Executive Summaries Apr 6, 2018

Is Your Organisation Collecting Too Much Data and Is It Well Protected?

The Cambridge Analytica case reminds us that organizations need more than ever to protect the information they collect. Is there a foolproof way to ensure good data management or is a leak inevitable? Overview of the steps to take to better protect the data collected by your company.

Danielle Miller Olofsson has authored this article.

The recent debacle involving Cambridge Analytica’s use of personal information from Facebook users to conduct psychographic profiling so as to enable American presidential campaigns to better target potential voters should come as a surprise to no one. Data mining has been going on for years. As each of us provides quantities of personal information in bits and pieces to organisations through the transactions we conclude or internet searches we conduct, these pieces can be collated to provide an accurate portrait of anything from our health, to our shopping patterns, to our electoral preferences. Mining may be done by the organisation that collected the data or, in the case of Facebook, by a third party that either legally or illegally accesses this information.

While how to protect the data they collect should be at the top of the list of questions organisations are asking in the wake of the Facebook case, two, perhaps more basic, questions remain:

  • are organisations collecting too much data?
  • are they keeping it for too long?

Given the number and variety of security threats facing organizations, the only foolproof way of ensuring that data is not mishandled, whether deliberately or inadvertently, is not to have the data to begin with!

Both the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the provincial Act Respecting the Protection of Personal Information in the Private Sector (PPIPS) limit the scope of information organisations are allowed to collect. While Quebec’s legislation requires an organisation to collect only the information that is necessary for the object of the file, the federal legislation limits collection of personal information to that which is necessary for the purposes identified by the organization. Organisations, therefore, should ask themselves whether the information they are collecting is truly necessary for the object of the file. Excess information simply equals increased risk.

A second point to bear in mind is that PPIPS and PIPEDA respectively forbid organizations from using or keeping personal information for longer than is necessary to achieve the purpose for which the data was originally collected. PIPEDA stipulates that personal information shall be retained only as long as necessary for the fulfilment of the purposes identified by the organization. What is necessary for the fulfilment of the purpose, however, is not specified and requires a case-by-case analysis. Slightly different from its federal counterpart, the Quebec legislation provides that once the object of the file has been achieved the information can no longer be used unless the person concerned has consented to it. While the Quebec law does not seem to impose a burden to dispose of the information, the Quebec privacy commission clearly emphasises this obligation in its interpretive bulletins. Nevertheless, both PPIPS and PIPEDA raise an increasingly tricky question: how to effectively remove data or at least neutralise it so that it is not damaging if illegally accessed?

THE BLOCKCHAIN CHALLENGE

Recent debates over the right to be forgotten and the Draft OPC Position on Online Reputation proposing de-indexing as a way to enforce this right illustrate the difficulty of absolutely obliterating information. Destroying information becomes even more difficult if the information in question is contained on a Blockchain, which is designed to retain information indefinitely. Moreover, the use of Blockchain in transactions of all kinds may increase significantly over the next few years.

Anonymizing personal information so that the data that is collected cannot be traced back to any one individual is, of course, another solution. Techniques for doing so include:

  • removing certain data (i.e. deleting the name next to an address);
  • replacing data with pseudonyms;
  • adding statistical noise; and
  • aggregating the data.

None of these techniques has proven foolproof as re-identification is all too easy.
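As an added illustration (not part of the article), the following Python script shows why simply deleting names is not enough: it measures k-anonymity, the size of the smallest group of records sharing the same combination of remaining attributes (postal code, birth year, sex). A group of size 1 means that record is still unique and could be matched against any other list that carries those attributes. The records, column names and the generalization rule are constructed assumptions for the demonstration.

```python
from collections import Counter

# Constructed sample records (not real people): a direct identifier (name)
# plus quasi-identifiers that remain after the name is removed.
RECORDS = [
    {"name": "A. Tremblay", "postal": "H2X 1Y4", "birth_year": 1984, "sex": "F", "dx": "asthma"},
    {"name": "B. Gagnon",   "postal": "H2X 2Z9", "birth_year": 1986, "sex": "F", "dx": "flu"},
    {"name": "C. Roy",      "postal": "H2X 3A1", "birth_year": 1985, "sex": "F", "dx": "flu"},
    {"name": "D. Cote",     "postal": "G1R 5K7", "birth_year": 1962, "sex": "M", "dx": "diabetes"},
    {"name": "E. Bouchard", "postal": "H2X 1B2", "birth_year": 1987, "sex": "F", "dx": "asthma"},
    {"name": "F. Lavoie",   "postal": "G1R 5K8", "birth_year": 1961, "sex": "M", "dx": "flu"},
]
QUASI = ("postal", "birth_year", "sex")  # assumed quasi-identifier columns


def remove_direct_identifiers(records):
    """First technique from the article: delete the name, keep everything else."""
    return [{k: v for k, v in r.items() if k != "name"} for r in records]


def min_group_size(records, quasi=QUASI):
    """k-anonymity check: smallest number of records sharing one combination
    of quasi-identifier values. k == 1 means at least one record is unique."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(counts.values())


def generalize(records, postal_chars=3, year_bucket=10):
    """Aggregation/generalization: coarsen the quasi-identifiers (first three
    postal characters, ten-year birth bucket) so that groups become larger."""
    out = []
    for r in records:
        g = dict(r)
        g["postal"] = r["postal"][:postal_chars]
        g["birth_year"] = (r["birth_year"] // year_bucket) * year_bucket
        out.append(g)
    return out


if __name__ == "__main__":
    stripped = remove_direct_identifiers(RECORDS)
    print("k after removing names:", min_group_size(stripped))  # 1: still unique
    print("k after generalizing:", min_group_size(generalize(stripped)))  # 2
```

Raising k costs precision (the diagnosis column is untouched here, but the postal code and birth year are now far coarser), which is the trade-off the article's "none of these techniques has proven foolproof" points at.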

Given the difficulty of either truly anonymizing or deleting data, the strict legal requirements placed on an organization to protect the personal information they collect, and the numerous security threats out there, organisations would be well advised to adopt clear data governance policies including provisions on the type and amount of information they collect as well as when and how they will dispose of it.

Invariably accidents will occur but if an organisation can demonstrate that it has a clear data governance policy and consequently that it took every possible measure to protect information, it stands a better chance of weathering a potential storm.

For more information about the data protection measures to be adopted within your organization, do not hesitate to contact a member of the Privacy, Data Protection and Cyber-Crypto Security team.
