Canada Privacy Symposium

Breakout Sessions

 


For session times and to view a complete conference schedule, visit the At-A-Glance.

 

  HEALTHCARE PRIVACY

 

Enabling Secondary Use of Unstructured Data with Proven Anonymization Methods

Khaled El Emam, CEO, Privacy Analytics

More than 80% of data today is unstructured or free-form text, residing in medical devices, text files, transcripts and online forums. The purpose of this session is to first describe an attack on a large corpus of medical records to understand what aspects of the data make patients identifiable. We will then examine three case studies in which unstructured data was anonymized in order to use or disclose it without consent. Case Study 1: Consists of close to 300,000 oncologist notes in a breast cancer database that was being anonymized to be interactively queried and analyzed by cancer researchers. Case Study 2: A set of discharge notes from a hospital being shared by researchers. Case Study 3: Forum posts by patients in a disease-focused online discussion board.

What you’ll take away:

  • Learn the practical challenges around anonymizing unstructured data or free-form text
  • Discover what to look for in free-form text data in order to anonymize it
  • How to evaluate if the data is anonymized “enough”

Healthcare Interoperability between Canada and the U.S.

Rick Shields, Partner, nNovation LLP

There are an increasing number of providers coming up from the U.S. to offer electronic health records systems to hospitals in Canada. These systems are often well-developed and well-tested, with a fairly long history of successful use in large hospital systems in the U.S. Many advertise their compliance with HIPAA on the assumption that the standards are identical in Canada. They are not. There are substantial differences between HIPAA and the various laws impacting health information privacy within Canada, adding a layer of complexity and legal risk to these contractual arrangements. Come learn more about the statutory differences, contractual issues to be wary of and practical issues that have arisen when implementing a health records management system from a U.S. provider.

Making Shared Accountability Work

Natalie Comeau, CIPP/C, Senior Privacy Advisor, University Health Network
Robin Gould-Soil, CIPP/C, Chief Privacy Officer, University Health Network

At IAPP Canada 2013, the speakers discussed the impact of shared accountability on the privacy model planned for Ontario’s largest shared electronic health records system. Considerations around shared accountability for HICs and HINPs in similar situations were discussed in the areas of breach management, access requests, consent management and governance. Here, we’ll continue to focus on accountability and provide lessons learned in the past year around how policies and procedures with shared accountabilities can be operationalized. Knowing the roles each party will play and the resources each have to contribute is crucial to identifying reasonable operational practices that maintain underlying principles, such as being patient-centred, and can be easily incorporated into parties’ existing privacy programs.

What you’ll take away:

  • Insight on how privacy and security policy principles can be translated into operational practices
  • Guidance on identifying program requirements that may affect your privacy program
  • Helpful tips and tools
 

  INFORMATION SECURITY

 

CRYPTOGEDDON—Healthcare Compromise

Todd Dow, Founder, Cryptogeddon

What do a famous rock star, a federal politician and a police officer have in common? Their health records are all stored online and hackers want to get at that data. There are numerous ways of intercepting healthcare data. Institutions are more focused than ever on securing that data to ensure that a data breach does not occur. In this fictitious scenario, you have been hired by GetWellSoon Hospital to conduct a penetration test, identify any weaknesses and provide corrective action to remove identified weaknesses. In this informative hour, we’ll use various publicly available infosec tools to walk through the penetration test and the resolution process for this particular scenario. Topics and tools will include social engineering, cryptography, virtual machines, network and intrusion monitoring and vulnerability exploit tools.

What you’ll take away:

  • An understanding of key information security concepts
  • A healthier respect for how vulnerable data has become
  • Key tips and techniques to safeguard data

From FOIP to IS, with a Bit of OMG

Sydney Jones, CIPP/C, Senior Manager, Information Privacy and Security, British Columbia Lottery Corporation

Privacy and security are playing an increasingly cohesive role in the management and protection of personal information. When a department merger at a provincial Crown corporation brought together access to information and privacy with information security, the information privacy and security structure presented an opportunity for acquiring a new body of knowledge and skills. How does an access and privacy manager with newly assigned responsibilities in information security get going and get educated in a highly technical field? How does someone accustomed to strategy and assessment learn up about systems and configurations? How do privacy and security intertwine to benefit growth in becoming a more effective privacy professional? How does having a broader background contribute to a stronger privacy and security program? This session will discuss how the journey of discovery has (so far) been marked with milestones and lessons learned.

What you’ll take away:

  • Considerations and thoughts for the pursuit of lifelong learning
  • How employees with knowledge of both privacy and information security contribute to a stronger and more effective program

The Futility of Traditional 1.0 Technology Safeguards against 2.0 Web Application Hacking

Blair Campbell, CIPP/C, Senior Manager, Scotiabank
Jason C. Lin, Corporate Security Officer, Ontario Telemedicine Network

Traditional safeguards (e.g., firewalls, SSL and locked-down servers) are no match for web applications that are accessible 24 hours a day, 7 days a week, to hackers concentrating their efforts on shopping carts, forms, login pages, dynamic content, etc. How can your organization proactively manage your sensitive protected information from external threats? Website security is possibly today's most overlooked aspect of securing the enterprise and should be a priority. This presentation will break down top web application security risks and provide examples and solutions, as well as an encryption primer—all without getting lost in the weeds.

An Introduction to the ISO Security Standards for the Privacy Professional

Angela J. Carfrae, CIPP/IT, Independent Contractor, Carfrae Consulting

This presentation will explore the 10 security domains of ISO 27001/27002, the framework used by many security professionals to build a comprehensive security program. It will be a high-level introduction to each of the domains, and then suggest which domains the privacy professional should be most interested in working with their security counterpart to gain efficiencies for their company and improve the privacy program. For example, the privacy professional should be able to rely on their security group that the communications and operations domain is functioning, but the privacy professional should be highly involved in the asset classification domain in order to make sure that information that is considered “private” by the organization is appropriately classified in the scheme defined by the security group.

What you’ll take away:

  • A high-level understanding of the ISO security framework
  • Understanding the difference between security and privacy
  • Identification of opportunities for working in cooperation with the security team

Privacy and Information Security: A Perfect Marriage

Angela Swan, CIPP/C, CIPP/IT, Information Privacy and Security, British Columbia Lottery Corporation

In May 2013, British Columbia Lottery Corporation (BCLC) successfully amalgamated its privacy and information security teams and gained significant advantages in both areas. Here, we’ll discuss why the decision to amalgamate was made and what cultural and procedural changes were necessary to make the change a success. You’ll learn the challenges and discoveries that were made when the technical security team became involved in the privacy impact assessment process and how privacy legislation strengthened the information security program. BCLC’s new integrated information privacy and security assessment process will also be presented. This new process allows for faster, more comprehensive privacy and security reviews of new systems and initiatives and is designed to assist business units in understanding the privacy and security risks and opportunities within their projects.

What you’ll take away:

  • An understanding of the benefits gained to both privacy and security by working together
  • Knowledge of key technical areas often overlooked in the privacy impact assessment process
  • An understanding of how to cross-train privacy and security staff members to create a more effective team
 

  LEGAL/REGULATORY UPDATES

 

Big Data, Personalization and Digital Market Manipulation

Eloïse Gratton, Partner and Co-chair Privacy, McMillan LLP

In the late sixties, with the development of automated data banks and the growing use of computers in the private and public sectors, privacy was conceptualized as having individuals “in control over their personal information” (Westin, 1967). The principles of Fair Information Practices were elaborated during this period and have been incorporated in data protection laws (DPLs) adopted in various jurisdictions, including in Canada through PIPEDA and substantially similar provincial laws. Data-mining techniques and capabilities are now reaching new levels of sophistication. This session will focus on the fact that in the era of big data, new business models and marketing techniques, including facial recognition, market manipulation, subliminal marketing, personalization reaching new levels of sophistication and dynamic pricing practices, just to name a few, are triggering concerns that are not properly addressed with the current Canadian data protection laws. Come hear about these new business models and the type of concerns that privacy professionals will have to deal with in the near future with regards to these models. You’ll hear practical and useful solutions necessary to ensure that business practices are both legally compliant as well as ethical, fair and reasonable.

What you’ll take away:

  • Learning about upcoming concerns dealing with emerging technologies and big data
  • Understanding the current challenges with Canadian data protection laws regulating new practices
  • Learn practical solutions useful in dealing with new marketing practices

Canada’s Anti-Spam Legislation: Final Words from the Regulators

Moderator: Shaun Brown, Partner, nNovation LLP
André Leduc, Manager, National Anti-Spam Coordinating Body, Digital Policy Branch, Industry Canada
Emilia de Somma, Legal Counsel, Canadian Radio-television and Telecommunications (CRTC)
Dana-Lynn Wood, Senior Enforcement Officer, Canadian Radio-television and Telecommunications (CRTC)

With Canada’s Anti-Spam Legislation (CASL) coming into force in a few short months, this session will provide one of the last opportunities to hear from both Industry Canada—the government department that developed the legislation—and the Canadian Radio-television and Telecommunications (CRTC), which will be responsible for enforcement.

What you’ll take away:

  • The definition of a “commercial electronic message”
  • Interpretation of Industry Canada regulations
  • Types of guidance material that organizations can expect to see in the coming months
  • CRTC enforcement mandate under CASL

PIPEDA Sneak Peek

Moderator: Chantal Bernier, Interim Privacy Commissioner of Canada
Barbara Bucknell, Acting Director, Policy and Research, Office of the Privacy Commissioner of Canada
Anne-Marie Hayden, Director General, Communications, Office of the Privacy Commissioner of Canada
Brent Homan, Director General, PIPEDA Investigations, Office of the Privacy Commissioner of Canada

Here’s your chance to hear the key theme of the OPC’s PIPEDA annual report to parliament, which is typically tabled in parliament a couple of weeks after the Symposium. While the full contents of the annual report will only be available upon tabling in Parliament, this is an opportunity to get a sneak peek of the main theme of the OPC’s annual report and a few highlights. Learn about OPC investigative findings relating to theme; OPC policy and research; current public opinion research; and communications efforts, public education tools and resources designed to raise awareness around the issues.

What you’ll take away:

  • An opportunity to hear about major OPC priorities under PIPEDA
  • A look at some key PIPEDA investigation findings
  • A sense of the OPC’s focus in its annual report to parliament, enabling better organizational preparation on tabling day

Privacy Update: Recent and Upcoming Privacy Law and Litigation Developments

Alex Cameron, Partner, Fasken Martineau LLP

Come hear a practical overview of significant privacy legal and regulatory developments over the past year, including legislative changes, commissioners’ findings and orders and court decisions. We’ll also review privacy class action and related litigation activity. We’ll conclude with a look ahead to anticipated future developments in the area. Attendees will come away with a solid understanding of the current state of privacy law and how it impacts organizations, as well as future changes to watch for.

A View from the West

Elizabeth Denham, Information and Privacy Commissioner, Office of the Privacy Commissioner of B.C.
Gary Dickson, Information and Privacy Commissioner, Office of the Privacy Commissioner of Saskatchewan
Diane McLeod-McKay, Information and Privacy Commissioner, Office of the Privacy Commissioner of Yukon

Join commissioners from Western Canada as they discuss hot issues that they are currently tackling. You’ll hear three unique perspectives on the issues: one from a commissioner with 10 years’ experience, one who is in the middle of her term and one who is just starting.

 

  MOBILE/ONLINE PRIVACY

 

Ad Choices—The Policy Debate on Advertising Data Collection

Wally Hill, Vice President, Public Affairs and Communication, Canadian Marketing Association (CMA)
Peter Kosmala, CIPP/US, Senior Vice President, Government Relations, 4A’s-American Association of Advertising Agencies

AdChoices (youradchoices.ca) is Canada’s first self-regulatory framework for data protection in online behavioural advertising (OBA). It joins similar efforts in the U.S. and Europe to provide consumers greater transparency and control over the use of their web viewing data for advertising purposes. But can self-regulation work in Canada? What does the OPC expect from Canadian industry? How will these programs—and advertising data collection—evolve as consumers continue to migrate to mobile environments and anxieties over tracking persist? This session will summarize privacy approaches to online advertising in Canada with relevant contrasts to the U.S. and EU. It will offer useful insights into how Canadian consumers view targeting and tracking as well as outline practical standards for meeting regulator expectations.

What you’ll take away:

  • Knowledge of the privacy commissioner’s views on targeting and tracking under Canadian law
  • Timely perspective on current and emerging consumer choice mechanisms in online ads, web browsers and mobile apps
  • Understanding of the complex interrelation between self-regulatory and regulatory enforcement of OBA in Canada, the U.S. and Europe

 

Both Sides of the Coin: Addressing Online and Mobile Privacy Concerns for Canadian Consumers and Advertisers

Angelique Okeke, Senior Counsel, Lotame
Noga Rosenthal, General Counsel and VP, Compliance & Policy, Network Advertising Initiative (NAI)
Tim Stoute, CTO and Co-CEO, eyeReturn Marketing

Here, we’ll address current issues and privacy challenges facing digital advertising companies today, including do not track, threats of regulation, the potential death of the cookie, the so-called technology arms race and challenges presented by mobile as well as cross-device and omni-channel marketing. This open dialogue about these privacy issues will include discussion of solutions that move the ball forward. We will conclude by sharing predictions about the future of the third-party advertising ecosystem and where the industry will stand in 2015.

Different Strokes: Managing Privacy Across Marketing Channels

Michael Chase, Chief Marketing Officer, St. Joseph Communication
David Elder, Special Digital Privacy Counsel, Canadian Marketing Association, Counsel, Stikeman Elliot LLP

Business organizations routinely interact with and market to consumers through an increasingly broad array of traditional and electronic channels, with the latter growing at an unprecedented rate. While such a multi-channel approach offers greater marketing breadth to business organizations and convenience to an increasingly mobile and tech-savvy consumer marketplace, it can also create significant challenges to ensuring equivalence and privacy compliance across all channels, particularly when adapting material, including notifications and consents, to size and character-limited formats, or through standardized platforms maintained by third parties. Using illustrative case studies, this interactive session will examine some of the privacy challenges inherent in various marketing channels and suggest best practices for privacy-compliant and ethical marketing.

What you’ll take away:

  • Key privacy risk areas/challenges with respect to common and emerging marketing channels
  • Best practices and practical tips for ensuring compliance in various media/formats

How to Stay Competitive in an Online and Mobile World

Adam Kardash, Partner, Osler, Hoskin & Harcourt LLP
Maltie Maraj, Senior Counsel, Tealium Inc.
Deborah Reine, Senior Counsel, Royal Bank of Canada

Technology has changed the world we live in and affects all aspects of our lives, including how we socialize, how we communicate, how we work and how we shop. This interactive session will consider the challenges of using online and mobile technology (e.g., what is personal information, notice/consent) and the risks of using online and mobile technology (e.g., information security, privacy breaches, reputational risks). This discussion will lead to our key message: By understanding the relevant laws and regulations across jurisdictions, considering self-regulatory bodies and keeping an eye on the leading lawmakers, businesses can remain competitive and compliant in an online and mobile world.

What you’ll take away:

  • Global overview of the legal, regulatory and privacy issues facing the online and mobile world
  • The current state of online and mobile services
  • How businesses using online and mobile technology can remain competitive and compliant in the current regulatory climate

Online Surveillance and Privacy: How to Repair Our Broken Relationship with the InterWebs

Claudiu Popa, CIPP/US, President, Informatica Corporation

Last year's news of state-sponsored hacking and rogue industrial malware made global business uneasy. This year's scandalous revelations of government surveillance of all digital communications have fundamentally changed the way we work and play online. While the criminal element buries deeper into the darkest recesses of the Internet, legitimate businesses and individuals feel more exposed than ever. The simple act of conducting a Google search or downloading an image is fraught with peril. We anticipate our online activity tracked at every turn, and everywhere in between. Here, we’ll offer a plain-English exploration of what we know about the tracking of our online activity, what information is collected, how it is used and what its impact is on our lives, our businesses and the global stage. You’ll enjoy the knowledge-driven approach with clear examples of tools and techniques that can be readily used to protect data, identity and reputation in the invasive, new climate of cyber-surveillance. The key message is not about “taking back the Internet” (it wasn't ours in the first place). It's about leveraging its power without fear—essential techniques to be shared by privacy and security professionals in all sectors.

What you’ll take away:

  • Clear understanding of what Internet surveillance is and how far it goes
  • Understanding the direct linkages between online tracking and privacy principles such as consent
  • Readily applicable tools and techniques for protecting privacy and compliance
 

  OPERATIONAL PRIVACY

 

21st Century Breach/Incident Response: Do You Have the Right Players at the Table?

Vikas Bhatia, CEO & Executive Risk Adviser, Kalki Consulting
Susan M. Kalp, General Counsel and Chief Human Resources Officer, Kalki Consulting

Often, privacy, compliance and information security officers and their teams each have a perspective of what an incident is, how they are notified and the responses required. We question whether these individuals and their siloed approaches are enough to respond to today’s incidents. During our session, we will examine the preconceived notions that exist within, and external to, organizations of all sizes as incident response plans are developed. We will also look at key business functions, cultural differences and internal and external non-technical stakeholders that should be included before, during and after an incident occurs. Incidents almost always force companies to reassess their risk profile. Our interactive session will allow participants to role play a real-world scenario involving external stakeholders, where the response required extends beyond internal privacy, compliance and information security. This presentation will bring to light the harsh realities for those tasked with shaping the incident responses.

What you’ll take away:

  • Traditional response processes do not have the appropriate stakeholder buy-in
  • Response processes have been built around compliance mandates (which are outdated or insufficient)
  • Consideration of detection technologies, as well as the associated processes, need to be tested

Assessing Technology and Privacy Risks via the PIA Process

Marjorie Platero, CIPP/C, PIA Officer, Office of the Privacy Commissioner of Canada
Anne Overton, IT Research Analyst, Office of the Privacy Commissioner of Canada

New initiatives often harness advanced computing power and the collection and use of data to deliver enhanced products and services. While the OPC will draw on its experience with PIAs in the federal public sector, this session will be invaluable for both public- and private-sector privacy professionals engaged in (or considering the introduction of) a PIA process in their organization. We will provide advice and guidance on developing PIAs for projects with a technological component and which involve the collection and/or use of personal information. You’ll learn how technology and privacy risks may be assessed and mitigated through the PIA process, and how evaluating privacy issues at the front-end of an initiative can ultimately bring about even greater results for everyone.

What you’ll take away:

  • Learn about PIA requirements in the federal public sector
  • Gain insight into how technology and privacy risks may be linked
  • Understand how security and privacy risks can be assessed through the PIA process

Effective Privacy Training to Build Accountability

Fazila Nurani, CIPP/C, President, PrivaTech Consulting

In this networking session, we’ll discuss how to effectively train adult learners on privacy compliance and best practice so they retain the information they learn and apply it in their day-to-day work (a learner-centric approach). We will share ideas on e-learning, in-person sessions, customized training for different departments, frequent reminders and tips, re-training, testing to demonstrate understanding and metrics to evaluate the privacy training program. A strong (and practical) privacy training program is critical to building accountability. This session will demonstrate to participants that it does not need to be costly or burdensome.

What you’ll take away:

  • A strong understanding of what your privacy training program should achieve
  • Clarity on how your privacy training program can be rolled out or improved
  • An appreciation of the time/resources that should be invested in a privacy training program

Demonstrating Accountability

Constantine Karbaliotis, CIPP/US, CIPP/C, CIPP/E, CIPP/IT, CIPM, Americas Privacy Leader, Mercer
Lauren Reid, CIPP/US, CIPM, Director, Compliance Solutions, Nymity Inc.

Accountability has become a very important concept in privacy and probably one of the key contributions Canada has made to privacy worldwide. But how does one implement accountability? We will look at an approach that is based on making the word “accountability” mean something in an operational context, based on practical tools and approaches.

What you’ll take away:

  • Accountability frameworks
  • Operational considerations in accountability
  • An accountability scorecard

Measuring Privacy

Tracy Ann Kosa, Senior Privacy and Safety Strategist, Microsoft Corporation

To date, there is no mechanism to measure the effectiveness of privacy law, either in inception or execution. In other words, we have no idea whether the privacy legislation actually protects privacy. Confusion over concepts—privacy v. security v. confidentiality—frequently leads to an inability to assign roles, responsibilities and accountabilities, as well as create a governance structure. The duality of a privacy professional’s job combined with the variety of organizational cultures equals an imprecise combination of depth, quality, breadth, nature and application of operational privacy. Privacy programs often have no set criteria, metric or descriptive quality. The same conditions that enable customization bring the lack of standardization causing issues with nomenclature and creating partnerships for data sharing. This session proposes three new ways to create metrics for privacy and provides case studies and samples for each.

What you’ll take away:

  • The types of purposes of privacy metrics
  • How to develop your own privacy metrics
  • Some of the pitfalls and ethical issues with metricizing privacy
 

  PUBLIC-SECTOR PRIVACY

 

Implementing Privacy Accountability in a Provincially Funded Agency

Pamela Snively, Managing Director, AccessPrivacy by Osler
Samara Starkman, CIPM, Chief Privacy Officer, Director, Privacy & Access, Cancer Care Ontario

Here, you’ll gain practical guidance on how to develop, implement and maintain a privacy management or accountability program in government and healthcare settings. A privacy accountability framework is needed to support the effective implementation of a privacy program in any government agency. And privacy accountability in a provincially funded agency requires largely the same components as it does in a private-sector organization, but operationalizing accountability can be different. In this session, you will learn how privacy legislation in government agencies mandates the establishment of a privacy accountability program for e-health initiatives.

What you’ll take away:

  • Tools and guidance developed by privacy commissioners that you can apply to your own privacy accountability program
  • Learnings from CancerCare Ontario’s own case study, including insights on implementing and managing an accountable privacy program in Ontario

Party Like It's 1988: Trying to Fit Ontario's FOI Laws into 2013 Realities

Peter Meyler, Access and Privacy Officer, City of Mississauga
Paul Wan, Access and Privacy Officer, City of Mississauga

The networking session will explore the Monty Python-like world of Ontario’s outdated FOI laws with today’s real-world situations. Using actual access decisions and IPC orders, we will examine the inconsistencies that abound in the interpretation and implementation of FIPPA and MFIPPA and find common solutions. Topics covered include “Is that dog-bite an open and shut case?”, “Close the door, I’m in the washroom” and “Was that IPC order a paradigm shift or a zero-sum thing?”

What you’ll take away:

  • Learn consistent solutions to common problem areas for FOI access decisions
  • Create a network of contacts to be able to communicate with when common issues arise
  • Create list of problem areas currently under MFIPPA and FIPPA for transmittal to government

Watching Them Watching Us—A Timely Conversation about Oversight of Government Surveillance

Moderator: Chantal Bernier, Interim Privacy Commissioner of Canada
Ray Boisvert, Former Assistant Director of Canadian Security Intelligence Service (CSIS), CEO, I-Sec Integrated Strategies
Colin Freeze, National Security Reporter, The Globe and Mail
Sukanya Pillay, Executive Director and General Counsel, Canadian Civil Liberties Association (CCLA)

This facilitated networking session, led by interim Privacy Commissioner of Canada Chantal Bernier, will feature the unique perspectives of three individuals on the very topical subject of government surveillance. Join the conversation as these four speakers spark a discussion on a matter of national importance to Canadian citizens everywhere.

 

  ADDITIONAL EXPERTISE

 

Canada’s Anti-Spam Legislation (CASL): Understanding the Exemptions and When They Apply

Arlan Gates, Partner, Baker & McKenzie LLP

Privacy and marketing advisors rightly focus on how to comply with CASL, but finalized government regulations have expanded the already significant carve-outs from the anti-spam provisions of the legislation. This session will explore key circumstances when CASL does not apply to senders, recipients, messages and marketing activities, based on the latest guidance from Industry Canada and the CASL regulators: the Competition Bureau, the CRTC and the Privacy Commissioner of Canada.

Privacy...It’s a Global Affair!

Carman Baggaley, Strategic Policy Advisor, Office of the Privacy Commissioner of Canada
Brent Homan, Director General, PIPEDA Investigations, Office of the Privacy Commissioner of Canada
Michael Maguire, Senior Advisor, PIPEDA Investigations, Office of the Privacy Commissioner of Canada

What has been highlighted for the last few years is now a reality. With trans-border data flows and globalized commercial markets, privacy risks have become an international concern that often demands an international compliance response. Hear an expert panel discuss the various forms that international collaborative efforts have taken, from coordinated enforcement initiatives with the Dutch and Irish DPAs to the inaugural GPEN International Privacy Sweep involving partner agencies around the world. Hear the OPC’s perspective on how such progressive initiatives yield benefits and efficiencies to authorities, individuals and organizations alike.

What you’ll take away:

  • Understanding the continuum of collaborative options available to privacy enforcement authorities
  • Understanding the practical implications, for organizations and authorities, associated with information sharing, collaborative enforcement and other cooperative activities

The Unintended Consequences of Privacy Paternalism

Joseph Alhadeff, VP Global Public Policy and Chief Privacy Strategist, Oracle
Ann Cavoukian, Information and Privacy Commissioner of Ontario
Khaled El Emam, CEO, Privacy Analytics
Dan Kruger, Founder, President, & Chairman of the Board of Directors, Absio Corporation

In the era of big data, cloud computing and the Internet of Things, a disturbing proposal has recently emerged that seeks to dramatically revise the OECD Fair Information Practice Principles (FIPPs), thereby weakening the basis of privacy laws. While the proposals advocate greater accountability on the part of data users/processors, they also feature fewer controls on the collection of personal information and enhanced regulatory oversight of data misuse and resulting harms. In response, Commissioners Cavoukian and Dix and Professor El Emam challenge the proposal and argue that individuals have basic expectations that their personal data will be used in accordance with the reasons why they have been asked to provide it. That is why placing limits on specifying the purpose, collection and uses of personal information are critically important and should ideally be embedded as the default, proactively—the essence of Privacy by Design. PbD reflects current realities and needs, extending the FIPPs rather than diminishing them: User control is extended while accountability is enhanced. Come hear this expert panel discuss how diminishing the OECD principle of Purpose Specification, Collection and Use Limitation is a misguided proposition. Learn how to avoid the seductive and fictional notion of an ever-benevolent data user/processor. And avoid the trap of privacy paternalism.

The Unexamined Life Is Not Worth Living: Dave Eggers’ The Circle and the Triumph of Transparency

Douglas Forman, PhD, Certification Exam Manager, IAPP

Socrates’ appeal for self-scrutiny is seen as the catalyst for all human achievement. But what if we applied this intense level of scrutiny to the lives of others? In Dave Eggers’ The Circle, the protagonist is led to believe, through her work at the world’s most powerful Internet company, that a stripping away of personal privacy will engender a more civil and humane society. Of course, as is the case with most dystopian fiction and film, such well-intentioned attempts often result in the inexorable destruction of individual freedom. Following in the tradition of Animal Farm, Fahrenheit 451 and Brave New World, Eggers exposes the sinister underbelly of such naïve idealism. Come join this book-club style discussion, led by a former university English instructor, of the novel hailed as a “parable about the perils of life in a digital age” and “a vivid, roaring dissent to the companies that have coaxed us to disgorge every thought and action onto the Web.” Be prepared to share your insights as we explore how The Circle is relevant to the issues and questions you face in your daily work and gain an understanding of how artists and writers are reacting to the age of big data, widespread surveillance and digital utopianism.

What the Hack? Anatomy of a Data Breach Response

John Russo, Vice President, Legal Counsel, Corporate Secretary & Chief Privacy Officer for Equifax Canada Co.

Breaches occur, even at organizations with robust business continuity programs. Once a breach happens, the impact can ruthlessly restrict an organization’s ability to conduct business, weaken or destroy customer and brand loyalty and result in liability damage in excess of the organization’s assets. Customers may feel betrayed and concerned over the risks of the compromised data—and they will want to know what actions the organization is taking to protect them from the consequences. Come explore the anatomy of a data breach response and learn how to ensure that your organization is prepared.