights of individuals to control collection, use and disclosure of their personal information. Data protection about obligations, and in particular the obligations of information custodians, data controllers and data processors to protect personal information in their custody and control. Privacy tends to be a policy discussion focused on the behavior of data subjects and those who use personal information. Data protection tends to be a technical discussion focused on the processes and technologies we use to protect the information.
The notion of protection versus privacy is well established in Canadian privacy law. Note the use of the terms in the “Personal Information Protection and Electronic Documents Act”, and the “Ontario Personal Health Information Protection Act”. The use of the term “protection” is much more common than the term “privacy” in Canadian law.
The term “data protection” blends our North American concepts of privacy and security. It also looks at “data” as opposed to “information”, expanding the scope of the discussion from processed data to all of the disparate data elements collected in our modern IoT systems. I would like to advocate for the use of the term data protection to bridge the silos we’ve created for privacy and security.
So what are we talking about in this merger of concepts? First let’s break down the CSA Model Code for the Protection of Personal Information. The CSA code principles grant key rights available to the individual to enable them to control the collection, use and disclosure of their personal information. These rights include right to consent, the right to access and correct their personal information, and the right to challenge the organization’s compliance with their information protection policies and laws.
The GDPR adds to this list of rights including the right to erasure, the right to restrict processing, the right to data portability, the right to object to processing and rights in relation to automated decision-making. There is every indication that some of these new rights will be integrated into Canadian data protection laws in the future.
The CSA code also defines the obligations of organizations that hold personal information. This includes the establishment of an accountability framework for managing information protection, identifying the purposes for the information, limiting the collection of information to the minimum required to achieve those identified purposes, limiting the use, disclosure and retention the information, and being open about their information handling practices.
Finally, the CSA code identifies the need for safeguards to protect information and the need to ensure a level of accuracy appropriate to the identified purposes.
In advancing the concept of data protection, the GDPR enables us to rethink how we handle two very important privacy tools; privacy by design and privacy impact assessment. In both Canada and United States there is an artificial separation of privacy and security often resulting in a duplication or significant overlap of work.
Going down the path of data protection by design gives us the opportunity to integrate both privacy and security concepts into our business and technical solutions. Privacy functionality such as consent management and individual access to personal information must be combined with cybersecurity features such as encryption and access management, to ensure solutions that are compliant with data protection by design principles.
The GDPR also calls out the privacy by design concept of data protection by default. As we build privacy and security features into our applications, we must ensure that all defaults are set to the most privacy and security friendly settings.
With the Data Protection Impact Assessment (DPIA) there is an opportunity to collapse our privacy and security risk assessments. Many Canadian healthcare jurisdictions and organizations require both a privacy impact assessment (PIA) and a threat and risk assessment (TRA) as part of project due diligence. They are often treated as separate activities and contracted-out to different consultants. All too often there is duplication when there could be significant eficiencies in combining the two.
We hear a lot these days about how much words matter. Words can unite or divide. Going down the path of data protection gives us the opportunity to better integrate privacy and security as we work together to protect sensitive data and improve the efficiency and effectiveness our privacy and security management processes.