Data Privacy Day 2011 at Dalhousie University

Matt Lonsdale is a JD candidate at Dalhousie University.

On January 26, 2011, Dalhousie University hosted its 4th annual Data Privacy Day. The half-day conference featured presenters from a wide variety of backgrounds, running the gamut from journalism to computer security to law. They spoke on topics ranging from browser security to compliance with the Personal Information Privacy and Electronic Documents Act (PIPEDA), and drew a crowd of over 200 students, academics and administrative staff from the public and private sector. With audience attendance over twice last year’s numbers, the event was a great success and even received attention from the national media. Video and slides from the presentations should be available shortly on Dalhousie’s Event Archives page.

For those interested in the legal aspects of collecting and managing the personal information of others, there was David Fraser’s presentation Privacy and the Cloud for Universities and the Real World. Fraser’s talk looked at the emergence of cloud computing, the benefits it can offer and the privacy implications that need to be considered when using these services. Cloud computing refers to the practice of organizations or users outsourcing computer services that would normally be maintained on-site to third-party service providers. A common example of this is the increasing trend among universities to contract their email services out to Google. Attracted by the prospect of easier administration and lower overhead costs, the University of Alberta became the first Canadian university to get in on the act last December.

As these services are typically accessed over the internet, the service provider and their client can be (and often are) geographically separated and operating in different legal jurisdictions. This can prompt privacy concerns among administrators who may be unsure of their duties under federal and provincial privacy legislation, or who may not have faith in the privacy protection provided by a government of a foreign jurisdiction. Fraser’s presentation suggested that there is a common concern that information stored in a post-9/11 United States is simply more vulnerable than information stored in Canada. Fears of secret FISA courts have made Canadian organizations reluctant to entrust their data to U.S.-based service providers.

Fraser dismissed these concerns, pointing out that similar legislation exists in Canada in the form of the CSIS Act, which also authorizes so-called “secret courts”. Existing privacy legislation already allows for personal information to be turned over to police services, and future legislation may expedite this process in certain circumstances. Even for someone with an interest in privacy law, Fraser’s suggestion that it was too simplistic to assume data in Canada is safer simply because of our privacy legislation was an eye-opener.

More than a lack of privacy legislation, Fraser said, what companies should be concerned about when outsourcing information management to third parties is the contract they are signing with the service provider. PIPEDA, which governs what uses non-governmental organizations may make of the personal information they collect, does not prohibit Canadian organizations from using cloud computing services to process data. However, Section 4.1.3 of Schedule 1 of the Act does mandate that contractual protections be put in place to protect the data.

The message of Fraser’s talk was that organizations should not make decisions on whether to use cloud computing services based on misplaced fear or a misunderstanding of their duties under PIPEDA. Instead, a thoughtful analysis should be done to see if the risks of using such services can be mitigated, so that the benefits of cloud computing can be enjoyed.

Fraser was not the only one taking note of how the law has attempted to deal with the increasing public demand for privacy protection. In How The Cookie Crumbles, Bob Doherty drew attention to the recent EU Directive requiring advertisers to get the “informed consent” of users before using browser cookies to track users and develop profiles for targeted advertising. Whether this Directive will be implemented on a national level in a way that changes the behavior of advertisers has yet to be seen.

Unsurprisingly, a recurring theme in this year’s event was the impact of social networking on the privacy landscape. Ryan McNutt, a new media officer with Dalhousie’s Communication and Marketing department, spoke of the increasing importance of managing your online “brand” by repeatedly asking yourself “What am I revealing about myself online, and why am I revealing it?” Henry Stern, a Security Engineer from Cisco Systems, presented on the value social network accounts can have for computer criminals and how the popularity of these services has motivated them to adapt their old tricks to work more efficiently in the social networking context. Despite these warnings, both presenters were careful not to demonize social networking and emphasized the benefits that social networking can bring to individuals and organizations. Similar to Fraser’s talk on cloud computing, the consistent message was that the key to taking advantage of the many opportunities that social networks present is knowing how to mitigate the risks that come along with them.

While not explicitly related to social networking, Robert Ellis Smith’s presentation Why Is Privacy So Damn Important Anyways? also emphasized that privacy is not about closing ourselves off from the world. The goal of privacy is to allow us to share freely what we wish to share and protect what we don’t. In the wake of Jennifer Stoddart’s re-appointment as Canada’s Privacy Commissioner, and her stated intention to help Canadians develop strong “digital literacy skills”, this is a message that Canadians are sure to hear more of in the coming years.