.png)
Jason Bero of Microsoft Canada and Archive360's Bill Tolson talk through the Digital Charter Implementation Act currently being debated in Canadian Parliament.
John Roberts
John is the Chief Privacy Officer and Archivist of Ontario, and since May 2020, acting Chief Information Security Officer (CISO), at the Ministry of Government and Consumer Services. He has been active in addressing privacy and record keeping issues in data and digital initiatives throughout the Ontario public sector, especially in respect of data integration. As the CISO, John is responsible for Leading the delivery of a comprehensive cyber risk management program to predict, identify and address threats to information security and enable the Ontario government to meet its digital service delivery commitments securely. As Archivist of Ontario he also promotes access to the Archives of Ontario's collections.
-1.png)
Bill Tolson
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Bill Tolson : Welcome to the Archive 360 Information Management 360 Podcast. This week's episode is entitled The Canadian Privacy Landscape in 2022 and 2023. My name is Bill Tolson and I'm the Vice President of Compliance and e-Discovery at Archive 360. Joining me today is John Roberts, Associate Deputy Minister, Deputy Chief Digital and Data Officer, Chief Privacy Officer, and Archivist for Ontario, Canada, that's the province of Ontario, correct, John?
John Roberts: That's correct.
Bill Tolson : Excellent. And John, thanks again for taking the time to join me today on our podcast. I've been following the Canadian privacy laws for quite a while based on the business I'm in, and we'll dive into some of them and get your opinion on it. But the first thing is I mentioned in my introduction, you're the Chief Privacy Officer and Archivist for the province of Ontario, can you give our listeners a bit of an idea of your duties in your position?
John Roberts: Sure. Thanks for the introduction. Thanks for the opportunity to join you on the podcast today, Bill. So my long title there gives you a sense of quite wide ranging duties and to look at each of those different bits of my spec. As Chief Privacy Officer, I'm really responsible for the government's actions around privacy. So our policy function in terms of the provinces, statutory and regulatory approach to privacy, or the internal guidance and support that we provide for the privacy community of practice across the Ontario Public Service, and some of the advice to the public. What you need to recognize is that's a very different role from the Information and Privacy Commissioner that we have. We have in Ontario, as in most Canadian provinces, a Commissioner and Officer of the Legislature who is the watchdog role over the legislation. I obviously have a very close and strong working relationship with the Commissioner, but we have different mandates in the system.
I'm the guy inside the bureaucracy trying to make sure A, that we've got the right laws and B, that we're doing our job to maintain public trust and uphold privacy protections, but the actual oversight, the place where the public would go to complain about privacy breaches, so the enforcer, if you like, is the Commissioner on the outside.
Bill Tolson : Wow.
John Roberts: I'll just also quite briefly touch on the other roles.
Bill Tolson : Oh, please.
John Roberts: I think the fact that I'm also Archivist and Deputy Chief Digital and Data Officer is a reflection of how pervasive privacy is across the government information system. And it's not kind of an add-on to my other duties, it's really fundamental part of government's information strategy, information and data systems if you like. In dealing with issues of data management, we have to have privacy embedded at the start, thinking about the access to the record of the province that needs to be balanced against appropriate protection of privacy and how that changes over not just months, but years and decades. So there's a bit of privacy in all the different aspects of what I do.
Bill Tolson : Wow, that's really far reaching and sounds like you're obviously never lacking for something to do, lots of stuff going on and like I said, I've been following the Canadian actions and laws for quite a while and Canada seems to be kind of way out in front as opposed to the United States when it comes to protecting privacy and so forth. I mean you're maybe a little bit aware that this last year we finally had, besides California which has been out in front of all the states in the United States on privacy, we had four other states actually bringing privacy laws into being, which is a great first step. But they're thinking that by the end of probably next year, the majority of the states will have finally enacted privacy laws as well, which is well long overdue, but as I mentioned before we started, the United States has their Federal Privacy Bill in the House of Representatives and we're all hoping that that's going to be passed this next year.
I know many, many, many businesses are hoping as well because one of the provisions of the federal bill is that it would preempt the state bill, so it would give, at least in the United States, companies one law to follow versus many. We're going to get into that topic around Canada here in a little bit, but there's a lot going on ever since GDPR kicked things off. Well, I shouldn't say that, Canada had laws even prior to that, but GDPR was kind of the base of privacy laws and they've been relatively aggressive in going after companies as well. But in your position that you just talked about, how long have you held that position?
John Roberts: I've been in this role for seven years. I actually came to Canada from the New Zealand public sector.
Bill Tolson : Wow.
John Roberts: A little bit of experience also of the New Zealand Privacy Act, but there are so many parallels between the privacy discourse in different countries because in a network global environment, data flows are worldwide, e-commerce, the internet, these are some of the areas that are really throwing up big privacy concerns and approaches to those are international in nature. So it's very much a global conversation and interesting to see, as you were hinting at, how there's a bit of stuff that comes out from individual jurisdictions, states, provinces, and the like, then there are things that have real global effect like GDPR, particularly because of the scale of the economy through which that was put into play.
Bill Tolson : Yes, and you mentioned data transfers and stuff. I'm sure you probably saw in the news that the GDPR/US agreement for data transfers has taken some big, big steps over the last couple of weeks and I think I saw yesterday or the day before, the EU has said yes, the provisions on the US side now meet EU privacy law and the only question now is, well, Max Schrems who brought the first two cases against Privacy Shield and the other one, is he going to take this next transfer agreement into courts? And the guess is, yeah, probably within a couple of weeks.
So it will be interesting, that's for sure. The stuff never ends and privacy, like you've alluded to and like I've alluded to, it's top of mind for obviously countries and jurisdictions and stuff, but also for politicians and companies who are just trying to work within the system to move data around and protect the privacy of individuals. There's all kinds of threats going on. I just saw a threat against actually me this morning, which I spent a little time trying to fix. It's constantly going on. But in your position, which sounds really, really interesting, what issues or challenges are you going to be focused on over the next 12 months?
John Roberts: I think at a 30,000 foot view, the real big issue is still, how do we enable citizens, Ontarians to get the benefits of the digital world, of online services, of smarter services, of more joined up government whilst also ensuring that we are fully maintaining public trust and confidence? That kind of sounds very ivory tower and abstract, but really I guess that's, to my mind, at the heart of privacy. It's not simply a compliance exercise against whatever statute is in place, privacy is something that is valued, valued deeply, maybe valued even more deeply here in Canada than in the US.
Bill Tolson : Yes, I think so.
John Roberts: Making sure that we can really look Ontarians in the eye, but at the same time give them the smart, joined up, progressive, digital government that they have every right to expect. And of course ensuring that we also have, in an economic sense, the right conditions for Ontario businesses to be able to have exactly the same confidence and trust relationship with their customer base. Want to make sure we're at a place to innovate and grow that is really attractive for startup businesses, but attractive not just because of a lax regulatory regime, but one that is able to ensure confidence, provide a level of certainty. So these kind of drivers about how do we ensure we've got privacy practices and regulations that are really fit for 2022 and beyond, and the kind of innovation cycle that we see coming out of the pandemic, that stuff's central.
I've emphasized the government services piece there, that's partly a reflection of our current statutory landscape. I think we'll get onto that no doubt, but just a reminder for listeners that in Canada we have national privacy law from our federal government that allows for individual provinces to have their own regimes as long as they are at least equivalent in the levels of protections that they provide. Ontario, my province, doesn't currently have a separate privacy statute for the private sector. We rely on our federal colleagues and the legislation that they have in place at national scale, but we do have separate privacy protection in statute for protections where government is collecting information and using it. So that stuff also needs modernization just as much as the legislation covering the private and commercial sector.
Bill Tolson : Yeah, that's exactly right on our side as well, or in the United States. I know one of the biggest topics that when I'm doing presentations on privacy laws in the United States I get is business organizations basically being afraid that number one, a given law is going to be kind of, I wouldn't say business friendly but complex to follow. So they're always wondering, are they in compliance with the law? But even more so, and as I mention a little bit talking about the state laws, they're very afraid that they're going to be faced with a huge number of slightly differing privacy regulations going from state to state and then federal.
And if the federal law doesn't preempt the states, then they're looking at a very complex kind of landscape. And when I say that, I have people question me on that because the current five state privacy bills in the United States are similar, but there are differences, not just in the size of the fines, but also certain things are defined differently. Exemptions are different from state to state. Businesses really are afraid that trying to keep track of what will probably be a constantly changing, very complex privacy landscape just in the United States is going to make them spend gigantic sums of money just to try to be compliant. It sounds like, I think John, in Canada, you've had this for a while and have been able to operate within both the provincial privacy laws as well as the federal, correct?
John Roberts: That's correct. So we've had the federal law, which allows for individual provincial statutes to effectively take precedence as long as they're substantially similar, really means equivalent or stronger privacy protections. At the moment, British Columbia, Alberta, and Quebec have private sector privacy laws in place, the others don't. But as you say, that does mean we've been grappling with this question of harmonization and potential complexity in a patchwork for industry and for businesses for some time. Ontario did do some formal consultations about privacy reform over the last couple of years, and this was a theme that came through very, very strongly from the industries that we spoke to, a strong desire to see up to date, robust legislation.
But a number of the things that you hit on in your comments, one, a reminder that legislation that is unclear causes a lot of uncertainty, potentially a lot of extra costs as organizations try to figure out whether certain things are or aren't compliant. Navigating this tension between principle-based privacy legislation that can be more enduring and more universal in scope, but the need to also provide certainty and clarity, both for individuals about their rights and for organizations that are regulated and trying to ensure that they are in compliance is a big theme. But I think the number one thing we heard from businesses was the importance of having a well orchestrated, harmonized national regime across whatever the federal government does and what the province does.
And it was certainly complicated because at the time we were consulting, the feds had a bill going through, they still do, they have a new bill now. I think a lot of folk that we talked to really urged the province to ensure that the federal statutory framework could be modernized ahead of significant changes at a provincial level to make sure that we were really in a position to properly harmonize practice between the different areas.
Another aspect of complexity, and this one again you've touched on it a few times already, is the international alignment. I'm very mindful that quite apart from companies that deal right across Canada are looking to ensure that there's a consistency between what's expected of them in different provinces and dealing with federally regulated partners. Many of those bigger organizations are already dealing with the EU, with California, with other US states, and grappling with the fact that those regimes themselves are not completely consistent.
So it's a really fraught area. I know that we all need to modernize. There is a risk of harmonization leading to stagnation, but it's not an unreasonable ask from business to have a regime that is broadly consistent. Certainly across Canada, I don't believe that Canadians from coast to coast to coast have materially different understandings of the privacy rights that they expect. As you start to move further afield into different cultural spheres, then maybe there is an argument that in certain parts of the world, privacy expectations are genuinely different. But certainly within Canada, I think they're broadly the same. And then figuring out, how do we operationalize that is an interesting set of debates.
Bill Tolson : Great points. And like you say, and like I've alluded to as well, the complexity is just going to get more and more for organizations worldwide and trying to figure out what they can do and what they can't do and how long do they keep stuff. And I'm constantly having discussions/arguments with outside experts all the time on this because they're interpreting the bills or the laws slightly different. I'm sure there'll be, at least in the States, a flood of cases, litigation, so forth that will help settle it out, but-
John Roberts: If I could just add one thing on the complexity and the sort patchwork piece-
Bill Tolson : Sure.
John Roberts: ... that's a significant factor in Canada and it may or may not play in the US. It does come back to the constitutional arrangements between the federal government and the provinces. So there are parts of social activity, if you like, that are not constitutionally assigned to the federal government to regulate. So in the privacy space, for example, their privacy law at national scale is grounded in the federal interests in trade and commerce. That gives an absolute justification for federal privacy regulation in commercial activities, but it does not give them good grounds for regulating privacy practices or asserting privacy rights in the non-commercial sector.
So one of the things that, again, came through in our consultations and thinking in Ontario was the importance of privacy as a human right is the way it was asserted by some, but as a universal value isn't purely a matter of avoiding exploitation or commercial harm, it's actually something that is present in all interactions where personal information is at play, and yet we know that constitutionally we can't rely on our federal colleagues to be extending protections to the way in which information is dealt with by not-for-profits and the like.
There's also some challenges in Canadian constitutional matters around the privacy protection of employees, which would typically fall to provinces rather than to the feds. So, understanding exactly how mandates are assigned in any given country is part of where privacy protections need to be legislated because it's almost inevitably distributed. Those questions of harmonization and alignment become really critical for policymakers to understand.
Flipping that on its head, it's not just the organizations that are regulated, there's a real driver for harmonization that comes through for individuals as well. Privacy protection is a messy and complex beast at the best of times, but being able to explain to a person what their rights are and what they should expect from any organization handling their information, that's a much easier story to tell if those rights are at least broadly consistent, no matter which organization they're dealing with; the government, the bank, telco, a sports club, a religious organization. I think citizens generally have a view of privacy that is common across all those different kinds of interactions, and yet the legislation may be distributed across multiple statutes trying to create a common understanding so that individuals too can feel confident in how they participate in the system that at the end of the day is there to protect their values and expectations.
So it's not just clarity and consistency for industry, I think everyone is well served when we have a coherent approach to privacy across the different legislative bodies that are playing.
Bill Tolson : And you mentioned data subjects or citizens, what their expectations are beyond business, I think end users data subjects like me and you separately in a personal role, we just expect some common sensical stuff and nothing to where you have to spend a week trying to understand it. It should be pretty straightforward. And I think we're going to talk about, in fact let's do it right now, you mentioned the Canadian Privacy Bill in the parliament and that's designated as C27, or the Digital Charter Implementation Act of 2022 so far, and it has some of the same kind provisions and common sensical stuff in it that many of the US state privacy laws do. I mean as well as the federal, as well as GDPR, they have a list of rights.
You have a right to query a company on what kind of PII they're holding on you, how they're using it. They also have the right, in most cases, to ask for it to be removed or deleted, if there's no legal or regulatory reason that a company has to keep it. So having those common sensical rights that I think some of the states have five, some of them have eight, but they're all generally the same stuff. And once the public is educated on this stuff, then I think there's going to be a better acceptance. But like I said, the C27, tell me if I'm wrong, John, I think it's designated if it passes, and I believe we talked about it's in its second reading in the Canadian Parliament, but there was a previous privacy bill, I think designated as C11 that did not pass, but C27 has a lot of great stuff in it. And I know Canadian federal law already has privacy law in place. Is C27 thought of as replacing the current privacy laws or just kind of adding to?
John Roberts: C27 would effectively replace the current law, which is PIPEDA, the Personal Information Protection Electronic Documents Act. You're right, there was a bill in the commons in the last parliament, C11, which I guess rather than saying it didn't pass, I'd say more accurately it lapsed with the general election, so it didn't actually pass into law, but it wasn't that it was rejected, although there was, I think, quite some vigorous debate around some of the details in that statute. C27 has got really three parts. In fact, if that bill passes, I think it turns into three distinct acts.
One is really a replacement of PIPEDA, although much is continued from the existing regime. Unsurprisingly, as you just pointed out, our privacy laws in Western countries are broadly articulating the same core set of principles, I think some cases five, eight, 10, there's a bunch of principles in the New Zealand Privacy Act, there were a bunch of information privacy principles in PIPEDA. Those core principles pretty much continue. So one of the acts that would result would be a replacement, although with a fairly substantial continuity of concepts.
The second piece would be some additional enforcement machinery to set up a tribunal because part of the procedural fairness debates are ensuring that we've got enough role clarity between different parties. What should the role of the Commissioner be as opposed to the government and how do you ensure that there is some kind of neutral party adjudicating fines and the like? Especially as potentials for fines become more significant, I think as I understand it, part of the policy logic there is that if the commissioner role is investigating and interpreting, making them judge, jury, and fine setter would become a little bit too much all in one. So a separate tribunal gets established under a second part of the bill.
And the third area, which I think is actually one of the most interesting in some ways and certainly is a topic that I'm sure you've covered on podcasts in the past, is around artificial intelligence and how to articulate privacy practices in respect of what is increasingly a fairly ubiquitous set of technologies. And I don't think any of us want to prevent AI and machine learning and the like from generating the huge benefits that they can both for individuals and for society at large, but how do the risks that are associated with people's personal information being used in often very opaque algorithmic contexts play through?
It's probably not privacy in the sense that I grew up with or I don't know how old you are, Bill, but there are many of us in this field who grew up with a simpler world in terms of what privacy meant. But AI is throwing up some interesting challenges around things that are certainly, they're privacy in the sense that individuals feel uncomfortable about how their personal data is being used, and as data subjects are anxious, wary, and sometimes even disadvantaged by bias or discriminatory algorithmic practices. On the other hand, it's quite a distinct set of harms and concerns than traditional privacy.
So anyway, long story short, Bill C27, yep, you're spot on. It's at second reading at the moment. Next stage, assuming it continues as anticipated, would be to go to committee hearings, which is when a lot of the really interesting submissions come in and if passed,.
Bill Tolson : Yeah, that's really interesting the way they broke it up, or included the three kind of separate but related things into it. And the AI piece, that is a hot topic everywhere right now and I think in the States, the various states, some of them give the right to data subjects to say, you cannot use AI or machine learning when you're utilizing my PII. I sort of understand why, but again, it complicates matters more when you have some percentage of your PII database opting out of using machine learning algorithms and the others not, again, just another level of complexity, but I understand why because I think a lot of the talk has been around, and we've seen this in some of the bigger kind of US platforms and I won't name them, but they're starting to find or at least hint at the way the algorithms are constructed, there might be some implied bias built into it and things like that.
Obviously, the privacy folks as well as end users don't want to be saddled with some sort of programmatic or systematic bias based on some of their personal characteristics. I understand it, but again, another level of complexity, that's for sure.
John Roberts: As you know, there's a range of emerging responses around rights of explainability so that if decisions are taken about individuals, they should have some ability to understand beyond someone simply saying, "The algorithm said that you were declined." That doesn't seem to be acceptable to hand over that level of control to technology, very closely related rights to have essentially a human decision maker in various cases. All of the stuff around AI is increasingly looked at through lenses of risk, trying to understand what scenarios actually give rise to risks that we want to pay more attention to. I think that's a smart approach given how prevalent the use of AI machine learning is already and attempting to over-regulate its application to personal information is really, I think, trying to put the genie back in the bottle. But equally I think there is potential, as you've said, for people to be genuinely disadvantaged through discriminatory data sets or biased learning. There are so many examples in the media and in academic studies that it's clear that that is a genuine rather than just a perceived risk.
As with all of these things, the devil is in the detail and how to strike that balance between the principle, common sense, pragmatic approach that you mentioned that people want, and the certainty and clarity combined with fast-moving technology developments does make for quite a fraught space.
Bill Tolson : Yeah. And it's going to continue to be a topic, at least in the States, in Canada, and I know that the EU is working on the same sort of stuff because I follow it, but it's going to be very interesting to see how these potential controls get put in place and what they mean and everything else.
But back on C27, one of the provisions included in the Canadian Bill C27 is called the Private Right of Action, which under specific circumstances gives individuals the right to start legal action against an organization that's misused their PII or suffered a data breach. Also, I know you mentioned, I think it's the second part of C27, which is the tribunal, that's the kind of government organization that in many cases will decide on legal action and fines and stuff like that, but there is this provision around private right of action as well. And I know in the United States the private right of action has been a huge roadblock to getting privacy bills passed into law.
And again, the private right of action basically means that an individual can sue an organization based on a perceived wrong around their PII. I think the only law in the States right now is California's law provides for private right of action. The other four states, and I talked to all four of the authors of those privacy bills, all state senators, and they all said, "Yes, we originally wanted private right of action in the bills, but we had to negotiate it out otherwise we would've never made it into law." The US federal bill that's in the House of Representatives currently has a private right of action in it, but who knows if that's going to be negotiated out as well.
John, what are your thoughts on private right of action? Do you think that could be an issue going forward with the bill or in your mind, is it an expectation from citizens that, of course, they should be able to do that?
John Roberts: I don't think citizens have an automatic assumption that they should be able to pursue a private right of action. I do think that citizens want to have confidence that the enforcement machinery, the compliance machinery is actually fit for purpose in legislation. I think they do want to be able to believe that it's got teeth, I think is the way it's usually put, that industry will pay attention and not simply treat non-compliance as a cost of doing business. As you probably know in Canadian laws at the moment, the general model is complaint to a commissioner who would've some ability to take action. Designing the compliance toolkit is always a really tricky part of any bit of policy and legislative design, the combination of sticks and carrots and getting beyond an obsession with just the maximum level of fines. We all went through that period with the GDPR introduction where the first couple of slides on the presentation talked about the potential level of fines available to the regulators.
Effective compliance is so much more than just that kind of headline number and it does come down to things that we've started to be talking about today around things like, well, who actually gets to make those decisions? Are there private rights of action as well as mediated through a commissioner or whatever? What, if any, mitigating factors are set out in law? I mean if an organization has been certified as compliant with a code of practice, does that provide any kind of indemnification? So, lots of these different pieces around certifications and transparency practices and tribunals and different kinds of process for prosecutions all come together into quite a charged bit of debate.
I would be astonished if, as the federal bill passes through committee stage, there isn't quite a bit of discussion about this whole area, not limited to the private right of action, but more broadly, how is enforcement understood? How is compliant balanced throughout so that it's appropriate and fair and proportionate? And I think sometimes private rights of action take a lot of attention because they're seen as a bit of a gotcha, that if everything else fails, you can still just go and sue and it's got some different parameters.
So I think as policy professionals, we really want to design a system that avoids egregious cases ever coming to pass, that's got the right incentives developed upfront. Some of this comes back to the earlier conversation about clarity in actual ease of compliance. We've all seen cases where there have been complaints and the regulated parties have argued that compliance was not actually practicable for them. Those get messy.
So we need to ensure that the provisions that are put in place are actually realistic, cost effective, that there are not unanticipated consequences that create really perverse incentives for weird behavior, that we don't have gaping loopholes that feel like they should be unlawful but are actually workarounds that are available to organizations, because at the end of the day, taking action, A, it's after the fact the harm has already happened, it's typically expensive and onerous for people involved and takes some time to get redress. It's just better for all of us if we try to create an environment that makes those cases as few as possible and assuming that the majority of organizations are indeed good actors, that they can comply and that any non-compliance is then more of a matter of corrective action rather than heavy duty enforcement.
Certainly in our consultations, the overwhelming message from businesses was they understand the importance of privacy to their operating model. And particularly for online businesses, your business is only as strong as people's trust in you and they need to have that confidence to provide the information, which is often the lifeblood of startup enterprise these days. So, it's a recognized part of the digital economy, the trust dynamic and organizations, businesses, I think, are looking to government to create statutory regimes that enable them to confidently articulate that they are compliant, that they are lawful, and that they've actually had some meaningful guidance from the law in terms of how to build that customer confidence.
Bill Tolson : Yeah, that makes absolute sense. I know we're running up against our time here, John, so there's two more questions I wanted to bring up. Also, I wanted to mention just based on your last description, California has private right of action, it's the only state that does, but they also created kind of a commission or office of privacy to act as a mediator, which I think is a good idea. The other states basically leave it up to the state's Attorney General's office to decide if somebody's broken the law, whether they're going to be sued, what the fines are, and stuff like that.
There is a difference there, but one of the things that I wanted to ask you about is around security safeguards, all privacy bills, or most privacy bills, at least mention that yes, PII should be protected and secured and so forth. My question, and I think this is pretty universal, including GDPR and all the other ones, most of the bills don't get prescriptive at all when it comes to data security. In the States, all the states basically say, companies must use reasonable security practices. And that's quite an opening to decide what kind of technologies and stuff. And I know C27 doesn't specifically get very prescriptive as well.
Do you think keeping general privacy regulations, data security less prescriptive is the right way to go? Or the question I've asked many US state senators are, sure, you don't want to designate specific technologies that lock in a vendor or something like that, but basic stuff like multifactor authentication or data encryption, and I haven't gotten an answer either way where anybody agrees. I was just wondering what your opinion is on prescriptive data security requirements and these kinds of laws.
John Roberts: Great question, Bill. And I think we could be having a similar discussion about cybersecurity compared to privacy, again a lot of the same dynamics. I tend to think that in primary law, keeping things relatively general is the way to go because there are such differences across different sectors, different kinds of information, et cetera. Where I'd probably go beyond just a really high level reasonable protections type statement is starting to give some criteria in law about what factors should influence what is to be considered reasonable. So requiring organizations, for example, to look at the sensitivity of the information, to look at both the insider and external threats to the data, and so on. So adding a few layers of considerations or criteria to help articulate what reasonable means because at that level of generality, it is such a slippery term.
I would suggest though that there is a lot of scope for far greater prescriptive specificity into codes of practice. I know this is some machinery that's in C27 in a lot of areas to try and say, privacy law that's universal is inevitably going to be a bit more generic than is helpful for all of the actors. But at a level of a particular sector, it is possible and indeed beneficial to become far more detailed about what some of the overarching principles really mean, how to think about certain risks, and for something like cybersecurity, potentially to specify in a more granular or even technical level what reasonable security might mean. So I think we need to think of privacy as not just about the headline act, but also about the machinery that sits underneath that. I'm a real champion of sectoral codes of practice that help give that extra level of definition for implementation support.
Bill Tolson : Sure. Yeah. No, I mean that's what businesses are looking for is, what's the standard that I need to meet to supply best case or best practice data security?
John Roberts: Data security is changing so fast.
Bill Tolson : Oh yeah.
John Roberts: It's a fool's errand, as you suggest, to be too prescriptive, but neither can we afford to ignore how fundamental it is. I've dealt a lot with our provincial CISO and many of the security incidents that she deals with are motivated by desire to exploit personal information, many of the privacy breaches that I deal with have been occasioned through some kind of cyber attack. So the two disciplines are deeply intertwined.
Bill Tolson : Yeah, that's really interesting. And I agree, and John, I think we could have gone another 45 minutes to an hour easily in our discussion and maybe down the line we can pick up a part two, but with that, John, I think we need to wrap up this edition of the Archive 360 Podcast. I want to thank you for a really interesting and educational discussion today on the very timely subject of Canadian Privacy Laws and Bills, and with C27 getting a lot of good feedback, I think this is going to be really interesting.
If anyone has questions on this topic, would like to talk to a subject matter expert, please send an email mentioning this podcast to information, I-N-F-O, @archive360.com, or you can send it directly to me bill.toson, T-O-L-S-O-N, @archive360.com, and we'll get back to you just as soon as possible. Also check back at the Archive 360 resource page for new podcasts with leading experts, like John Roberts on diverse subjects, including data security, data privacy, information management and archiving, records management, and regulatory compliance. So with that, John, very much appreciated, had a great time, and thank you.
John Roberts: Thanks very much, Bill. Pleasure talking to you.
Have a question for one of our speakers? Post it here.
.png)