PIPEDA and Privacy Preferences Design
PIPEDA
"PIPEDA" Is an acronym for the "Personal Information Protection and Electronic Documents Act". It is a federal law of Canada.
PIPEDA dictates how organizations must handle personal information about an individual. Examples of personal information include, but are not limited to, credit card information, driver’s licence, pictures, bank account information, phone numbers, and email addresses.
PIPEDA defines an organization's legal responsibilities with respect to the way it collects, uses, and discloses personal information (PI). Within this document, the terms "personal information", "organization", "collect", "use", and "disclose" are used as defined by PIPEDA. They are defined briefly, with examples, as follows:
Personal Information
Information about an identifiable individual. Examples include name, address, and credit card information.
Organization
Includes an association, a partnership, a person and a trade union.
Collection of personal information
An organization gathers personal information from a user and may store it internally. Collection is always internal in the sense that the information does not leave the confines of the organization. For example, a site may ask a user to enter their name, address, and credit card number, and then store them on an internal server.
Use of personal information
An organization or service uses collected personal information for the purposes for which it was collected. Like collection, use is internal to the organization. As an example, an organization uses credit card information when an individual purchases an item from the organization’s web site. Later, the organization uses the individual's address to ship the item to them.
Disclose personal information
An organization shares information it has collected with external third parties. One way disclosure of personal information can occur is when an organization transmits personal information electronically to another party for that party's use. For example, when an individual makes a credit card purchase through an organization's web site, the organization must transmit the credit card information to the credit card company to complete the purchase. Such transmission is a form of disclosure.
Policies
An organization’s legal responsibility with respect to collecting, using, and disclosing personal information is realized through two kinds of policies -- a policy for collecting, using, and disclosing personal information, and a policy for inquiries and complaints.
Organizations are obliged to publish a policy stating the purpose(s) for which they are collecting personal information, how long they will retain the information, how they intend to use it, and if and how they will disclose it to third parties. The reason for publishing this statement is so that users can determine and evaluate the organization's privacy policy before providing any personal information. If the user is not comfortable with the organization’s privacy policy, they can decide not to provide any personal information. However, the result may be that the individual cannot use services provided by the organization.
Secondly, organizations are required to publish a policy regarding how users can make inquiries about the personal information that the organization has collected. Inquiries include:
A request for a copy of all of the user’s personal information,
Checking personal information for accuracy, and providing corrections to the organization,
Information about how the personal information has been used internally, and what has been disclosed to third parties and why, and
Registering a complaint with the organization about the organization’s failure to follow their own privacy policies.
Since PIPEDA is a law, failure on the part of an organization to openly publish policies, or to follow the policies it has published, can lead to audits by the Privacy Commissioner of Canada, fines, or lawsuits.
IDRC Privacy Preferences Design
IDRC’s privacy preferences design encompasses a set of privacy preferences, user interface, and information model for capturing, storing, and transmitting a user’s privacy preferences. The preferences afford users the ability to detail the level of privacy they want to assert with respect to various types of personal information.
Although the terminology is not the same, privacy preferences are statements by a user about the ways they want their personal information to be collected, used, or disclosed. For example, one of the preferences in the design relates to tracking of the user's location. Users can specify that they want to block all location tracking. Blocking is equivalent, in PIPEDA terminology, to not allowing collection, use, or disclosure of location information. Alternatively, the user may choose to share their location with some services but not others, e.g., share their location with Google Maps but not with Flixster (a movie locator and ticket purchasing service). Here, "sharing" is equivalent to allowing collection and use by the Google Maps service only.
Relationship Between PIPEDA and Privacy Preferences Design
There are three points of intersection between PIPEDA and privacy preferences design.
Policies
A minor relationship involves the privacy preferences themselves. Since they are personal preferences, they are a type of personal information and are subject to PIPEDA. The implication is that any organization that uses Privacy Preferences Design is collecting, using, and/or disclosing personal information in the form of preferences. As such, the organization must establish and publish policies that define what is collected, why it is collected, how it is used, and how and why it is disclosed. Note that in this case, one of the main reasons for the preferences is to share (disclose) them with other parties to ensure that the user's privacy needs are met.
Nonetheless, privacy preferences are relatively low in sensitivity. By comparison, credit card information is much more sensitive and can cause an individual greater harm if not kept private. The implication is that an organization's privacy policy with respect to preferences can be relatively simple: state that the collection, use, and disclosure of these preferences serve to enhance the individual's privacy with respect to more sensitive personal information, and that it is therefore beneficial to the user to allow this kind of personal information to be collected, used, and disclosed. One caveat: a preference set still reveals which services a user deals with and which kinds of information they consider sensitive, so it should be protected in transit and at rest like any other personal information, even if the policy governing it is simple.
User Control
A more interesting relationship is in terms of control. As noted above, PIPEDA requires organizations to inform users of the organization’s privacy policy. Users can then make an informed choice about whether they are willing to supply the organization with personal information. But, that is the extent of the user’s control. It is an all-or-none affair, and usually means the user either provides personal information or does not use the service at all.
Privacy preferences design affords users a finer degree of control over the collection, use, and disclosure of their personal information, since it provides specific directives for various kinds of personal information, and for groups of web sites or services. In addition, given that the preferences are digitally encoded, they are easily transferred and used in other contexts. That is, the user does not have to re-enter their preferences on a site-by-site, service-by-service, or app-by-app basis.
Note that this relationship resonates with some of the seven principles of Privacy by Design. In that regard, it is proactive on the part of the user (principle 1), it is visible and transparent (principle 6), and it is user-centric (principle 7).
Personal Privacy Policy
The most radical idea is that the privacy preferences are the privacy policy required by PIPEDA. Under this view, the preferences are seen as what the user is willing to allow and prohibit in terms of sharing personal information. An organization could respect the user's wishes and state that its privacy policy is synonymous with the user's needs and preferences as expressed through Privacy Preferences Design.
The main benefit here is that it is a user-centric solution since the user is in control. The organization is able to give the user exactly what they want in terms of privacy, instead of an all-or-nothing policy.
Even so, the organization must still publish a privacy policy, and in such a way that the user's privacy preferences can plug into it. The organization begins by establishing a standard privacy policy that covers all users, as would normally be the case under PIPEDA. That way, the organization has at least a policy for users who do not have any privacy preferences, or do not care to create any. As a second step, the organization indicates to users that they can fine-tune the policy themselves. The organization accomplishes this by adopting and implementing Privacy Preferences Design. This can, at a minimum, take the form of a run-time questionnaire where the user enters their preferences through a series of dialogs. Another approach is for the user to upload a copy of their privacy preferences (their "personal privacy policy") to the organization, possibly from their phone, a USB stick, or some server. The organization uses the uploaded preferences to adapt its basic policy to reflect the user's wishes.
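The following is an added example, not code from IDRC or from this document, showing one way the adaptation step above could work: a user's preferences (encoded in a hypothetical JSON format assumed here, not IDRC's actual information model) are loaded, validated, and combined with the organization's standard policy so that each request to collect, use, or disclose a kind of personal information for a given service is decided per user. The sample preferences reproduce the location example from earlier on this page: block location tracking everywhere except for one maps service, which may collect and use (but not disclose) it. Service names and the data-type labels are constructed for illustration.

```python
import json

# The three activities PIPEDA regulates; a preference rule lists which of them
# the user allows for a given kind of personal information and a given service.
ACTIONS = ("collect", "use", "disclose")

# Constructed sample: one user's preferences in a hypothetical JSON encoding
# (an assumed format for illustration, not IDRC's actual information model).
# Rule 1 blocks location tracking everywhere; rule 2 overrides it for one
# service; rule 3 lets any service collect and use, but not disclose, email.
USER_PREFERENCES_JSON = """
{
  "version": 1,
  "preferences": [
    {"data_type": "location", "service": "*", "allow": []},
    {"data_type": "location", "service": "maps.google.com", "allow": ["collect", "use"]},
    {"data_type": "email", "service": "*", "allow": ["collect", "use"]}
  ]
}
"""

# Constructed sample: the organization's standard policy, which applies
# unchanged to users who have not supplied any preferences.
ORG_DEFAULT_POLICY = {
    "location": ["collect", "use", "disclose"],
    "email": ["collect", "use", "disclose"],
    "credit_card": ["collect", "use", "disclose"],
}


def load_preferences(text):
    """Parse a preferences document and reject rules that name unknown actions."""
    doc = json.loads(text)
    rules = []
    for rule in doc.get("preferences", []):
        allow = set(rule.get("allow", []))
        unknown = allow - set(ACTIONS)
        if unknown:
            raise ValueError(f"unknown action(s) in preference rule: {sorted(unknown)}")
        rules.append((rule["data_type"], rule.get("service", "*"), allow))
    return rules


def user_allowed(rules, data_type, service):
    """Actions the user allows for (data_type, service), or None if no rule covers it.

    A rule naming the service exactly overrides a wildcard ("*") rule for the
    same data type; among rules of equal specificity the last one listed wins.
    """
    exact = wildcard = None
    for rule_type, rule_service, allow in rules:
        if rule_type != data_type:
            continue
        if rule_service == service:
            exact = allow
        elif rule_service == "*":
            wildcard = allow
    return exact if exact is not None else wildcard


def is_permitted(rules, org_default, data_type, service, action):
    """Decide one request against the adapted policy.

    The organization's default policy is the ceiling: preferences can narrow it
    but never authorize an action the organization does not itself perform.
    Where the user has no rule for the data type, the default policy applies.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    baseline = set(org_default.get(data_type, ()))
    allowed = user_allowed(rules, data_type, service)
    if allowed is None:
        return action in baseline
    return action in (baseline & allowed)


def effective_policy(rules, org_default, services):
    """Tabulate the per-user policy for every (data_type, service) pair."""
    table = {}
    for data_type in org_default:
        for service in services:
            table[(data_type, service)] = [
                a for a in ACTIONS
                if is_permitted(rules, org_default, data_type, service, a)
            ]
    return table


SAMPLE_RULES = load_preferences(USER_PREFERENCES_JSON)

if __name__ == "__main__":
    # Print the adapted policy for two hypothetical services.
    table = effective_policy(SAMPLE_RULES, ORG_DEFAULT_POLICY,
                             ["maps.google.com", "flixster.com"])
    for (data_type, service), allowed in sorted(table.items()):
        print(f"{data_type:12} {service:18} {', '.join(allowed) or '(blocked)'}")
```

Two design choices matter here. First, the organization's standard policy is treated as a ceiling, so a preference document can only remove permissions; a user cannot, by uploading a file, cause the organization to do something its published policy does not cover. Second, a data type the user never mentions (credit_card above) falls back to the standard policy, which is exactly the "policy for users who have no preferences" described above; a stricter deployment could instead default to deny.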
Another implication of this approach has to do with changes the user makes to their preferences over time. Sometimes this is due to the user changing their mind and either strengthening or relaxing the degree of privacy of some preference. In addition, users will add new preferences depending on contexts -- newly encountered services or different devices. The policy is thus dynamic.
The organization would still have to develop and publish an inquiry and complaint policy. For example, suppose the user encounters some odd behaviour that leads them to believe that some aspect of their personal information was used or disclosed without their knowledge or consent, and, more importantly, counter to their stated preferences. Suppose further that they determine a certain organization was responsible. They would then want to follow that organization's inquiry policy, at least to confirm that the organization holds an accurate and up-to-date copy of their preferences, or, failing that, to properly lodge a complaint with the organization. Without a published inquiry/complaint policy, the user has no defined way to verify which version of their preferences the organization is acting on.
There is a possible downside to this approach in terms of the legal obligations of the organization. It is likely that the organization's legal department prefers a single privacy policy to handle all users. Privacy Preferences Design amounts to a custom, personalized privacy policy on a per-user basis, and the legal department might object to that as overly complex. However, the upside is that this approach could actually simplify the legal responsibilities of the organization, because the user is more likely to be satisfied when the policy the organization respects is their own. Treating privacy preferences as a privacy policy places responsibility in the hands of the user. If the organization follows the user's preferences, then the user is unlikely to file a complaint.