IPC - Office of the Information and Privacy Commissioner/Ontario | Discussion Papers

Privacy by Design and Third Party Access to Customer Energy Usage Data

Tue, 29 Jan 2013 00:00:00 GMT

The increased availability of customer energy usage data (CEUD) is one of the numerous benefits of Smart Grid improvements. CEUD allows for more efficient power use by utilities and customers to better deal with spikes in demand. Utilities can avoid having to use expensive “peaker plants” which kick in when energy demands exceed normal levels of supply. And with greater access to information about their own CEUD, customers can make more informed choices about when and how much electricity to use. The paper explores the issue of third party access to CEUD and its benefits, as well as the potential privacy risks. It examines the potential new products and services created by third party access which may support conservation and new market opportunities.

Privacy and Security by Design: A Convergence of Paradigms

Thu, 24 Jan 2013 00:00:00 GMT

Rapid innovation, global competition and increasing system complexity present profound challenges for informational privacy. While we would like to enjoy the benefits of innovation - new conveniences and efficiencies - we must also preserve our personal control and freedom of choice over our data flows.

There is a growing understanding that innovation, creativity and competitiveness must be approached from a “design-thinking” perspective - namely, a way of viewing the world and overcoming constraints that is at once holistic, interdisciplinary, integrative, innovative, and inspiring. The same design-thinking perspective is being applied to privacy and security. Privacy and security must be embedded into every standard, protocol and process that touches our lives.

This paper highlights the convergence of these two paradigms. In the first part, the concept of security by design as understood in the technical community is introduced. In the second, the concept of Privacy by Design (PbD) as understood in the privacy community is discussed. The third and final part explores how these two concepts share notable similarities and how they may complement and mutually reinforce each other. (News Release)

Encryption by Default and Circles of Trust: Strategies to Secure Personal Information in High-Availability Environments

Fri, 14 Dec 2012 00:00:00 GMT

As portable storage devices become increasingly prevalent in the health care sector, concerns also arise regarding the privacy and security of personal health information (PHI). Medical professionals in high-availability data environments, from family doctors to large hospitals, need to ensure data security and protect information through encryption as the default, as the potential for privacy breaches that can be costly and cause lasting damage to their reputation. Taking these steps provides a positive-sum, Privacy by Design approach which benefits both patients and caregivers. The paper introduces the “Circle of Trust” concept, modeled after PHIPA’s “Circle of Care,” which refers to the mobile encryption deployment scenarios and role-based access that enables the free flow of PHI among authorized health-care providers as needed, while at the same time, ensuring PHI remains encrypted and inaccessible to everyone else.

News Release: Privacy and Security as the Default Standard for the Health Sector

Operationalizing Privacy by Design: A Guide to Implementing Strong Privacy Practices

Tue, 04 Dec 2012 00:00:00 GMT

Information management and its protection is imperative to any organization’s success, regardless of its size. Privacy breaches can have profound and long-term adverse consequences, including significant financial impact and damage to the reputation and brand of the organizations involved. The international standard of Privacy by Design is an actionable framework which has been put into practice by a growing number of organizations worldwide to make privacy the default setting.

In order to further guide organizations through this potentially challenging process Commissioner Cavoukian has released a new paper, Operationalizing Privacy by Design: A Guide to Implementing Strong Privacy Practices. This new paper provides an anthology of the experiences of organizations from a wide range of sectors including telecommunications, technology, healthcare, transportation, and energy. It provides a comprehensive overview of the partnerships and joint projects that the Commissioner has engaged in to implement Privacy by Design by providing concrete and meaningful operational effect to its principles.

News Release

Abandon Zero-Sum, Simplistic either/or Solutions - Positive-Sum is Paramount: Achieving Public Safety and Privacy

Wed, 14 Nov 2012 00:00:00 GMT

There is great interest in how the Office of the Information and Privacy Commissioner of Ontario, Canada (IPC) has approached privacy and public safety issues, by bringing them together in a positive-sum manner. In this paper, the IPC shares its approach to applying Privacy by Design (PbD) which is relevant in the context of public safety and law enforcement, including the application of PbD to surveillance programs and the use of associated technologies. The paper also offers examples of when a failure to adopt a PbD approach has led to an erosion of public confidence in law enforcement initiatives, for example in the mandatory collection of personal information in the context of second-hand goods and telecommunications.

Privacy by Design and the Emerging Personal Data Ecosystem

Wed, 31 Oct 2012 00:00:00 GMT

This paper describes the systems and initiatives driving the Personal Data Ecosystem and how they seek to address the challenge of protecting and promoting privacy, while at the same time, encouraging the socio-economic opportunities and benefits of personal information as a new asset class. The paper features case studies of the Personal Data Vault and platform at Washington-based Personal Inc., and the personal data network belonging to San Francisco-based Respect Network, plus invaluable market data on the emerging PDE provided by Ctrl-Shift of London.

A Policy is Not Enough: It Must be Reflected in Concrete Practices

Wed, 05 Sep 2012 00:00:00 GMT

Privacy policies and procedures alone, without a concrete strategy for implementation, will not protect an organization from privacy risks. The policies and procedures must be actively communicated, and staff must be educated about measures that need to be in place, so that policies will be reflected in actions. This paper sets out a series of seven steps that organizations should consider implementing in order to effectively translate their privacy policies into privacy practices.

Privacy and Drones: Unmanned Aerial Vehicles

Thu, 16 Aug 2012 00:00:00 GMT

Unmanned Aerial Vehicles (UAV) present unique challenges due to their ability to use a variety of sensors to gather information from unique vantage points – often for long periods and on a continuous basis. The prospect of having our every move monitored, and possibly recorded, raises profound civil liberty and privacy concerns. At the same time, there are many desirable benefits associated with these technologies. The aim of this paper is to provide a background for general privacy readers, as well as for potential users or regulators of UAV activities, as they relate to the collection, use, and disclosure of personal information.

Privacy by Design and User Interfaces: Emerging Design Criteria – Keep it User-Centric

Thu, 21 Jun 2012 00:00:00 GMT

The design principles we highlight in this paper are among those that we hope will increasingly be recognized in multiple contexts — in both corporate and public sectors alike. We hope to encourage deeper investment by companies into the user design space, which will also contribute to a deepening evidence base that the privacy and policy community can draw upon in future Privacy by Design work.

Privacy by Design in the Age of Big Data

Fri, 08 Jun 2012 00:00:00 GMT

While organizations have practical incentives to make the most of their ever growing observation space (the data they have access to), they also have a pressing need to embed in these systems enhanced privacy protections. We outline in this paper just such an example — how an advanced Big Data sensemaking technology was, from the ground up, engineered with privacy-enhancing features. Some of these features are so critical to accuracy that the team decided they should be mandatory — so deeply baked-in they cannot be turned off.

This paper demonstrates how privacy and responsibility can be advanced in this new age of Big Data analytics.