Is your organisation collecting too much data and is it well protected?

April 6th, 2018

By Danielle Miller Olofsson, Chief, Knowledge Management and Market Strategies.

The recent debacle involving Cambridge Analytica’s use of personal information from Facebook users to conduct psychographic profiling so as to enable American presidential campaigns to better target potential voters should come as a surprise to no one. Data mining has been going on for years. As each of us provides quantities of personal information in bits and pieces to organisations through the transactions we conclude or internet searches we conduct, these pieces can be collated to provide an accurate portrait of anything from our health, to our shopping patterns, to our electoral preferences. Mining may be done by the organisation that collected the data or, in the case of Facebook, by a third party that either legally or illegally accesses this information.

While how to protect the data they collect should be at the top of the list of questions organisations are asking in the wake of the Facebook case, two, perhaps more basic, questions remain:

  1. are organisations collecting too much data?

  2. are they keeping it for too long?

Given the number and variety of security threats facing organizations, the only foolproof way of ensuring that data is not mishandled, whether deliberately or inadvertently, is not to have the data to begin with!

Both the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the provincial Act Respecting the Protection of Personal Information in the Private Sector (PPIPS) limit the scope of information organisations are allowed to collect. While Quebec’s legislation requires an organisation to collect only the information that is necessary for the object of the file, the federal legislation limits collection of personal information to that which is necessary for the purposes identified by the organization. Organisations, therefore, should ask themselves whether the information they are collecting is truly necessary for the object of the file. Excess information simply equals increased risk.

A second point to bear in mind is that PPIPS and PIPEDA respectively forbid organizations from using or keeping personal information for longer than is necessary to achieve the purpose for which the data was originally collected. PIPEDA stipulates that personal information shall be retained only as long as necessary for the fulfilment of the purposes identified by the organization. What is necessary for the fulfilment of the purpose, however, is not specified and requires a case-by-case analysis. Slightly different from its federal counterpart, the Quebec legislation provides that once the object of the file has been achieved the information can no longer be used unless the person concerned has consented to it. While the Quebec law does not seem to impose a burden to dispose of the information, the Quebec privacy commission clearly emphasises this obligation in its interpretive bulletins. Nevertheless, both PPIPS and PIPEDA raise an increasingly tricky question: how to effectively remove data or at least neutralise it so that it is not damaging if illegally accessed?

The Blockchain Challenge

Recent debates over the right to forget and the Draft OPC Position on Online Reputation proposing de-indexing as a way to enforce this right illustrate the difficulty of absolutely obliterating information. Destroying information becomes even more difficult if the information in question is contained on a Blockchain which is designed to retain information indefinitely. Moreover, the use of Blockchain in transactions of all kinds may increase significantly over the next few years.

Anonymizing personal information so that the data that is collected cannot be traced back to any one individual is, of course, another solution. Technics for doing so include:

  1. removing certain data (ie. deleting the name next to an address;

  2. replacing data with pseudonyms;

  3. adding statistical noise; and

  4. aggregating the data.

None of these techniques has proven foolproof as re-identification is all too easy.

Given the difficulty of either truly anonymizing or deleting data, the strict legal requirements placed on an organization to protect the personal information they collect, and the numerous security threats out there, organisations would be well advised to adopt clear data governance policies including provisions on the type and amount of information they collect as well as when and how they will dispose of it.

Invariably accidents will occur but if an organisation can demonstrate that it has a clear data governance policy and consequently that it took every possible measure to protect information, it stands a better chance of weathering a potential storm.

For more information about the data protection measures to be adopted within your organization, do not hesitate to contact a member of the Privacy, Data Protection and Cyber-Crypto Security team.