Looking at Canada’s Personal Information Protection and Electronic Documents Act, the word “reasonable” pops up quite often. Companies have an obligation to ensure they always act in a way a reasonable person would consider appropriate in a given circumstance.
Almaga Consulting President Gilles Fourchet, CIPP/C, CIPT, FIP, said one area where reasonableness should play a role for privacy professionals is conducting privacy impact assessments.
He compared performing a PIA to how encryption was viewed years ago. While encryption may not have been necessary two decades ago, it is now reasonable — and expected — for it to be a part of an organization’s practices. PIAs should be treated the same way.
“If you didn’t do a privacy impact assessment 10 or 15 years ago, you got a slap on the wrist,” Fourchet said during a session at the IAPP Canada Privacy Symposium in Toronto recently. “Nowadays, you get much more than a slap on the wrist.”
Organizations would be wise to have a PIA ready to go whenever it may be needed, he added; however, the contents of the PIA are likely going to differ from entity to entity.
If “reasonable” is one word Fourchet would attach to PIAs, the other would be “subjective.” He said that in risk management, what one person sees as a vulnerability or a threat may look entirely different to another, depending on the industry and the types of data an entity holds.
A financial institution, for example, has to consider what would happen in the event it suffered a data breach. In its PIA, it would need to assess what would occur if financial information were leaked, as well as what the incident’s impact would be on its institutional reputation.
Fourchet said organizations may take a quantitative approach to their determination of risk scores, but they should be cautious. Regulators will want to see the rationale behind their risk scores, which ultimately will tie back to reasonableness, he said.
“You have to justify it. You have to justify 'I think the risk is medium.' At the end of the day, you might have more questions than answers, but unfortunately, there is no mathematical method for you to enter numbers to get risk volatility … It’s not math. It’s not science. It’s an assessment,” he said.
Fourchet recommends organizations be proactive with PIAs. It's easier to have a PIA baked into a program from the start than to attempt to fit one into a preexisting process. He added that it's important for privacy professionals crafting the PIA to meet with business owners and stakeholders as they draft the document.
“Make sure the business folks keep you guys in mind from the very moment they start to have an idea,” Fourchet said. “You have to be seen as people that are adding value. A lot of times the PIA arrives at the very end of the business process. If they include you at the very beginning it would be seamless and perfect.”
By talking with all the principal parties within an organization, privacy professionals can get a better understanding of business processes and data flows. Those conversations can help avoid legal issues.
It is important for privacy professionals to include business owners and senior management in the PIA process for accountability. Fourchet said privacy professionals are messengers, and it's up to business owners to ensure a PIA is carried out. Accountability cannot be transferred, and if an investigation were to take place, it would ultimately be the organization’s problem.
“You should act as a consultant. You provide expert opinion when writing PIAs. It is not your job to do it. It is not for you to act upon your recommendations,” Fourchet said. “You can advocate for your recommendations, but that is it. You are responsible, but not accountable, for your PIA. At the end of the day, privacy is not the business of your organization. Privacy should be seen as an added value and an advantage.”
Photo by Anna Kobelak