Fitness trackers are just one of the data-gathering devices that we either wear or stare at too many times in a day that have exploded in popularity in recent years. They are also increasingly offered to staff as part of employee wellness programs in large companies.
Any incentive to encourage employees to be more active is likely to be good for a business. However, it could potentially raise privacy issues, since these devices can compile and store health information as well as exercise totals. A story earlier this year in the Washington Post recounted how an employee at a plastics fabrication business in Texas, who had previous health issues, was surprised to receive a call from the company’s owner praising a recent increase in daily steps by the worker.
For individual consumers, we have long been made aware of the amount of personal data stored on our smartphones and laptops and what to do if disposing of the devices. The importance of wiping personal data now, though, may also be required in many other consumer purchases such as when selling a car or returning it at the end of a lease.
Fast-changing technologies and improving data analytics mean that the collection of information about employees and customers — much of what might be private in nature — is inevitable. At the same time, there is commercial value in much of this data. For in-house counsel, this means trying to balance the requests of the sales side against regulatory requirements, while also demonstrating that effective privacy practices are good for business and especially its reputation with its customers.
Thrown into this challenging mix are guidelines issued by the federal privacy commissioner that took effect on Jan. 1. They require companies to obtain “meaningful consent” when obtaining private information. How it will be used and shared and the potential risks in the sharing of this information must also be outlined. With more companies migrating to the cloud and increasing data sharing, either internally or with business partners, this could also raise multi-jurisdictional issues in the area of compliance and risk management.
Data management is one of the top “pain points” for internal legal departments, says Kirsten Thompson, a Toronto-based partner at Dentons. “General counsel are increasingly under pressure to monetize data. We have all this data. Why aren’t we generating revenue?” says Thompson, who is also national lead of the firm’s transformative technologies and data strategy group.
“Smart companies are looking at this as a competitive advantage. But it also requires developing an overall message and values across everything you do. What does this message mean and how do you back it up? Remove the surprise element for consumers. If they think they are getting something of value back, they are more likely to share information,” says Thompson.
The role of the legal department is to ensure there is a “compliance blueprint” for all data collected and maintained by a company. “What risks are you assuming and how do you mitigate them?” she says.
In addition to changes enacted last year in the European Union with its General Data Protection Regulation and in California with the Consumer Privacy Act, the federal privacy commissioner in Canada is also changing its approach. “There is a shift in Canada from an ombudsman to an enforcement role. In the past, you could have a ‘good enough’ approach,” says Thompson. Going forward, she says, it will be necessary for federally regulated companies to show the process in place that ensures compliance.
Businesses should not shy away from making increased use of analytics or migrating to the cloud, which can reduce expenses and provide better computational tools, says Imran Ahmad, a partner at Blake Cassels & Graydon LLP in Toronto. “But you must map your data. Where is it kept? Data flows to a sub-processor need to be very clearly identified. Are you able to transfer to a sub-processor in the United States?” asks Ahmad, whose practice focuses on technology, cybersecurity and privacy law. In recent years, he says, there have been some concerns about storing data on cloud providers in the United States because the Patriot Act provisions may give authorities in that country access to the information.
In addition to ensuring there is a clear map of where all data is locating, he says it is also important to know how it is being stored. “Anonymizing can be very complicated to do so that it cannot be reverse engineered” [to obtain private information], says Ahmad, who also teaches privacy law at the University of Toronto law school.
There has been an increase in recent years in cloud capacity with data centres based in Canada, which might reduce jurisdictional issues. Proceeding with caution about the type of data that is stored on the cloud may still be the best course of action, says Samson Chan, a lawyer at Singleton Urquhart Reynolds Vogel LLP in Vancouver.
“There is inherently a greater risk of data breach generally when more parties are in contact with the personal information because of more chances of errors and less control of third-party data processors such as the cloud providers,” says Chan, whose practise includes privacy compliance. “If the company internally has adequate levels of protection, it may be prudent only to use cloud providers to process less sensitive information,” he adds.
Maryann Besharat, vice president, corporate, legal and compliance at Intact Insurance, says many Canadian companies continue to take a conservative approach when considering whether to move data to the cloud. “I would prefer to use a Canadian software company. You also need to confirm that they have the safeguards you have,” says Besharat.
The same caution with respect to privacy issues, she says, should be in place when using new data technologies. “Companies understand that data analytics is a great tool. But you should take your code of conduct and prepare a data ethics framework. Articulate your risk appetite,” Besharat says.
“Your lawyers should be at the table to ask questions before projects launch. The questions should be ethics based. Scrutinize the machine learning to see if it results in any bias or discrimination,” she states.
As well, the clarity of the message to customers when asking to use their data needs to be a priority. “Do they understand it? How can you obtain consent in an informed way if you can’t explain it in a meaningful way?” says Besharat.
While many customers will click on the pop-ups on their computing devices without reading the disclosure by the company about the use of their data, an important part of effective compliance, says Ahmad, is what happens when someone declines. “What if a person does not approve? Do you have a mechanism to respect the customer’s wishes and can you show this if asked by a regulator?” Ahmad adds.
Effective data management, he says, also requires very close scrutiny of any contracts with third parties, especially in the case of a data breach. “Pull out key vendor agreements. Make sure there are specific clauses to do with notification and co-operation if there is an investigation,” says Ahmad.
Peter Nguyen, general counsel, corporate secretary and privacy officer at Resolver Inc. in Toronto, agrees that keeping track of where your data is located is a priority. “Find out where your data is being hosted. Have you done a third-party risk assessment? Many general counsel may be surprised at how many [software] tools their business is using. Data is going to flow anywhere and everywhere, so it is incumbent to put in processes and educate your business about the seriousness of the issue,” Nguyen says.
Resolver specializes in risk management software and has established separate data centres in Canada, the U.S. and the EU. However, even if your data is hosted in the country where your business is located, he says, there still could be jurisdictional and compliance issues that might not have a clear-cut answer. “There are still arguments over what is a data transfer,” Nguyen says. “We provide customer support from a help desk in New Zealand. If we ask to view your computer screen with personal data on it, is that a data transfer? In Europe, the remote viewing of a screen is considered a transfer,” he notes.
Meanwhile, the EU is scheduled to complete a review by next year and then state if Canada has maintained its “adequacy status” in terms of privacy protection. Further amendments to the Personal Information Protection and Electronic Documents Act may also be required to maintain this status and to regulate new data analytics tools.
PIPEDA was meant to be technology neutral, says Thompson, and its framework puts Canada “on a middle road” between regulations in the U.S. and the EU. “I do not think it needs to be stricter, but it does need to be updated to comply with the adequacy provision,” she says.
Whatever changes ultimately come into force, Thompson says, it should already be “top of mind” for internal legal departments. “Have a strategy plan. That will make sure there is a smooth implementation,” she says.