Ontario's Carleton University Privacy Manager Pierce White-Joncas, CIPP/C, CIPM, brings a diverse array of experience in data privacy to his work in higher education. White-Joncas' job requires him to oversee the university's privacy compliance in a number of areas, such as processing students' personal information, housing details and human resource records.

White-Joncas previously held multiple privacy-related positions in the Canadian federal government, first with Climate Change Canada and later the Royal Canadian Mint. Aside from his day-to-day work at Carleton, White-Joncas also played a major role in developing the proposed Canadian Information Privacy Protection Framework. The standard was proposed under a prior iteration of a federal privacy bill, C-11, and White-Joncas hopes it will be incorporated into the proposed Digital Charter Implementation Act, C-27.

In this Member Spotlight, White-Joncas spoke with IAPP Staff Writer Alex LaCasse about the differences between Canadian and U.S. privacy laws governing how student data is stored and processed, Canada's impending national privacy legislation and the major issues young privacy professionals are confronting in the country.

Editor's note: This conversation has been edited for length and clarity.

The Privacy Advisor: How did you get your start in privacy and what do you enjoy most about this field?

White-Joncas: I fell into privacy by luck. I got a job as a privacy clerk with Climate Change Canada, a federal government department responsible for environmental issues in Canada, and they had a professional development program. I graduated from that program, ended up with the Royal Canadian Mint and found my passion for privacy. There, I became more involved in the privacy side of the operation, and they helped me obtain my CIPP/C certification. Since then, I've focused on the privacy sphere, and it's kept me in this industry for 13-plus years.

The Privacy Advisor: Coming out of the various positions you held in the Canadian government, where do you see the privacy landscape in Canada currently and what holes, if any, do you see in federal and provincial privacy laws?

White-Joncas: The government (federal agencies) in Canada and the provincial governments all fall under the public sector laws, and there are at least 17 that you must know about, especially if you're working at the federal level. For example, Employment and Social Development Canada is responsible for all the different benefit programs we have, such as student loans and disability programs. It can get complicated when you're negotiating with different provinces, trying to match the federal legislation with provincial legislation in an effort to achieve the ultimate goal, which is to get services to all Canadians, wherever they may be, coast to coast to coast. Because of the limited gaps and differences between the public sector laws across different levels of government, it can be a little complicated for government organizations to navigate those gaps. It's about leveraging a kind of gray area, seeing where you can have a meeting of the minds and meeting in the middle.

The Privacy Advisor: Speaking of public sector privacy laws, Bill C-27, the Digital Charter Implementation Act, has been a major topic of discussion in the Canadian privacy community since it was introduced last year. How do you see this legislation being deliberated in Parliament and what are your lingering concerns, if any?

White-Joncas: A great part of my job is that the university allows me to do some external outreach and I'm the vice chair of the Digital Governance Council's Technical Committee 9 on privacy and access controls. One of the standards I was the lead driver for was the proposed Canadian Information Privacy Protection Framework under the previous comprehensive federal privacy bill, C-11.

I designed the framework because I saw all the gaps sitting there, especially when you compare it to international data privacy legislation in California, Europe and Brazil. I thought Parliament was not doing a good job putting forth the best bill for us. I wanted to create a framework to see if it could be accredited under the former C-11. Fast forward a couple of years, I paused my work on the framework and waited to see how the government would reintroduce C-27. But when they did, I was not pleased whatsoever. It lit a fire under me and I got the framework done. That kind of speaks to how I feel about C-27. I believe it's an incomplete piece of legislation that gives too much power to businesses. It will not be able to meet adequacy requirements for our partners across the pond in the EU, and now the U.K. because of their new adequacy decision regime.

The Privacy Advisor: As you're well aware, C-27 is composed of three separate pieces of legislation, one of which is the Artificial Intelligence and Data Act. How would you say it compares to the proposed EU AI Act?

White-Joncas: Part of an issue with it is it's very much open to interpretation and manipulation by industry. The way the current bill is written, they're going to pass the bill and then worry about the regulations well after the fact. In that case, aren't you opening up the door for a lot of malicious activity to happen if the regulations aren't in place, but the bill is in force?

The Privacy Advisor: Let's switch gears and discuss your day-to-day work at Carleton. Can you explain the differences between Canadian laws governing the processing of student data versus how student data is handled in the U.S. under the Family Educational Rights and Privacy Act, for example?

White-Joncas: The analogy I like to use for universities is that they're effectively small towns. I'm a privacy officer for a small town. We have six different schools with six different faculties. We've got research happening on campus. We manage our own clinic, so we've got personal health information we're dealing with. We run an apartment precinct for the residential buildings, so that's over 4,000 tenants. Putting that in context, there's a lot that a privacy officer at a university needs to be on top of. It's not just our sector's privacy legislation, but all the other pieces of legislation impacting a university's business operations.

There's always interplay of other laws, our privacy law in Canada and in the province. The reason I say that, and this is where Canadian privacy laws differ from FERPA, is we don't have a sector-specific privacy law for universities and colleges. Every government organization and broader public sector organization follows the same privacy law, the Freedom of Information and Protection of Privacy Act, and we have enabling legislation that basically gives us rules around where we can collect, use and disclose personal information. This was last updated in 1962 and the privacy legislation is about 35 years old at this point.

The Privacy Advisor: So, for someone in your position, would having a single-sector higher education privacy law be more helpful?

White-Joncas: In Ontario, there is the Education Act, which is akin to FERPA, but it only applies for kindergarten through grade 12. So, the "easy" Band-Aid would be to just bring colleges and universities under the Education Act. The caveat is they are then removed from the auspices of FIPPA because of all the same access controls, access to records requests and processes within the Education Act we have available to us as post-secondary institutions. We wouldn't want to have to comply with both pieces of privacy law.

The Privacy Advisor: Shifting back to AI for a minute, can you talk about how Carleton University has employed AI systems in its operations for the processing of student data, if at all?

White-Joncas: At Carleton we have not yet begun using AI in our operations. We're still conducting our data protection risk assessments on the tools, and we're actually looking at the assessments in the context of three different buckets. The first bucket would be used for administrative purposes: student record decision making or our IT department running some code through the system to make sure it catches some bugs, for instance. The second bucket is teaching and learning, so enabling faculty and instructors to teach AI in their classes and use the tools as part of their curriculum. The last bucket is research, which AI models are based on research already. Doing an assessment on something that was built using research is sort of a meta question. Our hope is that we'll provide enough advice and guidance to the three different user groups to enable them to use the tool in such a way that is still safe for them and safe for the organization, while also recognizing the risks and the boundaries.

One challenge I see universities facing is how the algorithm comes to the decision to either accept or reject a student. Because a student has a right to know how the decision was made about them under Ontario's FIPPA. How are we, as universities, able to generate that automated decision and document it for the purposes of an access request?

The Privacy Advisor: You're saying some universities are basing student-admission decisions on algorithmic decision making?

White-Joncas: Some universities do use an algorithm. There's a bit of machine learning there, because the algorithm had to learn from 15-20 years of application data to understand what the admissions threshold should be. Is it making the admissions decision? No. But is it being used as a screening tool? Yes.

I can see it as a way for universities to reduce the amount of human verification that would be needed for specialized application streams. I'm thinking more of the STEM programs. Naturally, you want students to have higher grades in certain areas. So, you can tune the algorithm to automatically reject a student that isn't hitting these grades in math, physics, chemistry, etc. Whereas, when you're looking at a more arts-based or social sciences-based degree, that's a little bit more subjective. I would use the argument of a fine art student: a school is not going to run that student's portfolio through an app like DALL-E, for example.

The Privacy Advisor: Finally, you've been heavily involved in the IAPP's Ottawa KnowledgeNet Chapter as a former co-chair and former Young Privacy Professional Leader of the chapter. What would you say are some of the major concerns young Canadian privacy pros encounter as they begin their careers?

White-Joncas: There are two major things that come to mind. The first is training for young privacy professionals and how out of reach it is becoming, in my opinion. Everywhere I turn, there are more training programs being offered at CAD500, CAD700, CAD1,000. That's a bit of a barrier for someone who is just starting their career. If someone can find an organization that's willing to pay for the training, that's the best-case scenario. But when we look at the current market for certain industries, especially technology with its recent layoffs, I don't see organizations necessarily wanting to throw money into developing someone they think should be ready on day 1, with 5-10 years of experience. A lot of midlevel professionals are coming and taking what we would consider entry-level privacy jobs, and it's drying up the market for young professionals.

The second thing I see is Canadian businesses sliding backward when it comes to privacy protection. One stat I found from the Office of the Privacy Commissioner of Canada's biannual polling found measures and compliance with privacy practices have decreased since 2019. One example is that, in 2021, 57% of respondents said their company had a privacy officer, which is down from 62% in 2019, which is down from earlier years. Using that data alone, young professionals are coming into the workforce with a lack of training in their trade craft and having to advise and build a privacy practice program for a company, or revise and retune it, practically from scratch.